refactor(scripts): parameterize hostnames in deployment scripts

- setup-host.sh: add SILO_DB_HOST and SILO_MINIO_HOST env var
  overrides, update Go version from 1.23 to 1.24, expand generated
  silod.env template with session secret and admin password fields
- deploy.sh: add SILO_DEPLOY_TARGET and SILO_DB_HOST env var
  overrides for target host and database host
- setup-ipa-nginx.sh: replace hardcoded hostname with SILO_HOSTNAME
  env var (default: silo.example.internal), parameterize SILO_PORT,
  use variable substitution in nginx config template

All scripts retain backward-compatible defaults.

scripts/deploy.sh

@@ -1,18 +1,23 @@
 #!/bin/bash
-# Deploy Silo to silo.example.internal
+# Deploy Silo to a target host
 #
 # Usage: ./scripts/deploy.sh [host]
-#   host defaults to silo.example.internal
+#   host defaults to SILO_DEPLOY_TARGET env var, or silo.example.internal
 #
 # Prerequisites:
 #   - SSH access to the target host
 #   - /etc/silo/silod.env must exist on target with credentials filled in
-#   - PostgreSQL reachable from target at psql.example.internal
-#   - MinIO reachable from target at minio.example.internal
+#   - PostgreSQL reachable from target (set SILO_DB_HOST to override)
+#   - MinIO reachable from target (set SILO_MINIO_HOST to override)
+#
+# Environment variables:
+#   SILO_DEPLOY_TARGET  - target host (default: silo.example.internal)
+#   SILO_DB_HOST        - PostgreSQL host (default: psql.example.internal)
 
 set -euo pipefail
 
-TARGET="${1:-silo.example.internal}"
+TARGET="${1:-${SILO_DEPLOY_TARGET:-silo.example.internal}}"
+DB_HOST="${SILO_DB_HOST:-psql.example.internal}"
 DEPLOY_DIR="/opt/silo"
 CONFIG_DIR="/etc/silo"
 SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
@@ -104,7 +109,7 @@ echo "  Files installed to $DEPLOY_DIR"
 REMOTE
 
 echo "[6/6] Running migrations and starting service..."
-ssh "$TARGET" bash -s <<'REMOTE'
+ssh "$TARGET" DB_HOST="$DB_HOST" bash -s <<'REMOTE'
 set -euo pipefail
 
 DEPLOY_DIR="/opt/silo"
@@ -123,14 +128,14 @@ if command -v psql &>/dev/null && [ -n "${SILO_DB_PASSWORD:-}" ]; then
     for f in "$DEPLOY_DIR/migrations/"*.sql; do
         echo "    $(basename "$f")"
         PGPASSWORD="$SILO_DB_PASSWORD" psql \
-            -h psql.example.internal -p 5432 \
+            -h "$DB_HOST" -p 5432 \
             -U silo -d silo \
             -f "$f" -q 2>&1 | grep -v "already exists" || true
     done
     echo "  Migrations complete."
 else
     echo "  WARNING: psql not available or SILO_DB_PASSWORD not set, skipping migrations."
-    echo "  Run migrations manually: PGPASSWORD=... psql -h psql.example.internal -U silo -d silo -f /opt/silo/migrations/NNN_name.sql"
+    echo "  Run migrations manually: PGPASSWORD=... psql -h $DB_HOST -U silo -d silo -f /opt/silo/migrations/NNN_name.sql"
 fi
 
 # Start service

scripts/setup-host.sh

@@ -28,7 +28,9 @@ REPO_URL="${SILO_REPO_URL:-https://git.kindred-systems.com/kindred/silo.git}"
 REPO_BRANCH="${SILO_BRANCH:-main}"
 INSTALL_DIR="/opt/silo"
 CONFIG_DIR="/etc/silo"
-GO_VERSION="1.23.0"
+GO_VERSION="1.24.0"
+DB_HOST="${SILO_DB_HOST:-psql.example.internal}"
+MINIO_HOST="${SILO_MINIO_HOST:-minio.example.internal}"
 
 log_info() { echo -e "${BLUE}[INFO]${NC} $*"; }
 log_success() { echo -e "${GREEN}[OK]${NC} $*"; }
@@ -155,21 +157,28 @@ log_success "Directories created"
 ENV_FILE="${CONFIG_DIR}/silod.env"
 if [[ ! -f "${ENV_FILE}" ]]; then
     log_info "Creating environment file..."
-    cat > "${ENV_FILE}" << 'EOF'
+    cat > "${ENV_FILE}" << EOF
 # Silo daemon environment variables
 # Fill in the values below
 
-# Database credentials (psql.example.internal)
+# Database credentials (${DB_HOST})
 # Database: silo, User: silo
 SILO_DB_PASSWORD=
 
-# MinIO credentials (minio.example.internal)
+# MinIO credentials (${MINIO_HOST})
 # User: silouser
 SILO_MINIO_ACCESS_KEY=silouser
 SILO_MINIO_SECRET_KEY=
 
+# Authentication
+# Session secret (required when auth is enabled)
+SILO_SESSION_SECRET=
+# Default admin account (created on first startup if both are set)
+SILO_ADMIN_USERNAME=admin
+SILO_ADMIN_PASSWORD=
+
 # Optional overrides
-# SILO_SERVER_BASE_URL=http://silo.example.internal:8080
+# SILO_SERVER_BASE_URL=http://\$(hostname -f):8080
 EOF
     chmod 600 "${ENV_FILE}"
     chown root:silo "${ENV_FILE}"
@@ -214,10 +223,10 @@ echo "1. Edit ${ENV_FILE} and fill in credentials:"
 echo "   sudo nano ${ENV_FILE}"
 echo ""
 echo "2. Verify database connectivity:"
-echo "   psql -h psql.example.internal -U silo -d silo -c 'SELECT 1'"
+echo "   psql -h ${DB_HOST} -U silo -d silo -c 'SELECT 1'"
 echo ""
 echo "3. Verify MinIO connectivity:"
-echo "   curl -I http://minio.example.internal:9000/minio/health/live"
+echo "   curl -I http://${MINIO_HOST}:9000/minio/health/live"
 echo ""
 echo "4. Run the deployment:"
 echo "   sudo ${INSTALL_DIR}/src/scripts/deploy.sh"

scripts/setup-ipa-nginx.sh

@@ -8,7 +8,7 @@
 #
 # Prerequisites:
 #   - FreeIPA server at ipa.example.internal
-#   - DNS configured for silo.example.internal
+#   - DNS configured for the silo host (set SILO_HOSTNAME to override default)
 #   - Admin credentials for IPA enrollment
 
 set -euo pipefail
@@ -24,9 +24,9 @@ NC='\033[0m'
 IPA_SERVER="${IPA_SERVER:-ipa.example.internal}"
 IPA_DOMAIN="${IPA_DOMAIN:-example.internal}"
 IPA_REALM="${IPA_REALM:-KINDRED.INTERNAL}"
-HOSTNAME="silo.example.internal"
+SILO_HOSTNAME="${SILO_HOSTNAME:-silo.example.internal}"
 CERT_DIR="/etc/ssl/silo"
-SILO_PORT=8080
+SILO_PORT="${SILO_PORT:-8080}"
 
 log_info() { echo -e "${BLUE}[INFO]${NC} $*"; }
 log_success() { echo -e "${GREEN}[OK]${NC} $*"; }
@@ -77,8 +77,8 @@ log_success "Packages installed"
 #
 # Step 2: Set hostname
 #
-log_info "Setting hostname to ${HOSTNAME}..."
-hostnamectl set-hostname "${HOSTNAME}"
+log_info "Setting hostname to ${SILO_HOSTNAME}..."
+hostnamectl set-hostname "${SILO_HOSTNAME}"
 log_success "Hostname set"
 
 #
@@ -95,7 +95,7 @@ else
         --server="${IPA_SERVER}" \
         --domain="${IPA_DOMAIN}" \
         --realm="${IPA_REALM}" \
-        --hostname="${HOSTNAME}" \
+        --hostname="${SILO_HOSTNAME}" \
         --mkhomedir \
         --enable-dns-updates \
         --unattended \
@@ -105,7 +105,7 @@ else
                 --server="${IPA_SERVER}" \
                 --domain="${IPA_DOMAIN}" \
                 --realm="${IPA_REALM}" \
-                --hostname="${HOSTNAME}" \
+                --hostname="${SILO_HOSTNAME}" \
                 --mkhomedir \
                 --enable-dns-updates
         }
@@ -135,9 +135,9 @@ else
     ipa-getcert request \
         -f "${CERT_DIR}/silo.crt" \
         -k "${CERT_DIR}/silo.key" \
-        -K "HTTP/${HOSTNAME}" \
-        -D "${HOSTNAME}" \
-        -N "CN=${HOSTNAME}" \
+        -K "HTTP/${SILO_HOSTNAME}" \
+        -D "${SILO_HOSTNAME}" \
+        -N "CN=${SILO_HOSTNAME}" \
         -C "systemctl reload nginx"
 
     log_info "Waiting for certificate to be issued..."
@@ -186,14 +186,14 @@ if [[ -f /etc/nginx/sites-enabled/default ]]; then
 fi
 
 # Create silo nginx config
-cat > /etc/nginx/sites-available/silo << 'NGINX_EOF'
+cat > /etc/nginx/sites-available/silo << NGINX_EOF
 # Silo API Server - Nginx Reverse Proxy Configuration
 
 # Redirect HTTP to HTTPS
 server {
     listen 80;
     listen [::]:80;
-    server_name silo.example.internal;
+    server_name ${SILO_HOSTNAME};
 
     # Allow certmonger/ACME challenges
     location /.well-known/ {
@@ -201,7 +201,7 @@ server {
     }
 
     location / {
-        return 301 https://$server_name$request_uri;
+        return 301 https://\\$server_name\\$request_uri;
     }
 }
 
@@ -209,11 +209,11 @@ server {
 server {
     listen 443 ssl http2;
     listen [::]:443 ssl http2;
-    server_name silo.example.internal;
+    server_name ${SILO_HOSTNAME};
 
     # SSL certificates (managed by certmonger/IPA)
-    ssl_certificate /etc/ssl/silo/silo.crt;
-    ssl_certificate_key /etc/ssl/silo/silo.key;
+    ssl_certificate ${CERT_DIR}/silo.crt;
+    ssl_certificate_key ${CERT_DIR}/silo.key;
 
     # SSL configuration
     ssl_protocols TLSv1.2 TLSv1.3;
@@ -226,7 +226,7 @@ server {
     # OCSP stapling
     ssl_stapling on;
     ssl_stapling_verify on;
-    ssl_trusted_certificate /etc/ssl/silo/ca.crt;
+    ssl_trusted_certificate ${CERT_DIR}/ca.crt;
 
     # Security headers
     add_header X-Frame-Options "SAMEORIGIN" always;
@@ -240,19 +240,19 @@ server {
 
     # Proxy settings
     location / {
-        proxy_pass http://127.0.0.1:8080;
+        proxy_pass http://127.0.0.1:${SILO_PORT};
         proxy_http_version 1.1;
 
         # Headers
-        proxy_set_header Host $host;
-        proxy_set_header X-Real-IP $remote_addr;
-        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-        proxy_set_header X-Forwarded-Proto $scheme;
-        proxy_set_header X-Forwarded-Host $host;
-        proxy_set_header X-Forwarded-Port $server_port;
+        proxy_set_header Host \\$host;
+        proxy_set_header X-Real-IP \\$remote_addr;
+        proxy_set_header X-Forwarded-For \\$proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto \\$scheme;
+        proxy_set_header X-Forwarded-Host \\$host;
+        proxy_set_header X-Forwarded-Port \\$server_port;
 
         # WebSocket support (for future use)
-        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Upgrade \\$http_upgrade;
         proxy_set_header Connection "upgrade";
 
         # Timeouts
@@ -343,14 +343,14 @@ echo "   getcert list"
 echo ""
 echo "2. Update silo config to use correct base URL:"
 echo "   sudo nano /etc/silo/config.yaml"
-echo "   # Change base_url to: https://silo.example.internal"
+echo "   # Change base_url to: https://${SILO_HOSTNAME}"
 echo ""
 echo "3. Restart silo service:"
 echo "   sudo systemctl restart silod"
 echo ""
 echo "4. Test the setup:"
-echo "   curl -k https://silo.example.internal/health"
-echo "   curl https://silo.example.internal/health  # after trusting IPA CA"
+echo "   curl -k https://${SILO_HOSTNAME}/health"
+echo "   curl https://${SILO_HOSTNAME}/health  # after trusting IPA CA"
 echo ""
 echo "5. Trust IPA CA on client machines:"
 echo "   # The CA cert is at: ${CERT_DIR}/ca.crt"