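#!/usr/bin/env bash
#
# Silo Host Setup Script
# Run this on silo.kindred.internal to prepare for deployment
#
# Usage:
#   sudo ./scripts/setup-host.sh
#
# This script:
#   1. Creates the silo system user
#   2. Creates required directories
#   3. Sets up the environment file template
#   4. Configures sudoers for deploy user
#
# Notes on the sudoers rules:
#   - The rules contain no wildcards. sudo matches command-line arguments as
#     one space-separated string, so a rule such as
#     "chmod * /opt/silo/bin/silod" also matches
#     "chmod 4755 /etc/shadow /opt/silo/bin/silod" and is root-equivalent.
#     Owners and modes are therefore spelled out, and the deploy pipeline
#     must issue exactly the commands listed below (adjust the modes here if
#     the pipeline needs different ones).
#   - "systemctl status" is only allowed with --no-pager: an interactive pager
#     started by a NOPASSWD root command is a shell as root.
#   - Journal access is granted through the systemd-journal group instead of
#     a sudo rule, so no root privilege is involved in reading logs.
#   - Because the deploy user may install silod.service and run daemon-reload,
#     it can run arbitrary commands as root through the unit file. That is
#     inherent in the current deployment design; treat the deploy SSH key
#     accordingly.
#   - Artefacts are staged under /tmp, which every local user can write to.
#     The paths are kept so the existing pipeline keeps working; a staging
#     directory owned by the deploy user would be safer.
set -euo pipefail

# Colors (real escape characters, so printf '%s' can print them)
readonly RED=$'\033[0;31m'
readonly GREEN=$'\033[0;32m'
readonly YELLOW=$'\033[1;33m'
readonly NC=$'\033[0m'

# Diagnostics: info/warn to stdout, errors to stderr.
log_info()  { printf '%s[INFO]%s %s\n' "${GREEN}" "${NC}" "$*"; }
log_warn()  { printf '%s[WARN]%s %s\n' "${YELLOW}" "${NC}" "$*"; }
log_error() { printf '%s[ERROR]%s %s\n' "${RED}" "${NC}" "$*" >&2; }

# Check root
if [[ $EUID -ne 0 ]]; then
  log_error "This script must be run as root (use sudo)"
  exit 1
fi

log_info "Setting up Silo host..."

# Create silo system user (for running the service)
if ! id -u silo >/dev/null 2>&1; then
  log_info "Creating silo user..."
  useradd -r -m -d /opt/silo -s /sbin/nologin -c "Silo Service" silo
  log_info "Created user: silo"
else
  log_info "User silo already exists"
fi

# Create deploy user (for CI/CD deployments)
readonly DEPLOY_USER="deploy"
if ! id -u "${DEPLOY_USER}" >/dev/null 2>&1; then
  log_info "Creating deploy user..."
  useradd -m -s /bin/bash -c "Deployment User" "${DEPLOY_USER}"
  log_info "Created user: ${DEPLOY_USER}"
  log_warn "Remember to add SSH public key to /home/${DEPLOY_USER}/.ssh/authorized_keys"
else
  log_info "User ${DEPLOY_USER} already exists"
fi

# Journal read access without sudo (replaces a wildcard journalctl sudo rule).
# usermod -aG is idempotent, so this is safe on re-runs.
if getent group systemd-journal >/dev/null; then
  usermod -aG systemd-journal "${DEPLOY_USER}"
  log_info "Added ${DEPLOY_USER} to group systemd-journal (journal read access)"
else
  log_warn "Group systemd-journal not found; grant ${DEPLOY_USER} journal read access manually"
fi

# Create directories
log_info "Creating directories..."
mkdir -p /opt/silo/bin /etc/silo/schemas /var/log/silo

# Set ownership.
# /opt/silo is the service user's home, but the directory holding the binary
# stays root-owned so a compromised service cannot replace its own executable.
chown silo:silo /opt/silo
chown root:silo /opt/silo/bin
chmod 750 /opt/silo/bin
chown root:silo /etc/silo
chmod 750 /etc/silo
chown root:silo /etc/silo/schemas
chmod 750 /etc/silo/schemas
chown silo:silo /var/log/silo
chmod 750 /var/log/silo
log_info "Directories created"

# Create environment file if it doesn't exist
readonly ENV_FILE="/etc/silo/silod.env"
if [[ ! -f "${ENV_FILE}" ]]; then
  log_info "Creating environment file template..."
  # Create the file with its final owner and mode first, then fill it, so it
  # is never readable by others even for an instant. 0600 root:silo assumes
  # the unit loads it via EnvironmentFile= (read by the manager as root);
  # if silod reads the file itself as user silo, relax this to 0640.
  install -m 0600 -o root -g silo /dev/null "${ENV_FILE}"
  cat > "${ENV_FILE}" <<'EOF'
# Silo daemon environment variables
# Fill in the values below

# Database credentials (psql.kindred.internal)
SILO_DB_PASSWORD=

# MinIO credentials (minio.kindred.internal)
# User: silouser
SILO_MINIO_ACCESS_KEY=silouser
SILO_MINIO_SECRET_KEY=

# Optional overrides
# SILO_SERVER_BASE_URL=http://silo.kindred.internal:8080
EOF
  log_warn "Edit ${ENV_FILE} and fill in credentials!"
else
  log_info "Environment file already exists: ${ENV_FILE}"
fi

# Configure sudoers for deploy user
readonly SUDOERS_FILE="/etc/sudoers.d/silo-deploy"
log_info "Configuring sudoers for deploy user..."

# Write to a private temp file and validate it BEFORE installing: a file in
# sudoers.d with a syntax error disables sudo for the whole host, so the live
# file must never hold unvalidated content.
sudoers_tmp=$(mktemp) || { log_error "mktemp failed"; exit 1; }
trap 'rm -f -- "${sudoers_tmp}"' EXIT

# Unquoted heredoc: ${DEPLOY_USER} expands; "\\:" becomes "\:" in the file
# (sudoers requires ':' in arguments to be escaped).
cat > "${sudoers_tmp}" <<EOF
# Allow deploy user to manage silo service without password.
# No wildcards: sudo matches arguments as a single string.
${DEPLOY_USER} ALL=(ALL) NOPASSWD: /bin/systemctl start silod
${DEPLOY_USER} ALL=(ALL) NOPASSWD: /bin/systemctl stop silod
${DEPLOY_USER} ALL=(ALL) NOPASSWD: /bin/systemctl restart silod
${DEPLOY_USER} ALL=(ALL) NOPASSWD: /bin/systemctl status silod --no-pager
${DEPLOY_USER} ALL=(ALL) NOPASSWD: /bin/systemctl enable silod
${DEPLOY_USER} ALL=(ALL) NOPASSWD: /bin/systemctl disable silod
${DEPLOY_USER} ALL=(ALL) NOPASSWD: /bin/systemctl is-active silod
${DEPLOY_USER} ALL=(ALL) NOPASSWD: /bin/systemctl daemon-reload

# Allow deploy user to install silo files (exact paths, owners and modes).
# Schemas are replaced as a whole directory: remove the old one, move the
# staged one into place, then fix ownership and modes.
${DEPLOY_USER} ALL=(ALL) NOPASSWD: /bin/mv /tmp/silod.new /opt/silo/bin/silod
${DEPLOY_USER} ALL=(ALL) NOPASSWD: /bin/mv /tmp/silod /opt/silo/bin/silod
${DEPLOY_USER} ALL=(ALL) NOPASSWD: /bin/mv /tmp/config.yaml /etc/silo/config.yaml
${DEPLOY_USER} ALL=(ALL) NOPASSWD: /bin/mv /tmp/silod.service /etc/systemd/system/silod.service
${DEPLOY_USER} ALL=(ALL) NOPASSWD: /bin/rm -rf /etc/silo/schemas
${DEPLOY_USER} ALL=(ALL) NOPASSWD: /bin/mv /tmp/silo-schemas /etc/silo/schemas
${DEPLOY_USER} ALL=(ALL) NOPASSWD: /bin/chown root\\:silo /opt/silo/bin/silod
${DEPLOY_USER} ALL=(ALL) NOPASSWD: /bin/chmod 0750 /opt/silo/bin/silod
${DEPLOY_USER} ALL=(ALL) NOPASSWD: /bin/chown root\\:silo /etc/silo/config.yaml
${DEPLOY_USER} ALL=(ALL) NOPASSWD: /bin/chmod 0640 /etc/silo/config.yaml
${DEPLOY_USER} ALL=(ALL) NOPASSWD: /bin/chown root\\:root /etc/systemd/system/silod.service
${DEPLOY_USER} ALL=(ALL) NOPASSWD: /bin/chmod 0644 /etc/systemd/system/silod.service
${DEPLOY_USER} ALL=(ALL) NOPASSWD: /bin/chown -R root\\:silo /etc/silo/schemas
${DEPLOY_USER} ALL=(ALL) NOPASSWD: /bin/chmod -R 0750 /etc/silo/schemas
EOF

# Validate sudoers, then install atomically with the final mode.
if visudo -cf "${sudoers_tmp}"; then
  install -m 0440 -o root -g root "${sudoers_tmp}" "${SUDOERS_FILE}"
  log_info "Sudoers configuration valid"
else
  log_error "Sudoers configuration invalid!"
  exit 1
fi

# Create SSH directory for deploy user
readonly DEPLOY_SSH_DIR="/home/${DEPLOY_USER}/.ssh"
if [[ ! -d "${DEPLOY_SSH_DIR}" ]]; then
  # install creates directory and file with owner and mode in one step.
  install -d -m 0700 -o "${DEPLOY_USER}" -g "${DEPLOY_USER}" "${DEPLOY_SSH_DIR}"
  install -m 0600 -o "${DEPLOY_USER}" -g "${DEPLOY_USER}" /dev/null \
    "${DEPLOY_SSH_DIR}/authorized_keys"
  log_info "Created SSH directory for deploy user"
fi

# Summary
echo ""
log_info "============================================"
log_info "Host setup complete!"
log_info "============================================"
cat <<EOF

Next steps:

1. Edit /etc/silo/silod.env and fill in credentials:
   sudo nano /etc/silo/silod.env

2. Add the CI/CD SSH public key to deploy user:
   echo 'ssh-ed25519 AAAA...' >> /home/${DEPLOY_USER}/.ssh/authorized_keys

3. Verify connectivity from CI/CD server:
   ssh ${DEPLOY_USER}@silo.kindred.internal 'echo OK'

4. Test database connectivity:
   psql -h psql.kindred.internal -U silo -d silo -c 'SELECT 1'

5. Test MinIO connectivity:
   curl -I https://minio.kindred.internal:9000/minio/health/live

EOF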