GoSec_Cloud/gsc-ops-api
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
66bfb4ebfaf5927db2da4d552f6db97e00bedfd6
gsc-ops-api/scripts/install.sh
Claude (gsc-ops-api init) 3847eb2036 Initial import — snapshot from admin host /srv/gosec/gsc-ops-api 
This repo had no version control prior to this commit. The import is a
straight snapshot of the working tree at 2026-05-03; the deployed
binary on fihelvop01 was being rebuilt from this source via `make
build` + scp into place, with no upstream review path.

The snapshot already includes one in-flight fix made on 2026-05-03 to
internal/service/persona.go:GetSelfModel — the handler queried
`source` and `strength` columns plus an `is_active = true` filter on
persona.persona_commitments, none of which exist on that table (its
shape is session-bound commitments with `status`, `commitment_meta`,
etc.). The query returned a 500 every time SynapseHub bootstrapped a
persona's self-model, dropping the IdentityConstraints / Commitments /
ConscienceStandards layer from the assembled prompt. The patched
query reads existing columns only (commitment_text, commitment_type),
filters on `status='active'`, and synthesises Source="learned" /
Strength=1.0 to keep the SelfModel response shape stable for callers.

Verified live: `GET /api/v1/personas/70f7cfd9-.../self-model` now
returns 200 with `{identityConstraints:[],commitments:[],
conscienceStandards:[]}` instead of 500.

Future changes go through PRs against this repo — no more bin-only
deploys.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-03 20:06:02 +02:00

106 lines
2.7 KiB
Bash
Executable File
Raw Blame History

#!/bin/bash
set -euo pipefail
APP_NAME="gsc-ops-api"
APP_USER="gsc-ops-api"
INSTALL_DIR="/srv/gosec/${APP_NAME}"
CONFIG_DIR="/etc/${APP_NAME}"
TLS_DIR="${CONFIG_DIR}/tls"
BIN_DIR="${INSTALL_DIR}/bin"
echo "=== Installing ${APP_NAME} ==="
# Create system user
if ! id "${APP_USER}" &>/dev/null; then
useradd -r -s /sbin/nologin -d "${INSTALL_DIR}" "${APP_USER}"
echo "Created system user: ${APP_USER}"
fi
# Create directories
mkdir -p "${BIN_DIR}" "${CONFIG_DIR}" "${TLS_DIR}"
# Copy binary
if [ -f "${INSTALL_DIR}/bin/${APP_NAME}" ]; then
echo "Binary found at ${BIN_DIR}/${APP_NAME}"
else
echo "WARNING: Binary not found. Build with 'make build' first."
fi
# Copy config if not exists
if [ ! -f "${CONFIG_DIR}/config.yaml" ]; then
cp "${INSTALL_DIR}/configs/config.yaml" "${CONFIG_DIR}/config.yaml"
echo "Config installed to ${CONFIG_DIR}/config.yaml"
else
echo "Config already exists, skipping"
fi
# Set permissions
chown -R root:${APP_USER} "${CONFIG_DIR}"
chmod 750 "${CONFIG_DIR}"
chmod 640 "${CONFIG_DIR}/config.yaml"
chmod 750 "${TLS_DIR}"
if [ -f "${CONFIG_DIR}/.infisical" ]; then
chown root:${APP_USER} "${CONFIG_DIR}/.infisical"
chmod 640 "${CONFIG_DIR}/.infisical"
fi
chown root:${APP_USER} "${BIN_DIR}"
if [ -f "${BIN_DIR}/${APP_NAME}" ]; then
chmod 750 "${BIN_DIR}/${APP_NAME}"
fi
# Install systemd service
cat > /etc/systemd/system/${APP_NAME}.service << 'SYSTEMD_EOF'
[Unit]
Description=GSC Operations API Server
Documentation=https://wiki.gosec.internal/infrastructure/gsc-ops-api
After=network-online.target postgresql.service
Wants=network-online.target
[Service]
Type=simple
User=gsc-ops-api
Group=gsc-ops-api
ExecStart=/srv/gosec/gsc-ops-api/bin/gsc-ops-api
Restart=on-failure
RestartSec=5
StandardOutput=journal
StandardError=journal
SyslogIdentifier=gsc-ops-api
# Security hardening
NoNewPrivileges=true
ProtectSystem=strict
ProtectHome=true
PrivateTmp=true
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectControlGroups=true
RestrictSUIDSGID=true
RestrictNamespaces=true
ReadOnlyPaths=/etc/gsc-ops-api
ReadWritePaths=/srv/gosec/gsc-ops-api/bin
# Environment
Environment=GSC_OPS_API_CONFIG=/etc/gsc-ops-api/config.yaml
[Install]
WantedBy=multi-user.target
SYSTEMD_EOF
systemctl daemon-reload
echo "Systemd service installed"
echo ""
echo "=== Installation complete ==="
echo ""
echo "Next steps:"
echo " 1. Copy TLS certificates to ${TLS_DIR}/"
echo " 2. Copy Infisical token to ${CONFIG_DIR}/.infisical"
echo " 3. Edit config: ${CONFIG_DIR}/config.yaml"
echo " 4. Start service: systemctl enable --now ${APP_NAME}"
echo " 5. Check status: systemctl status ${APP_NAME}"
echo " 6. View logs: journalctl -u ${APP_NAME} -f"
Reference in New Issue View Git Blame Copy Permalink