add new upcloud cli deploy · evan.jarrett.net/at-container-registry@cd47945

+2 -2

.gitignore

··· 14 14 # Environment configuration 15 15 .env 16 16 17 - # Docker-created quota config (actual config is in deploy/quotas.yaml) 18 - quotas.yaml 17 + # Deploy state (contains server UUIDs and IPs) 18 + deploy/upcloud/state.json 19 19 20 20 # Generated assets (run go generate to rebuild) 21 21 pkg/appview/licenses/spdx-licenses.json

+2 -2

config-appview.example.yaml

··· 35 35 client_name: AT Container Registry 36 36 # Short name used in page titles and browser tabs. 37 37 client_short_name: ATCR 38 - # Separate domain for OCI registry API (e.g. "buoy.cr"). Browser visits redirect to BaseURL. 39 - registry_domain: "" 38 + # Separate domains for OCI registry API (e.g. ["buoy.cr"]). First is primary. Browser visits redirect to BaseURL. 39 + registry_domains: [] 40 40 # Web UI settings. 41 41 ui: 42 42 # SQLite database for OAuth sessions, stars, pull counts, and device approvals.

+191

deploy/upcloud/cloudinit.go

··· 1 + package main 2 + 3 + import ( 4 + "bytes" 5 + _ "embed" 6 + "fmt" 7 + "strings" 8 + "text/template" 9 + ) 10 + 11 + //go:embed systemd/appview.service.tmpl 12 + var appviewServiceTmpl string 13 + 14 + //go:embed systemd/hold.service.tmpl 15 + var holdServiceTmpl string 16 + 17 + //go:embed configs/appview.yaml.tmpl 18 + var appviewConfigTmpl string 19 + 20 + //go:embed configs/hold.yaml.tmpl 21 + var holdConfigTmpl string 22 + 23 + //go:embed configs/cloudinit.sh.tmpl 24 + var cloudInitTmpl string 25 + 26 + // ConfigValues holds values injected into config YAML templates. 27 + // Only truly dynamic/computed values belong here — deployment-specific 28 + // values like client_name, owner_did, etc. are literal in the templates. 29 + type ConfigValues struct { 30 + // S3 / Object Storage 31 + S3Endpoint string 32 + S3Region string 33 + S3Bucket string 34 + S3AccessKey string 35 + S3SecretKey string 36 + 37 + // Infrastructure (computed from zone + config) 38 + Zone string // e.g. "us-chi1" 39 + HoldDomain string // e.g. "us-chi1.cove.seamark.dev" 40 + HoldDid string // e.g. "did:web:us-chi1.cove.seamark.dev" 41 + BasePath string // e.g. "/var/lib/seamark" 42 + } 43 + 44 + // renderConfig executes a Go template with the given values. 45 + func renderConfig(tmplStr string, vals *ConfigValues) (string, error) { 46 + t, err := template.New("config").Parse(tmplStr) 47 + if err != nil { 48 + return "", fmt.Errorf("parse config template: %w", err) 49 + } 50 + var buf bytes.Buffer 51 + if err := t.Execute(&buf, vals); err != nil { 52 + return "", fmt.Errorf("render config template: %w", err) 53 + } 54 + return buf.String(), nil 55 + } 56 + 57 + // serviceUnitParams holds values for rendering systemd service unit templates. 58 + type serviceUnitParams struct { 59 + DisplayName string // e.g. "Seamark" 60 + User string // e.g. "seamark" 61 + BinaryPath string // e.g. "/opt/seamark/bin/seamark-appview" 62 + ConfigPath string // e.g. "/etc/seamark/appview.yaml" 63 + DataDir string // e.g. "/var/lib/seamark" 64 + ServiceName string // e.g. "seamark-appview" 65 + } 66 + 67 + func renderServiceUnit(tmplStr string, p serviceUnitParams) (string, error) { 68 + t, err := template.New("service").Parse(tmplStr) 69 + if err != nil { 70 + return "", fmt.Errorf("parse service template: %w", err) 71 + } 72 + var buf bytes.Buffer 73 + if err := t.Execute(&buf, p); err != nil { 74 + return "", fmt.Errorf("render service template: %w", err) 75 + } 76 + return buf.String(), nil 77 + } 78 + 79 + // generateAppviewCloudInit generates the cloud-init user-data script for the appview server. 80 + func generateAppviewCloudInit(cfg *InfraConfig, vals *ConfigValues, goVersion string) (string, error) { 81 + naming := cfg.Naming() 82 + 83 + configYAML, err := renderConfig(appviewConfigTmpl, vals) 84 + if err != nil { 85 + return "", fmt.Errorf("appview config: %w", err) 86 + } 87 + 88 + serviceUnit, err := renderServiceUnit(appviewServiceTmpl, serviceUnitParams{ 89 + DisplayName: naming.DisplayName(), 90 + User: naming.SystemUser(), 91 + BinaryPath: naming.InstallDir() + "/bin/" + naming.Appview(), 92 + ConfigPath: naming.AppviewConfigPath(), 93 + DataDir: naming.BasePath(), 94 + ServiceName: naming.Appview(), 95 + }) 96 + if err != nil { 97 + return "", fmt.Errorf("appview service unit: %w", err) 98 + } 99 + 100 + return generateCloudInit(cloudInitParams{ 101 + GoVersion: goVersion, 102 + BinaryName: naming.Appview(), 103 + BuildCmd: "appview", 104 + ServiceUnit: serviceUnit, 105 + ConfigYAML: configYAML, 106 + ConfigPath: naming.AppviewConfigPath(), 107 + ServiceName: naming.Appview(), 108 + DataDir: naming.BasePath(), 109 + RepoURL: cfg.RepoURL, 110 + RepoBranch: cfg.RepoBranch, 111 + InstallDir: naming.InstallDir(), 112 + SystemUser: naming.SystemUser(), 113 + ConfigDir: naming.ConfigDir(), 114 + LogFile: naming.LogFile(), 115 + DisplayName: naming.DisplayName(), 116 + }) 117 + } 118 + 119 + // generateHoldCloudInit generates the cloud-init user-data script for the hold server. 120 + func generateHoldCloudInit(cfg *InfraConfig, vals *ConfigValues, goVersion string) (string, error) { 121 + naming := cfg.Naming() 122 + 123 + configYAML, err := renderConfig(holdConfigTmpl, vals) 124 + if err != nil { 125 + return "", fmt.Errorf("hold config: %w", err) 126 + } 127 + 128 + serviceUnit, err := renderServiceUnit(holdServiceTmpl, serviceUnitParams{ 129 + DisplayName: naming.DisplayName(), 130 + User: naming.SystemUser(), 131 + BinaryPath: naming.InstallDir() + "/bin/" + naming.Hold(), 132 + ConfigPath: naming.HoldConfigPath(), 133 + DataDir: naming.BasePath(), 134 + ServiceName: naming.Hold(), 135 + }) 136 + if err != nil { 137 + return "", fmt.Errorf("hold service unit: %w", err) 138 + } 139 + 140 + return generateCloudInit(cloudInitParams{ 141 + GoVersion: goVersion, 142 + BinaryName: naming.Hold(), 143 + BuildCmd: "hold", 144 + ServiceUnit: serviceUnit, 145 + ConfigYAML: configYAML, 146 + ConfigPath: naming.HoldConfigPath(), 147 + ServiceName: naming.Hold(), 148 + DataDir: naming.BasePath(), 149 + RepoURL: cfg.RepoURL, 150 + RepoBranch: cfg.RepoBranch, 151 + InstallDir: naming.InstallDir(), 152 + SystemUser: naming.SystemUser(), 153 + ConfigDir: naming.ConfigDir(), 154 + LogFile: naming.LogFile(), 155 + DisplayName: naming.DisplayName(), 156 + }) 157 + } 158 + 159 + type cloudInitParams struct { 160 + GoVersion string 161 + BinaryName string 162 + BuildCmd string 163 + ServiceUnit string 164 + ConfigYAML string 165 + ConfigPath string 166 + ServiceName string 167 + DataDir string 168 + RepoURL string 169 + RepoBranch string 170 + InstallDir string 171 + SystemUser string 172 + ConfigDir string 173 + LogFile string 174 + DisplayName string 175 + } 176 + 177 + func generateCloudInit(p cloudInitParams) (string, error) { 178 + // Escape single quotes in embedded content for heredoc safety 179 + p.ServiceUnit = strings.ReplaceAll(p.ServiceUnit, "'", "'\\''") 180 + p.ConfigYAML = strings.ReplaceAll(p.ConfigYAML, "'", "'\\''") 181 + 182 + t, err := template.New("cloudinit").Parse(cloudInitTmpl) 183 + if err != nil { 184 + return "", fmt.Errorf("parse cloudinit template: %w", err) 185 + } 186 + var buf bytes.Buffer 187 + if err := t.Execute(&buf, p); err != nil { 188 + return "", fmt.Errorf("render cloudinit template: %w", err) 189 + } 190 + return buf.String(), nil 191 + }

+143

deploy/upcloud/config.go

··· 1 + package main 2 + 3 + import ( 4 + "context" 5 + "fmt" 6 + "os" 7 + "strings" 8 + "time" 9 + 10 + "github.com/UpCloudLtd/upcloud-go-api/v8/upcloud/client" 11 + "github.com/UpCloudLtd/upcloud-go-api/v8/upcloud/service" 12 + "go.yaml.in/yaml/v3" 13 + ) 14 + 15 + const ( 16 + repoURL = "https://tangled.org/@evan.jarrett.net/at-container-registry" 17 + repoBranch = "main" 18 + privateNetworkCIDR = "10.0.1.0/24" 19 + ) 20 + 21 + // InfraConfig holds infrastructure configuration. 22 + type InfraConfig struct { 23 + Zone string 24 + Plan string 25 + SSHPublicKey string 26 + S3SecretKey string 27 + 28 + // Infrastructure naming — derived from configs/appview.yaml.tmpl. 29 + // Edit that template to rebrand. 30 + ClientName string 31 + BaseDomain string 32 + RegistryDomains []string 33 + RepoURL string 34 + RepoBranch string 35 + } 36 + 37 + // Naming returns a Naming helper derived from ClientName. 38 + func (c *InfraConfig) Naming() Naming { 39 + return Naming{ClientName: c.ClientName} 40 + } 41 + 42 + func loadConfig(zone, plan, sshKeyPath, s3Secret string) (*InfraConfig, error) { 43 + sshKey, err := readSSHPublicKey(sshKeyPath) 44 + if err != nil { 45 + return nil, err 46 + } 47 + 48 + clientName, baseDomain, registryDomains, err := extractFromAppviewTemplate() 49 + if err != nil { 50 + return nil, fmt.Errorf("extract config from template: %w", err) 51 + } 52 + 53 + return &InfraConfig{ 54 + Zone: zone, 55 + Plan: plan, 56 + SSHPublicKey: sshKey, 57 + S3SecretKey: s3Secret, 58 + ClientName: clientName, 59 + BaseDomain: baseDomain, 60 + RegistryDomains: registryDomains, 61 + RepoURL: repoURL, 62 + RepoBranch: repoBranch, 63 + }, nil 64 + } 65 + 66 + // extractFromAppviewTemplate renders the appview config template with 67 + // zero-value ConfigValues and parses the resulting YAML to extract 68 + // deployment-specific values. The template is the single source of truth. 69 + func extractFromAppviewTemplate() (clientName, baseDomain string, registryDomains []string, err error) { 70 + rendered, err := renderConfig(appviewConfigTmpl, &ConfigValues{}) 71 + if err != nil { 72 + return "", "", nil, fmt.Errorf("render appview template: %w", err) 73 + } 74 + 75 + var cfg struct { 76 + Server struct { 77 + BaseURL string `yaml:"base_url"` 78 + ClientName string `yaml:"client_name"` 79 + RegistryDomains []string `yaml:"registry_domains"` 80 + } `yaml:"server"` 81 + } 82 + if err := yaml.Unmarshal([]byte(rendered), &cfg); err != nil { 83 + return "", "", nil, fmt.Errorf("parse appview template YAML: %w", err) 84 + } 85 + 86 + clientName = strings.ToLower(cfg.Server.ClientName) 87 + baseDomain = strings.TrimPrefix(cfg.Server.BaseURL, "https://") 88 + registryDomains = cfg.Server.RegistryDomains 89 + 90 + return clientName, baseDomain, registryDomains, nil 91 + } 92 + 93 + // readSSHPublicKey reads an SSH public key from a file path. 94 + func readSSHPublicKey(path string) (string, error) { 95 + if path == "" { 96 + return "", fmt.Errorf("--ssh-key is required (path to SSH public key file)") 97 + } 98 + data, err := os.ReadFile(path) 99 + if err != nil { 100 + return "", fmt.Errorf("read SSH public key %s: %w", path, err) 101 + } 102 + key := strings.TrimSpace(string(data)) 103 + if key == "" { 104 + return "", fmt.Errorf("SSH public key file %s is empty", path) 105 + } 106 + return key, nil 107 + } 108 + 109 + // resolveInteractive fills in any empty Zone/Plan fields by launching 110 + // interactive TUI pickers that query the UpCloud API. 111 + func resolveInteractive(ctx context.Context, svc *service.Service, cfg *InfraConfig) error { 112 + if cfg.Zone == "" { 113 + z, err := pickZone(ctx, svc) 114 + if err != nil { 115 + return fmt.Errorf("zone picker: %w", err) 116 + } 117 + cfg.Zone = z 118 + } 119 + if cfg.Plan == "" { 120 + p, err := pickPlan(ctx, svc) 121 + if err != nil { 122 + return fmt.Errorf("plan picker: %w", err) 123 + } 124 + cfg.Plan = p 125 + } 126 + return nil 127 + } 128 + 129 + // newService creates an UpCloud API client. If token is non-empty it's used 130 + // directly; otherwise credentials are read from UPCLOUD_TOKEN env var. 131 + func newService(token string) (*service.Service, error) { 132 + var c *client.Client 133 + var err error 134 + if token != "" { 135 + c = client.New("", "", client.WithBearerAuth(token), client.WithTimeout(120*time.Second)) 136 + } else { 137 + c, err = client.NewFromEnv(client.WithTimeout(120 * time.Second)) 138 + if err != nil { 139 + return nil, fmt.Errorf("create UpCloud client: %w\n\nPass --token or set UPCLOUD_TOKEN", err) 140 + } 141 + } 142 + return service.New(c), nil 143 + }

+25

deploy/upcloud/configs/appview.yaml.tmpl

··· 1 + version: "0.1" 2 + log_level: info 3 + server: 4 + addr: :5000 5 + base_url: "https://seamark.dev" 6 + default_hold_did: "{{.HoldDid}}" 7 + oauth_key_path: "{{.BasePath}}/oauth/client.key" 8 + client_name: Seamark 9 + client_short_name: Seamark 10 + registry_domains: 11 + - "buoy.cr" 12 + - "bouy.cr" 13 + ui: 14 + database_path: "{{.BasePath}}/ui.db" 15 + theme: seamark 16 + jetstream: 17 + url: wss://jetstream2.us-west.bsky.network/subscribe 18 + backfill_enabled: true 19 + relay_endpoint: https://relay1.us-east.bsky.network 20 + auth: 21 + key_path: "{{.BasePath}}/auth/private-key.pem" 22 + cert_path: "{{.BasePath}}/auth/private-key.crt" 23 + legal: 24 + company_name: Seamark 25 + jurisdiction: State of Texas, United States

+72

deploy/upcloud/configs/cloudinit.sh.tmpl

··· 1 + #!/bin/bash 2 + set -euo pipefail 3 + exec > >(tee {{.LogFile}}) 2>&1 4 + 5 + echo "=== {{.DisplayName}} Setup: {{.BinaryName}} ===" 6 + echo "Started at $(date -u)" 7 + 8 + # Wait for DNS resolution 9 + echo "Waiting for DNS..." 10 + for i in $(seq 1 30); do 11 + if host go.dev >/dev/null 2>&1; then 12 + echo "DNS ready after ${i}s" 13 + break 14 + fi 15 + sleep 1 16 + done 17 + 18 + # System packages 19 + export DEBIAN_FRONTEND=noninteractive 20 + apt-get update && apt-get upgrade -y 21 + apt-get install -y git gcc make curl libsqlite3-dev nodejs npm htop 22 + 23 + # Swap (for builds on small instances) 24 + if [ ! -f /swapfile ]; then 25 + dd if=/dev/zero of=/swapfile bs=1M count=2048 26 + chmod 600 /swapfile && mkswap /swapfile && swapon /swapfile 27 + echo '/swapfile none swap sw 0 0' >> /etc/fstab 28 + fi 29 + 30 + # Go {{.GoVersion}} 31 + curl -fsSL https://go.dev/dl/go{{.GoVersion}}.linux-amd64.tar.gz | tar -C /usr/local -xz 32 + echo 'export PATH=$PATH:/usr/local/go/bin' > /etc/profile.d/go.sh 33 + export PATH=$PATH:/usr/local/go/bin 34 + export GOTMPDIR=/var/tmp 35 + 36 + # Clone & build 37 + if [ -d {{.InstallDir}} ]; then 38 + cd {{.InstallDir}} && git pull origin {{.RepoBranch}} 39 + else 40 + git clone -b {{.RepoBranch}} {{.RepoURL}} {{.InstallDir}} 41 + cd {{.InstallDir}} 42 + fi 43 + npm ci 44 + go generate ./... 45 + CGO_ENABLED=1 go build \ 46 + -ldflags="-s -w -linkmode external -extldflags '-static'" \ 47 + -tags sqlite_omit_load_extension -trimpath \ 48 + -o bin/{{.BinaryName}} ./cmd/{{.BuildCmd}} 49 + 50 + # Service user & data dirs 51 + useradd --system --no-create-home --shell /usr/sbin/nologin {{.SystemUser}} || true 52 + mkdir -p {{.DataDir}} && chown {{.SystemUser}}:{{.SystemUser}} {{.DataDir}} 53 + 54 + # Config file 55 + mkdir -p {{.ConfigDir}} 56 + if [ ! -f {{.ConfigPath}} ]; then 57 + cat > {{.ConfigPath}} << 'CFGEOF' 58 + {{.ConfigYAML}} 59 + CFGEOF 60 + else 61 + echo "Config {{.ConfigPath}} already exists, skipping" 62 + fi 63 + 64 + # Systemd service 65 + cat > /etc/systemd/system/{{.ServiceName}}.service << 'SVCEOF' 66 + {{.ServiceUnit}} 67 + SVCEOF 68 + systemctl daemon-reload 69 + systemctl enable {{.ServiceName}} 70 + 71 + echo "=== Setup complete at $(date -u) ===" 72 + echo "Edit {{.ConfigPath}} then: systemctl start {{.ServiceName}}"

+30

deploy/upcloud/configs/hold.yaml.tmpl

··· 1 + version: "0.1" 2 + log_level: info 3 + storage: 4 + access_key: "{{.S3AccessKey}}" 5 + secret_key: "{{.S3SecretKey}}" 6 + region: "{{.S3Region}}" 7 + bucket: "{{.S3Bucket}}" 8 + endpoint: "{{.S3Endpoint}}" 9 + server: 10 + addr: :8080 11 + public_url: "https://{{.HoldDomain}}" 12 + public: false 13 + registration: 14 + owner_did: "did:plc:pddp4xt5lgnv2qsegbzzs4xg" 15 + allow_all_crew: true 16 + enable_bluesky_posts: false 17 + database: 18 + path: "{{.BasePath}}" 19 + admin: 20 + enabled: true 21 + quota: 22 + tiers: 23 + deckhand: 24 + quota: 5GB 25 + bosun: 26 + quota: 50GB 27 + quartermaster: 28 + quota: 100GB 29 + defaults: 30 + new_crew_tier: deckhand

+45

deploy/upcloud/go.mod

··· 1 + module atcr.io/deploy 2 + 3 + go 1.25.4 4 + 5 + require ( 6 + github.com/UpCloudLtd/upcloud-go-api/v8 v8.34.3 7 + github.com/charmbracelet/huh v0.8.0 8 + github.com/spf13/cobra v1.10.2 9 + go.yaml.in/yaml/v3 v3.0.4 10 + ) 11 + 12 + require ( 13 + github.com/atotto/clipboard v0.1.4 // indirect 14 + github.com/aymanbagabas/go-osc52/v2 v2.0.1 // indirect 15 + github.com/catppuccin/go v0.3.0 // indirect 16 + github.com/charmbracelet/bubbles v0.21.1-0.20250623103423-23b8fd6302d7 // indirect 17 + github.com/charmbracelet/bubbletea v1.3.6 // indirect 18 + github.com/charmbracelet/colorprofile v0.2.3-0.20250311203215-f60798e515dc // indirect 19 + github.com/charmbracelet/lipgloss v1.1.0 // indirect 20 + github.com/charmbracelet/x/ansi v0.9.3 // indirect 21 + github.com/charmbracelet/x/cellbuf v0.0.13 // indirect 22 + github.com/charmbracelet/x/exp/strings v0.0.0-20240722160745-212f7b056ed0 // indirect 23 + github.com/charmbracelet/x/term v0.2.1 // indirect 24 + github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect 25 + github.com/dustin/go-humanize v1.0.1 // indirect 26 + github.com/erikgeiser/coninput v0.0.0-20211004153227-1c3628e74d0f // indirect 27 + github.com/inconshreveable/mousetrap v1.1.0 // indirect 28 + github.com/kr/text v0.2.0 // indirect 29 + github.com/lucasb-eyer/go-colorful v1.2.0 // indirect 30 + github.com/mattn/go-isatty v0.0.20 // indirect 31 + github.com/mattn/go-localereader v0.0.1 // indirect 32 + github.com/mattn/go-runewidth v0.0.16 // indirect 33 + github.com/mitchellh/hashstructure/v2 v2.0.2 // indirect 34 + github.com/muesli/ansi v0.0.0-20230316100256-276c6243b2f6 // indirect 35 + github.com/muesli/cancelreader v0.2.2 // indirect 36 + github.com/muesli/termenv v0.16.0 // indirect 37 + github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect 38 + github.com/rivo/uniseg v0.4.7 // indirect 39 + github.com/rogpeppe/go-internal v1.14.1 // indirect 40 + github.com/spf13/pflag v1.0.9 // indirect 41 + github.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e // indirect 42 + golang.org/x/sync v0.15.0 // indirect 43 + golang.org/x/sys v0.33.0 // indirect 44 + golang.org/x/text v0.23.0 // indirect 45 + )

+109

deploy/upcloud/go.sum

··· 1 + github.com/MakeNowJust/heredoc v1.0.0 h1:cXCdzVdstXyiTqTvfqk9SDHpKNjxuom+DOlyEeQ4pzQ= 2 + github.com/MakeNowJust/heredoc v1.0.0/go.mod h1:mG5amYoWBHf8vpLOuehzbGGw0EHxpZZ6lCpQ4fNJ8LE= 3 + github.com/UpCloudLtd/upcloud-go-api/v8 v8.34.3 h1:7ba03u4L5LafZPVO2k6B0/f114k5dFF3GtAN7FEKfno= 4 + github.com/UpCloudLtd/upcloud-go-api/v8 v8.34.3/go.mod h1:NBh1d/ip1bhdAIhuPWbyPme7tbLzDTV7dhutUmU1vg8= 5 + github.com/atotto/clipboard v0.1.4 h1:EH0zSVneZPSuFR11BlR9YppQTVDbh5+16AmcJi4g1z4= 6 + github.com/atotto/clipboard v0.1.4/go.mod h1:ZY9tmq7sm5xIbd9bOK4onWV4S6X0u6GY7Vn0Yu86PYI= 7 + github.com/aymanbagabas/go-osc52/v2 v2.0.1 h1:HwpRHbFMcZLEVr42D4p7XBqjyuxQH5SMiErDT4WkJ2k= 8 + github.com/aymanbagabas/go-osc52/v2 v2.0.1/go.mod h1:uYgXzlJ7ZpABp8OJ+exZzJJhRNQ2ASbcXHWsFqH8hp8= 9 + github.com/aymanbagabas/go-udiff v0.3.1 h1:LV+qyBQ2pqe0u42ZsUEtPiCaUoqgA9gYRDs3vj1nolY= 10 + github.com/aymanbagabas/go-udiff v0.3.1/go.mod h1:G0fsKmG+P6ylD0r6N/KgQD/nWzgfnl8ZBcNLgcbrw8E= 11 + github.com/catppuccin/go v0.3.0 h1:d+0/YicIq+hSTo5oPuRi5kOpqkVA5tAsU6dNhvRu+aY= 12 + github.com/catppuccin/go v0.3.0/go.mod h1:8IHJuMGaUUjQM82qBrGNBv7LFq6JI3NnQCF6MOlZjpc= 13 + github.com/charmbracelet/bubbles v0.21.1-0.20250623103423-23b8fd6302d7 h1:JFgG/xnwFfbezlUnFMJy0nusZvytYysV4SCS2cYbvws= 14 + github.com/charmbracelet/bubbles v0.21.1-0.20250623103423-23b8fd6302d7/go.mod h1:ISC1gtLcVilLOf23wvTfoQuYbW2q0JevFxPfUzZ9Ybw= 15 + github.com/charmbracelet/bubbletea v1.3.6 h1:VkHIxPJQeDt0aFJIsVxw8BQdh/F/L2KKZGsK6et5taU= 16 + github.com/charmbracelet/bubbletea v1.3.6/go.mod h1:oQD9VCRQFF8KplacJLo28/jofOI2ToOfGYeFgBBxHOc= 17 + github.com/charmbracelet/colorprofile v0.2.3-0.20250311203215-f60798e515dc h1:4pZI35227imm7yK2bGPcfpFEmuY1gc2YSTShr4iJBfs= 18 + github.com/charmbracelet/colorprofile v0.2.3-0.20250311203215-f60798e515dc/go.mod h1:X4/0JoqgTIPSFcRA/P6INZzIuyqdFY5rm8tb41s9okk= 19 + github.com/charmbracelet/huh v0.8.0 h1:Xz/Pm2h64cXQZn/Jvele4J3r7DDiqFCNIVteYukxDvY= 20 + github.com/charmbracelet/huh v0.8.0/go.mod h1:5YVc+SlZ1IhQALxRPpkGwwEKftN/+OlJlnJYlDRFqN4= 21 + github.com/charmbracelet/lipgloss v1.1.0 h1:vYXsiLHVkK7fp74RkV7b2kq9+zDLoEU4MZoFqR/noCY= 22 + github.com/charmbracelet/lipgloss v1.1.0/go.mod h1:/6Q8FR2o+kj8rz4Dq0zQc3vYf7X+B0binUUBwA0aL30= 23 + github.com/charmbracelet/x/ansi v0.9.3 h1:BXt5DHS/MKF+LjuK4huWrC6NCvHtexww7dMayh6GXd0= 24 + github.com/charmbracelet/x/ansi v0.9.3/go.mod h1:3RQDQ6lDnROptfpWuUVIUG64bD2g2BgntdxH0Ya5TeE= 25 + github.com/charmbracelet/x/cellbuf v0.0.13 h1:/KBBKHuVRbq1lYx5BzEHBAFBP8VcQzJejZ/IA3iR28k= 26 + github.com/charmbracelet/x/cellbuf v0.0.13/go.mod h1:xe0nKWGd3eJgtqZRaN9RjMtK7xUYchjzPr7q6kcvCCs= 27 + github.com/charmbracelet/x/conpty v0.1.0 h1:4zc8KaIcbiL4mghEON8D72agYtSeIgq8FSThSPQIb+U= 28 + github.com/charmbracelet/x/conpty v0.1.0/go.mod h1:rMFsDJoDwVmiYM10aD4bH2XiRgwI7NYJtQgl5yskjEQ= 29 + github.com/charmbracelet/x/errors v0.0.0-20240508181413-e8d8b6e2de86 h1:JSt3B+U9iqk37QUU2Rvb6DSBYRLtWqFqfxf8l5hOZUA= 30 + github.com/charmbracelet/x/errors v0.0.0-20240508181413-e8d8b6e2de86/go.mod h1:2P0UgXMEa6TsToMSuFqKFQR+fZTO9CNGUNokkPatT/0= 31 + github.com/charmbracelet/x/exp/golden v0.0.0-20241011142426-46044092ad91 h1:payRxjMjKgx2PaCWLZ4p3ro9y97+TVLZNaRZgJwSVDQ= 32 + github.com/charmbracelet/x/exp/golden v0.0.0-20241011142426-46044092ad91/go.mod h1:wDlXFlCrmJ8J+swcL/MnGUuYnqgQdW9rhSD61oNMb6U= 33 + github.com/charmbracelet/x/exp/strings v0.0.0-20240722160745-212f7b056ed0 h1:qko3AQ4gK1MTS/de7F5hPGx6/k1u0w4TeYmBFwzYVP4= 34 + github.com/charmbracelet/x/exp/strings v0.0.0-20240722160745-212f7b056ed0/go.mod h1:pBhA0ybfXv6hDjQUZ7hk1lVxBiUbupdw5R31yPUViVQ= 35 + github.com/charmbracelet/x/term v0.2.1 h1:AQeHeLZ1OqSXhrAWpYUtZyX1T3zVxfpZuEQMIQaGIAQ= 36 + github.com/charmbracelet/x/term v0.2.1/go.mod h1:oQ4enTYFV7QN4m0i9mzHrViD7TQKvNEEkHUMCmsxdUg= 37 + github.com/charmbracelet/x/termios v0.1.1 h1:o3Q2bT8eqzGnGPOYheoYS8eEleT5ZVNYNy8JawjaNZY= 38 + github.com/charmbracelet/x/termios v0.1.1/go.mod h1:rB7fnv1TgOPOyyKRJ9o+AsTU/vK5WHJ2ivHeut/Pcwo= 39 + github.com/charmbracelet/x/xpty v0.1.2 h1:Pqmu4TEJ8KeA9uSkISKMU3f+C1F6OGBn8ABuGlqCbtI= 40 + github.com/charmbracelet/x/xpty v0.1.2/go.mod h1:XK2Z0id5rtLWcpeNiMYBccNNBrP2IJnzHI0Lq13Xzq4= 41 + github.com/cpuguy83/go-md2man/v2 v2.0.6/go.mod h1:oOW0eioCTA6cOiMLiUPZOpcVxMig6NIQQ7OS05n1F4g= 42 + github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E= 43 + github.com/creack/pty v1.1.24 h1:bJrF4RRfyJnbTJqzRLHzcGaZK1NeM5kTC9jGgovnR1s= 44 + github.com/creack/pty v1.1.24/go.mod h1:08sCNb52WyoAwi2QDyzUCTgcvVFhUzewun7wtTfvcwE= 45 + github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM= 46 + github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= 47 + github.com/dnaeon/go-vcr v1.2.0 h1:zHCHvJYTMh1N7xnV7zf1m1GPBF9Ad0Jk/whtQ1663qI= 48 + github.com/dnaeon/go-vcr v1.2.0/go.mod h1:R4UdLID7HZT3taECzJs4YgbbH6PIGXB6W/sc5OLb6RQ= 49 + github.com/dustin/go-humanize v1.0.1 h1:GzkhY7T5VNhEkwH0PVJgjz+fX1rhBrR7pRT3mDkpeCY= 50 + github.com/dustin/go-humanize v1.0.1/go.mod h1:Mu1zIs6XwVuF/gI1OepvI0qD18qycQx+mFykh5fBlto= 51 + github.com/erikgeiser/coninput v0.0.0-20211004153227-1c3628e74d0f h1:Y/CXytFA4m6baUTXGLOoWe4PQhGxaX0KpnayAqC48p4= 52 + github.com/erikgeiser/coninput v0.0.0-20211004153227-1c3628e74d0f/go.mod h1:vw97MGsxSvLiUE2X8qFplwetxpGLQrlU1Q9AUEIzCaM= 53 + github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8= 54 + github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw= 55 + github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE= 56 + github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk= 57 + github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY= 58 + github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE= 59 + github.com/lucasb-eyer/go-colorful v1.2.0 h1:1nnpGOrhyZZuNyfu1QjKiUICQ74+3FNCN69Aj6K7nkY= 60 + github.com/lucasb-eyer/go-colorful v1.2.0/go.mod h1:R4dSotOR9KMtayYi1e77YzuveK+i7ruzyGqttikkLy0= 61 + github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY= 62 + github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y= 63 + github.com/mattn/go-localereader v0.0.1 h1:ygSAOl7ZXTx4RdPYinUpg6W99U8jWvWi9Ye2JC/oIi4= 64 + github.com/mattn/go-localereader v0.0.1/go.mod h1:8fBrzywKY7BI3czFoHkuzRoWE9C+EiG4R1k4Cjx5p88= 65 + github.com/mattn/go-runewidth v0.0.16 h1:E5ScNMtiwvlvB5paMFdw9p4kSQzbXFikJ5SQO6TULQc= 66 + github.com/mattn/go-runewidth v0.0.16/go.mod h1:Jdepj2loyihRzMpdS35Xk/zdY8IAYHsh153qUoGf23w= 67 + github.com/mitchellh/hashstructure/v2 v2.0.2 h1:vGKWl0YJqUNxE8d+h8f6NJLcCJrgbhC4NcD46KavDd4= 68 + github.com/mitchellh/hashstructure/v2 v2.0.2/go.mod h1:MG3aRVU/N29oo/V/IhBX8GR/zz4kQkprJgF2EVszyDE= 69 + github.com/muesli/ansi v0.0.0-20230316100256-276c6243b2f6 h1:ZK8zHtRHOkbHy6Mmr5D264iyp3TiX5OmNcI5cIARiQI= 70 + github.com/muesli/ansi v0.0.0-20230316100256-276c6243b2f6/go.mod h1:CJlz5H+gyd6CUWT45Oy4q24RdLyn7Md9Vj2/ldJBSIo= 71 + github.com/muesli/cancelreader v0.2.2 h1:3I4Kt4BQjOR54NavqnDogx/MIoWBFa0StPA8ELUXHmA= 72 + github.com/muesli/cancelreader v0.2.2/go.mod h1:3XuTXfFS2VjM+HTLZY9Ak0l6eUKfijIfMUZ4EgX0QYo= 73 + github.com/muesli/termenv v0.16.0 h1:S5AlUN9dENB57rsbnkPyfdGuWIlkmzJjbFf0Tf5FWUc= 74 + github.com/muesli/termenv v0.16.0/go.mod h1:ZRfOIKPFDYQoDFF4Olj7/QJbW60Ol/kL1pU3VfY/Cnk= 75 + github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRIccs7FGNTlIRMkT8wgtp5eCXdBlqhYGL6U= 76 + github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= 77 + github.com/rivo/uniseg v0.2.0/go.mod h1:J6wj4VEh+S6ZtnVlnTBMWIodfgj8LQOQFoIToxlJtxc= 78 + github.com/rivo/uniseg v0.4.7 h1:WUdvkW8uEhrYfLC4ZzdpI2ztxP1I582+49Oc5Mq64VQ= 79 + github.com/rivo/uniseg v0.4.7/go.mod h1:FN3SvrM+Zdj16jyLfmOkMNblXMcoc8DfTHruCPUcx88= 80 + github.com/rogpeppe/go-internal v1.14.1 h1:UQB4HGPB6osV0SQTLymcB4TgvyWu6ZyliaW0tI/otEQ= 81 + github.com/rogpeppe/go-internal v1.14.1/go.mod h1:MaRKkUm5W0goXpeCfT7UZI6fk/L7L7so1lCWt35ZSgc= 82 + github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM= 83 + github.com/spf13/cobra v1.10.2 h1:DMTTonx5m65Ic0GOoRY2c16WCbHxOOw6xxezuLaBpcU= 84 + github.com/spf13/cobra v1.10.2/go.mod h1:7C1pvHqHw5A4vrJfjNwvOdzYu0Gml16OCs2GRiTUUS4= 85 + github.com/spf13/pflag v1.0.9 h1:9exaQaMOCwffKiiiYk6/BndUBv+iRViNW+4lEMi0PvY= 86 + github.com/spf13/pflag v1.0.9/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg= 87 + github.com/stretchr/testify v1.11.1 h1:7s2iGBzp5EwR7/aIZr8ao5+dra3wiQyKjjFuvgVKu7U= 88 + github.com/stretchr/testify v1.11.1/go.mod h1:wZwfW3scLgRK+23gO65QZefKpKQRnfz6sD981Nm4B6U= 89 + github.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e h1:JVG44RsyaB9T2KIHavMF/ppJZNG9ZpyihvCd0w101no= 90 + github.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e/go.mod h1:RbqR21r5mrJuqunuUZ/Dhy/avygyECGrLceyNeo4LiM= 91 + go.yaml.in/yaml/v3 v3.0.4 h1:tfq32ie2Jv2UxXFdLJdh3jXuOzWiL1fo0bu/FbuKpbc= 92 + go.yaml.in/yaml/v3 v3.0.4/go.mod h1:DhzuOOF2ATzADvBadXxruRBLzYTpT36CKvDb3+aBEFg= 93 + golang.org/x/exp v0.0.0-20231006140011-7918f672742d h1:jtJma62tbqLibJ5sFQz8bKtEM8rJBtfilJ2qTU199MI= 94 + golang.org/x/exp v0.0.0-20231006140011-7918f672742d/go.mod h1:ldy0pHrwJyGW56pPQzzkH36rKxoZW1tw7ZJpeKx+hdo= 95 + golang.org/x/sync v0.15.0 h1:KWH3jNZsfyT6xfAfKiz6MRNmd46ByHDYaZ7KSkCtdW8= 96 + golang.org/x/sync v0.15.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA= 97 + golang.org/x/sys v0.0.0-20210809222454-d867a43fc93e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= 98 + golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= 99 + golang.org/x/sys v0.33.0 h1:q3i8TbbEz+JRD9ywIRlyRAQbM0qF7hu24q3teo2hbuw= 100 + golang.org/x/sys v0.33.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k= 101 + golang.org/x/text v0.23.0 h1:D71I7dUrlY+VX0gQShAThNGHFxZ13dGLBHQLVl1mJlY= 102 + golang.org/x/text v0.23.0/go.mod h1:/BLNzu4aZCJ1+kcD0DNRotWKage4q2rGVAg4o22unh4= 103 + gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= 104 + gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk= 105 + gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q= 106 + gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY= 107 + gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ= 108 + gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= 109 + gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=

+35

deploy/upcloud/goversion.go

··· 1 + package main 2 + 3 + import ( 4 + "fmt" 5 + "os" 6 + "path/filepath" 7 + "runtime" 8 + "strings" 9 + ) 10 + 11 + // requiredGoVersion reads the Go version from the root go.mod file. 12 + // Returns a version string like "1.25.4" for use in download URLs. 13 + func requiredGoVersion() (string, error) { 14 + _, thisFile, _, _ := runtime.Caller(0) 15 + rootMod := filepath.Join(filepath.Dir(thisFile), "..", "..", "go.mod") 16 + 17 + data, err := os.ReadFile(rootMod) 18 + if err != nil { 19 + return "", fmt.Errorf("read root go.mod: %w", err) 20 + } 21 + 22 + for _, line := range strings.Split(string(data), "\n") { 23 + line = strings.TrimSpace(line) 24 + if strings.HasPrefix(line, "go ") { 25 + version := strings.TrimPrefix(line, "go ") 26 + version = strings.TrimSpace(version) 27 + // Validate it looks like a version 28 + if len(version) > 0 && version[0] >= '1' && version[0] <= '9' { 29 + return version, nil 30 + } 31 + } 32 + } 33 + 34 + return "", fmt.Errorf("no 'go X.Y.Z' directive found in %s", rootMod) 35 + }

+23

deploy/upcloud/main.go

··· 1 + package main 2 + 3 + import ( 4 + "os" 5 + 6 + "github.com/spf13/cobra" 7 + ) 8 + 9 + var rootCmd = &cobra.Command{ 10 + Use: "upcloud", 11 + Short: "ATCR infrastructure provisioning tool for UpCloud", 12 + SilenceUsage: true, 13 + } 14 + 15 + func init() { 16 + rootCmd.PersistentFlags().StringP("token", "t", "", "UpCloud API token (env: UPCLOUD_TOKEN)") 17 + } 18 + 19 + func main() { 20 + if err := rootCmd.Execute(); err != nil { 21 + os.Exit(1) 22 + } 23 + }

+52

deploy/upcloud/naming.go

··· 1 + package main 2 + 3 + import "strings" 4 + 5 + // Naming derives all infrastructure names and paths from a single ClientName. 6 + type Naming struct { 7 + ClientName string // e.g. "seamark" 8 + } 9 + 10 + // DisplayName returns the title-cased client name (e.g. "Seamark"). 11 + func (n Naming) DisplayName() string { 12 + if n.ClientName == "" { 13 + return "" 14 + } 15 + return strings.ToUpper(n.ClientName[:1]) + n.ClientName[1:] 16 + } 17 + 18 + // SystemUser returns the unix user name. 19 + func (n Naming) SystemUser() string { return n.ClientName } 20 + 21 + // InstallDir returns the source/build directory (e.g. "/opt/seamark"). 22 + func (n Naming) InstallDir() string { return "/opt/" + n.ClientName } 23 + 24 + // ConfigDir returns the config directory (e.g. "/etc/seamark"). 25 + func (n Naming) ConfigDir() string { return "/etc/" + n.ClientName } 26 + 27 + // BasePath returns the data directory (e.g. "/var/lib/seamark"). 28 + func (n Naming) BasePath() string { return "/var/lib/" + n.ClientName } 29 + 30 + // LogFile returns the setup log path (e.g. "/var/log/seamark-setup.log"). 31 + func (n Naming) LogFile() string { return "/var/log/" + n.ClientName + "-setup.log" } 32 + 33 + // Appview returns the appview binary/service/server name (e.g. "seamark-appview"). 34 + func (n Naming) Appview() string { return n.ClientName + "-appview" } 35 + 36 + // Hold returns the hold binary/service/server name (e.g. "seamark-hold"). 37 + func (n Naming) Hold() string { return n.ClientName + "-hold" } 38 + 39 + // AppviewConfigPath returns the appview config file path. 40 + func (n Naming) AppviewConfigPath() string { return n.ConfigDir() + "/appview.yaml" } 41 + 42 + // HoldConfigPath returns the hold config file path. 43 + func (n Naming) HoldConfigPath() string { return n.ConfigDir() + "/hold.yaml" } 44 + 45 + // NetworkName returns the private network name (e.g. "seamark-private"). 46 + func (n Naming) NetworkName() string { return n.ClientName + "-private" } 47 + 48 + // LBName returns the load balancer name (e.g. "seamark-lb"). 49 + func (n Naming) LBName() string { return n.ClientName + "-lb" } 50 + 51 + // S3Name returns the name used for S3 storage, user, and bucket. 52 + func (n Naming) S3Name() string { return n.ClientName }

+88

deploy/upcloud/picker.go

··· 1 + package main 2 + 3 + import ( 4 + "context" 5 + "fmt" 6 + "sort" 7 + 8 + "github.com/UpCloudLtd/upcloud-go-api/v8/upcloud" 9 + "github.com/UpCloudLtd/upcloud-go-api/v8/upcloud/service" 10 + "github.com/charmbracelet/huh" 11 + ) 12 + 13 + // pickZone fetches available zones from the UpCloud API and presents an 14 + // interactive selector. Only public zones are shown. 15 + func pickZone(ctx context.Context, svc *service.Service) (string, error) { 16 + resp, err := svc.GetZones(ctx) 17 + if err != nil { 18 + return "", fmt.Errorf("fetch zones: %w", err) 19 + } 20 + 21 + var opts []huh.Option[string] 22 + for _, z := range resp.Zones { 23 + if z.Public != upcloud.True { 24 + continue 25 + } 26 + label := fmt.Sprintf("%s — %s", z.ID, z.Description) 27 + opts = append(opts, huh.NewOption(label, z.ID)) 28 + } 29 + 30 + if len(opts) == 0 { 31 + return "", fmt.Errorf("no public zones available") 32 + } 33 + 34 + sort.Slice(opts, func(i, j int) bool { 35 + return opts[i].Value < opts[j].Value 36 + }) 37 + 38 + var zone string 39 + err = huh.NewSelect[string](). 40 + Title("Select a zone"). 41 + Options(opts...). 42 + Value(&zone). 43 + Run() 44 + if err != nil { 45 + return "", err 46 + } 47 + 48 + return zone, nil 49 + } 50 + 51 + // pickPlan fetches available plans from the UpCloud API and presents an 52 + // interactive selector. GPU plans are filtered out. 53 + func pickPlan(ctx context.Context, svc *service.Service) (string, error) { 54 + resp, err := svc.GetPlans(ctx) 55 + if err != nil { 56 + return "", fmt.Errorf("fetch plans: %w", err) 57 + } 58 + 59 + var opts []huh.Option[string] 60 + for _, p := range resp.Plans { 61 + if p.GPUAmount > 0 { 62 + continue 63 + } 64 + memGB := p.MemoryAmount / 1024 65 + label := fmt.Sprintf("%s — %d CPU, %d GB RAM, %d GB disk", p.Name, p.CoreNumber, memGB, p.StorageSize) 66 + opts = append(opts, huh.NewOption(label, p.Name)) 67 + } 68 + 69 + if len(opts) == 0 { 70 + return "", fmt.Errorf("no plans available") 71 + } 72 + 73 + sort.Slice(opts, func(i, j int) bool { 74 + return opts[i].Value < opts[j].Value 75 + }) 76 + 77 + var plan string 78 + err = huh.NewSelect[string](). 79 + Title("Select a plan"). 80 + Options(opts...). 81 + Value(&plan). 82 + Run() 83 + if err != nil { 84 + return "", err 85 + } 86 + 87 + return plan, nil 88 + }

+856

deploy/upcloud/provision.go

··· 1 + package main 2 + 3 + import ( 4 + "bufio" 5 + "context" 6 + "crypto/sha256" 7 + "fmt" 8 + "os" 9 + "strings" 10 + "time" 11 + 12 + "github.com/UpCloudLtd/upcloud-go-api/v8/upcloud" 13 + "github.com/UpCloudLtd/upcloud-go-api/v8/upcloud/request" 14 + "github.com/UpCloudLtd/upcloud-go-api/v8/upcloud/service" 15 + "github.com/spf13/cobra" 16 + ) 17 + 18 + var provisionCmd = &cobra.Command{ 19 + Use: "provision", 20 + Short: "Create all infrastructure (servers, network, LB, firewall)", 21 + RunE: func(cmd *cobra.Command, args []string) error { 22 + token, _ := cmd.Root().PersistentFlags().GetString("token") 23 + zone, _ := cmd.Flags().GetString("zone") 24 + plan, _ := cmd.Flags().GetString("plan") 25 + sshKey, _ := cmd.Flags().GetString("ssh-key") 26 + s3Secret, _ := cmd.Flags().GetString("s3-secret") 27 + return cmdProvision(token, zone, plan, sshKey, s3Secret) 28 + }, 29 + } 30 + 31 + func init() { 32 + provisionCmd.Flags().String("zone", "", "UpCloud zone (interactive picker if omitted)") 33 + provisionCmd.Flags().String("plan", "", "Server plan (interactive picker if omitted)") 34 + provisionCmd.Flags().String("ssh-key", "", "Path to SSH public key file (required)") 35 + provisionCmd.Flags().String("s3-secret", "", "S3 secret access key (for existing object storage)") 36 + provisionCmd.MarkFlagRequired("ssh-key") 37 + rootCmd.AddCommand(provisionCmd) 38 + } 39 + 40 + func cmdProvision(token, zone, plan, sshKeyPath, s3Secret string) error { 41 + cfg, err := loadConfig(zone, plan, sshKeyPath, s3Secret) 42 + if err != nil { 43 + return err 44 + } 45 + 46 + naming := cfg.Naming() 47 + 48 + svc, err := newService(token) 49 + if err != nil { 50 + return err 51 + } 52 + 53 + ctx, cancel := context.WithTimeout(context.Background(), 15*time.Minute) 54 + defer cancel() 55 + 56 + // Load existing state or start fresh 57 + state, err := loadState() 58 + if err != nil { 59 + state = &InfraState{} 60 + } 61 + 62 + // Use zone from state if not provided via flags 63 + if cfg.Zone == "" && state.Zone != "" { 64 + cfg.Zone = state.Zone 65 + } 66 + 67 + // Only need interactive picker if we still need to create resources 68 + needsServers := state.Appview.UUID == "" || state.Hold.UUID == "" 69 + if cfg.Zone == "" || (needsServers && cfg.Plan == "") { 70 + if err := resolveInteractive(ctx, svc, cfg); err != nil { 71 + return err 72 + } 73 + } 74 + 75 + if state.Zone == "" { 76 + state.Zone = cfg.Zone 77 + } 78 + state.ClientName = cfg.ClientName 79 + state.RepoBranch = cfg.RepoBranch 80 + 81 + goVersion, err := requiredGoVersion() 82 + if err != nil { 83 + return err 84 + } 85 + 86 + fmt.Printf("Provisioning %s infrastructure in zone %s...\n", naming.DisplayName(), cfg.Zone) 87 + fmt.Printf("Go version: %s (from go.mod)\n", goVersion) 88 + if needsServers { 89 + fmt.Printf("Server plan: %s\n", cfg.Plan) 90 + } 91 + fmt.Println() 92 + 93 + // S3 secret key — from flag for existing storage, from API for new 94 + s3SecretKey := cfg.S3SecretKey 95 + 96 + // 1. Object storage 97 + if state.ObjectStorage.UUID != "" { 98 + fmt.Printf("Object storage: %s (exists)\n", state.ObjectStorage.UUID) 99 + // Refresh discoverable fields if missing (e.g. pre-seeded UUID only) 100 + if state.ObjectStorage.Endpoint == "" || state.ObjectStorage.Bucket == "" { 101 + fmt.Println(" Discovering endpoint, bucket, access key...") 102 + discovered, err := lookupObjectStorage(ctx, svc, state.ObjectStorage.UUID) 103 + if err != nil { 104 + return err 105 + } 106 + state.ObjectStorage.Endpoint = discovered.Endpoint 107 + state.ObjectStorage.Region = discovered.Region 108 + if discovered.Bucket != "" { 109 + state.ObjectStorage.Bucket = discovered.Bucket 110 + } 111 + if discovered.AccessKeyID != "" { 112 + state.ObjectStorage.AccessKeyID = discovered.AccessKeyID 113 + } 114 + saveState(state) 115 + } 116 + } else { 117 + fmt.Println("Creating object storage...") 118 + objState, secretKey, err := provisionObjectStorage(ctx, svc, cfg.Zone, naming.S3Name()) 119 + if err != nil { 120 + return fmt.Errorf("object storage: %w", err) 121 + } 122 + state.ObjectStorage = objState 123 + s3SecretKey = secretKey 124 + saveState(state) 125 + fmt.Printf(" S3 Secret Key: %s\n", secretKey) 126 + } 127 + 128 + fmt.Printf(" Endpoint: %s\n", state.ObjectStorage.Endpoint) 129 + fmt.Printf(" Region: %s\n", state.ObjectStorage.Region) 130 + fmt.Printf(" Bucket: %s\n", state.ObjectStorage.Bucket) 131 + fmt.Printf(" Access Key: %s\n\n", state.ObjectStorage.AccessKeyID) 132 + 133 + // Hold domain is zone-based (e.g. us-chi1.cove.seamark.dev) 134 + holdDomain := cfg.Zone + ".cove." + cfg.BaseDomain 135 + 136 + // Build config template values 137 + vals := &ConfigValues{ 138 + S3Endpoint: state.ObjectStorage.Endpoint, 139 + S3Region: state.ObjectStorage.Region, 140 + S3Bucket: state.ObjectStorage.Bucket, 141 + S3AccessKey: state.ObjectStorage.AccessKeyID, 142 + S3SecretKey: s3SecretKey, 143 + Zone: cfg.Zone, 144 + HoldDomain: holdDomain, 145 + HoldDid: "did:web:" + holdDomain, 146 + BasePath: naming.BasePath(), 147 + } 148 + 149 + // 2. Private network 150 + if state.Network.UUID != "" { 151 + fmt.Printf("Network: %s (exists)\n", state.Network.UUID) 152 + } else { 153 + fmt.Println("Creating private network...") 154 + network, err := svc.CreateNetwork(ctx, &request.CreateNetworkRequest{ 155 + Name: naming.NetworkName(), 156 + Zone: cfg.Zone, 157 + IPNetworks: upcloud.IPNetworkSlice{ 158 + { 159 + Address: privateNetworkCIDR, 160 + DHCP: upcloud.True, 161 + DHCPDefaultRoute: upcloud.False, 162 + DHCPDns: []string{"8.8.8.8", "1.1.1.1"}, 163 + Family: upcloud.IPAddressFamilyIPv4, 164 + Gateway: "", 165 + }, 166 + }, 167 + }) 168 + if err != nil { 169 + return fmt.Errorf("create network: %w", err) 170 + } 171 + state.Network = StateRef{UUID: network.UUID} 172 + saveState(state) 173 + fmt.Printf(" Network: %s (%s)\n", network.UUID, privateNetworkCIDR) 174 + } 175 + 176 + // Find Debian template (needed for server creation) 177 + templateUUID, err := findDebianTemplate(ctx, svc) 178 + if err != nil { 179 + return err 180 + } 181 + 182 + // 3. Appview server 183 + if state.Appview.UUID != "" { 184 + fmt.Printf("Appview: %s (exists)\n", state.Appview.UUID) 185 + appviewScript, err := generateAppviewCloudInit(cfg, vals, goVersion) 186 + if err != nil { 187 + return err 188 + } 189 + if err := syncCloudInit("appview", state.Appview.PublicIP, appviewScript); err != nil { 190 + return err 191 + } 192 + } else { 193 + fmt.Println("Creating appview server...") 194 + appviewUserData, err := generateAppviewCloudInit(cfg, vals, goVersion) 195 + if err != nil { 196 + return err 197 + } 198 + appview, err := createServer(ctx, svc, cfg, templateUUID, state.Network.UUID, naming.Appview(), appviewUserData) 199 + if err != nil { 200 + return fmt.Errorf("create appview: %w", err) 201 + } 202 + state.Appview = *appview 203 + saveState(state) 204 + fmt.Printf(" Appview: %s (public: %s, private: %s)\n", appview.UUID, appview.PublicIP, appview.PrivateIP) 205 + } 206 + 207 + // 4. Hold server 208 + if state.Hold.UUID != "" { 209 + fmt.Printf("Hold: %s (exists)\n", state.Hold.UUID) 210 + holdScript, err := generateHoldCloudInit(cfg, vals, goVersion) 211 + if err != nil { 212 + return err 213 + } 214 + if err := syncCloudInit("hold", state.Hold.PublicIP, holdScript); err != nil { 215 + return err 216 + } 217 + } else { 218 + fmt.Println("Creating hold server...") 219 + holdUserData, err := generateHoldCloudInit(cfg, vals, goVersion) 220 + if err != nil { 221 + return err 222 + } 223 + hold, err := createServer(ctx, svc, cfg, templateUUID, state.Network.UUID, naming.Hold(), holdUserData) 224 + if err != nil { 225 + return fmt.Errorf("create hold: %w", err) 226 + } 227 + state.Hold = *hold 228 + saveState(state) 229 + fmt.Printf(" Hold: %s (public: %s, private: %s)\n", hold.UUID, hold.PublicIP, hold.PrivateIP) 230 + } 231 + 232 + // 5. Firewall rules (idempotent — replaces all rules) 233 + fmt.Println("Configuring firewall rules...") 234 + for _, s := range []struct { 235 + name string 236 + uuid string 237 + }{ 238 + {"appview", state.Appview.UUID}, 239 + {"hold", state.Hold.UUID}, 240 + } { 241 + if err := createFirewallRules(ctx, svc, s.uuid, privateNetworkCIDR); err != nil { 242 + return fmt.Errorf("firewall %s: %w", s.name, err) 243 + } 244 + } 245 + 246 + // 6. Load balancer 247 + if state.LB.UUID != "" { 248 + fmt.Printf("Load balancer: %s (exists)\n", state.LB.UUID) 249 + } else { 250 + fmt.Println("Creating load balancer (Essentials tier)...") 251 + lb, err := createLoadBalancer(ctx, svc, cfg, naming, state.Network.UUID, state.Appview.PrivateIP, state.Hold.PrivateIP, holdDomain) 252 + if err != nil { 253 + return fmt.Errorf("create LB: %w", err) 254 + } 255 + state.LB = StateRef{UUID: lb.UUID} 256 + saveState(state) 257 + } 258 + 259 + // Always reconcile TLS certs (handles partial failures and re-runs) 260 + tlsDomains := []string{cfg.BaseDomain} 261 + tlsDomains = append(tlsDomains, cfg.RegistryDomains...) 262 + tlsDomains = append(tlsDomains, holdDomain) 263 + if err := ensureLBCertificates(ctx, svc, state.LB.UUID, tlsDomains); err != nil { 264 + return fmt.Errorf("LB certificates: %w", err) 265 + } 266 + 267 + // Fetch LB DNS name for output 268 + lbDNS := "" 269 + if state.LB.UUID != "" { 270 + lb, err := svc.GetLoadBalancer(ctx, &request.GetLoadBalancerRequest{UUID: state.LB.UUID}) 271 + if err == nil { 272 + for _, n := range lb.Networks { 273 + if n.Type == upcloud.LoadBalancerNetworkTypePublic { 274 + lbDNS = n.DNSName 275 + } 276 + } 277 + } 278 + } 279 + 280 + fmt.Println("\n=== Provisioning Complete ===") 281 + fmt.Println() 282 + fmt.Println("DNS records needed:") 283 + if lbDNS != "" { 284 + fmt.Printf(" CNAME %-24s → %s\n", cfg.BaseDomain, lbDNS) 285 + for _, rd := range cfg.RegistryDomains { 286 + fmt.Printf(" CNAME %-24s → %s\n", rd, lbDNS) 287 + } 288 + fmt.Printf(" CNAME %-24s → %s\n", holdDomain, lbDNS) 289 + } else { 290 + fmt.Println(" (LB DNS name not yet available — check 'status' in a few minutes)") 291 + } 292 + fmt.Println() 293 + fmt.Println("SSH access:") 294 + fmt.Printf(" ssh root@%s # appview\n", state.Appview.PublicIP) 295 + fmt.Printf(" ssh root@%s # hold\n", state.Hold.PublicIP) 296 + fmt.Println() 297 + fmt.Println("Next steps:") 298 + fmt.Println(" 1. Wait ~5 min for cloud-init to complete") 299 + fmt.Printf(" 2. systemctl start %s / %s\n", naming.Appview(), naming.Hold()) 300 + fmt.Println(" 3. Configure DNS records above") 301 + 302 + return nil 303 + } 304 + 305 + // provisionObjectStorage creates a new Managed Object Storage with a user, access key, and bucket. 306 + // Returns the state and the secret key separately (only available at creation time). 307 + func provisionObjectStorage(ctx context.Context, svc *service.Service, zone, s3Name string) (ObjectStorageState, string, error) { 308 + // Map compute zone to object storage region (e.g. us-chi1 → us-east-1) 309 + region := objectStorageRegion(zone) 310 + 311 + storage, err := svc.CreateManagedObjectStorage(ctx, &request.CreateManagedObjectStorageRequest{ 312 + Name: s3Name, 313 + Region: region, 314 + ConfiguredStatus: upcloud.ManagedObjectStorageConfiguredStatusStarted, 315 + Networks: []upcloud.ManagedObjectStorageNetwork{ 316 + { 317 + Family: upcloud.IPAddressFamilyIPv4, 318 + Name: "public", 319 + Type: "public", 320 + }, 321 + }, 322 + }) 323 + if err != nil { 324 + return ObjectStorageState{}, "", fmt.Errorf("create storage: %w", err) 325 + } 326 + fmt.Printf(" Created: %s (region: %s)\n", storage.UUID, region) 327 + 328 + // Find endpoint 329 + var endpoint string 330 + for _, ep := range storage.Endpoints { 331 + if ep.DomainName != "" { 332 + endpoint = "https://" + ep.DomainName 333 + break 334 + } 335 + } 336 + 337 + // Create user 338 + _, err = svc.CreateManagedObjectStorageUser(ctx, &request.CreateManagedObjectStorageUserRequest{ 339 + ServiceUUID: storage.UUID, 340 + Username: s3Name, 341 + }) 342 + if err != nil { 343 + return ObjectStorageState{}, "", fmt.Errorf("create user: %w", err) 344 + } 345 + 346 + // Attach admin policy 347 + err = svc.AttachManagedObjectStorageUserPolicy(ctx, &request.AttachManagedObjectStorageUserPolicyRequest{ 348 + ServiceUUID: storage.UUID, 349 + Username: s3Name, 350 + Name: "admin", 351 + }) 352 + if err != nil { 353 + return ObjectStorageState{}, "", fmt.Errorf("attach policy: %w", err) 354 + } 355 + 356 + // Create access key (secret is only returned here) 357 + accessKey, err := svc.CreateManagedObjectStorageUserAccessKey(ctx, &request.CreateManagedObjectStorageUserAccessKeyRequest{ 358 + ServiceUUID: storage.UUID, 359 + Username: s3Name, 360 + }) 361 + if err != nil { 362 + return ObjectStorageState{}, "", fmt.Errorf("create access key: %w", err) 363 + } 364 + 365 + secretKey := "" 366 + if accessKey.SecretAccessKey != nil { 367 + secretKey = *accessKey.SecretAccessKey 368 + } 369 + 370 + // Create bucket 371 + _, err = svc.CreateManagedObjectStorageBucket(ctx, &request.CreateManagedObjectStorageBucketRequest{ 372 + ServiceUUID: storage.UUID, 373 + Name: s3Name, 374 + }) 375 + if err != nil { 376 + return ObjectStorageState{}, "", fmt.Errorf("create bucket: %w", err) 377 + } 378 + 379 + return ObjectStorageState{ 380 + UUID: storage.UUID, 381 + Endpoint: endpoint, 382 + Region: region, 383 + Bucket: s3Name, 384 + AccessKeyID: accessKey.AccessKeyID, 385 + }, secretKey, nil 386 + } 387 + 388 + // objectStorageRegion maps a compute zone to the nearest object storage region. 389 + func objectStorageRegion(zone string) string { 390 + switch { 391 + case strings.HasPrefix(zone, "us-"): 392 + return "us-east-1" 393 + case strings.HasPrefix(zone, "de-"): 394 + return "europe-1" 395 + case strings.HasPrefix(zone, "fi-"): 396 + return "europe-1" 397 + case strings.HasPrefix(zone, "nl-"): 398 + return "europe-1" 399 + case strings.HasPrefix(zone, "es-"): 400 + return "europe-1" 401 + case strings.HasPrefix(zone, "pl-"): 402 + return "europe-1" 403 + case strings.HasPrefix(zone, "se-"): 404 + return "europe-1" 405 + case strings.HasPrefix(zone, "au-"): 406 + return "australia-1" 407 + case strings.HasPrefix(zone, "sg-"): 408 + return "singapore-1" 409 + default: 410 + return "us-east-1" 411 + } 412 + } 413 + 414 + func createServer(ctx context.Context, svc *service.Service, cfg *InfraConfig, templateUUID, networkUUID, title, userData string) (*ServerState, error) { 415 + storageTier := "maxiops" 416 + if strings.HasPrefix(strings.ToUpper(cfg.Plan), "DEV-") { 417 + storageTier = "standard" 418 + } 419 + 420 + // Look up the plan's storage size from the API instead of hardcoding. 421 + diskSize := 25 // fallback 422 + plans, err := svc.GetPlans(ctx) 423 + if err == nil { 424 + for _, p := range plans.Plans { 425 + if p.Name == cfg.Plan { 426 + diskSize = p.StorageSize 427 + break 428 + } 429 + } 430 + } 431 + 432 + details, err := svc.CreateServer(ctx, &request.CreateServerRequest{ 433 + Zone: cfg.Zone, 434 + Title: title, 435 + Hostname: title, 436 + Plan: cfg.Plan, 437 + Metadata: upcloud.True, 438 + UserData: userData, 439 + Firewall: "on", 440 + PasswordDelivery: "none", 441 + StorageDevices: request.CreateServerStorageDeviceSlice{ 442 + { 443 + Action: "clone", 444 + Storage: templateUUID, 445 + Title: title + "-disk", 446 + Size: diskSize, 447 + Tier: storageTier, 448 + }, 449 + }, 450 + Networking: &request.CreateServerNetworking{ 451 + Interfaces: request.CreateServerInterfaceSlice{ 452 + { 453 + Index: 1, 454 + Type: upcloud.IPAddressAccessPublic, 455 + IPAddresses: request.CreateServerIPAddressSlice{ 456 + {Family: upcloud.IPAddressFamilyIPv4}, 457 + }, 458 + }, 459 + { 460 + Index: 2, 461 + Type: upcloud.IPAddressAccessPrivate, 462 + Network: networkUUID, 463 + IPAddresses: request.CreateServerIPAddressSlice{ 464 + {Family: upcloud.IPAddressFamilyIPv4}, 465 + }, 466 + }, 467 + }, 468 + }, 469 + LoginUser: &request.LoginUser{ 470 + CreatePassword: "no", 471 + SSHKeys: request.SSHKeySlice{cfg.SSHPublicKey}, 472 + }, 473 + }) 474 + if err != nil { 475 + return nil, err 476 + } 477 + 478 + fmt.Printf(" Waiting for server %s to start...\n", details.UUID) 479 + details, err = svc.WaitForServerState(ctx, &request.WaitForServerStateRequest{ 480 + UUID: details.UUID, 481 + DesiredState: upcloud.ServerStateStarted, 482 + }) 483 + if err != nil { 484 + return nil, fmt.Errorf("wait for server: %w", err) 485 + } 486 + 487 + s := &ServerState{UUID: details.UUID} 488 + for _, iface := range details.Networking.Interfaces { 489 + for _, addr := range iface.IPAddresses { 490 + if addr.Family == upcloud.IPAddressFamilyIPv4 { 491 + switch iface.Type { 492 + case upcloud.IPAddressAccessPublic: 493 + s.PublicIP = addr.Address 494 + case upcloud.IPAddressAccessPrivate: 495 + s.PrivateIP = addr.Address 496 + } 497 + } 498 + } 499 + } 500 + 501 + return s, nil 502 + } 503 + 504 + func createFirewallRules(ctx context.Context, svc *service.Service, serverUUID, privateCIDR string) error { 505 + networkBase := strings.TrimSuffix(privateCIDR, "/24") 506 + networkBase = strings.TrimSuffix(networkBase, ".0") 507 + 508 + return svc.CreateFirewallRules(ctx, &request.CreateFirewallRulesRequest{ 509 + ServerUUID: serverUUID, 510 + FirewallRules: request.FirewallRuleSlice{ 511 + { 512 + Direction: upcloud.FirewallRuleDirectionIn, 513 + Action: upcloud.FirewallRuleActionAccept, 514 + Family: upcloud.IPAddressFamilyIPv4, 515 + Protocol: upcloud.FirewallRuleProtocolTCP, 516 + DestinationPortStart: "22", 517 + DestinationPortEnd: "22", 518 + Position: 1, 519 + Comment: "Allow SSH", 520 + }, 521 + { 522 + Direction: upcloud.FirewallRuleDirectionIn, 523 + Action: upcloud.FirewallRuleActionAccept, 524 + Family: upcloud.IPAddressFamilyIPv4, 525 + SourceAddressStart: networkBase + ".0", 526 + SourceAddressEnd: networkBase + ".255", 527 + Position: 2, 528 + Comment: "Allow private network", 529 + }, 530 + { 531 + Direction: upcloud.FirewallRuleDirectionIn, 532 + Action: upcloud.FirewallRuleActionDrop, 533 + Position: 3, 534 + Comment: "Drop all other inbound", 535 + }, 536 + }, 537 + }) 538 + } 539 + 540 + func createLoadBalancer(ctx context.Context, svc *service.Service, cfg *InfraConfig, naming Naming, networkUUID, appviewIP, holdIP, holdDomain string) (*upcloud.LoadBalancer, error) { 541 + lb, err := svc.CreateLoadBalancer(ctx, &request.CreateLoadBalancerRequest{ 542 + Name: naming.LBName(), 543 + Plan: "essentials", 544 + Zone: cfg.Zone, 545 + ConfiguredStatus: upcloud.LoadBalancerConfiguredStatusStarted, 546 + Networks: []request.LoadBalancerNetwork{ 547 + { 548 + Name: "public", 549 + Type: upcloud.LoadBalancerNetworkTypePublic, 550 + Family: upcloud.LoadBalancerAddressFamilyIPv4, 551 + }, 552 + { 553 + Name: "private", 554 + Type: upcloud.LoadBalancerNetworkTypePrivate, 555 + Family: upcloud.LoadBalancerAddressFamilyIPv4, 556 + UUID: networkUUID, 557 + }, 558 + }, 559 + Frontends: []request.LoadBalancerFrontend{ 560 + { 561 + Name: "https", 562 + Mode: upcloud.LoadBalancerModeHTTP, 563 + Port: 443, 564 + DefaultBackend: "appview", 565 + Networks: []upcloud.LoadBalancerFrontendNetwork{ 566 + {Name: "public"}, 567 + }, 568 + Rules: []request.LoadBalancerFrontendRule{ 569 + { 570 + Name: "route-hold", 571 + Priority: 10, 572 + Matchers: []upcloud.LoadBalancerMatcher{ 573 + { 574 + Type: upcloud.LoadBalancerMatcherTypeHost, 575 + Host: &upcloud.LoadBalancerMatcherHost{ 576 + Value: holdDomain, 577 + }, 578 + }, 579 + }, 580 + Actions: []upcloud.LoadBalancerAction{ 581 + { 582 + Type: upcloud.LoadBalancerActionTypeUseBackend, 583 + UseBackend: &upcloud.LoadBalancerActionUseBackend{ 584 + Backend: "hold", 585 + }, 586 + }, 587 + }, 588 + }, 589 + }, 590 + }, 591 + { 592 + Name: "http-redirect", 593 + Mode: upcloud.LoadBalancerModeHTTP, 594 + Port: 80, 595 + DefaultBackend: "appview", 596 + Networks: []upcloud.LoadBalancerFrontendNetwork{ 597 + {Name: "public"}, 598 + }, 599 + Rules: []request.LoadBalancerFrontendRule{ 600 + { 601 + Name: "redirect-https", 602 + Priority: 10, 603 + Matchers: []upcloud.LoadBalancerMatcher{ 604 + { 605 + Type: upcloud.LoadBalancerMatcherTypeSrcPort, 606 + SrcPort: &upcloud.LoadBalancerMatcherInteger{ 607 + Method: upcloud.LoadBalancerIntegerMatcherMethodEqual, 608 + Value: 80, 609 + }, 610 + }, 611 + }, 612 + Actions: []upcloud.LoadBalancerAction{ 613 + { 614 + Type: upcloud.LoadBalancerActionTypeHTTPRedirect, 615 + HTTPRedirect: &upcloud.LoadBalancerActionHTTPRedirect{ 616 + Scheme: upcloud.LoadBalancerActionHTTPRedirectSchemeHTTPS, 617 + }, 618 + }, 619 + }, 620 + }, 621 + }, 622 + }, 623 + }, 624 + Resolvers: []request.LoadBalancerResolver{}, 625 + Backends: []request.LoadBalancerBackend{ 626 + { 627 + Name: "appview", 628 + Members: []request.LoadBalancerBackendMember{ 629 + { 630 + Name: "appview-1", 631 + Type: upcloud.LoadBalancerBackendMemberTypeStatic, 632 + IP: appviewIP, 633 + Port: 5000, 634 + Weight: 100, 635 + MaxSessions: 1000, 636 + Enabled: true, 637 + }, 638 + }, 639 + Properties: &upcloud.LoadBalancerBackendProperties{ 640 + HealthCheckType: upcloud.LoadBalancerHealthCheckTypeHTTP, 641 + HealthCheckURL: "/health", 642 + }, 643 + }, 644 + { 645 + Name: "hold", 646 + Members: []request.LoadBalancerBackendMember{ 647 + { 648 + Name: "hold-1", 649 + Type: upcloud.LoadBalancerBackendMemberTypeStatic, 650 + IP: holdIP, 651 + Port: 8080, 652 + Weight: 100, 653 + MaxSessions: 1000, 654 + Enabled: true, 655 + }, 656 + }, 657 + Properties: &upcloud.LoadBalancerBackendProperties{ 658 + HealthCheckType: upcloud.LoadBalancerHealthCheckTypeHTTP, 659 + HealthCheckURL: "/xrpc/_health", 660 + }, 661 + }, 662 + }, 663 + }) 664 + if err != nil { 665 + return nil, err 666 + } 667 + 668 + return lb, nil 669 + } 670 + 671 + // ensureLBCertificates reconciles TLS certificate bundles on the load balancer. 672 + // It skips domains that already have a TLS config attached and creates missing ones. 673 + func ensureLBCertificates(ctx context.Context, svc *service.Service, lbUUID string, tlsDomains []string) error { 674 + lb, err := svc.GetLoadBalancer(ctx, &request.GetLoadBalancerRequest{UUID: lbUUID}) 675 + if err != nil { 676 + return fmt.Errorf("get load balancer: %w", err) 677 + } 678 + 679 + // Build set of existing TLS config names on the "https" frontend 680 + existing := make(map[string]bool) 681 + for _, fe := range lb.Frontends { 682 + if fe.Name == "https" { 683 + for _, tc := range fe.TLSConfigs { 684 + existing[tc.Name] = true 685 + } 686 + } 687 + } 688 + 689 + for _, domain := range tlsDomains { 690 + certName := "tls-" + strings.ReplaceAll(domain, ".", "-") 691 + if existing[certName] { 692 + fmt.Printf(" TLS certificate: %s (exists)\n", domain) 693 + continue 694 + } 695 + 696 + bundle, err := svc.CreateLoadBalancerCertificateBundle(ctx, &request.CreateLoadBalancerCertificateBundleRequest{ 697 + Type: upcloud.LoadBalancerCertificateBundleTypeDynamic, 698 + Name: certName, 699 + KeyType: "ecdsa", 700 + Hostnames: []string{domain}, 701 + }) 702 + if err != nil { 703 + return fmt.Errorf("create TLS cert for %s: %w", domain, err) 704 + } 705 + 706 + _, err = svc.CreateLoadBalancerFrontendTLSConfig(ctx, &request.CreateLoadBalancerFrontendTLSConfigRequest{ 707 + ServiceUUID: lbUUID, 708 + FrontendName: "https", 709 + Config: request.LoadBalancerFrontendTLSConfig{ 710 + Name: certName, 711 + CertificateBundleUUID: bundle.UUID, 712 + }, 713 + }) 714 + if err != nil { 715 + return fmt.Errorf("attach TLS cert %s to frontend: %w", domain, err) 716 + } 717 + fmt.Printf(" TLS certificate: %s\n", domain) 718 + } 719 + 720 + return nil 721 + } 722 + 723 + // lookupObjectStorage discovers details of an existing Managed Object Storage. 724 + func lookupObjectStorage(ctx context.Context, svc *service.Service, uuid string) (ObjectStorageState, error) { 725 + storage, err := svc.GetManagedObjectStorage(ctx, &request.GetManagedObjectStorageRequest{ 726 + UUID: uuid, 727 + }) 728 + if err != nil { 729 + return ObjectStorageState{}, fmt.Errorf("get object storage %s: %w", uuid, err) 730 + } 731 + 732 + var endpoint string 733 + for _, ep := range storage.Endpoints { 734 + if ep.DomainName != "" { 735 + endpoint = "https://" + ep.DomainName 736 + break 737 + } 738 + } 739 + 740 + var bucket string 741 + buckets, err := svc.GetManagedObjectStorageBucketMetrics(ctx, &request.GetManagedObjectStorageBucketMetricsRequest{ 742 + ServiceUUID: uuid, 743 + }) 744 + if err == nil { 745 + for _, b := range buckets { 746 + if !b.Deleted { 747 + bucket = b.Name 748 + break 749 + } 750 + } 751 + } 752 + 753 + var accessKeyID string 754 + users, err := svc.GetManagedObjectStorageUsers(ctx, &request.GetManagedObjectStorageUsersRequest{ 755 + ServiceUUID: uuid, 756 + }) 757 + if err == nil { 758 + for _, u := range users { 759 + for _, k := range u.AccessKeys { 760 + if k.Status == "Active" { 761 + accessKeyID = k.AccessKeyID 762 + break 763 + } 764 + } 765 + if accessKeyID != "" { 766 + break 767 + } 768 + } 769 + } 770 + 771 + return ObjectStorageState{ 772 + UUID: uuid, 773 + Endpoint: endpoint, 774 + Region: storage.Region, 775 + Bucket: bucket, 776 + AccessKeyID: accessKeyID, 777 + }, nil 778 + } 779 + 780 + func findDebianTemplate(ctx context.Context, svc *service.Service) (string, error) { 781 + storages, err := svc.GetStorages(ctx, &request.GetStoragesRequest{ 782 + Type: "template", 783 + }) 784 + if err != nil { 785 + return "", fmt.Errorf("list templates: %w", err) 786 + } 787 + 788 + var debian13, debian12 string 789 + for _, s := range storages.Storages { 790 + title := strings.ToLower(s.Title) 791 + if strings.Contains(title, "debian") { 792 + if strings.Contains(title, "13") || strings.Contains(title, "trixie") { 793 + debian13 = s.UUID 794 + } else if strings.Contains(title, "12") || strings.Contains(title, "bookworm") { 795 + debian12 = s.UUID 796 + } 797 + } 798 + } 799 + 800 + if debian13 != "" { 801 + return debian13, nil 802 + } 803 + if debian12 != "" { 804 + fmt.Println(" Debian 13 not available, using Debian 12") 805 + return debian12, nil 806 + } 807 + 808 + return "", fmt.Errorf("no Debian template found — check UpCloud template list") 809 + } 810 + 811 + const cloudInitPath = "/var/lib/cloud/instance/scripts/part-001" 812 + 813 + // syncCloudInit compares a locally-generated cloud-init script against what's 814 + // on the server. If they differ (or the remote is missing), it prompts the 815 + // user and re-runs the script over SSH. 816 + func syncCloudInit(name, ip, localScript string) error { 817 + // Fetch the remote script 818 + remoteScript, err := runSSH(ip, fmt.Sprintf("cat %s 2>/dev/null || echo '__MISSING__'", cloudInitPath), false) 819 + if err != nil { 820 + fmt.Printf(" cloud-init: could not reach %s (%v)\n", name, err) 821 + return nil 822 + } 823 + remoteScript = strings.TrimSpace(remoteScript) 824 + 825 + if remoteScript == "__MISSING__" { 826 + fmt.Printf(" cloud-init: not found on %s (server may need initial setup)\n", name) 827 + } else { 828 + localHash := fmt.Sprintf("%x", sha256.Sum256([]byte(localScript))) 829 + remoteHash := fmt.Sprintf("%x", sha256.Sum256([]byte(remoteScript))) 830 + if localHash == remoteHash { 831 + fmt.Printf(" cloud-init: up to date\n") 832 + return nil 833 + } 834 + fmt.Printf(" cloud-init: differs from local\n") 835 + } 836 + 837 + fmt.Printf(" Re-run cloud-init on %s? [Y/n] ", name) 838 + scanner := bufio.NewScanner(os.Stdin) 839 + scanner.Scan() 840 + answer := strings.TrimSpace(strings.ToLower(scanner.Text())) 841 + if answer != "" && answer != "y" && answer != "yes" { 842 + fmt.Printf(" Skipped\n") 843 + return nil 844 + } 845 + 846 + fmt.Printf(" Running cloud-init on %s (%s)... (this may take several minutes)\n", name, ip) 847 + output, err := runSSH(ip, localScript, true) 848 + if err != nil { 849 + fmt.Printf(" ERROR: %v\n", err) 850 + fmt.Printf(" Output:\n%s\n", output) 851 + return fmt.Errorf("cloud-init %s failed", name) 852 + } 853 + 854 + fmt.Printf(" %s: cloud-init complete\n", name) 855 + return nil 856 + }

+91

deploy/upcloud/state.go

··· 1 + package main 2 + 3 + import ( 4 + "encoding/json" 5 + "fmt" 6 + "os" 7 + "path/filepath" 8 + "runtime" 9 + ) 10 + 11 + // InfraState persists infrastructure resource UUIDs between commands. 12 + type InfraState struct { 13 + Zone string `json:"zone"` 14 + ClientName string `json:"client_name,omitempty"` 15 + RepoBranch string `json:"repo_branch,omitempty"` 16 + Network StateRef `json:"network"` 17 + Appview ServerState `json:"appview"` 18 + Hold ServerState `json:"hold"` 19 + LB StateRef `json:"loadbalancer"` 20 + ObjectStorage ObjectStorageState `json:"object_storage"` 21 + } 22 + 23 + // Naming returns a Naming helper, defaulting to "seamark" if ClientName is empty. 24 + func (s *InfraState) Naming() Naming { 25 + name := s.ClientName 26 + if name == "" { 27 + name = "seamark" 28 + } 29 + return Naming{ClientName: name} 30 + } 31 + 32 + // Branch returns the repo branch, defaulting to "main" if empty. 33 + func (s *InfraState) Branch() string { 34 + if s.RepoBranch == "" { 35 + return "main" 36 + } 37 + return s.RepoBranch 38 + } 39 + 40 + type StateRef struct { 41 + UUID string `json:"uuid"` 42 + } 43 + 44 + type ServerState struct { 45 + UUID string `json:"server_uuid"` 46 + PublicIP string `json:"public_ip"` 47 + PrivateIP string `json:"private_ip"` 48 + } 49 + 50 + type ObjectStorageState struct { 51 + UUID string `json:"uuid"` 52 + Endpoint string `json:"endpoint"` 53 + Region string `json:"region"` 54 + Bucket string `json:"bucket"` 55 + AccessKeyID string `json:"access_key_id"` 56 + } 57 + 58 + func statePath() string { 59 + _, thisFile, _, _ := runtime.Caller(0) 60 + return filepath.Join(filepath.Dir(thisFile), "state.json") 61 + } 62 + 63 + func loadState() (*InfraState, error) { 64 + data, err := os.ReadFile(statePath()) 65 + if err != nil { 66 + return nil, fmt.Errorf("read state.json: %w (run 'provision' first)", err) 67 + } 68 + var st InfraState 69 + if err := json.Unmarshal(data, &st); err != nil { 70 + return nil, fmt.Errorf("parse state.json: %w", err) 71 + } 72 + return &st, nil 73 + } 74 + 75 + func saveState(st *InfraState) error { 76 + data, err := json.MarshalIndent(st, "", " ") 77 + if err != nil { 78 + return fmt.Errorf("marshal state: %w", err) 79 + } 80 + if err := os.WriteFile(statePath(), data, 0644); err != nil { 81 + return fmt.Errorf("write state.json: %w", err) 82 + } 83 + return nil 84 + } 85 + 86 + func deleteState() error { 87 + if err := os.Remove(statePath()); err != nil && !os.IsNotExist(err) { 88 + return fmt.Errorf("remove state.json: %w", err) 89 + } 90 + return nil 91 + }

+120

deploy/upcloud/status.go

··· 1 + package main 2 + 3 + import ( 4 + "context" 5 + "fmt" 6 + "strings" 7 + "time" 8 + 9 + "github.com/UpCloudLtd/upcloud-go-api/v8/upcloud/request" 10 + "github.com/spf13/cobra" 11 + ) 12 + 13 + var statusCmd = &cobra.Command{ 14 + Use: "status", 15 + Short: "Show infrastructure state and health", 16 + Args: cobra.NoArgs, 17 + RunE: func(cmd *cobra.Command, args []string) error { 18 + token, _ := cmd.Root().PersistentFlags().GetString("token") 19 + return cmdStatus(token) 20 + }, 21 + } 22 + 23 + func init() { 24 + rootCmd.AddCommand(statusCmd) 25 + } 26 + 27 + func cmdStatus(token string) error { 28 + state, err := loadState() 29 + if err != nil { 30 + return err 31 + } 32 + 33 + naming := state.Naming() 34 + 35 + svc, err := newService(token) 36 + if err != nil { 37 + return err 38 + } 39 + 40 + ctx, cancel := context.WithTimeout(context.Background(), 30*time.Second) 41 + defer cancel() 42 + 43 + fmt.Printf("Zone: %s\n\n", state.Zone) 44 + 45 + // Server status 46 + for _, s := range []struct { 47 + name string 48 + ss ServerState 49 + serviceName string 50 + healthURL string 51 + }{ 52 + {"Appview", state.Appview, naming.Appview(), "http://localhost:5000/health"}, 53 + {"Hold", state.Hold, naming.Hold(), "http://localhost:8080/xrpc/_health"}, 54 + } { 55 + fmt.Printf("%-8s UUID: %s\n", s.name, s.ss.UUID) 56 + fmt.Printf(" Public: %s\n", s.ss.PublicIP) 57 + fmt.Printf(" Private: %s\n", s.ss.PrivateIP) 58 + 59 + if s.ss.UUID != "" { 60 + details, err := svc.GetServerDetails(ctx, &request.GetServerDetailsRequest{ 61 + UUID: s.ss.UUID, 62 + }) 63 + if err != nil { 64 + fmt.Printf(" State: error (%v)\n", err) 65 + } else { 66 + fmt.Printf(" State: %s\n", details.State) 67 + } 68 + } 69 + 70 + // SSH health check 71 + if s.ss.PublicIP != "" { 72 + output, err := runSSH(s.ss.PublicIP, fmt.Sprintf( 73 + "systemctl is-active %s 2>/dev/null || echo 'inactive'; curl -sf %s > /dev/null 2>&1 && echo 'health:ok' || echo 'health:fail'", 74 + s.serviceName, s.healthURL, 75 + ), false) 76 + if err != nil { 77 + fmt.Printf(" Service: unreachable\n") 78 + } else { 79 + lines := strings.Split(strings.TrimSpace(output), "\n") 80 + for _, line := range lines { 81 + line = strings.TrimSpace(line) 82 + if line == "active" || line == "inactive" { 83 + fmt.Printf(" Service: %s\n", line) 84 + } else if strings.HasPrefix(line, "health:") { 85 + fmt.Printf(" Health: %s\n", strings.TrimPrefix(line, "health:")) 86 + } 87 + } 88 + } 89 + } 90 + fmt.Println() 91 + } 92 + 93 + // LB status 94 + if state.LB.UUID != "" { 95 + fmt.Printf("Load Balancer: %s\n", state.LB.UUID) 96 + lb, err := svc.GetLoadBalancer(ctx, &request.GetLoadBalancerRequest{ 97 + UUID: state.LB.UUID, 98 + }) 99 + if err != nil { 100 + fmt.Printf(" State: error (%v)\n", err) 101 + } else { 102 + fmt.Printf(" State: %s\n", lb.OperationalState) 103 + for _, n := range lb.Networks { 104 + fmt.Printf(" Network (%s): %s\n", n.Type, n.DNSName) 105 + } 106 + } 107 + } 108 + 109 + fmt.Printf("\nNetwork: %s\n", state.Network.UUID) 110 + 111 + if state.ObjectStorage.UUID != "" { 112 + fmt.Printf("\nObject Storage: %s\n", state.ObjectStorage.UUID) 113 + fmt.Printf(" Endpoint: %s\n", state.ObjectStorage.Endpoint) 114 + fmt.Printf(" Region: %s\n", state.ObjectStorage.Region) 115 + fmt.Printf(" Bucket: %s\n", state.ObjectStorage.Bucket) 116 + fmt.Printf(" Access Key: %s\n", state.ObjectStorage.AccessKeyID) 117 + } 118 + 119 + return nil 120 + }

+25

deploy/upcloud/systemd/appview.service.tmpl

··· 1 + [Unit] 2 + Description={{.DisplayName}} AppView (Registry + Web UI) 3 + After=network-online.target 4 + Wants=network-online.target 5 + 6 + [Service] 7 + Type=simple 8 + User={{.User}} 9 + Group={{.User}} 10 + ExecStart={{.BinaryPath}} serve --config {{.ConfigPath}} 11 + Restart=on-failure 12 + RestartSec=5 13 + 14 + ReadWritePaths={{.DataDir}} 15 + ProtectSystem=strict 16 + ProtectHome=yes 17 + NoNewPrivileges=yes 18 + PrivateTmp=yes 19 + 20 + StandardOutput=journal 21 + StandardError=journal 22 + SyslogIdentifier={{.ServiceName}} 23 + 24 + [Install] 25 + WantedBy=multi-user.target

+25

deploy/upcloud/systemd/hold.service.tmpl

··· 1 + [Unit] 2 + Description={{.DisplayName}} Hold (Storage Service) 3 + After=network-online.target 4 + Wants=network-online.target 5 + 6 + [Service] 7 + Type=simple 8 + User={{.User}} 9 + Group={{.User}} 10 + ExecStart={{.BinaryPath}} serve --config {{.ConfigPath}} 11 + Restart=on-failure 12 + RestartSec=5 13 + 14 + ReadWritePaths={{.DataDir}} 15 + ProtectSystem=strict 16 + ProtectHome=yes 17 + NoNewPrivileges=yes 18 + PrivateTmp=yes 19 + 20 + StandardOutput=journal 21 + StandardError=journal 22 + SyslogIdentifier={{.ServiceName}} 23 + 24 + [Install] 25 + WantedBy=multi-user.target

+121

deploy/upcloud/teardown.go

··· 1 + package main 2 + 3 + import ( 4 + "bufio" 5 + "context" 6 + "fmt" 7 + "os" 8 + "strings" 9 + "time" 10 + 11 + "github.com/UpCloudLtd/upcloud-go-api/v8/upcloud/request" 12 + "github.com/spf13/cobra" 13 + ) 14 + 15 + var teardownCmd = &cobra.Command{ 16 + Use: "teardown", 17 + Short: "Destroy all infrastructure", 18 + Args: cobra.NoArgs, 19 + RunE: func(cmd *cobra.Command, args []string) error { 20 + token, _ := cmd.Root().PersistentFlags().GetString("token") 21 + return cmdTeardown(token) 22 + }, 23 + } 24 + 25 + func init() { 26 + rootCmd.AddCommand(teardownCmd) 27 + } 28 + 29 + func cmdTeardown(token string) error { 30 + state, err := loadState() 31 + if err != nil { 32 + return err 33 + } 34 + 35 + naming := state.Naming() 36 + 37 + // Confirmation prompt 38 + fmt.Printf("This will DESTROY all %s infrastructure:\n", naming.DisplayName()) 39 + fmt.Printf(" Zone: %s\n", state.Zone) 40 + fmt.Printf(" Appview: %s (%s)\n", state.Appview.UUID, state.Appview.PublicIP) 41 + fmt.Printf(" Hold: %s (%s)\n", state.Hold.UUID, state.Hold.PublicIP) 42 + fmt.Printf(" Network: %s\n", state.Network.UUID) 43 + fmt.Printf(" LB: %s\n", state.LB.UUID) 44 + fmt.Println() 45 + fmt.Print("Type 'yes' to confirm: ") 46 + 47 + scanner := bufio.NewScanner(os.Stdin) 48 + scanner.Scan() 49 + if strings.TrimSpace(scanner.Text()) != "yes" { 50 + fmt.Println("Aborted.") 51 + return nil 52 + } 53 + 54 + svc, err := newService(token) 55 + if err != nil { 56 + return err 57 + } 58 + 59 + ctx, cancel := context.WithTimeout(context.Background(), 10*time.Minute) 60 + defer cancel() 61 + 62 + // Delete LB first (depends on network) 63 + if state.LB.UUID != "" { 64 + fmt.Printf("Deleting load balancer %s...\n", state.LB.UUID) 65 + if err := svc.DeleteLoadBalancer(ctx, &request.DeleteLoadBalancerRequest{ 66 + UUID: state.LB.UUID, 67 + }); err != nil { 68 + fmt.Printf(" Warning: %v\n", err) 69 + } 70 + } 71 + 72 + // Stop and delete servers (must stop before delete, and delete storage) 73 + for _, s := range []struct { 74 + name string 75 + uuid string 76 + }{ 77 + {"appview", state.Appview.UUID}, 78 + {"hold", state.Hold.UUID}, 79 + } { 80 + if s.uuid == "" { 81 + continue 82 + } 83 + fmt.Printf("Stopping server %s (%s)...\n", s.name, s.uuid) 84 + _, err := svc.StopServer(ctx, &request.StopServerRequest{ 85 + UUID: s.uuid, 86 + }) 87 + if err != nil { 88 + fmt.Printf(" Warning (stop): %v\n", err) 89 + } else { 90 + svc.WaitForServerState(ctx, &request.WaitForServerStateRequest{ 91 + UUID: s.uuid, 92 + DesiredState: "stopped", 93 + }) 94 + } 95 + 96 + fmt.Printf("Deleting server %s...\n", s.name) 97 + if err := svc.DeleteServerAndStorages(ctx, &request.DeleteServerAndStoragesRequest{ 98 + UUID: s.uuid, 99 + }); err != nil { 100 + fmt.Printf(" Warning (delete): %v\n", err) 101 + } 102 + } 103 + 104 + // Delete network (after servers are gone) 105 + if state.Network.UUID != "" { 106 + fmt.Printf("Deleting network %s...\n", state.Network.UUID) 107 + if err := svc.DeleteNetwork(ctx, &request.DeleteNetworkRequest{ 108 + UUID: state.Network.UUID, 109 + }); err != nil { 110 + fmt.Printf(" Warning: %v\n", err) 111 + } 112 + } 113 + 114 + // Remove state file 115 + if err := deleteState(); err != nil { 116 + return err 117 + } 118 + 119 + fmt.Println("\nTeardown complete. All infrastructure destroyed.") 120 + return nil 121 + }

+197

deploy/upcloud/update.go

··· 1 + package main 2 + 3 + import ( 4 + "bytes" 5 + "fmt" 6 + "io" 7 + "os" 8 + "os/exec" 9 + "strings" 10 + "time" 11 + 12 + "github.com/spf13/cobra" 13 + ) 14 + 15 + var updateCmd = &cobra.Command{ 16 + Use: "update [target]", 17 + Short: "Deploy updates to servers", 18 + Args: cobra.MaximumNArgs(1), 19 + ValidArgs: []string{"all", "appview", "hold"}, 20 + RunE: func(cmd *cobra.Command, args []string) error { 21 + target := "all" 22 + if len(args) > 0 { 23 + target = args[0] 24 + } 25 + return cmdUpdate(target) 26 + }, 27 + } 28 + 29 + var sshCmd = &cobra.Command{ 30 + Use: "ssh <target>", 31 + Short: "SSH into a server", 32 + Args: cobra.ExactArgs(1), 33 + ValidArgs: []string{"appview", "hold"}, 34 + RunE: func(cmd *cobra.Command, args []string) error { 35 + return cmdSSH(args[0]) 36 + }, 37 + } 38 + 39 + func init() { 40 + rootCmd.AddCommand(updateCmd) 41 + rootCmd.AddCommand(sshCmd) 42 + } 43 + 44 + func cmdUpdate(target string) error { 45 + state, err := loadState() 46 + if err != nil { 47 + return err 48 + } 49 + 50 + naming := state.Naming() 51 + branch := state.Branch() 52 + 53 + goVersion, err := requiredGoVersion() 54 + if err != nil { 55 + return err 56 + } 57 + 58 + targets := map[string]struct { 59 + ip string 60 + binaryName string 61 + buildCmd string 62 + serviceName string 63 + healthURL string 64 + }{ 65 + "appview": { 66 + ip: state.Appview.PublicIP, 67 + binaryName: naming.Appview(), 68 + buildCmd: "appview", 69 + serviceName: naming.Appview(), 70 + healthURL: "http://localhost:5000/health", 71 + }, 72 + "hold": { 73 + ip: state.Hold.PublicIP, 74 + binaryName: naming.Hold(), 75 + buildCmd: "hold", 76 + serviceName: naming.Hold(), 77 + healthURL: "http://localhost:8080/xrpc/_health", 78 + }, 79 + } 80 + 81 + var toUpdate []string 82 + switch target { 83 + case "all": 84 + toUpdate = []string{"appview", "hold"} 85 + case "appview", "hold": 86 + toUpdate = []string{target} 87 + default: 88 + return fmt.Errorf("unknown target: %s (use: all, appview, hold)", target) 89 + } 90 + 91 + for _, name := range toUpdate { 92 + t := targets[name] 93 + fmt.Printf("Updating %s (%s)...\n", name, t.ip) 94 + 95 + updateScript := fmt.Sprintf(`set -euo pipefail 96 + export PATH=$PATH:/usr/local/go/bin 97 + 98 + # Update Go if needed 99 + CURRENT_GO=$(go version 2>/dev/null | grep -oP 'go\K[0-9.]+' || echo "none") 100 + REQUIRED_GO="%s" 101 + if [ "$CURRENT_GO" != "$REQUIRED_GO" ]; then 102 + echo "Updating Go: $CURRENT_GO -> $REQUIRED_GO" 103 + rm -rf /usr/local/go 104 + curl -fsSL https://go.dev/dl/go${REQUIRED_GO}.linux-amd64.tar.gz | tar -C /usr/local -xz 105 + fi 106 + 107 + cd %s 108 + git pull origin %s 109 + npm ci 110 + go generate ./... 111 + CGO_ENABLED=1 go build \ 112 + -ldflags="-s -w -linkmode external -extldflags '-static'" \ 113 + -tags sqlite_omit_load_extension -trimpath \ 114 + -o bin/%s ./cmd/%s 115 + systemctl restart %s 116 + 117 + sleep 2 118 + curl -sf %s > /dev/null && echo "HEALTH_OK" || echo "HEALTH_FAIL" 119 + `, goVersion, naming.InstallDir(), branch, t.binaryName, t.buildCmd, t.serviceName, t.healthURL) 120 + 121 + output, err := runSSH(t.ip, updateScript, true) 122 + if err != nil { 123 + fmt.Printf(" ERROR: %v\n", err) 124 + fmt.Printf(" Output: %s\n", output) 125 + return fmt.Errorf("update %s failed", name) 126 + } 127 + 128 + if strings.Contains(output, "HEALTH_OK") { 129 + fmt.Printf(" %s: updated and healthy\n", name) 130 + } else if strings.Contains(output, "HEALTH_FAIL") { 131 + fmt.Printf(" %s: updated but health check failed!\n", name) 132 + fmt.Printf(" Check: ssh root@%s journalctl -u %s -n 50\n", t.ip, t.serviceName) 133 + } else { 134 + fmt.Printf(" %s: updated (health check inconclusive)\n", name) 135 + } 136 + } 137 + 138 + return nil 139 + } 140 + 141 + func cmdSSH(target string) error { 142 + state, err := loadState() 143 + if err != nil { 144 + return err 145 + } 146 + 147 + var ip string 148 + switch target { 149 + case "appview": 150 + ip = state.Appview.PublicIP 151 + case "hold": 152 + ip = state.Hold.PublicIP 153 + default: 154 + return fmt.Errorf("unknown target: %s (use: appview, hold)", target) 155 + } 156 + 157 + fmt.Printf("Connecting to %s (%s)...\n", target, ip) 158 + cmd := exec.Command("ssh", 159 + "-o", "StrictHostKeyChecking=accept-new", 160 + "root@"+ip, 161 + ) 162 + cmd.Stdin = os.Stdin 163 + cmd.Stdout = os.Stdout 164 + cmd.Stderr = os.Stderr 165 + return cmd.Run() 166 + } 167 + 168 + func runSSH(ip, script string, stream bool) (string, error) { 169 + cmd := exec.Command("ssh", 170 + "-o", "StrictHostKeyChecking=accept-new", 171 + "-o", "ConnectTimeout=10", 172 + "root@"+ip, 173 + "bash -s", 174 + ) 175 + cmd.Stdin = strings.NewReader(script) 176 + 177 + var buf bytes.Buffer 178 + if stream { 179 + cmd.Stdout = io.MultiWriter(os.Stdout, &buf) 180 + cmd.Stderr = io.MultiWriter(os.Stderr, &buf) 181 + } else { 182 + cmd.Stdout = &buf 183 + cmd.Stderr = &buf 184 + } 185 + 186 + // Give builds up to 10 minutes 187 + done := make(chan error, 1) 188 + go func() { done <- cmd.Run() }() 189 + 190 + select { 191 + case err := <-done: 192 + return buf.String(), err 193 + case <-time.After(10 * time.Minute): 194 + cmd.Process.Kill() 195 + return buf.String(), fmt.Errorf("SSH command timed out after 10 minutes") 196 + } 197 + }

+6 -3

go.mod

··· 17 17 github.com/goki/freetype v1.0.5 18 18 github.com/golang-jwt/jwt/v5 v5.3.1 19 19 github.com/google/uuid v1.6.0 20 - github.com/gorilla/websocket v1.5.3 20 + github.com/gorilla/websocket v1.5.4-0.20250319132907-e064f32e3674 21 21 github.com/ipfs/go-block-format v0.2.3 22 22 github.com/ipfs/go-cid v0.6.0 23 23 github.com/ipfs/go-datastore v0.9.0 ··· 48 48 ) 49 49 50 50 require ( 51 + github.com/AdaLogics/go-fuzz-headers v0.0.0-20240806141605-e8a1dd7889d6 // indirect 51 52 github.com/RussellLuo/slidingwindow v0.0.0-20200528002341-535bb99d338b // indirect 52 53 github.com/ajg/form v1.6.1 // indirect 53 54 github.com/antlr4-go/antlr/v4 v4.13.0 // indirect ··· 73 74 github.com/cenkalti/backoff/v5 v5.0.3 // indirect 74 75 github.com/cespare/xxhash/v2 v2.3.0 // indirect 75 76 github.com/coreos/go-systemd/v22 v22.7.0 // indirect 76 - github.com/davecgh/go-spew v1.1.1 // indirect 77 + github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect 77 78 github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f // indirect 78 79 github.com/docker/docker-credential-helpers v0.9.5 // indirect 79 80 github.com/docker/go-events v0.0.0-20250808211157-605354379745 // indirect 80 81 github.com/docker/go-metrics v0.0.1 // indirect 82 + github.com/fatih/color v1.18.0 // indirect 81 83 github.com/felixge/httpsnoop v1.0.4 // indirect 82 84 github.com/fsnotify/fsnotify v1.9.0 // indirect 83 85 github.com/gammazero/chanqueue v1.1.1 // indirect ··· 115 117 github.com/jmespath/go-jmespath v0.4.0 // indirect 116 118 github.com/klauspost/cpuid/v2 v2.3.0 // indirect 117 119 github.com/libsql/sqlite-antlr4-parser v0.0.0-20240327125255-dbf53b6cbf06 // indirect 120 + github.com/mattn/go-colorable v0.1.14 // indirect 118 121 github.com/mattn/go-isatty v0.0.20 // indirect 119 122 github.com/minio/sha256-simd v1.0.1 // indirect 120 123 github.com/mr-tron/base58 v1.2.0 // indirect ··· 127 130 github.com/opencontainers/image-spec v1.1.1 // indirect 128 131 github.com/opentracing/opentracing-go v1.2.0 // indirect 129 132 github.com/pelletier/go-toml/v2 v2.2.4 // indirect 130 - github.com/pmezard/go-difflib v1.0.0 // indirect 133 + github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect 131 134 github.com/polydawn/refmt v0.89.1-0.20221221234430-40501e09de1f // indirect 132 135 github.com/prometheus/client_golang v1.23.2 // indirect 133 136 github.com/prometheus/client_model v0.6.2 // indirect

+6 -12

go.sum

··· 1 - github.com/AdaLogics/go-fuzz-headers v0.0.0-20221103172237-443f56ff4ba8 h1:d+pBUmsteW5tM87xmVXHZ4+LibHRFn40SPAoZJOg2ak= 2 - github.com/AdaLogics/go-fuzz-headers v0.0.0-20221103172237-443f56ff4ba8/go.mod h1:i9fr2JpcEcY/IHEvzCM3qXUZYOQHgR89dt4es1CgMhc= 1 + github.com/AdaLogics/go-fuzz-headers v0.0.0-20240806141605-e8a1dd7889d6 h1:He8afgbRMd7mFxO99hRNu+6tazq8nFF9lIwo9JFroBk= 3 2 github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU= 4 3 github.com/RussellLuo/slidingwindow v0.0.0-20200528002341-535bb99d338b h1:5/++qT1/z812ZqBvqQt6ToRswSuPZ/B33m6xVHRzADU= 5 4 github.com/RussellLuo/slidingwindow v0.0.0-20200528002341-535bb99d338b/go.mod h1:4+EPqMRApwwE/6yo6CxiHoSnBzjRr3jsqer7frxP8y4= ··· 76 75 github.com/cpuguy83/go-md2man/v2 v2.0.6/go.mod h1:oOW0eioCTA6cOiMLiUPZOpcVxMig6NIQQ7OS05n1F4g= 77 76 github.com/cskr/pubsub v1.0.2 h1:vlOzMhl6PFn60gRlTQQsIfVwaPB/B/8MziK8FhEPt/0= 78 77 github.com/cskr/pubsub v1.0.2/go.mod h1:/8MzYXk/NJAz782G8RPkFzXTZVu63VotefPnR9TIRis= 79 - github.com/cyphar/filepath-securejoin v0.2.4 h1:Ugdm7cg7i6ZK6x3xDF1oEu1nfkyfH53EtKeQYTC3kyg= 80 - github.com/cyphar/filepath-securejoin v0.2.4/go.mod h1:aPGpWjXOXUn2NCNjFvBE6aRxGGx79pTxQpKOJNYHHl4= 81 78 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= 82 - github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= 83 79 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= 80 + github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM= 84 81 github.com/decred/dcrd/dcrec/secp256k1/v4 v4.4.0 h1:NMZiJj8QnKe1LgsbDayM4UoHwbvwDRwnI3hwNaAHRnc= 85 82 github.com/decred/dcrd/dcrec/secp256k1/v4 v4.4.0/go.mod h1:ZXNYxsqcloTdSy/rNShjYzMhyjf0LaoftYK0p+A3h40= 86 83 github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f h1:lO4WD4F/rVNCu3HqELle0jiPLLBs70cWOduZpkS1E78= ··· 97 94 github.com/docker/go-metrics v0.0.1/go.mod h1:cG1hvH2utMXtqgqqYE9plW6lDxS3/5ayHzueweSI3Vw= 98 95 github.com/earthboundkid/versioninfo/v2 v2.24.1 h1:SJTMHaoUx3GzjjnUO1QzP3ZXK6Ee/nbWyCm58eY3oUg= 99 96 github.com/earthboundkid/versioninfo/v2 v2.24.1/go.mod h1:VcWEooDEuyUJnMfbdTh0uFN4cfEIg+kHMuWB2CDCLjw= 100 - github.com/fatih/color v1.16.0 h1:zmkK9Ngbjj+K0yRhTVONQh1p/HknKYSlNT+vZCzyokM= 101 - github.com/fatih/color v1.16.0/go.mod h1:fL2Sau1YI5c0pdGEVCbKQbLXB6edEj1ZgiY4NijnWvE= 97 + github.com/fatih/color v1.18.0 h1:S8gINlzdQ840/4pfAwic/ZE0djQEH3wM94VfqLTZcOM= 102 98 github.com/felixge/httpsnoop v1.0.4 h1:NFTV2Zj1bL4mc9sqWACXbQFVBBg2W3GPvqp8/ESS2Wg= 103 99 github.com/felixge/httpsnoop v1.0.4/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U= 104 100 github.com/filecoin-project/go-clock v0.1.0 h1:SFbYIM75M8NnFm1yMHhN9Ahy3W5bEZV9gd6MPfXbKVU= ··· 164 160 github.com/gorilla/handlers v1.5.2/go.mod h1:dX+xVpaxdSw+q0Qek8SSsl3dfMk3jNddUkMzo0GtH0w= 165 161 github.com/gorilla/mux v1.8.1 h1:TuBL49tXwgrFYWhqrNgrUNEY92u81SPhu7sTdzQEiWY= 166 162 github.com/gorilla/mux v1.8.1/go.mod h1:AKf9I4AEqPTmMytcMc0KkNouC66V3BtZ4qD5fmWSiMQ= 167 - github.com/gorilla/websocket v1.5.3 h1:saDtZ6Pbx/0u+bgYQ3q96pZgCzfhKXGPqt7kZ72aNNg= 168 - github.com/gorilla/websocket v1.5.3/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE= 163 + github.com/gorilla/websocket v1.5.4-0.20250319132907-e064f32e3674 h1:JeSE6pjso5THxAzdVpqr6/geYxZytqFMBCOtn/ujyeo= 169 164 github.com/grpc-ecosystem/grpc-gateway/v2 v2.27.7 h1:X+2YciYSxvMQK0UZ7sg45ZVabVZBeBuvMkmuI2V3Fak= 170 165 github.com/grpc-ecosystem/grpc-gateway/v2 v2.27.7/go.mod h1:lW34nIZuQ8UDPdkon5fmfp2l3+ZkQ2me/+oecHYLOII= 171 166 github.com/hashicorp/go-cleanhttp v0.5.2 h1:035FKYIWjmULyFRBKPs8TBQoi0x6d9G4xc9neXJWAZQ= ··· 295 290 github.com/libp2p/go-netroute v0.4.0/go.mod h1:Nkd5ShYgSMS5MUKy/MU2T57xFoOKvvLR92Lic48LEyA= 296 291 github.com/libsql/sqlite-antlr4-parser v0.0.0-20240327125255-dbf53b6cbf06 h1:JLvn7D+wXjH9g4Jsjo+VqmzTUpl/LX7vfr6VOfSWTdM= 297 292 github.com/libsql/sqlite-antlr4-parser v0.0.0-20240327125255-dbf53b6cbf06/go.mod h1:FUkZ5OHjlGPjnM2UyGJz9TypXQFgYqw6AFNO1UiROTM= 298 - github.com/mattn/go-colorable v0.1.13 h1:fFA4WZxdEF4tXPZVKMLwD8oUnCTTo08duU7wxecdEvA= 299 - github.com/mattn/go-colorable v0.1.13/go.mod h1:7S9/ev0klgBDR4GtXTXX8a3vIGJpMovkB8vQcUbaXHg= 293 + github.com/mattn/go-colorable v0.1.14 h1:9A9LHSqF/7dyVVX6g0U9cwm9pG3kP9gSzcuIPHPsaIE= 300 294 github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY= 301 295 github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y= 302 296 github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5Ld7szi9bcBfOoFv/3dc6xSMkL2PC0= ··· 349 343 github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= 350 344 github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4= 351 345 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= 352 - github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= 353 346 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= 347 + github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRIccs7FGNTlIRMkT8wgtp5eCXdBlqhYGL6U= 354 348 github.com/polydawn/refmt v0.89.1-0.20221221234430-40501e09de1f h1:VXTQfuJj9vKR4TCkEuWIckKvdHFeJH/huIFJ9/cXOB0= 355 349 github.com/polydawn/refmt v0.89.1-0.20221221234430-40501e09de1f/go.mod h1:/zvteZs/GwLtCgZ4BL6CBsk9IKIlexP43ObX9AxTqTw= 356 350 github.com/prometheus/client_golang v0.9.1/go.mod h1:7SWBe2y4D6OKWSNQJUaRYU/AaXPKyh/dDVn+NZz0KFw=

+1

go.work

··· 2 2 3 3 use ( 4 4 . 5 + ./deploy/upcloud 5 6 ./scanner 6 7 )

+7 -1

go.work.sum

··· 173 173 github.com/census-instrumentation/opencensus-proto v0.4.1/go.mod h1:4T9NM4+4Vw91VeyqjLS6ao50K5bOcLKN6Q42XnYaRYw= 174 174 github.com/cespare/xxhash v1.1.0 h1:a6HrQnmkObjyL+Gs60czilIUGqrzKutQD6XZog3p+ko= 175 175 github.com/charmbracelet/harmonica v0.2.0/go.mod h1:KSri/1RMQOZLbw7AHqgcBycp8pgJnQMYYT8QZRqZ1Ao= 176 + github.com/charmbracelet/x/ansi v0.8.0/go.mod h1:wdYl/ONOLHLIVmQaxbIYEC/cRKOQyjTkowiI4blgS9Q= 177 + github.com/charmbracelet/x/cellbuf v0.0.13-0.20250311204145-2c3ea96c31dd/go.mod h1:xe0nKWGd3eJgtqZRaN9RjMtK7xUYchjzPr7q6kcvCCs= 176 178 github.com/charmbracelet/x/exp/golden v0.0.0-20240806155701-69247e0abc2a/go.mod h1:wDlXFlCrmJ8J+swcL/MnGUuYnqgQdW9rhSD61oNMb6U= 177 179 github.com/checkpoint-restore/checkpointctl v1.4.0/go.mod h1:ynQ52zQBazgcTZuxpwTFzRinIcAf0haDTC1X1LA/FKA= 178 180 github.com/checkpoint-restore/go-criu/v7 v7.2.0/go.mod h1:u0LCWLg0w4yqqu14aXhiB4YD3a1qd8EcCEg7vda5dwo= 179 181 github.com/cheggaaa/pb v1.0.27/go.mod h1:pQciLPpbU0oxA0h+VJYYLxO+XeDQb5pZijXscXHm81s= 180 182 github.com/cilium/ebpf v0.16.0/go.mod h1:L7u2Blt2jMM/vLAVgjxluxtBKlz3/GWjB0dMOEngfwE= 183 + github.com/clipperhouse/uax29/v2 v2.2.0/go.mod h1:EFJ2TJMRUaplDxHKj1qAEhCtQPW2tJSwu5BF98AuoVM= 181 184 github.com/cockroachdb/errors v1.11.3/go.mod h1:m4UIW4CDjx+R5cybPsNrRbreomiFqt8o1h1wUVazSd8= 182 185 github.com/cockroachdb/fifo v0.0.0-20240606204812-0bbfbd93a7ce/go.mod h1:9/y3cnZ5GKakj/H4y9r9GTjCvAFta7KLgSHPJJYc52M= 183 186 github.com/cockroachdb/logtags v0.0.0-20230118201751-21c54148d20b/go.mod h1:Vz9DsVWQQhf3vs21MhPMZpMGSht7O/2vFW2xusFUVOs= ··· 451 454 golang.org/x/sys v0.20.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= 452 455 golang.org/x/sys v0.26.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= 453 456 golang.org/x/sys v0.29.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= 457 + golang.org/x/sys v0.30.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= 454 458 golang.org/x/sys v0.31.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k= 459 + golang.org/x/sys v0.32.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k= 455 460 golang.org/x/sys v0.35.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k= 461 + golang.org/x/sys v0.36.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks= 456 462 golang.org/x/sys v0.38.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks= 457 463 golang.org/x/telemetry v0.0.0-20260109210033-bd525da824e2/go.mod h1:b7fPSJ0pKZ3ccUh8gnTONJxhn3c/PS6tyzQvyqw4iA8= 458 - golang.org/x/text v0.23.0/go.mod h1:/BLNzu4aZCJ1+kcD0DNRotWKage4q2rGVAg4o22unh4= 464 + golang.org/x/text v0.3.8/go.mod h1:E6s5w1FMmriuDzIBO73fBruAKo1PCIq6d2Q6DHfQ8WQ= 459 465 golang.org/x/text v0.28.0/go.mod h1:U8nCwOR8jO/marOQ0QbDiOngZVEBB7MAiitBuMjXiNU= 460 466 golang.org/x/text v0.31.0/go.mod h1:tKRAlv61yKIjGGHX/4tP1LTbc13YSec1pxVEWXzfoeM= 461 467 golang.org/x/tools v0.0.0-20200113040837-eac381796e91/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=

+5 -5

pkg/appview/config.go

··· 57 57 // Short name used in page titles and browser tabs. 58 58 ClientShortName string `yaml:"client_short_name" comment:"Short name used in page titles and browser tabs."` 59 59 60 - // Separate domain for OCI registry API. 61 - RegistryDomain string `yaml:"registry_domain" comment:"Separate domain for OCI registry API (e.g. \"buoy.cr\"). Browser visits redirect to BaseURL."` 60 + // Separate domains for OCI registry API. First entry is the primary (used for JWT service name and UI display). 61 + RegistryDomains []string `yaml:"registry_domains" comment:"Separate domains for OCI registry API (e.g. [\"buoy.cr\"]). First is primary. Browser visits redirect to BaseURL."` 62 62 } 63 63 64 64 // UIConfig defines web UI settings ··· 145 145 v.SetDefault("server.client_name", "AT Container Registry") 146 146 v.SetDefault("server.client_short_name", "ATCR") 147 147 v.SetDefault("server.oauth_key_path", "/var/lib/atcr/oauth/client.key") 148 - v.SetDefault("server.registry_domain", "") 148 + v.SetDefault("server.registry_domains", []string{}) 149 149 150 150 // UI defaults 151 151 v.SetDefault("ui.database_path", "/var/lib/atcr/ui.db") ··· 241 241 242 242 // deriveServiceName extracts the JWT service name from the config. 243 243 func deriveServiceName(cfg *Config) string { 244 - if cfg.Server.RegistryDomain != "" { 245 - return cfg.Server.RegistryDomain 244 + if len(cfg.Server.RegistryDomains) > 0 { 245 + return cfg.Server.RegistryDomains[0] 246 246 } 247 247 return getServiceName(cfg.Server.BaseURL) 248 248 }

+2

pkg/appview/db/hold_store_test.go

··· 87 87 } 88 88 // Limit to single connection to avoid race conditions in tests 89 89 db.SetMaxOpenConns(1) 90 + // Clean slate: shared-cache in-memory DB may retain data from prior subtests 91 + db.Exec("DELETE FROM hold_captain_records") 90 92 t.Cleanup(func() { db.Close() }) 91 93 return db 92 94 }

+25 -9

pkg/appview/server.go

··· 240 240 mainRouter.Use(routes.CORSMiddleware()) 241 241 242 242 // Registry domain redirect middleware 243 - if cfg.Server.RegistryDomain != "" { 244 - mainRouter.Use(RegistryDomainRedirect(cfg.Server.RegistryDomain, cfg.Server.BaseURL)) 243 + if len(cfg.Server.RegistryDomains) > 0 { 244 + mainRouter.Use(RegistryDomainRedirect(cfg.Server.RegistryDomains, cfg.Server.BaseURL)) 245 245 slog.Info("Registry domain redirect enabled", 246 - "registry_domain", cfg.Server.RegistryDomain, 246 + "registry_domains", cfg.Server.RegistryDomains, 247 247 "ui_base_url", cfg.Server.BaseURL) 248 248 } 249 249 ··· 263 263 OAuthStore: s.OAuthStore, 264 264 Refresher: s.Refresher, 265 265 BaseURL: baseURL, 266 - RegistryDomain: cfg.Server.RegistryDomain, 266 + RegistryDomain: primaryRegistryDomain(cfg.Server.RegistryDomains), 267 267 DeviceStore: s.DeviceStore, 268 268 HealthChecker: s.HealthChecker, 269 269 ReadmeFetcher: s.ReadmeFetcher, ··· 499 499 mainRouter.Get("/health", func(w http.ResponseWriter, r *http.Request) { 500 500 w.Header().Set("Content-Type", "application/json") 501 501 w.WriteHeader(http.StatusOK) 502 - json.NewEncoder(w).Encode(map[string]string{"status": "ok"}) 502 + if err := json.NewEncoder(w).Encode(map[string]string{"status": "ok"}); err != nil { 503 + http.Error(w, "encode error", http.StatusInternalServerError) 504 + return 505 + } 503 506 }) 504 507 505 508 // Register credential helper version API (public endpoint) ··· 577 580 ) 578 581 } 579 582 580 - // RegistryDomainRedirect redirects all non-registry requests from the registry 581 - // domain to the UI domain. Only /v2 and /v2/* pass through for Docker clients. 583 + // RegistryDomainRedirect redirects all non-registry requests from registry 584 + // domains to the UI domain. Only /v2 and /v2/* pass through for Docker clients. 582 585 // Uses 307 (Temporary Redirect) to preserve POST method/body. 583 - func RegistryDomainRedirect(registryDomain, uiBaseURL string) func(http.Handler) http.Handler { 586 + func RegistryDomainRedirect(registryDomains []string, uiBaseURL string) func(http.Handler) http.Handler { 587 + domains := make(map[string]bool, len(registryDomains)) 588 + for _, d := range registryDomains { 589 + domains[d] = true 590 + } 591 + 584 592 return func(next http.Handler) http.Handler { 585 593 return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { 586 594 host := r.Host ··· 588 596 host = host[:idx] 589 597 } 590 598 591 - if host == registryDomain { 599 + if domains[host] { 592 600 path := r.URL.Path 593 601 if path == "/v2" || path == "/v2/" || strings.HasPrefix(path, "/v2/") { 594 602 next.ServeHTTP(w, r) ··· 603 611 next.ServeHTTP(w, r) 604 612 }) 605 613 } 614 + } 615 + 616 + // primaryRegistryDomain returns the first registry domain, or empty string if none. 617 + func primaryRegistryDomain(domains []string) string { 618 + if len(domains) > 0 { 619 + return domains[0] 620 + } 621 + return "" 606 622 } 607 623 608 624 // initializeJetstream initializes the Jetstream workers for real-time events and backfill.

+16

pkg/config/marshal.go

··· 131 131 return mapToNode(v) 132 132 } 133 133 134 + // Slice → yaml sequence 135 + if v.Kind() == reflect.Slice { 136 + seq := &yaml.Node{ 137 + Kind: yaml.SequenceNode, 138 + Tag: "!!seq", 139 + } 140 + for i := 0; i < v.Len(); i++ { 141 + elemNode, err := valueToNode(v.Index(i)) 142 + if err != nil { 143 + return nil, fmt.Errorf("slice index %d: %w", i, err) 144 + } 145 + seq.Content = append(seq.Content, elemNode) 146 + } 147 + return seq, nil 148 + } 149 + 134 150 // Scalar types 135 151 node := &yaml.Node{Kind: yaml.ScalarNode} 136 152 switch v.Kind() {

+1 -1

pkg/hold/billing/handlers.go

··· 114 114 stats, err := h.pdsServer.GetQuotaForUserWithTier(r.Context(), userDID, h.manager.quotaMgr) 115 115 if err == nil { 116 116 info.CurrentUsage = stats.TotalSize 117 - info.CrewTier = stats.Tier // tier from local crew record (what's actually enforced) 117 + info.CrewTier = stats.Tier // tier from local crew record (what's actually enforced) 118 118 info.CurrentLimit = stats.Limit 119 119 120 120 // If no subscription but crew has a tier, show that as current

+7 -8

pkg/hold/db/sqlite_store.go

··· 1 - // Package db contains a vendored from github.com/bluesky-social/indigo/carstore/sqlite_store.go 1 + // Package db contains a vendored from github.com/bluesky-social/indigo/carstore/sqlite_store.go 2 2 // Source: github.com/bluesky-social/indigo@v0.0.0-20260203235305-a86f3ae1f8ec/carstore/ 3 3 // Reason: indigo's carstore hardcodes mattn/go-sqlite3, which conflicts with go-libsql 4 4 // (both bundle SQLite C libraries and cannot coexist in the same binary). 5 5 // 6 6 // This package replaces the mattn driver with go-libsql and removes Prometheus metrics. 7 7 // Once upstream accepts a driver-agnostic constructor, this vendored copy can be removed. 8 - // Modifications: 9 - // - Replaced mattn/go-sqlite3 driver with go-libsql 10 - // - Removed all Prometheus metric counters and .Inc() calls 11 - // - Changed package from 'carstore' to 'db' 12 - // - Added NewSQLiteStoreWithDB constructor for injecting an existing *sql.DB 13 - // - Changed sql.Open("sqlite3", path) to sql.Open("libsql", ...) with proper DSN 14 - 8 + // Modifications: 9 + // - Replaced mattn/go-sqlite3 driver with go-libsql 10 + // - Removed all Prometheus metric counters and .Inc() calls 11 + // - Changed package from 'carstore' to 'db' 12 + // - Added NewSQLiteStoreWithDB constructor for injecting an existing *sql.DB 13 + // - Changed sql.Open("sqlite3", path) to sql.Open("libsql", ...) with proper DSN 15 14 package db 16 15 17 16 import (

Configure Feed

Configure Feed