@rizom/ops 0.2.0-alpha.8 → 0.2.0-alpha.81
- package/README.md +7 -3
- package/dist/age-key-bootstrap.d.ts +17 -0
- package/dist/brains-ops.js +279 -156
- package/dist/cert-bootstrap.d.ts +3 -3
- package/dist/content-repo.d.ts +13 -0
- package/dist/default-user-runner.d.ts +1 -1
- package/dist/deploy.js +3 -170
- package/dist/entries/deploy.d.ts +2 -2
- package/dist/index.d.ts +4 -0
- package/dist/index.js +279 -156
- package/dist/load-registry.d.ts +22 -3
- package/dist/observed-status.d.ts +1 -1
- package/dist/onboard-user.d.ts +2 -2
- package/dist/origin-ca.d.ts +1 -1
- package/dist/parse-args.d.ts +2 -0
- package/dist/push-secrets.d.ts +1 -1
- package/dist/reconcile-all.d.ts +2 -2
- package/dist/reconcile-cohort.d.ts +2 -2
- package/dist/reconcile-lib.d.ts +4 -2
- package/dist/run-command.d.ts +1 -2
- package/dist/run-subprocess.d.ts +1 -0
- package/dist/schema.d.ts +107 -0
- package/dist/secrets-encrypt.d.ts +29 -0
- package/dist/secrets-push.d.ts +1 -1
- package/dist/ssh-key-bootstrap.d.ts +1 -1
- package/dist/user-add.d.ts +15 -0
- package/dist/user-runner.d.ts +5 -0
- package/dist/verify-user.d.ts +19 -0
- package/package.json +7 -3
- package/templates/rover-pilot/.env.schema +16 -2
- package/templates/rover-pilot/.github/workflows/build.yml +13 -5
- package/templates/rover-pilot/.github/workflows/deploy.yml +73 -20
- package/templates/rover-pilot/.github/workflows/reconcile.yml +16 -2
- package/templates/rover-pilot/README.md +6 -3
- package/templates/rover-pilot/deploy/scripts/decrypt-user-secrets.ts +78 -0
- package/templates/rover-pilot/deploy/scripts/provision-server.ts +1 -1
- package/templates/rover-pilot/deploy/scripts/resolve-deploy-handles.ts +15 -4
- package/templates/rover-pilot/deploy/scripts/resolve-user-config.ts +12 -12
- package/templates/rover-pilot/deploy/scripts/sync-content-repo.ts +179 -0
- package/templates/rover-pilot/deploy/scripts/update-dns.ts +14 -4
- package/templates/rover-pilot/docs/onboarding-checklist.md +40 -14
- package/templates/rover-pilot/docs/operator-playbook.md +129 -10
- package/templates/rover-pilot/docs/user-onboarding.md +182 -199
- package/templates/rover-pilot/package.json +3 -0
- package/templates/rover-pilot/pilot.yaml +3 -0
- package/templates/rover-pilot/users/alice.yaml +5 -1
- package/dist/user-secret-names.d.ts +0 -6
- package/templates/rover-pilot/.kamal/hooks/pre-deploy +0 -9
- package/templates/rover-pilot/deploy/Caddyfile +0 -66
- package/templates/rover-pilot/deploy/Dockerfile +0 -38
- package/templates/rover-pilot/deploy/kamal/deploy.yml +0 -40
|
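--- a/package/templates/rover-pilot/deploy/Caddyfile
+++ b/package/templates/rover-pilot/deploy/Caddyfile
@@ -1,66 +0,0 @@
-# Internal Caddy — path-based routing to brain services.
-# kamal-proxy terminates TLS externally; this runs inside the container.
-:80 {
-@preview host preview.*
-handle @preview {
-reverse_proxy localhost:4321
-
-header {
-X-Frame-Options "SAMEORIGIN"
-X-Content-Type-Options "nosniff"
-Referrer-Policy "strict-origin-when-cross-origin"
-}
-}
-
-# MCP endpoint
-handle /mcp* {
-reverse_proxy localhost:3333
-
-header {
-X-Content-Type-Options "nosniff"
-Access-Control-Allow-Origin "*"
-Access-Control-Allow-Methods "GET, POST, DELETE, OPTIONS"
-Access-Control-Allow-Headers "Content-Type, Authorization, MCP-Session-Id"
-}
-}
-
-# A2A endpoints
-handle /.well-known/agent-card.json {
-reverse_proxy localhost:3334
-}
-
-handle /a2a {
-reverse_proxy localhost:3334
-
-header {
-X-Content-Type-Options "nosniff"
-Access-Control-Allow-Origin "*"
-Access-Control-Allow-Methods "GET, POST, OPTIONS"
-Access-Control-Allow-Headers "Content-Type, Authorization"
-}
-}
-
-# Plugin API routes
-handle /api/* {
-reverse_proxy localhost:3335
-}
-
-# Production site: proxy to webserver if running, otherwise serve
-# a minimal static fallback so the healthcheck and bare-domain
-# requests succeed even on the core preset (no webserver).
-handle {
-reverse_proxy localhost:8080
-
-header {
-X-Frame-Options "SAMEORIGIN"
-X-Content-Type-Options "nosniff"
-Referrer-Policy "strict-origin-when-cross-origin"
-}
-}
-
-handle_errors {
-root * /srv/fallback
-try_files /index.html
-file_server
-}
-}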
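--- a/package/templates/rover-pilot/deploy/Dockerfile
+++ b/package/templates/rover-pilot/deploy/Dockerfile
@@ -1,38 +0,0 @@
-ARG BUN_VERSION=1.3.10
-FROM oven/bun:${BUN_VERSION}-slim AS runtime
-
-WORKDIR /app
-
-RUN apt-get update && apt-get install -y --no-install-recommends \
-curl ca-certificates git gnupg debian-keyring debian-archive-keyring apt-transport-https \
-&& curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/gpg.key' | gpg --dearmor -o /usr/share/keyrings/caddy-stable-archive-keyring.gpg \
-&& curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/debian.deb.txt' | tee /etc/apt/sources.list.d/caddy-stable.list \
-&& apt-get update && apt-get install -y --no-install-recommends caddy libcap2-bin \
-&& setcap cap_net_bind_service=+ep $(which caddy) \
-&& rm -rf /var/lib/apt/lists/*
-
-COPY deploy/Caddyfile /etc/caddy/Caddyfile
-
-RUN mkdir -p /srv/fallback && \
-printf '<!doctype html><html><head><meta charset="utf-8"><title>brain</title></head><body></body></html>\n' \
-> /srv/fallback/index.html
-
-ENV XDG_DATA_HOME=/data
-ENV XDG_CONFIG_HOME=/config
-RUN mkdir -p /app/data /app/cache /app/brain-data && \
-chmod -R 777 /app/data /app/cache /app/brain-data
-
-CMD ["sh", "-c", "caddy start --config /etc/caddy/Caddyfile && exec ./node_modules/.bin/brain start"]
-
-# --- standalone: bake full project into image (brain-cli deploy) ---
-FROM runtime AS standalone
-COPY package.json ./package.json
-RUN bun install --production --ignore-scripts
-COPY . .
-
-# --- fleet: install published brain at pinned version (ops deploy) ---
-FROM runtime AS fleet
-ARG BRAIN_VERSION
-RUN test -n "$BRAIN_VERSION" \
-&& printf '{"name":"rover-pilot-runtime","private":true}\n' > package.json \
-&& bun add @rizom/brain@$BRAIN_VERSION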
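--- a/package/templates/rover-pilot/deploy/kamal/deploy.yml
+++ b/package/templates/rover-pilot/deploy/kamal/deploy.yml
@@ -1,40 +0,0 @@
-service: rover
-image: <%= ENV['IMAGE_REPOSITORY'] %>
-
-servers:
-web:
-hosts:
-- <%= ENV['SERVER_IP'] %>
-
-proxy:
-ssl:
-certificate_pem: CERTIFICATE_PEM
-private_key_pem: PRIVATE_KEY_PEM
-hosts:
-- <%= ENV['BRAIN_DOMAIN'] %>
-- preview.<%= ENV['BRAIN_DOMAIN'] %>
-app_port: 80
-healthcheck:
-path: /health
-
-registry:
-server: ghcr.io
-username: <%= ENV['REGISTRY_USERNAME'] %>
-password:
-- KAMAL_REGISTRY_PASSWORD
-
-builder:
-arch: amd64
-
-env:
-clear:
-NODE_ENV: production
-secret:
-- AI_API_KEY
-- GIT_SYNC_TOKEN
-- MCP_AUTH_TOKEN
-- DISCORD_BOT_TOKEN
-
-volumes:
-- /opt/brain-data:/app/brain-data
-- /opt/brain.yaml:/app/brain.yaml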