sisyphi 1.1.19 → 1.1.24

package/deploy/aws/main.tf

@@ -0,0 +1,121 @@
+locals {
+  default_sizes = {
+    arm = "t4g.medium"
+    x86 = "t3.medium"
+  }
+  resolved_size = var.size != "" ? var.size : local.default_sizes[var.arch]
+
+  ami_arch = var.arch == "arm" ? "arm64" : "amd64"
+
+  user_data = templatefile("${path.module}/../shared/cloud-init.yaml.tpl", {
+    ssh_pubkey         = var.ssh_pubkey
+    ts_authkey         = var.ts_authkey
+    hostname           = var.name
+    sisyphus_version   = var.sisyphus_version
+    with_chromium      = var.with_chromium
+    enable_auto_update = var.enable_auto_update
+    sisyphusd_unit     = file("${path.module}/../shared/sisyphusd.service.tpl")
+    tmux_osc52_conf    = file("${path.module}/../shared/tmux-osc52.conf")
+    pbcopy_shim        = file("${path.module}/../shared/bin/pbcopy-shim")
+    pbpaste_shim       = file("${path.module}/../shared/bin/pbpaste-shim")
+  })
+}
+
+# Canonical Ubuntu 24.04 LTS AMI matching the requested arch.
+data "aws_ami" "ubuntu" {
+  most_recent = true
+  owners      = ["099720109477"] # Canonical
+
+  filter {
+    name   = "name"
+    values = ["ubuntu/images/hvm-ssd-gp3/ubuntu-noble-24.04-${local.ami_arch}-server-*"]
+  }
+
+  filter {
+    name   = "virtualization-type"
+    values = ["hvm"]
+  }
+}
+
+# Default VPC + subnet when not overridden.
+data "aws_vpc" "selected" {
+  count   = var.vpc_id == "" ? 1 : 0
+  default = true
+}
+
+data "aws_subnets" "selected" {
+  count = var.vpc_id == "" && var.subnet_id == "" ? 1 : 0
+  filter {
+    name   = "vpc-id"
+    values = [data.aws_vpc.selected[0].id]
+  }
+  filter {
+    name   = "default-for-az"
+    values = ["true"]
+  }
+}
+
+locals {
+  effective_vpc_id    = var.vpc_id == "" ? data.aws_vpc.selected[0].id : var.vpc_id
+  effective_subnet_id = var.subnet_id != "" ? var.subnet_id : data.aws_subnets.selected[0].ids[0]
+}
+
+resource "aws_key_pair" "this" {
+  key_name   = "${var.name}-deploy"
+  public_key = var.ssh_pubkey
+}
+
+resource "aws_security_group" "this" {
+  name        = "${var.name}-sisyphus"
+  description = "sisyphus deploy: deny public 22, allow Tailscale UDP 41641 + ICMP"
+  vpc_id      = local.effective_vpc_id
+
+  # Tailscale WireGuard endpoint discovery. SG only sees public traffic
+  # on eth0; tailscale0 traffic is userspace and bypasses the SG.
+  ingress {
+    from_port   = 41641
+    to_port     = 41641
+    protocol    = "udp"
+    cidr_blocks = ["0.0.0.0/0"]
+    description = "Tailscale WireGuard"
+  }
+
+  ingress {
+    from_port   = -1
+    to_port     = -1
+    protocol    = "icmp"
+    cidr_blocks = ["0.0.0.0/0"]
+    description = "ICMP for ping debugging"
+  }
+
+  egress {
+    from_port   = 0
+    to_port     = 0
+    protocol    = "-1"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+
+  tags = {
+    "managed-by" = "sisyphus-deploy"
+  }
+}
+
+resource "aws_instance" "this" {
+  ami                         = data.aws_ami.ubuntu.id
+  instance_type               = local.resolved_size
+  subnet_id                   = local.effective_subnet_id
+  vpc_security_group_ids      = [aws_security_group.this.id]
+  key_name                    = aws_key_pair.this.key_name
+  associate_public_ip_address = true
+  user_data                   = local.user_data
+
+  root_block_device {
+    volume_size = 30
+    volume_type = "gp3"
+  }
+
+  tags = {
+    Name         = var.name
+    "managed-by" = "sisyphus-deploy"
+  }
+}

package/deploy/aws/outputs.tf

@@ -0,0 +1,18 @@
+output "ipv4" {
+  value       = aws_instance.this.public_ip
+  description = "Public IPv4 (firewalled — only Tailscale UDP + ICMP reach the box)."
+}
+
+output "tailscale_hostname" {
+  value       = var.name
+  description = "Tailscale node name. The full MagicDNS hostname is <name>.<your-tailnet>.ts.net once the node joins."
+}
+
+output "ssh_command" {
+  value       = "ssh sisyphus@${var.name}"
+  description = "SSH command via Tailscale MagicDNS (works once the node has joined the tailnet)."
+}
+
+output "instance_type" {
+  value = aws_instance.this.instance_type
+}

package/deploy/aws/variables.tf

@@ -0,0 +1,69 @@
+variable "name" {
+  type        = string
+  default     = "sisyphus"
+  description = "Hostname / Tailscale node name. Also used for tagging."
+}
+
+variable "region" {
+  type        = string
+  default     = "us-east-1"
+  description = "AWS region (e.g. us-east-1, eu-west-1)."
+}
+
+variable "arch" {
+  type        = string
+  default     = "arm"
+  description = "CPU arch family: 'arm' (default t4g.medium) or 'x86' (default t3.medium). Drives AMI selection."
+
+  validation {
+    condition     = contains(["arm", "x86"], var.arch)
+    error_message = "arch must be 'arm' or 'x86'."
+  }
+}
+
+variable "size" {
+  type        = string
+  default     = ""
+  description = "EC2 instance type. If empty, picks t4g.medium for arm / t3.medium for x86."
+}
+
+variable "ssh_pubkey" {
+  type        = string
+  description = "SSH public key to authorize."
+}
+
+variable "ts_authkey" {
+  type        = string
+  sensitive   = true
+  description = "Tailscale auth key (ephemeral, single-use, tagged) — minted by sisyphus deploy runner."
+}
+
+variable "sisyphus_version" {
+  type        = string
+  default     = "latest"
+  description = "npm dist-tag or version of sisyphi to install."
+}
+
+variable "with_chromium" {
+  type        = bool
+  default     = true
+  description = "Install headless Chromium + Playwright deps."
+}
+
+variable "enable_auto_update" {
+  type        = bool
+  default     = true
+  description = "Enable daily auto-update systemd timer."
+}
+
+variable "vpc_id" {
+  type        = string
+  default     = ""
+  description = "VPC ID. Empty → use the account's default VPC."
+}
+
+variable "subnet_id" {
+  type        = string
+  default     = ""
+  description = "Subnet ID. Empty → pick the first default subnet in the VPC."
+}

package/deploy/aws/versions.tf

@@ -0,0 +1,16 @@
+terraform {
+  required_version = ">= 1.5"
+
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 5.70"
+    }
+  }
+}
+
+provider "aws" {
+  region = var.region
+  # AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY env vars are loaded by the
+  # sisyphus deploy runner from ~/.sisyphus/deploy/aws.env.
+}

package/deploy/hetzner/.terraform.lock.hcl

@@ -0,0 +1,23 @@
+# This file is maintained automatically by "terraform init".
+# Manual edits may be lost in future updates.
+
+provider "registry.terraform.io/hetznercloud/hcloud" {
+  version     = "1.62.0"
+  constraints = "~> 1.48"
+  hashes = [
+    "h1:DxU9137L3RD43MlvGD+NQelGCnB02Mv8dtQsBtAzZlw=",
+    "zh:2077f1655b6a7e26ae6d8ce3b5f35a6a65728416deb16dbd5165115da7534f37",
+    "zh:2234db7b84efa489b8e5f29f756cfed4a5bab760985f62d38c4b9ed2b3d6b4b6",
+    "zh:4abee7212fd15bcbf22b156ff18933f3975f2b1153fd3e93a1cacf31b9d35137",
+    "zh:5d7a63a8d4c73babea715c0c7a5dc04a08b5076e2f1f59855bf61f2393017bf0",
+    "zh:5ef15b4367c139b18167b2169421cb1f760d485db42f05ef292bd63eadcfa802",
+    "zh:62b432d918815812ea35ceca252d0ea833a8e1dbbc72c6b2d410369d7b8b0d85",
+    "zh:63fd3d3803a86447f9a1c0c49bffe704168fbc907ea3688cfd847e1dd012e9ff",
+    "zh:6a84f7125dad475f939afb58a1f0ec089e835d1b30ca64f467d85565a89f7508",
+    "zh:834c2ddcaa986323ecb7aa2baa3fd7b1888c2aec249f296822e53a4bc46be66e",
+    "zh:887e503de3720894eb756bcfc67b3d8ceb68564f9f8bb2a115d7398f0b5990b7",
+    "zh:976216f9aa89a466a1d97ae776c4df2edbac4a9ab29ff9850884060d15024570",
+    "zh:c3d7fc02e0fdf1bbee3a07c9171281a59d79ad9df2ec04342a81f3875709171c",
+    "zh:e0165f404357f2c1f89524165f38c88f643fb518483adfbf7817a6033a83f4d8",
+  ]
+}

package/deploy/hetzner/main.tf

@@ -0,0 +1,69 @@
+locals {
+  default_sizes = {
+    arm = "cax11"
+    x86 = "cx22"
+  }
+  resolved_size = var.size != "" ? var.size : local.default_sizes[var.arch]
+
+  # Hetzner image names: ubuntu-24.04 covers both arch families; the API
+  # picks the matching arch based on the server type.
+  image = "ubuntu-24.04"
+
+  user_data = templatefile("${path.module}/../shared/cloud-init.yaml.tpl", {
+    ssh_pubkey         = var.ssh_pubkey
+    ts_authkey         = var.ts_authkey
+    hostname           = var.name
+    sisyphus_version   = var.sisyphus_version
+    with_chromium      = var.with_chromium
+    enable_auto_update = var.enable_auto_update
+    sisyphusd_unit     = file("${path.module}/../shared/sisyphusd.service.tpl")
+    tmux_osc52_conf    = file("${path.module}/../shared/tmux-osc52.conf")
+    pbcopy_shim        = file("${path.module}/../shared/bin/pbcopy-shim")
+    pbpaste_shim       = file("${path.module}/../shared/bin/pbpaste-shim")
+  })
+}
+
+resource "hcloud_ssh_key" "this" {
+  name       = var.name
+  public_key = var.ssh_pubkey
+}
+
+resource "hcloud_firewall" "this" {
+  name = "${var.name}-public"
+
+  # Tailscale runs over WireGuard (UDP 41641) — must reach the public
+  # internet to hand off to peers. Once tailnet is up, all sisyphus
+  # traffic flows over tailscale0; the box is otherwise unreachable.
+  rule {
+    direction  = "in"
+    protocol   = "udp"
+    port       = "41641"
+    source_ips = ["0.0.0.0/0", "::/0"]
+  }
+
+  # ICMP for ping debugging (optional; keep it open).
+  rule {
+    direction  = "in"
+    protocol   = "icmp"
+    source_ips = ["0.0.0.0/0", "::/0"]
+  }
+}
+
+resource "hcloud_server" "this" {
+  name         = var.name
+  server_type  = local.resolved_size
+  image        = local.image
+  location     = var.region
+  ssh_keys     = [hcloud_ssh_key.this.id]
+  firewall_ids = [hcloud_firewall.this.id]
+  user_data    = local.user_data
+
+  public_net {
+    ipv4_enabled = true
+    ipv6_enabled = true
+  }
+
+  labels = {
+    managed-by = "sisyphus-deploy"
+  }
+}

package/deploy/hetzner/outputs.tf

@@ -0,0 +1,18 @@
+output "ipv4" {
+  value       = hcloud_server.this.ipv4_address
+  description = "Public IPv4 (firewalled — only Tailscale + WireGuard handshake reach the box)."
+}
+
+output "tailscale_hostname" {
+  value       = var.name
+  description = "Tailscale node name. The full MagicDNS hostname is <name>.<your-tailnet>.ts.net once the node joins."
+}
+
+output "ssh_command" {
+  value       = "ssh sisyphus@${var.name}"
+  description = "SSH command via Tailscale MagicDNS (works once the node has joined the tailnet)."
+}
+
+output "instance_type" {
+  value = hcloud_server.this.server_type
+}

package/deploy/hetzner/variables.tf

@@ -0,0 +1,57 @@
+variable "name" {
+  type        = string
+  default     = "sisyphus"
+  description = "Hostname / Tailscale node name."
+}
+
+variable "region" {
+  type        = string
+  default     = "nbg1"
+  description = "Hetzner location (nbg1, fsn1, hel1, ash, hil)."
+}
+
+variable "arch" {
+  type        = string
+  default     = "arm"
+  description = "CPU arch family: 'arm' (default cax11) or 'x86' (default cx22). Ignored if size is set explicitly."
+
+  validation {
+    condition     = contains(["arm", "x86"], var.arch)
+    error_message = "arch must be 'arm' or 'x86'."
+  }
+}
+
+variable "size" {
+  type        = string
+  default     = ""
+  description = "Hetzner server type. If empty, picks cax11 for arm / cx22 for x86."
+}
+
+variable "ssh_pubkey" {
+  type        = string
+  description = "SSH public key to authorize for root and sisyphus users."
+}
+
+variable "ts_authkey" {
+  type        = string
+  sensitive   = true
+  description = "Tailscale auth key (ephemeral, single-use, tagged) — minted by sisyphus deploy runner."
+}
+
+variable "sisyphus_version" {
+  type        = string
+  default     = "latest"
+  description = "npm dist-tag or version of sisyphi to install."
+}
+
+variable "with_chromium" {
+  type        = bool
+  default     = true
+  description = "Install headless Chromium + Playwright deps."
+}
+
+variable "enable_auto_update" {
+  type        = bool
+  default     = true
+  description = "Enable daily systemd timer that runs `npm i -g sisyphi@latest` and restarts the daemon."
+}

package/deploy/hetzner/versions.tf

@@ -0,0 +1,15 @@
+terraform {
+  required_version = ">= 1.5"
+
+  required_providers {
+    hcloud = {
+      source  = "hetznercloud/hcloud"
+      version = "~> 1.48"
+    }
+  }
+}
+
+provider "hcloud" {
+  # HCLOUD_TOKEN env var is loaded by sisyphus deploy runner from
+  # ~/.sisyphus/deploy/hetzner.env before invoking terraform.
+}

package/deploy/shared/bin/pbcopy-shim

@@ -0,0 +1,5 @@
+#!/bin/sh
+# pbcopy compatibility shim for Linux. Loads stdin into the tmux paste
+# buffer and pushes via OSC 52 (-w) so the selection escapes out to the
+# user's local terminal clipboard. Requires an active tmux session.
+exec tmux load-buffer -w -

package/deploy/shared/bin/pbpaste-shim

@@ -0,0 +1,4 @@
+#!/bin/sh
+# pbpaste compatibility shim for Linux. Emits the current tmux paste
+# buffer to stdout. Requires an active tmux session.
+exec tmux save-buffer -

package/deploy/shared/cloud-init.yaml.tpl

@@ -0,0 +1,122 @@
+#cloud-config
+# Provisioned by `sisyphus deploy` — turns a clean Ubuntu 24.04 box into
+# a Tailscale-only sisyphus host. See specs/deploy.md.
+
+hostname: ${hostname}
+fqdn: ${hostname}
+preserve_hostname: false
+
+users:
+  - name: sisyphus
+    groups: [sudo]
+    shell: /bin/bash
+    sudo: 'ALL=(ALL) NOPASSWD:ALL'
+    ssh_authorized_keys:
+      - ${ssh_pubkey}
+  - name: root
+    ssh_authorized_keys:
+      - ${ssh_pubkey}
+
+write_files:
+  - path: /etc/systemd/user/sisyphusd.service
+    permissions: '0644'
+    content: |
+      ${indent(6, sisyphusd_unit)}
+
+  - path: /etc/sisyphus/tmux-osc52.conf
+    permissions: '0644'
+    content: |
+      ${indent(6, tmux_osc52_conf)}
+
+  - path: /usr/local/bin/pbcopy
+    permissions: '0755'
+    content: |
+      ${indent(6, pbcopy_shim)}
+
+  - path: /usr/local/bin/pbpaste
+    permissions: '0755'
+    content: |
+      ${indent(6, pbpaste_shim)}
+
+  - path: /etc/systemd/system/sisyphusd-update.service
+    permissions: '0644'
+    content: |
+      [Unit]
+      Description=Sisyphus auto-update
+      After=network-online.target
+      Wants=network-online.target
+
+      [Service]
+      Type=oneshot
+      ExecStart=/bin/sh -c 'npm i -g sisyphi@latest && sudo -u sisyphus XDG_RUNTIME_DIR=/run/user/$(id -u sisyphus) systemctl --user restart sisyphusd'
+
+  - path: /etc/systemd/system/sisyphusd-update.timer
+    permissions: '0644'
+    content: |
+      [Unit]
+      Description=Sisyphus auto-update daily
+
+      [Timer]
+      OnCalendar=daily
+      Persistent=true
+      RandomizedDelaySec=30min
+
+      [Install]
+      WantedBy=timers.target
+
+runcmd:
+  # 1. Base packages.
+  - apt-get update
+  - DEBIAN_FRONTEND=noninteractive apt-get install -y curl git tmux fzf neovim build-essential ufw mosh ca-certificates gnupg
+
+  # 2. Node 22 via NodeSource. /usr/bin/node, /usr/bin/npm.
+  - curl -fsSL https://deb.nodesource.com/setup_22.x | bash -
+  - DEBIAN_FRONTEND=noninteractive apt-get install -y nodejs
+
+  # 3. Tailscale. We deliberately do NOT pass --ssh: Tailscale SSH would
+  # intercept port 22 on the tailscale0 interface and require a browser-
+  # based check (per the user's tailnet ACL), blocking key-based access.
+  # System OpenSSH on tailscale0 with the user's pubkey is simpler.
+  - curl -fsSL https://tailscale.com/install.sh | sh
+  - tailscale up --authkey='${ts_authkey}' --hostname='${hostname}'
+
+  # 4. Firewall. Public 22 stays denied; tailscale0 fully open.
+  - ufw default deny incoming
+  - ufw default allow outgoing
+  - ufw allow in on tailscale0
+  - ufw --force enable
+
+  # 5. Sisyphus user — linger so user systemd survives logout.
+  - loginctl enable-linger sisyphus
+  - install -d -o sisyphus -g sisyphus -m 0755 /home/sisyphus/.config/systemd/user
+  - install -d -o sisyphus -g sisyphus -m 0755 /home/sisyphus/.sisyphus
+  - cp /etc/systemd/user/sisyphusd.service /home/sisyphus/.config/systemd/user/sisyphusd.service
+  - chown -R sisyphus:sisyphus /home/sisyphus/.config
+
+  # 6. Sisyphus install (root → /usr/bin/sisyphusd symlink).
+  - npm i -g sisyphi@${sisyphus_version}
+
+  # 7. Daemon as systemd user service.
+  - sudo -u sisyphus XDG_RUNTIME_DIR=/run/user/$(id -u sisyphus) systemctl --user daemon-reload
+  - sudo -u sisyphus XDG_RUNTIME_DIR=/run/user/$(id -u sisyphus) systemctl --user enable --now sisyphusd
+
+  # 8. Auto-update timer (system-level so npm i -g has root; restarts user daemon).
+%{ if enable_auto_update ~}
+  - systemctl daemon-reload
+  - systemctl enable --now sisyphusd-update.timer
+%{ endif ~}
+
+  # 9. Tmux config (OSC 52 + pbcopy/pbpaste shims already written above).
+  - sudo -u sisyphus bash -c 'printf "source-file /etc/sisyphus/tmux-osc52.conf\n" > /home/sisyphus/.tmux.conf'
+  - chown sisyphus:sisyphus /home/sisyphus/.tmux.conf
+
+  # 10. Keybinds. Runs after pbcopy/pbpaste are on PATH so popup scripts resolve them.
+  - sudo -u sisyphus -i sisyphus admin setup-keybind || true
+
+  # 11. Chromium for Playwright/capture (gated).
+%{ if with_chromium ~}
+  - DEBIAN_FRONTEND=noninteractive apt-get install -y chromium-browser libxss1 libnss3 libgbm1 libxkbcommon0 libasound2t64 || DEBIAN_FRONTEND=noninteractive apt-get install -y chromium libxss1 libnss3 libgbm1 libxkbcommon0 libasound2
+%{ endif ~}
+
+  # Done — marker for `sisyphus deploy <provider> up` polling loop.
+  - echo "sisyphus cloud-init done" >> /var/log/cloud-init-output.log

package/deploy/shared/sisyphusd.service.tpl

@@ -0,0 +1,17 @@
+[Unit]
+Description=Sisyphus Daemon
+After=network.target
+
+[Service]
+Type=simple
+ExecStart=/usr/bin/sisyphusd
+Restart=always
+RestartSec=5
+StandardOutput=append:%h/.sisyphus/daemon.log
+StandardError=append:%h/.sisyphus/daemon.log
+Environment=PATH=/usr/local/bin:/usr/bin:/bin
+Environment=HOME=%h
+WorkingDirectory=%h
+
+[Install]
+WantedBy=default.target

package/deploy/shared/tmux-osc52.conf

@@ -0,0 +1,10 @@
+# OSC 52 clipboard round-trip — selections inside tmux escape out to the
+# user's local terminal clipboard via OSC 52, so copy/paste works without
+# any agent on the box. Sourced from ~/.tmux.conf on sisyphus deploy boxes.
+set -g set-clipboard on
+set -ga terminal-overrides ',*:Ms=\E]52;c;%p2%s\7'
+
+# Vi-mode copy bindings push to the OSC 52 buffer.
+setw -g mode-keys vi
+bind-key -T copy-mode-vi y send-keys -X copy-pipe-and-cancel "tmux load-buffer -w -"
+bind-key -T copy-mode-vi MouseDragEnd1Pane send-keys -X copy-pipe-and-cancel "tmux load-buffer -w -"