direxio-deployer 0.1.8 → 0.1.9
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/LICENSE +1 -1
- package/README.md +1 -1
- package/README_zh.md +1 -1
- package/SKILL.md +6 -6
- package/agents/README.md +5 -5
- package/agents/openai.yaml +3 -3
- package/package.json +1 -1
- package/references/architecture.md +4 -4
- package/references/bug-history.md +2 -2
- package/references/deployment-lessons.md +5 -5
- package/references/deployment-workflow.md +12 -12
- package/references/iam-policy.json +1 -1
- package/references/state-machine.md +1 -1
- package/references/tooling.md +2 -2
- package/references/user-journey.md +1 -1
- package/references/verification-recovery.md +2 -2
- package/references/voip-turn-runbook.md +2 -2
- package/scripts/cloud-init/docker-compose.yml +7 -7
- package/scripts/cloud-init/init-tokens.sh +4 -4
- package/scripts/destroy.ps1 +3 -3
- package/scripts/destroy.sh +9 -9
- package/scripts/lib/paths.sh +1 -3
- package/scripts/lib/state.sh +9 -9
- package/scripts/orchestrate.ps1 +3 -3
- package/scripts/orchestrate.sh +16 -17
- package/scripts/phases/s2_domain.sh +4 -4
- package/scripts/phases/s3_provision.sh +6 -6
- package/scripts/phases/s5_init_tokens.sh +1 -1
- package/scripts/reset-app-data.sh +1 -1
package/LICENSE
CHANGED
package/README.md
CHANGED
|
@@ -167,7 +167,7 @@ Reset application data while preserving EC2, DNS, fixed IP, and Caddy TLS:
|
|
|
167
167
|
|
|
168
168
|
```bash
|
|
169
169
|
DIREXIO_RESET_APP_DATA_CONFIRM=1 DOMAIN=<domain> bash scripts/reset-app-data.sh
|
|
170
|
-
|
|
170
|
+
DIREXIO_EXISTING_STATE_ACTION=continue DOMAIN=<domain> bash scripts/orchestrate.sh
|
|
171
171
|
```
|
|
172
172
|
|
|
173
173
|
Application data reset clears server-side app volumes, so the follow-up
|
package/README_zh.md
CHANGED
|
@@ -164,7 +164,7 @@ DOMAIN=<domain> MESSAGE_SERVER_IMAGE=direxio/message-server:latest bash scripts/
|
|
|
164
164
|
|
|
165
165
|
```bash
|
|
166
166
|
DIREXIO_RESET_APP_DATA_CONFIRM=1 DOMAIN=<domain> bash scripts/reset-app-data.sh
|
|
167
|
-
|
|
167
|
+
DIREXIO_EXISTING_STATE_ACTION=continue DOMAIN=<domain> bash scripts/orchestrate.sh
|
|
168
168
|
```
|
|
169
169
|
|
|
170
170
|
清理应用数据卷后,后续 orchestrate 会重新生成本地 credentials/MCP 配置,
|
package/SKILL.md
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
---
|
|
2
2
|
name: direxio-deployer
|
|
3
|
-
description: Deploy, resume, verify, destroy, and locally wire a production
|
|
3
|
+
description: Deploy, resume, verify, destroy, and locally wire a production Direxio message server on AWS for any connent/connect-supported local agent runtime. Use when installing or updating this skill itself; install the versioned npm package `direxio-deployer` and use its CLI to place the skill in the runtime-specific global path from references/agent-targets.md unless the user explicitly asks for a project-local installation.
|
|
4
4
|
---
|
|
5
5
|
|
|
6
6
|
# Direxio Deployer
|
|
@@ -49,7 +49,7 @@ when it is safe and does not overwrite local edits. If the clone has local
|
|
|
49
49
|
changes, do not discard them; report the divergence and continue from the local
|
|
50
50
|
copy unless the user approves a specific update action.
|
|
51
51
|
|
|
52
|
-
Do not fall back to older
|
|
52
|
+
Do not fall back to older pre-Direxio skill repositories or unmanaged copied skill bundles unless the user explicitly asks for one of those repositories. Never print or commit AWS credentials, initialization codes, agent tokens, or local credential files while refreshing the Skill.
|
|
53
53
|
|
|
54
54
|
## Cloud Account And Domain Onboarding
|
|
55
55
|
|
|
@@ -357,7 +357,7 @@ Use a Git clone only for development or local patching of this deployer, not as
|
|
|
357
357
|
|
|
358
358
|
## Agent Recognition
|
|
359
359
|
|
|
360
|
-
Use this skill when the user asks to deploy, resume, verify, destroy, repair, or wire a
|
|
360
|
+
Use this skill when the user asks to deploy, resume, verify, destroy, repair, or wire a Direxio message server. The instructions are runtime-neutral and can be followed by any agent that can run shell commands and read files. The local bridge target must be one of the connent/connect agents unless the user explicitly supplies compatible custom TOML. OpenClaw and Hermes are host runtimes that S6 wires through the generic connent/connect `acp` agent.
|
|
361
361
|
|
|
362
362
|
For local agent integration after deployment, S6 writes service-specific credentials and environment files under `~/.direxio/nodes/<service_id>/`, where `service_id` is derived from the deployed domain. It also writes MCP client snippets under `~/.direxio/nodes/<service_id>/mcp/` for MCP-capable hosts such as Codex, OpenClaw, and Hermes. It does not write root-level compatibility credentials, shell profiles, Windows user environment variables, or mutate each host's global MCP config.
|
|
363
363
|
|
|
@@ -588,7 +588,7 @@ for the current service before giving advice. The status output includes a
|
|
|
588
588
|
and may still be billing.
|
|
589
589
|
- Resume safety: whether rerunning the same command is safe, or whether the
|
|
590
590
|
operator must preserve `state.json` and continue with
|
|
591
|
-
`
|
|
591
|
+
`DIREXIO_EXISTING_STATE_ACTION=continue`.
|
|
592
592
|
- Local refresh: if `agent_install_status=refresh_pending`, reset/redeploy
|
|
593
593
|
cleared old credentials, user confirmations, runtime checks, bridge install
|
|
594
594
|
proof, and MCP install proof; the next action is to rerun the deployment workflow to refresh S4-S7, local credentials, MCP snippets, automatic installs, and runtime checks.
|
|
@@ -686,7 +686,7 @@ identity is allowed when the operator explicitly chose root credentials. Prefer
|
|
|
686
686
|
using the same temporary `DirexioDeployer` IAM user/profile for teardown when
|
|
687
687
|
that was used for provisioning.
|
|
688
688
|
|
|
689
|
-
If an operator needs to preserve local state files for debugging, run destroy with `
|
|
689
|
+
If an operator needs to preserve local state files for debugging, run destroy with `DIREXIO_KEEP_WORKDIR=1` and explicitly report that the stale service directory remains.
|
|
690
690
|
|
|
691
691
|
### Full reset / "treat me as a brand new user"
|
|
692
692
|
|
|
@@ -783,7 +783,7 @@ security : delete or disable any temporary DirexioDeployer access key after
|
|
|
783
783
|
report : <operation-report.json path>
|
|
784
784
|
```
|
|
785
785
|
|
|
786
|
-
Mention that AWS resources keep billing until destroyed. User-managed DNS and purchased domains are not removed by destroy. After destroy, report which `~/.direxio/nodes/<service_id>` service directory was removed or, if `
|
|
786
|
+
Mention that AWS resources keep billing until destroyed. User-managed DNS and purchased domains are not removed by destroy. After destroy, report which `~/.direxio/nodes/<service_id>` service directory was removed or, if `DIREXIO_KEEP_WORKDIR=1` was used, which local directory remains.
|
|
787
787
|
|
|
788
788
|
If `DIREXIO_AGENT_INSTALL=auto` was not used, or if it recorded `install_failed`, give the manual command:
|
|
789
789
|
|
package/agents/README.md
CHANGED
|
@@ -10,12 +10,12 @@ When an agent runtime supports skill metadata, point it at `SKILL.md` and use `s
|
|
|
10
10
|
|
|
11
11
|
Recognition keywords:
|
|
12
12
|
|
|
13
|
-
- deploy
|
|
14
|
-
- resume
|
|
15
|
-
- verify
|
|
16
|
-
- destroy
|
|
13
|
+
- deploy Direxio
|
|
14
|
+
- resume Direxio deployment
|
|
15
|
+
- verify Direxio message server
|
|
16
|
+
- destroy Direxio AWS resources
|
|
17
17
|
- wire Direxio MCP/plugin
|
|
18
|
-
- refresh
|
|
18
|
+
- refresh Direxio agent token
|
|
19
19
|
|
|
20
20
|
Required capabilities:
|
|
21
21
|
|
package/agents/openai.yaml
CHANGED
|
@@ -1,12 +1,12 @@
|
|
|
1
1
|
display_name: Direxio Deployer
|
|
2
|
-
short_description: Deploy, resume, verify, destroy, and wire Direxio MCP/plugin access for a production
|
|
3
|
-
default_prompt: Deploy a
|
|
2
|
+
short_description: Deploy, resume, verify, destroy, and wire Direxio MCP/plugin access for a production Direxio message server on AWS.
|
|
3
|
+
default_prompt: Deploy a Direxio message server using my production domain, following SKILL.md and scripts/orchestrate.sh.
|
|
4
4
|
entrypoint: ../SKILL.md
|
|
5
5
|
runtime_notes:
|
|
6
6
|
- Read SKILL.md before running deployment commands.
|
|
7
7
|
- When installing or updating this skill itself, read references/agent-targets.md and use the runtime-specific project-local Git clone path before any global fallback.
|
|
8
8
|
- Use scripts/orchestrate.sh from the repository root.
|
|
9
9
|
- Use scripts/destroy.sh for teardown.
|
|
10
|
-
- S6 writes DIREXIO_DOMAIN, DIREXIO_AGENT_TOKEN, and DIREXIO_AGENT_ROOM_ID, then records runtime-specific skill and MCP/config targets for direxio-mcp and
|
|
10
|
+
- S6 writes DIREXIO_DOMAIN, DIREXIO_AGENT_TOKEN, and DIREXIO_AGENT_ROOM_ID, then records runtime-specific skill and MCP/config targets for direxio-mcp and Direxio agent plugins.
|
|
11
11
|
- Ask before mutating the current agent runtime's plugin or MCP configuration.
|
|
12
12
|
- The instructions are compatible with Claude, Codex/OpenAI, Gemini, Cursor, Copilot, OpenClaw, Hermes, and other shell-capable agent runtimes.
|
package/package.json
CHANGED
|
@@ -17,7 +17,7 @@ coturn -> TURN 3478 + 49160-49200/udp
|
|
|
17
17
|
```
|
|
18
18
|
|
|
19
19
|
- **message-server**: `direxio/message-server:latest`,同时承载 Matrix homeserver 和 `/_p2p/query`/`/_p2p/command`。
|
|
20
|
-
- **PostgreSQL 18**: Matrix 与
|
|
20
|
+
- **PostgreSQL 18**: Matrix 与 Direxio 业务表共库持久化,compose 使用 `/var/lib/postgresql`。
|
|
21
21
|
- **Caddy**: 唯一 HTTP/TLS 入口,自动签发 Let's Encrypt。
|
|
22
22
|
- **coturn**: WebRTC TURN relay,Direxio message-server 通过 shared-secret 动态签发 TURN 凭证。
|
|
23
23
|
|
|
@@ -25,17 +25,17 @@ coturn -> TURN 3478 + 49160-49200/udp
|
|
|
25
25
|
|
|
26
26
|
1. `postgres` healthy。
|
|
27
27
|
2. `message-init` 生成 `/etc/direxio-message-server/message-server.yaml` 和 signing key,并写入 TURN 配置。
|
|
28
|
-
3. `message-server` 启动,加载 Matrix +
|
|
28
|
+
3. `message-server` 启动,加载 Matrix + Direxio 业务,读取 `P2P_PORTAL_PASSWORD` 和 `P2P_PORTAL_CREDENTIALS_FILE`。
|
|
29
29
|
4. `init-tokens.sh` 调用 `portal.bootstrap`,从容器复制凭据到宿主 `/opt/p2p/bootstrap.json`。如果最新服务端没有写入 `agent_room_id`,脚本会通过 Matrix Client API 创建真实 agent room、邀请并加入 `@agent:<server>`,再把 `agent_room_id` 回写到宿主和容器凭据文件。
|
|
30
30
|
5. `init-tokens.sh` 生成 `/opt/p2p/wellknown/owner.json`。
|
|
31
|
-
6. `caddy` 对外服务 Matrix、
|
|
31
|
+
6. `caddy` 对外服务 Matrix、Direxio API 和 well-known。
|
|
32
32
|
|
|
33
33
|
## 凭据模型
|
|
34
34
|
|
|
35
35
|
`/opt/p2p/bootstrap.json` 会包含:
|
|
36
36
|
|
|
37
37
|
- `password`: 后端字段名;对用户展示时是八位 App 初始化码。
|
|
38
|
-
- `access_token`: 当前用户的统一 bearer token,可用于 Matrix `/_matrix/client/*` 和需要用户身份的
|
|
38
|
+
- `access_token`: 当前用户的统一 bearer token,可用于 Matrix `/_matrix/client/*` 和需要用户身份的 Direxio 调用。
|
|
39
39
|
- `agent_token`: 本地服务凭据中的 agent bearer token;`direxio-connect` 对话桥接使用 S6 创建的 `@agent:<server>` Matrix session。
|
|
40
40
|
- `agent_room_id`: 真实 Matrix 房间 ID。部署脚本拒绝旧式 `!agent:<domain>` 伪房间。
|
|
41
41
|
|
|
@@ -3,12 +3,12 @@
|
|
|
3
3
|
部署链路上所有真实踩过的坑。**已全部修进 `scripts/` 下的部署文件**,新部署不会再撞;
|
|
4
4
|
列在这里是为了:① 理解每个设计决策的来由;② 若有人改坏了哪处,能快速定位回退点。
|
|
5
5
|
|
|
6
|
-
##
|
|
6
|
+
## Legacy pre-Direxio message-server 仓库
|
|
7
7
|
|
|
8
8
|
### AS PR #4 — 镜像多架构
|
|
9
9
|
- **症状**:ARM 架构 EC2(t4g 系列)`docker pull` 后 `exec format error`。
|
|
10
10
|
- **根因**:镜像只 build 了 amd64。
|
|
11
|
-
- **修复**:CI 用 buildx 出 `amd64+arm64`
|
|
11
|
+
- **修复**:CI 用 buildx 出 `amd64+arm64` 多架构镜像。legacy pre-Direxio AS 镜像已是多架构。
|
|
12
12
|
|
|
13
13
|
### AS PR #5 — 容器化体验
|
|
14
14
|
- **卷权限**:命名卷默认 root:700,AS 降权到 asd(UID 10001)后打不开 sqlite → `SQLITE_CANTOPEN`。
|
|
@@ -15,7 +15,7 @@ S5_INIT_TOKENS failed: read bootstrap.json timed out
|
|
|
15
15
|
|
|
16
16
|
Cause:
|
|
17
17
|
|
|
18
|
-
Current
|
|
18
|
+
Current Direxio message-server builds initialize on service startup and write
|
|
19
19
|
`/opt/p2p/bootstrap.json` with the login `password`, `agent_token`, and owner
|
|
20
20
|
metadata. Calling the old bootstrap HTTP endpoint or scraping logs is no longer
|
|
21
21
|
part of the deploy path.
|
|
@@ -80,7 +80,7 @@ Fix now in ops:
|
|
|
80
80
|
the local `timeout` command is available.
|
|
81
81
|
- If a deployment was interrupted, inspect `scripts/orchestrate.sh status`,
|
|
82
82
|
stop only leftover local `orchestrate.sh`/`curl`/`ssh` children for that run,
|
|
83
|
-
and resume with `
|
|
83
|
+
and resume with `DIREXIO_EXISTING_STATE_ACTION=continue`.
|
|
84
84
|
- If SSH to the instance is blocked but AWS access still works, attach a
|
|
85
85
|
temporary SSM role and use SSM Run Command to read `/opt/p2p/bootstrap.json`
|
|
86
86
|
without printing secrets. Remove or audit the temporary role after recovery.
|
|
@@ -94,7 +94,7 @@ resolves correctly. This avoids Caddy and Let's Encrypt racing DNS propagation.
|
|
|
94
94
|
When rerunning after a resource was created, set:
|
|
95
95
|
|
|
96
96
|
```bash
|
|
97
|
-
|
|
97
|
+
DIREXIO_EXISTING_STATE_ACTION=continue
|
|
98
98
|
```
|
|
99
99
|
|
|
100
100
|
This is deliberate. It prevents accidental duplicate EC2/EIP creation or unsafe
|
|
@@ -136,7 +136,7 @@ Fix procedure:
|
|
|
136
136
|
2. Delegate those NS servers at the current registrar, or use the provider API
|
|
137
137
|
if credentials are available.
|
|
138
138
|
3. Wait for authoritative NS and A-record propagation.
|
|
139
|
-
4. Re-run `scripts/orchestrate.sh` with `
|
|
139
|
+
4. Re-run `scripts/orchestrate.sh` with `DIREXIO_EXISTING_STATE_ACTION=continue`.
|
|
140
140
|
|
|
141
141
|
DNS propagation of new NS records can take minutes to hours. After the user
|
|
142
142
|
confirms the change, verify with `nslookup -type=NS <DOMAIN>` or
|
|
@@ -186,7 +186,7 @@ Workaround (use when the health check is the only blocker and the rate limit is
|
|
|
186
186
|
|
|
187
187
|
4. Resume orchestrate.sh with:
|
|
188
188
|
```bash
|
|
189
|
-
|
|
189
|
+
DIREXIO_EXISTING_STATE_ACTION=continue bash scripts/orchestrate.sh
|
|
190
190
|
```
|
|
191
191
|
|
|
192
192
|
5. **After deployment completes**, restore the original Caddyfile (remove `tls internal`) and restart Caddy. Caddy will retry the production Let's Encrypt cert when the rate limit resets. The self-signed cert is a temporary bridge; HTTPS will show a browser warning until the production cert is obtained.
|
|
@@ -31,8 +31,8 @@ DOMAIN=__DOMAIN__ bash scripts/orchestrate.sh status
|
|
|
31
31
|
If state has resources, require one:
|
|
32
32
|
|
|
33
33
|
```bash
|
|
34
|
-
|
|
35
|
-
|
|
34
|
+
DIREXIO_EXISTING_STATE_ACTION=continue
|
|
35
|
+
DIREXIO_EXISTING_STATE_ACTION=destroy
|
|
36
36
|
DOMAIN=<different-domain>
|
|
37
37
|
```
|
|
38
38
|
|
|
@@ -102,14 +102,14 @@ Destroy allows root AWS access-key identity when the operator explicitly chose
|
|
|
102
102
|
root credentials. Use the same deployment profile for teardown that was used
|
|
103
103
|
for provisioning.
|
|
104
104
|
|
|
105
|
-
Use `
|
|
105
|
+
Use `DIREXIO_KEEP_WORKDIR=1 DOMAIN=__DOMAIN__ bash scripts/destroy.sh` on POSIX, or set `$env:DIREXIO_KEEP_WORKDIR = "1"` before `.\scripts\destroy.ps1` on Windows, only when preserving local state files for debugging; if used, report that the service directory still exists.
|
|
106
106
|
|
|
107
107
|
## Run
|
|
108
108
|
|
|
109
109
|
From the repository root:
|
|
110
110
|
|
|
111
111
|
```bash
|
|
112
|
-
AWS_PROFILE=
|
|
112
|
+
AWS_PROFILE=direxio-deployer \
|
|
113
113
|
AWS_DEFAULT_REGION=us-east-1 \
|
|
114
114
|
DOMAIN=__DOMAIN__ \
|
|
115
115
|
DOMAIN_MODE=user \
|
|
@@ -208,7 +208,7 @@ data:
|
|
|
208
208
|
|
|
209
209
|
```bash
|
|
210
210
|
DOMAIN=__DOMAIN__ MESSAGE_SERVER_IMAGE=direxio/message-server:latest bash scripts/update.sh
|
|
211
|
-
|
|
211
|
+
DIREXIO_EXISTING_STATE_ACTION=continue DOMAIN=__DOMAIN__ bash scripts/orchestrate.sh
|
|
212
212
|
```
|
|
213
213
|
|
|
214
214
|
`update.sh` SSHes to the recorded EC2 instance, runs Docker Compose pull/up,
|
|
@@ -225,7 +225,7 @@ TLS volumes:
|
|
|
225
225
|
|
|
226
226
|
```bash
|
|
227
227
|
DIREXIO_RESET_APP_DATA_CONFIRM=1 DOMAIN=__DOMAIN__ bash scripts/reset-app-data.sh
|
|
228
|
-
|
|
228
|
+
DIREXIO_EXISTING_STATE_ACTION=continue DOMAIN=__DOMAIN__ bash scripts/orchestrate.sh
|
|
229
229
|
```
|
|
230
230
|
|
|
231
231
|
`reset-app-data.sh` removes only `postgres-data`, `message-config`, and
|
|
@@ -261,9 +261,9 @@ If rate-limited, the log shows `retry after <timestamp> UTC`.
|
|
|
261
261
|
```
|
|
262
262
|
Once the endpoint returns 200, re-run orchestrate.sh to complete:
|
|
263
263
|
```bash
|
|
264
|
-
|
|
264
|
+
DIREXIO_EXISTING_STATE_ACTION=continue \
|
|
265
265
|
DNS_READY=1 \
|
|
266
|
-
AWS_PROFILE=
|
|
266
|
+
AWS_PROFILE=direxio-deployer \
|
|
267
267
|
AWS_DEFAULT_REGION=us-east-1 \
|
|
268
268
|
DOMAIN=<DOMAIN> \
|
|
269
269
|
DOMAIN_MODE=route53 \
|
|
@@ -298,7 +298,7 @@ that the old IP is safe to replace:
|
|
|
298
298
|
|
|
299
299
|
```bash
|
|
300
300
|
DIREXIO_CONFIRM_DNS_OVERWRITE=1 \
|
|
301
|
-
|
|
301
|
+
DIREXIO_EXISTING_STATE_ACTION=continue \
|
|
302
302
|
DOMAIN=__DOMAIN__ \
|
|
303
303
|
DOMAIN_MODE=route53 \
|
|
304
304
|
CONFIRM_DOMAIN_BINDING=1 \
|
|
@@ -315,7 +315,7 @@ node scripts/json.mjs get ~/.direxio/nodes/<service_id>/state.json resources
|
|
|
315
315
|
After authoritative DNS returns the new IP, continue with the same state:
|
|
316
316
|
|
|
317
317
|
```bash
|
|
318
|
-
|
|
318
|
+
DIREXIO_EXISTING_STATE_ACTION=continue \
|
|
319
319
|
DOMAIN=__DOMAIN__ \
|
|
320
320
|
DOMAIN_MODE=route53 \
|
|
321
321
|
CONFIRM_DOMAIN_BINDING=1 \
|
|
@@ -341,14 +341,14 @@ After authoritative DNS returns the new IP:
|
|
|
341
341
|
|
|
342
342
|
```bash
|
|
343
343
|
DNS_READY=1 \
|
|
344
|
-
AWS_PROFILE=
|
|
344
|
+
AWS_PROFILE=direxio-deployer \
|
|
345
345
|
AWS_DEFAULT_REGION=us-east-1 \
|
|
346
346
|
DOMAIN=__DOMAIN__ \
|
|
347
347
|
DOMAIN_MODE=user \
|
|
348
348
|
CONFIRM_DOMAIN_BINDING=1 \
|
|
349
349
|
INSTANCE_TYPE=t3.small \
|
|
350
350
|
MESSAGE_SERVER_IMAGE=direxio/message-server:latest \
|
|
351
|
-
|
|
351
|
+
DIREXIO_EXISTING_STATE_ACTION=continue \
|
|
352
352
|
bash scripts/orchestrate.sh
|
|
353
353
|
```
|
|
354
354
|
|
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"Version": "2012-10-17",
|
|
3
|
-
"Comment": "
|
|
3
|
+
"Comment": "Direxio 一键部署所需的最小 IAM 权限。用户建 IAM 用户时附加此策略,再为其生成 AK/SK 交给 agent。比给 AdministratorAccess 安全得多。",
|
|
4
4
|
"Statement": [
|
|
5
5
|
{
|
|
6
6
|
"Sid": "Preflight",
|
|
@@ -17,7 +17,7 @@
|
|
|
17
17
|
|
|
18
18
|
- `postgres`: PostgreSQL 18,数据卷 `/var/lib/postgresql`。
|
|
19
19
|
- `message-init`: 生成 Direxio message-server 配置和 TURN 配置。
|
|
20
|
-
- `message-server`: 运行 Matrix +
|
|
20
|
+
- `message-server`: 运行 Matrix + Direxio 统一后端,公开容器内 8008。
|
|
21
21
|
- `caddy`: 对外 80/443,反代 `/_matrix/*` 和 `/_p2p/*`。
|
|
22
22
|
- `coturn`: TURN relay。
|
|
23
23
|
|
package/references/tooling.md
CHANGED
|
@@ -99,8 +99,8 @@ Existing profiles can still be used, including root profiles when the operator
|
|
|
99
99
|
explicitly chooses root credentials:
|
|
100
100
|
|
|
101
101
|
```bash
|
|
102
|
-
aws configure --profile
|
|
103
|
-
export AWS_PROFILE=
|
|
102
|
+
aws configure --profile direxio-deployer
|
|
103
|
+
export AWS_PROFILE=direxio-deployer
|
|
104
104
|
export AWS_DEFAULT_REGION=us-east-1
|
|
105
105
|
aws sts get-caller-identity
|
|
106
106
|
```
|
|
@@ -47,7 +47,7 @@ Rerun the same command after fixing the blocker; state resumes from the first un
|
|
|
47
47
|
|
|
48
48
|
After S3, do not reset or delete state just to silence an error. If EC2, public
|
|
49
49
|
IPv4/EIP, or other AWS resources are recorded, preserve `state.json`, repair the
|
|
50
|
-
blocker, and rerun with `
|
|
50
|
+
blocker, and rerun with `DIREXIO_EXISTING_STATE_ACTION=continue`; or destroy first
|
|
51
51
|
if the user wants to stop billing.
|
|
52
52
|
|
|
53
53
|
## Destroy
|
|
@@ -75,7 +75,7 @@ remain outside automatic destroy scope.
|
|
|
75
75
|
After `scripts/reset-app-data.sh`, rerun:
|
|
76
76
|
|
|
77
77
|
```bash
|
|
78
|
-
|
|
78
|
+
DIREXIO_EXISTING_STATE_ACTION=continue DOMAIN=__DOMAIN__ bash scripts/orchestrate.sh
|
|
79
79
|
```
|
|
80
80
|
|
|
81
81
|
The reset script intentionally marks S4-S7 pending and clears stale local secret
|
|
@@ -58,7 +58,7 @@ skill 不部署 coturn,只把服务商给的 `uris + username/password` 写进 D
|
|
|
58
58
|
# DOMAIN/PUBLIC_IP/TURN_SECRET 由 .env 注入(user-data 写)。
|
|
59
59
|
coturn:
|
|
60
60
|
image: coturn/coturn:latest
|
|
61
|
-
network_mode: host # relay 必须;不要放进
|
|
61
|
+
network_mode: host # relay 必须;不要放进 direxio-net 桥接网络
|
|
62
62
|
restart: unless-stopped
|
|
63
63
|
command:
|
|
64
64
|
- -n
|
|
@@ -74,7 +74,7 @@ skill 不部署 coturn,只把服务商给的 `uris + username/password` 写进 D
|
|
|
74
74
|
- --no-tls
|
|
75
75
|
- --no-dtls
|
|
76
76
|
```
|
|
77
|
-
> 注:`network_mode: host` 与现有 `networks: [
|
|
77
|
+
> 注:`network_mode: host` 与现有 `networks: [direxio-net]` 不兼容,coturn 单独用 host 网络。
|
|
78
78
|
> 其余服务不变。
|
|
79
79
|
|
|
80
80
|
### 2. `phases/s3_provision.sh` — 安全组加 TURN 端口
|
|
@@ -1,11 +1,11 @@
|
|
|
1
1
|
# docker-compose.yml - cloud-side Direxio message-server stack.
|
|
2
2
|
#
|
|
3
|
-
# Layers: Caddy (public 443/TLS) -> Direxio message-server (Matrix +
|
|
4
|
-
# PostgreSQL 18 persists Matrix and
|
|
3
|
+
# Layers: Caddy (public 443/TLS) -> Direxio message-server (Matrix + Direxio API).
|
|
4
|
+
# PostgreSQL 18 persists Matrix and Direxio business tables. The local agent bridge
|
|
5
5
|
# process is not started in the cloud by default.
|
|
6
6
|
|
|
7
7
|
networks:
|
|
8
|
-
|
|
8
|
+
direxio-net:
|
|
9
9
|
|
|
10
10
|
volumes:
|
|
11
11
|
postgres-data:
|
|
@@ -17,7 +17,7 @@ volumes:
|
|
|
17
17
|
services:
|
|
18
18
|
postgres:
|
|
19
19
|
image: postgres:18-alpine
|
|
20
|
-
networks: [
|
|
20
|
+
networks: [direxio-net]
|
|
21
21
|
environment:
|
|
22
22
|
POSTGRES_USER: direxio_message_server
|
|
23
23
|
POSTGRES_PASSWORD: direxio_message_server
|
|
@@ -33,7 +33,7 @@ services:
|
|
|
33
33
|
|
|
34
34
|
message-init:
|
|
35
35
|
image: ${MESSAGE_SERVER_IMAGE}
|
|
36
|
-
networks: [
|
|
36
|
+
networks: [direxio-net]
|
|
37
37
|
depends_on:
|
|
38
38
|
postgres:
|
|
39
39
|
condition: service_healthy
|
|
@@ -58,7 +58,7 @@ services:
|
|
|
58
58
|
|
|
59
59
|
message-server:
|
|
60
60
|
image: ${MESSAGE_SERVER_IMAGE}
|
|
61
|
-
networks: [
|
|
61
|
+
networks: [direxio-net]
|
|
62
62
|
depends_on:
|
|
63
63
|
postgres:
|
|
64
64
|
condition: service_healthy
|
|
@@ -86,7 +86,7 @@ services:
|
|
|
86
86
|
|
|
87
87
|
caddy:
|
|
88
88
|
image: caddy:2
|
|
89
|
-
networks: [
|
|
89
|
+
networks: [direxio-net]
|
|
90
90
|
depends_on:
|
|
91
91
|
message-server:
|
|
92
92
|
condition: service_healthy
|
|
@@ -2,8 +2,8 @@
|
|
|
2
2
|
# init-tokens.sh - wait for message-server bootstrap credentials after compose is up.
|
|
3
3
|
set -euo pipefail
|
|
4
4
|
|
|
5
|
-
|
|
6
|
-
COMPOSE="docker compose -f ${
|
|
5
|
+
DIREXIO_DIR=${DIREXIO_DIR:-/opt/p2p}
|
|
6
|
+
COMPOSE="docker compose -f ${DIREXIO_DIR}/docker-compose.yml --env-file ${DIREXIO_DIR}/.env"
|
|
7
7
|
DOMAIN=${DOMAIN:?DOMAIN is required (e.g. __DOMAIN__)}
|
|
8
8
|
CONTAINER_BOOTSTRAP_FILE=${CONTAINER_BOOTSTRAP_FILE:-/var/direxio-message-server/p2p/bootstrap.json}
|
|
9
9
|
BOOTSTRAP_FILE=${BOOTSTRAP_FILE:-/opt/p2p/bootstrap.json}
|
|
@@ -13,7 +13,7 @@ log() { echo "[init-tokens] $*" >&2; }
|
|
|
13
13
|
|
|
14
14
|
env_string() {
|
|
15
15
|
local key=$1
|
|
16
|
-
grep -E "^${key}=" "${
|
|
16
|
+
grep -E "^${key}=" "${DIREXIO_DIR}/.env" 2>/dev/null \
|
|
17
17
|
| tail -1 \
|
|
18
18
|
| cut -d= -f2- \
|
|
19
19
|
|| true
|
|
@@ -94,7 +94,7 @@ bootstrap_portal() {
|
|
|
94
94
|
password=${P2P_PORTAL_PASSWORD:-}
|
|
95
95
|
[ -n "$password" ] || password=$(env_string P2P_PORTAL_PASSWORD)
|
|
96
96
|
if [ -z "$password" ]; then
|
|
97
|
-
log "FATAL: P2P_PORTAL_PASSWORD is missing from environment and ${
|
|
97
|
+
log "FATAL: P2P_PORTAL_PASSWORD is missing from environment and ${DIREXIO_DIR}/.env"
|
|
98
98
|
return 1
|
|
99
99
|
fi
|
|
100
100
|
tmp=$(mktemp)
|
package/scripts/destroy.ps1
CHANGED
|
@@ -35,9 +35,9 @@ $env:DIREXIO_WINDOWS_HOME = $windowsDirexioHome
|
|
|
35
35
|
$env:DIREXIO_HOME = ConvertTo-GitBashPath $windowsDirexioHome
|
|
36
36
|
$env:DIREXIO_LOCAL_PATH_STYLE = 'windows'
|
|
37
37
|
|
|
38
|
-
if ($env:
|
|
39
|
-
$env:
|
|
40
|
-
$env:
|
|
38
|
+
if ($env:DIREXIO_WORKDIR) {
|
|
39
|
+
$env:DIREXIO_WORKDIR_WINDOWS = $env:DIREXIO_WORKDIR
|
|
40
|
+
$env:DIREXIO_WORKDIR = ConvertTo-GitBashPath $env:DIREXIO_WORKDIR
|
|
41
41
|
}
|
|
42
42
|
|
|
43
43
|
$repoRootForBash = ConvertTo-GitBashPath $RepoRoot
|
package/scripts/destroy.sh
CHANGED
|
@@ -2,7 +2,7 @@
|
|
|
2
2
|
# destroy.sh - remove AWS resources recorded by deployment state.
|
|
3
3
|
#
|
|
4
4
|
# Source:
|
|
5
|
-
# 1. $
|
|
5
|
+
# 1. $DIREXIO_WORKDIR/state.json written by orchestrate.sh; by default
|
|
6
6
|
# DOMAIN=__DOMAIN__ maps to ~/.direxio/nodes/<service_id>/state.json.
|
|
7
7
|
# 2. explicit argument: bash destroy.sh /path/to/state.json
|
|
8
8
|
#
|
|
@@ -18,7 +18,7 @@ source "$HERE/lib/paths.sh"
|
|
|
18
18
|
source "$HERE/lib/aws.sh"
|
|
19
19
|
# shellcheck disable=SC1090
|
|
20
20
|
source "$HERE/lib/operation_report.sh"
|
|
21
|
-
|
|
21
|
+
DIREXIO_WORKDIR=$(direxio_default_workdir)
|
|
22
22
|
|
|
23
23
|
log() { echo -e "\033[33m[destroy]\033[0m $*"; }
|
|
24
24
|
|
|
@@ -162,12 +162,12 @@ verify_key_pair_deleted() {
|
|
|
162
162
|
# Resolve source and load INSTANCE_ID/EIP_ID/SG_ID/KEY_NAME/KEY_FILE/REGION.
|
|
163
163
|
SRC=${1:-}
|
|
164
164
|
if [ -z "$SRC" ]; then
|
|
165
|
-
if [ -f "$
|
|
166
|
-
else echo "state.json not found; set DOMAIN=<service domain> or
|
|
165
|
+
if [ -f "$DIREXIO_WORKDIR/state.json" ]; then SRC="$DIREXIO_WORKDIR/state.json"
|
|
166
|
+
else echo "state.json not found; set DOMAIN=<service domain> or DIREXIO_WORKDIR=<service dir> to destroy a specific deployment."; exit 1
|
|
167
167
|
fi
|
|
168
168
|
fi
|
|
169
169
|
[ -f "$SRC" ] || { echo "$SRC not found."; exit 1; }
|
|
170
|
-
|
|
170
|
+
DIREXIO_ROOT=$(cd "${DIREXIO_HOME:-$HOME/.direxio}" 2>/dev/null && pwd -P || printf '%s' "${DIREXIO_HOME:-$HOME/.direxio}")
|
|
171
171
|
|
|
172
172
|
REGION=$(json_get "$SRC" region)
|
|
173
173
|
INSTANCE_ID=$(json_get "$SRC" resources.instance_id)
|
|
@@ -245,7 +245,7 @@ delete_route53_record() {
|
|
|
245
245
|
change_file=$(mktemp)
|
|
246
246
|
cat > "$change_file" <<EOF
|
|
247
247
|
{
|
|
248
|
-
"Comment": "
|
|
248
|
+
"Comment": "Direxio destroy",
|
|
249
249
|
"Changes": [
|
|
250
250
|
{
|
|
251
251
|
"Action": "DELETE",
|
|
@@ -470,8 +470,8 @@ stop_current_cc_connect_daemon() {
|
|
|
470
470
|
cleanup_local_service_dir() {
|
|
471
471
|
local service_dir=$1 root=$2 nodes_root src_real nodes_real src_norm nodes_norm name
|
|
472
472
|
|
|
473
|
-
if [ "${
|
|
474
|
-
log "keeping local service dir because
|
|
473
|
+
if [ "${DIREXIO_KEEP_WORKDIR:-0}" = "1" ]; then
|
|
474
|
+
log "keeping local service dir because DIREXIO_KEEP_WORKDIR=1: $service_dir"
|
|
475
475
|
return 0
|
|
476
476
|
fi
|
|
477
477
|
|
|
@@ -567,4 +567,4 @@ if REPORT_PATH=$(operation_report_write destroy destroy_processed "$SRC" 2>/dev/
|
|
|
567
567
|
else
|
|
568
568
|
log "operation report was not written; keep destroy logs for audit"
|
|
569
569
|
fi
|
|
570
|
-
cleanup_local_service_dir "$CURRENT_SERVICE_DIR" "$
|
|
570
|
+
cleanup_local_service_dir "$CURRENT_SERVICE_DIR" "$DIREXIO_ROOT"
|
package/scripts/lib/paths.sh
CHANGED
|
@@ -23,9 +23,7 @@ direxio_service_dir() {
|
|
|
23
23
|
}
|
|
24
24
|
|
|
25
25
|
direxio_default_workdir() {
|
|
26
|
-
if [ -n "${
|
|
27
|
-
printf '%s\n' "$P2P_WORKDIR"
|
|
28
|
-
elif [ -n "${DIREXIO_WORKDIR:-}" ]; then
|
|
26
|
+
if [ -n "${DIREXIO_WORKDIR:-}" ]; then
|
|
29
27
|
printf '%s\n' "$DIREXIO_WORKDIR"
|
|
30
28
|
elif [ -n "${DOMAIN:-}" ]; then
|
|
31
29
|
direxio_service_dir "$DOMAIN"
|
package/scripts/lib/state.sh
CHANGED
|
@@ -4,7 +4,7 @@
|
|
|
4
4
|
# Sourced by orchestrate.sh and phases/*.sh. All state.json reads/writes go
|
|
5
5
|
# through this file to keep structure and fields consistent. Requires Node.js.
|
|
6
6
|
#
|
|
7
|
-
# state.json path: $
|
|
7
|
+
# state.json path: $DIREXIO_WORKDIR/state.json.
|
|
8
8
|
# By default, DOMAIN=__DOMAIN__ maps to ~/.direxio/nodes/<service_id>/state.json.
|
|
9
9
|
#
|
|
10
10
|
# PHASES order is the state-machine execution order.
|
|
@@ -28,17 +28,17 @@ PHASES=(
|
|
|
28
28
|
)
|
|
29
29
|
|
|
30
30
|
# Paths.
|
|
31
|
-
|
|
32
|
-
STATE_JSON="$
|
|
31
|
+
DIREXIO_WORKDIR=$(direxio_default_workdir)
|
|
32
|
+
STATE_JSON="$DIREXIO_WORKDIR/state.json"
|
|
33
33
|
|
|
34
34
|
# Timestamp helper.
|
|
35
35
|
_now() { date -u +%Y-%m-%dT%H:%M:%SZ; }
|
|
36
36
|
|
|
37
37
|
# Shared logging helpers.
|
|
38
|
-
log() { echo -e "\033[36m[
|
|
39
|
-
ok() { echo -e "\033[32m[
|
|
40
|
-
warn() { echo -e "\033[33m[
|
|
41
|
-
fail() { echo -e "\033[31m[
|
|
38
|
+
log() { echo -e "\033[36m[direxio]\033[0m $*" >&2; }
|
|
39
|
+
ok() { echo -e "\033[32m[direxio]\033[0m $*" >&2; }
|
|
40
|
+
warn() { echo -e "\033[33m[direxio]\033[0m $*" >&2; }
|
|
41
|
+
fail() { echo -e "\033[31m[direxio][FATAL]\033[0m $*" >&2; exit 1; }
|
|
42
42
|
is_yes() {
|
|
43
43
|
case "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" in
|
|
44
44
|
y|yes|true|1) return 0 ;;
|
|
@@ -88,8 +88,8 @@ _windows_current_user() {
|
|
|
88
88
|
|
|
89
89
|
# Initialize state.json for a new deployment.
|
|
90
90
|
state_init() {
|
|
91
|
-
mkdir -p "$
|
|
92
|
-
local run_id=${RUN_ID:-
|
|
91
|
+
mkdir -p "$DIREXIO_WORKDIR"
|
|
92
|
+
local run_id=${RUN_ID:-direxio-$(date -u +%Y%m%d-%H%M%S)}
|
|
93
93
|
: > "$STATE_JSON"
|
|
94
94
|
json_mutate "$STATE_JSON" state-init "$run_id" "${AWS_DEFAULT_REGION:-${AWS_REGION:-}}" "$(_now)" "${PHASES[@]}"
|
|
95
95
|
log "Initialized state.json -> $STATE_JSON (run_id=$run_id)"
|
package/scripts/orchestrate.ps1
CHANGED
|
@@ -75,9 +75,9 @@ if (-not $env:DIREXIO_AGENT_WORKSPACE) {
|
|
|
75
75
|
$env:DIREXIO_AGENT_WORKSPACE_WINDOWS = (Get-Location).ProviderPath
|
|
76
76
|
}
|
|
77
77
|
|
|
78
|
-
if ($env:
|
|
79
|
-
$env:
|
|
80
|
-
$env:
|
|
78
|
+
if ($env:DIREXIO_WORKDIR) {
|
|
79
|
+
$env:DIREXIO_WORKDIR_WINDOWS = $env:DIREXIO_WORKDIR
|
|
80
|
+
$env:DIREXIO_WORKDIR = ConvertTo-GitBashPath $env:DIREXIO_WORKDIR
|
|
81
81
|
}
|
|
82
82
|
|
|
83
83
|
if (-not $env:DIREXIO_CODEX_COMMAND) {
|
package/scripts/orchestrate.sh
CHANGED
|
@@ -1,8 +1,8 @@
|
|
|
1
1
|
#!/usr/bin/env bash
|
|
2
|
-
# orchestrate.sh -
|
|
2
|
+
# orchestrate.sh - Direxio deployment state-machine engine.
|
|
3
3
|
#
|
|
4
|
-
# Turns "one AWS credential -> working
|
|
5
|
-
# (S0..S7). State is persisted to $
|
|
4
|
+
# Turns "one AWS credential -> working Direxio server -> local direxio-connect bridge" into 8 phases
|
|
5
|
+
# (S0..S7). State is persisted to $DIREXIO_WORKDIR/state.json and supports:
|
|
6
6
|
# - resume: continue from the first unfinished phase
|
|
7
7
|
# - checkpoints: wait for user/AWS actions without losing progress
|
|
8
8
|
# - destroy: every AWS resource is recorded for destroy.sh
|
|
@@ -21,7 +21,7 @@
|
|
|
21
21
|
set -uo pipefail
|
|
22
22
|
|
|
23
23
|
HERE=$(cd "$(dirname "$0")" && pwd)
|
|
24
|
-
|
|
24
|
+
DIREXIO_INSTALL_SCRIPTS_DIR="$HERE"
|
|
25
25
|
|
|
26
26
|
# Prefer workspace-local tools when present.
|
|
27
27
|
REPO_ROOT=$(cd "$HERE/.." && pwd)
|
|
@@ -30,7 +30,6 @@ if [ -d "$REPO_ROOT/.tools/bin" ]; then
|
|
|
30
30
|
export PATH
|
|
31
31
|
fi
|
|
32
32
|
|
|
33
|
-
P2P_WORKDIR_WAS_SET=${P2P_WORKDIR+x}
|
|
34
33
|
DIREXIO_WORKDIR_WAS_SET=${DIREXIO_WORKDIR+x}
|
|
35
34
|
|
|
36
35
|
source "$HERE/lib/state.sh"
|
|
@@ -67,8 +66,8 @@ check_deps() {
|
|
|
67
66
|
warn "Install AWS CLI v2 and configure credentials first:"
|
|
68
67
|
warn " macOS: curl 'https://awscli.amazonaws.com/AWSCLIV2.pkg' -o AWSCLIV2.pkg && sudo installer -pkg ./AWSCLIV2.pkg -target /"
|
|
69
68
|
warn " Linux x86_64: curl 'https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip' -o awscliv2.zip && unzip awscliv2.zip && sudo ./aws/install"
|
|
70
|
-
warn " Configure: aws configure --profile
|
|
71
|
-
warn " Use: export AWS_PROFILE=
|
|
69
|
+
warn " Configure: aws configure --profile direxio-deployer"
|
|
70
|
+
warn " Use: export AWS_PROFILE=direxio-deployer AWS_DEFAULT_REGION=<region>"
|
|
72
71
|
warn "See references/user-journey.md for the AWS CLI setup guide."
|
|
73
72
|
;;
|
|
74
73
|
esac
|
|
@@ -184,7 +183,7 @@ status_resume_safety() {
|
|
|
184
183
|
local current=$1 billable
|
|
185
184
|
billable=$(recorded_billable_resources)
|
|
186
185
|
if [ -n "$billable" ] || phase_at_or_after_s3 "$current"; then
|
|
187
|
-
echo "do not reset state; fix the issue and rerun with
|
|
186
|
+
echo "do not reset state; fix the issue and rerun with DIREXIO_EXISTING_STATE_ACTION=continue"
|
|
188
187
|
else
|
|
189
188
|
echo "safe to rerun the same command after the next action is complete"
|
|
190
189
|
fi
|
|
@@ -257,12 +256,12 @@ print_recovery_summary() {
|
|
|
257
256
|
|
|
258
257
|
cmd_status() {
|
|
259
258
|
if [ ! -f "$STATE_JSON" ]; then
|
|
260
|
-
if [ -z "${DOMAIN:-}" ] && [ -z "$
|
|
259
|
+
if [ -z "${DOMAIN:-}" ] && [ -z "$DIREXIO_WORKDIR_WAS_SET" ]; then
|
|
261
260
|
cmd_status_inventory
|
|
262
261
|
return 0
|
|
263
262
|
fi
|
|
264
263
|
warn "state.json not found: $STATE_JSON"
|
|
265
|
-
warn "Set DOMAIN=<service domain> or explicit
|
|
264
|
+
warn "Set DOMAIN=<service domain> or explicit DIREXIO_WORKDIR=<service dir> to inspect a specific deployment."
|
|
266
265
|
return 0
|
|
267
266
|
fi
|
|
268
267
|
echo "run_id : $(state_get run_id)"
|
|
@@ -426,7 +425,7 @@ precheck_new_deploy_domain_env() {
|
|
|
426
425
|
return 2
|
|
427
426
|
fi
|
|
428
427
|
if [ -z "$domain" ]; then
|
|
429
|
-
warn "Deployment blocked: DOMAIN is missing.
|
|
428
|
+
warn "Deployment blocked: DOMAIN is missing. Direxio requires a confirmed production Matrix server_name."
|
|
430
429
|
warn "Use this skill to prepare domain/DNS, then rerun:"
|
|
431
430
|
warn " DOMAIN=__DOMAIN__ DOMAIN_MODE=user CONFIRM_DOMAIN_BINDING=1 bash $0"
|
|
432
431
|
return 2
|
|
@@ -473,7 +472,7 @@ ensure_production_domain_selected() {
|
|
|
473
472
|
return 2
|
|
474
473
|
fi
|
|
475
474
|
if [ -z "$domain" ]; then
|
|
476
|
-
warn "Deployment blocked: DOMAIN is missing.
|
|
475
|
+
warn "Deployment blocked: DOMAIN is missing. Direxio requires a confirmed production Matrix server_name."
|
|
477
476
|
warn "Use this skill to prepare domain/DNS, then rerun:"
|
|
478
477
|
warn " DOMAIN=__DOMAIN__ DOMAIN_MODE=user CONFIRM_DOMAIN_BINDING=1 bash $0"
|
|
479
478
|
return 2
|
|
@@ -501,14 +500,14 @@ guard_existing_state() {
|
|
|
501
500
|
if [ "$(json_get "$STATE_JSON" domain_mode)" = "ec2" ]; then
|
|
502
501
|
warn "Found legacy temporary-domain deployment state (domain_mode=ec2). Production deployment no longer supports resuming this mode."
|
|
503
502
|
warn "Destroy and rebuild, or use a new service directory:"
|
|
504
|
-
warn "
|
|
503
|
+
warn " DIREXIO_EXISTING_STATE_ACTION=destroy bash $0"
|
|
505
504
|
warn " DOMAIN=__DOMAIN__ DOMAIN_MODE=user CONFIRM_DOMAIN_BINDING=1 bash $0"
|
|
506
505
|
return 2
|
|
507
506
|
fi
|
|
508
507
|
confirmed=$(json_get "$STATE_JSON" existing_state_confirmed false)
|
|
509
508
|
[ "$confirmed" = "true" ] && return 0
|
|
510
509
|
|
|
511
|
-
action=${
|
|
510
|
+
action=${DIREXIO_EXISTING_STATE_ACTION:-}
|
|
512
511
|
if [ -z "$action" ] && [ -t 0 ]; then
|
|
513
512
|
warn "Found existing deployment state with recorded AWS resources:"
|
|
514
513
|
json_entries "$STATE_JSON" resources | sed 's/^/ /' >&2
|
|
@@ -529,12 +528,12 @@ guard_existing_state() {
|
|
|
529
528
|
return 0 ;;
|
|
530
529
|
""|abort)
|
|
531
530
|
warn "Existing service state must be handled explicitly to avoid accidental reuse or duplicate EC2 creation."
|
|
532
|
-
warn "Resume:
|
|
533
|
-
warn "Rebuild:
|
|
531
|
+
warn "Resume: DIREXIO_EXISTING_STATE_ACTION=continue bash $0"
|
|
532
|
+
warn "Rebuild: DIREXIO_EXISTING_STATE_ACTION=destroy bash $0"
|
|
534
533
|
warn "New service: DOMAIN=__DOMAIN__ DOMAIN_MODE=user CONFIRM_DOMAIN_BINDING=1 bash $0"
|
|
535
534
|
return 2 ;;
|
|
536
535
|
*)
|
|
537
|
-
warn "Unknown
|
|
536
|
+
warn "Unknown DIREXIO_EXISTING_STATE_ACTION=$action (expected continue|destroy|abort)."
|
|
538
537
|
return 2 ;;
|
|
539
538
|
esac
|
|
540
539
|
}
|
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
#!/usr/bin/env bash
|
|
2
2
|
# S2 DOMAIN_DECISION — validate the production Matrix server_name.
|
|
3
3
|
#
|
|
4
|
-
#
|
|
4
|
+
# Direxio production deployments require a real, long-lived domain. Temporary
|
|
5
5
|
# sslip.io/public-IP domains are intentionally not part of this interface.
|
|
6
6
|
#
|
|
7
7
|
# Supported modes:
|
|
@@ -9,7 +9,7 @@
|
|
|
9
9
|
# DOMAIN_MODE=route53 Route53 hosted zone; ops manages the A record
|
|
10
10
|
#
|
|
11
11
|
# If DOMAIN_MODE is omitted but DOMAIN is present, user mode is assumed.
|
|
12
|
-
#
|
|
12
|
+
# DIREXIO_ASSUME_DEFAULTS never chooses a domain.
|
|
13
13
|
|
|
14
14
|
S2_PHASE_DIR=$(cd "$(dirname "${BASH_SOURCE[0]:-$0}")/.." && pwd)
|
|
15
15
|
source "$S2_PHASE_DIR/lib/domain.sh"
|
|
@@ -24,7 +24,7 @@ run_phase() {
|
|
|
24
24
|
if [ -n "$domain" ]; then
|
|
25
25
|
mode=user
|
|
26
26
|
elif [ -t 0 ]; then
|
|
27
|
-
warn "
|
|
27
|
+
warn "Direxio requires a production domain as the Matrix server_name."
|
|
28
28
|
warn "Changing the domain is effectively a new homeserver identity; temporary sslip.io defaults are not supported."
|
|
29
29
|
printf "Enter the final domain (for example __DOMAIN__): " >&2
|
|
30
30
|
read -r domain
|
|
@@ -36,7 +36,7 @@ run_phase() {
|
|
|
36
36
|
mode=user
|
|
37
37
|
else
|
|
38
38
|
phase_set S2_DOMAIN waiting_user "waiting for production domain"
|
|
39
|
-
warn "Deployment blocked: DOMAIN is missing.
|
|
39
|
+
warn "Deployment blocked: DOMAIN is missing. Direxio no longer supports temporary sslip.io defaults."
|
|
40
40
|
warn "Prepare a production domain such as __DOMAIN__. Matrix server_name binds to that domain; changing it later is effectively a new homeserver identity."
|
|
41
41
|
warn "Example:"
|
|
42
42
|
warn " DOMAIN=__DOMAIN__ DOMAIN_MODE=user CONFIRM_DOMAIN_BINDING=1 bash scripts/orchestrate.sh"
|
|
@@ -18,7 +18,7 @@ run_phase() {
|
|
|
18
18
|
if [ -z "$instance_type" ]; then
|
|
19
19
|
instance_type=${INSTANCE_TYPE:-}
|
|
20
20
|
if [ -z "$instance_type" ]; then
|
|
21
|
-
if [ "${
|
|
21
|
+
if [ "${DIREXIO_ASSUME_DEFAULTS:-0}" = "1" ]; then
|
|
22
22
|
instance_type=t3.small
|
|
23
23
|
elif [ -t 0 ]; then
|
|
24
24
|
warn "Default EC2 instance type is t3.small (2 vCPU / 2GB). Do you need a larger instance?"
|
|
@@ -50,10 +50,10 @@ run_phase() {
|
|
|
50
50
|
vpc=$(res_get vpc_id)
|
|
51
51
|
local message_server_image
|
|
52
52
|
message_server_image=${MESSAGE_SERVER_IMAGE:-direxio/message-server:latest}
|
|
53
|
-
local scripts_dir=${
|
|
53
|
+
local scripts_dir=${DIREXIO_INSTALL_SCRIPTS_DIR:-${HERE:-$S3_PHASE_DIR}}
|
|
54
54
|
|
|
55
55
|
# 1) Key pair (idempotent).
|
|
56
|
-
local keyfile="$
|
|
56
|
+
local keyfile="$DIREXIO_WORKDIR/${name}.pem"
|
|
57
57
|
if [ -z "$(res_get key_name)" ]; then
|
|
58
58
|
log "Creating key pair $name ..."
|
|
59
59
|
aws ec2 create-key-pair --key-name "$name" --query KeyMaterial --output text > "$keyfile"
|
|
@@ -69,7 +69,7 @@ run_phase() {
|
|
|
69
69
|
warn "Security group opens 22/80/443, TURN 3478 tcp/udp, and 49160-49200/udp to 0.0.0.0/0."
|
|
70
70
|
warn "Keep the SSH private key, AWS credentials, and password secure."
|
|
71
71
|
sg=$(aws ec2 create-security-group --group-name "$name" \
|
|
72
|
-
--description "
|
|
72
|
+
--description "direxio $name" --vpc-id "$vpc" --query GroupId --output text)
|
|
73
73
|
res_set sg_id "$sg"
|
|
74
74
|
local p
|
|
75
75
|
for p in 22 80 443; do
|
|
@@ -95,7 +95,7 @@ run_phase() {
|
|
|
95
95
|
warn "S3 requires a production DOMAIN. Complete S2_DOMAIN first."
|
|
96
96
|
return 2
|
|
97
97
|
fi
|
|
98
|
-
local userdata="$
|
|
98
|
+
local userdata="$DIREXIO_WORKDIR/user-data.yaml"
|
|
99
99
|
log "Rendering cloud-init (domain_mode=$domain_mode)..."
|
|
100
100
|
bash "$scripts_dir/render/render-userdata.sh" \
|
|
101
101
|
--domain "$domain" \
|
|
@@ -215,7 +215,7 @@ _upsert_route53_record() {
|
|
|
215
215
|
change_file=$(mktemp)
|
|
216
216
|
cat > "$change_file" <<EOF
|
|
217
217
|
{
|
|
218
|
-
"Comment": "
|
|
218
|
+
"Comment": "Direxio deployment",
|
|
219
219
|
"Changes": [
|
|
220
220
|
{
|
|
221
221
|
"Action": "UPSERT",
|
|
@@ -8,7 +8,7 @@ run_phase() {
|
|
|
8
8
|
domain=$(state_get domain)
|
|
9
9
|
pubip=$(res_get public_ip)
|
|
10
10
|
keyfile=$(res_get key_file)
|
|
11
|
-
local out="$
|
|
11
|
+
local out="$DIREXIO_WORKDIR/outputs.json" raw
|
|
12
12
|
raw=$(mktemp)
|
|
13
13
|
trap 'rm -f "${raw:-}"; trap - RETURN' RETURN
|
|
14
14
|
|
|
@@ -36,5 +36,5 @@ echo "Application data reset complete on the existing node."
|
|
|
36
36
|
echo "Caddy TLS storage was preserved."
|
|
37
37
|
echo "Old user confirmations and runtime checks were cleared."
|
|
38
38
|
echo "$bridge_stop_message"
|
|
39
|
-
echo "Local S4-S7 gates were reset; rerun orchestrate with
|
|
39
|
+
echo "Local S4-S7 gates were reset; rerun orchestrate with DIREXIO_EXISTING_STATE_ACTION=continue."
|
|
40
40
|
echo "operation report: $report"
|