Make deploy.sh data-source agnostic with --scripts-only flag
- Add --scripts-only flag for quick script/docs deployment without restart - Replace hardcoded Keboola env vars with generic loop over all known vars (supports Keboola, BigQuery, OpenMetadata, and optional services) - Make data directories conditional (Jira, notifications, corporate memory created only when relevant code/config exists) - Enable timers only when their .timer files exist on disk - Use root:data-ops ownership (works without deploy user)
This commit is contained in:
Petr
parent
c2681ccc86
commit
4206b06d92
1 changed files with 219 additions and 215 deletions
434
server/deploy.sh
434
server/deploy.sh
|
|
@ -1,6 +1,13 @@
|
|||
#!/bin/bash
|
||||
# Deploy script for Data Analyst application
|
||||
# This script is called by GitHub Actions or manually to deploy updates
|
||||
# This script is called by GitHub Actions or manually to deploy updates.
|
||||
#
|
||||
# Works with any data source (Keboola, BigQuery, etc.) — instance-specific
|
||||
# configuration comes from instance.yaml and GHA secrets, not from this script.
|
||||
#
|
||||
# Usage:
|
||||
# bash server/deploy.sh # Full deploy (from GHA or manually)
|
||||
# bash server/deploy.sh --scripts-only # Only update /data/scripts and /data/docs
|
||||
|
||||
set -euo pipefail
|
||||
|
||||
|
|
@ -10,6 +17,14 @@ VENV_DIR="${APP_DIR}/.venv"
|
|||
LOG_DIR="${APP_DIR}/logs"
|
||||
DEPLOY_LOG="${LOG_DIR}/deploy.log"
|
||||
|
||||
# Parse arguments
|
||||
SCRIPTS_ONLY=false
|
||||
for arg in "$@"; do
|
||||
case "$arg" in
|
||||
--scripts-only) SCRIPTS_ONLY=true ;;
|
||||
esac
|
||||
done
|
||||
|
||||
log() {
|
||||
echo "[$(date '+%Y-%m-%d %H:%M:%S')] $*" | tee -a "$DEPLOY_LOG"
|
||||
}
|
||||
|
|
@ -31,36 +46,41 @@ cd "$REPO_DIR" || error "Cannot cd to $REPO_DIR"
|
|||
# Ensure git trusts this directory
|
||||
git config --global --add safe.directory "$REPO_DIR" 2>/dev/null || true
|
||||
|
||||
# Pull latest changes
|
||||
log "Pulling latest changes from origin/main..."
|
||||
git fetch origin
|
||||
git reset --hard origin/main
|
||||
if [[ "$SCRIPTS_ONLY" == false ]]; then
|
||||
# Pull latest changes
|
||||
log "Pulling latest changes from origin/main..."
|
||||
git fetch origin
|
||||
git reset --hard origin/main
|
||||
|
||||
# Update Python dependencies if requirements.txt changed
|
||||
if git diff HEAD@{1} --name-only 2>/dev/null | grep -q "requirements.txt"; then
|
||||
log "requirements.txt changed, updating dependencies..."
|
||||
source "${VENV_DIR}/bin/activate"
|
||||
pip install -q -r requirements.txt
|
||||
deactivate
|
||||
# Update Python dependencies if requirements.txt changed
|
||||
if git diff HEAD@{1} --name-only 2>/dev/null | grep -q "requirements.txt"; then
|
||||
log "requirements.txt changed, updating dependencies..."
|
||||
source "${VENV_DIR}/bin/activate"
|
||||
pip install -q -r requirements.txt
|
||||
deactivate
|
||||
fi
|
||||
fi
|
||||
|
||||
# Update server management scripts
|
||||
# --- Core: scripts and docs (always runs) ---
|
||||
|
||||
# Update server management scripts (add-analyst, list-analysts, etc.)
|
||||
log "Updating server management scripts..."
|
||||
for script in "${REPO_DIR}"/server/bin/*; do
|
||||
if [[ -f "$script" ]]; then
|
||||
script_name=$(basename "$script")
|
||||
sudo /usr/bin/cp "$script" "/usr/local/bin/${script_name}"
|
||||
sudo /usr/bin/chmod 755 "/usr/local/bin/${script_name}"
|
||||
log " Updated /usr/local/bin/${script_name}"
|
||||
fi
|
||||
done
|
||||
if compgen -G "${REPO_DIR}/server/bin/*" > /dev/null 2>&1; then
|
||||
for script in "${REPO_DIR}"/server/bin/*; do
|
||||
if [[ -f "$script" ]]; then
|
||||
script_name=$(basename "$script")
|
||||
sudo /usr/bin/cp "$script" "/usr/local/bin/${script_name}"
|
||||
sudo /usr/bin/chmod 755 "/usr/local/bin/${script_name}"
|
||||
log " Updated /usr/local/bin/${script_name}"
|
||||
fi
|
||||
done
|
||||
fi
|
||||
|
||||
# Update sudoers configurations
|
||||
log "Updating sudoers configurations..."
|
||||
for sudoers_file in "${REPO_DIR}"/server/sudoers-*; do
|
||||
if [[ -f "$sudoers_file" ]]; then
|
||||
sudoers_name=$(basename "$sudoers_file" | sed 's/sudoers-//')
|
||||
# Validate before installing
|
||||
if sudo /usr/sbin/visudo -cf "$sudoers_file" 2>/dev/null; then
|
||||
sudo /usr/bin/cp "$sudoers_file" "/etc/sudoers.d/${sudoers_name}"
|
||||
sudo /usr/bin/chmod 440 "/etc/sudoers.d/${sudoers_name}"
|
||||
|
|
@ -71,123 +91,132 @@ for sudoers_file in "${REPO_DIR}"/server/sudoers-*; do
|
|||
fi
|
||||
done
|
||||
|
||||
# Update user scripts in /data/scripts
|
||||
# Update user-facing scripts in /data/scripts
|
||||
# These are synced to analyst machines via sync_data.sh
|
||||
log "Updating scripts in /data/scripts/..."
|
||||
sudo /usr/bin/mkdir -p /data/scripts
|
||||
sudo /usr/bin/cp "${REPO_DIR}"/scripts/setup_views.sh /data/scripts/
|
||||
sudo /usr/bin/cp "${REPO_DIR}"/scripts/duckdb_manager.py /data/scripts/
|
||||
sudo /usr/bin/cp "${REPO_DIR}"/scripts/sync_data.sh /data/scripts/
|
||||
sudo /usr/bin/cp "${REPO_DIR}"/scripts/activate_venv.sh /data/scripts/
|
||||
sudo /usr/bin/cp "${REPO_DIR}"/scripts/README.md /data/scripts/
|
||||
sudo /usr/bin/cp "${REPO_DIR}"/scripts/sync_jira.sh /data/scripts/
|
||||
sudo /usr/bin/cp "${REPO_DIR}"/scripts/generate_user_sync_configs.py /data/scripts/
|
||||
sudo /usr/bin/cp "${REPO_DIR}"/scripts/collect_session.py /data/scripts/
|
||||
for script_file in setup_views.sh duckdb_manager.py sync_data.sh activate_venv.sh \
|
||||
README.md generate_user_sync_configs.py collect_session.py; do
|
||||
if [[ -f "${REPO_DIR}/scripts/${script_file}" ]]; then
|
||||
sudo /usr/bin/cp "${REPO_DIR}/scripts/${script_file}" /data/scripts/
|
||||
fi
|
||||
done
|
||||
# Copy connector-specific sync scripts (e.g. sync_jira.sh) if they exist
|
||||
for sync_script in "${REPO_DIR}"/connectors/*/scripts/sync_*.sh "${REPO_DIR}"/scripts/sync_*.sh; do
|
||||
if [[ -f "$sync_script" ]]; then
|
||||
sudo /usr/bin/cp "$sync_script" /data/scripts/
|
||||
fi
|
||||
done
|
||||
sudo /usr/bin/chmod -R 755 /data/scripts
|
||||
sudo /usr/bin/chown -R deploy:data-ops /data/scripts
|
||||
sudo /usr/bin/chown -R root:data-ops /data/scripts
|
||||
log " Scripts updated in /data/scripts/"
|
||||
|
||||
# Update documentation in /data/docs
|
||||
log "Updating documentation..."
|
||||
sudo /usr/bin/mkdir -p /data/docs/setup
|
||||
if [[ -f "${REPO_DIR}/docs/data_description.md" ]]; then
|
||||
sudo /usr/bin/cp "${REPO_DIR}"/docs/data_description.md /data/docs/
|
||||
fi
|
||||
sudo /usr/bin/cp "${REPO_DIR}"/docs/GETTING_STARTED.md /data/docs/
|
||||
if [[ -f "${REPO_DIR}/docs/notifications.md" ]]; then
|
||||
sudo /usr/bin/cp "${REPO_DIR}"/docs/notifications.md /data/docs/
|
||||
fi
|
||||
if [[ -f "${REPO_DIR}/docs/jira_schema.md" ]]; then
|
||||
sudo /usr/bin/cp "${REPO_DIR}"/docs/jira_schema.md /data/docs/
|
||||
fi
|
||||
sudo /usr/bin/cp "${REPO_DIR}"/docs/setup/bootstrap.yaml /data/docs/setup/
|
||||
sudo /usr/bin/cp "${REPO_DIR}"/docs/setup/claude_md_template.txt /data/docs/setup/
|
||||
sudo /usr/bin/cp "${REPO_DIR}"/docs/setup/claude_settings.json /data/docs/setup/
|
||||
# Core docs (copy if they exist)
|
||||
for doc_file in data_description.md GETTING_STARTED.md notifications.md jira_schema.md schema.yml; do
|
||||
if [[ -f "${REPO_DIR}/docs/${doc_file}" ]]; then
|
||||
sudo /usr/bin/cp "${REPO_DIR}/docs/${doc_file}" /data/docs/
|
||||
fi
|
||||
done
|
||||
# Setup docs
|
||||
for setup_file in bootstrap.yaml claude_md_template.txt claude_settings.json; do
|
||||
if [[ -f "${REPO_DIR}/docs/setup/${setup_file}" ]]; then
|
||||
sudo /usr/bin/cp "${REPO_DIR}/docs/setup/${setup_file}" /data/docs/setup/
|
||||
fi
|
||||
done
|
||||
# Metrics definitions
|
||||
if [[ -d "${REPO_DIR}/docs/metrics" ]]; then
|
||||
sudo /usr/bin/cp -r "${REPO_DIR}"/docs/metrics /data/docs/
|
||||
fi
|
||||
# Note: schema.yml files are generated directly to DOCS_OUTPUT_DIR by data_sync.py
|
||||
# Here we only copy static *.md files from datasets/
|
||||
# Dataset documentation
|
||||
if [[ -d "${REPO_DIR}/docs/datasets" ]]; then
|
||||
sudo /usr/bin/mkdir -p /data/docs/datasets
|
||||
# Copy only .md files (glob expands before sudo)
|
||||
if compgen -G "${REPO_DIR}/docs/datasets/*.md" > /dev/null; then
|
||||
sudo /usr/bin/cp "${REPO_DIR}"/docs/datasets/*.md /data/docs/datasets/
|
||||
fi
|
||||
log " Dataset docs (*.md) copied to /data/docs/datasets/"
|
||||
log " Dataset docs copied to /data/docs/datasets/"
|
||||
fi
|
||||
sudo /usr/bin/chmod -R 775 /data/docs
|
||||
sudo /usr/bin/chown -R deploy:data-ops /data/docs
|
||||
sudo /usr/bin/chown -R root:data-ops /data/docs
|
||||
log " Documentation updated in /data/docs/"
|
||||
|
||||
# Deploy notify-runner to /usr/local/bin
|
||||
log "Deploying notify-runner..."
|
||||
if [[ -f "${REPO_DIR}/server/bin/notify-runner" ]]; then
|
||||
sudo /usr/bin/cp "${REPO_DIR}/server/bin/notify-runner" /usr/local/bin/notify-runner
|
||||
sudo /usr/bin/chmod 755 /usr/local/bin/notify-runner
|
||||
log " Updated /usr/local/bin/notify-runner"
|
||||
# Deploy examples (notifications, queries, etc.)
|
||||
log "Deploying examples..."
|
||||
if [[ -d "${REPO_DIR}/examples" ]]; then
|
||||
sudo /usr/bin/mkdir -p /data/examples
|
||||
sudo /usr/bin/cp -r "${REPO_DIR}"/examples/* /data/examples/ 2>/dev/null || true
|
||||
sudo /usr/bin/chmod -R 755 /data/examples
|
||||
sudo /usr/bin/chown -R root:data-ops /data/examples
|
||||
fi
|
||||
|
||||
# Deploy notify-scripts helper to /usr/local/bin
|
||||
log "Deploying notify-scripts..."
|
||||
if [[ -f "${REPO_DIR}/server/bin/notify-scripts" ]]; then
|
||||
sudo /usr/bin/cp "${REPO_DIR}/server/bin/notify-scripts" /usr/local/bin/notify-scripts
|
||||
sudo /usr/bin/chmod 755 /usr/local/bin/notify-scripts
|
||||
log " Updated /usr/local/bin/notify-scripts"
|
||||
if [[ "$SCRIPTS_ONLY" == true ]]; then
|
||||
log "Scripts-only deployment completed successfully!"
|
||||
exit 0
|
||||
fi
|
||||
|
||||
# Create notifications data directory
|
||||
log "Setting up notifications directory..."
|
||||
sudo /usr/bin/mkdir -p /data/notifications
|
||||
sudo /usr/bin/chown deploy:data-ops /data/notifications
|
||||
sudo /usr/bin/chmod 2770 /data/notifications # setgid, no others access (socket is in /run/notify-bot/)
|
||||
# --- Optional: server management scripts ---
|
||||
|
||||
# Ensure deploy user is in dataread group (needed for notify-bot socket group ownership)
|
||||
if ! id -nG deploy | grep -qw dataread; then
|
||||
sudo /usr/sbin/usermod -a -G dataread deploy
|
||||
log " Added deploy user to dataread group"
|
||||
# Deploy helper binaries to /usr/local/bin (notify-runner, notify-scripts, etc.)
|
||||
for bin_file in "${REPO_DIR}"/server/bin/*; do
|
||||
if [[ -f "$bin_file" ]]; then
|
||||
bin_name=$(basename "$bin_file")
|
||||
sudo /usr/bin/cp "$bin_file" "/usr/local/bin/${bin_name}"
|
||||
sudo /usr/bin/chmod 755 "/usr/local/bin/${bin_name}"
|
||||
log " Updated /usr/local/bin/${bin_name}"
|
||||
fi
|
||||
done
|
||||
|
||||
# --- Optional: data directories (created only if relevant features exist) ---
|
||||
|
||||
# Notifications directory
|
||||
if [[ -f "${REPO_DIR}/server/bin/notify-runner" ]] || [[ -n "${TELEGRAM_BOT_TOKEN:-}" ]]; then
|
||||
log "Setting up notifications directory..."
|
||||
sudo /usr/bin/mkdir -p /data/notifications
|
||||
sudo /usr/bin/chown root:data-ops /data/notifications
|
||||
sudo /usr/bin/chmod 2770 /data/notifications
|
||||
fi
|
||||
|
||||
# Create Jira webhook data directory (raw data, will be processed to parquet later)
|
||||
log "Setting up Jira data directory..."
|
||||
sudo /usr/bin/mkdir -p /data/src_data/raw/jira/issues
|
||||
sudo /usr/bin/mkdir -p /data/src_data/raw/jira/webhook_events
|
||||
sudo /usr/bin/mkdir -p /data/src_data/raw/jira/attachments
|
||||
sudo /usr/bin/chown -R root:data-ops /data/src_data/raw/jira
|
||||
sudo /usr/bin/chmod -R 2770 /data/src_data/raw/jira # setgid, www-data (data-ops member) can write
|
||||
# Jira data directory (only if Jira connector exists)
|
||||
if [[ -d "${REPO_DIR}/connectors/jira" ]]; then
|
||||
log "Setting up Jira data directory..."
|
||||
sudo /usr/bin/mkdir -p /data/src_data/raw/jira/issues
|
||||
sudo /usr/bin/mkdir -p /data/src_data/raw/jira/webhook_events
|
||||
sudo /usr/bin/mkdir -p /data/src_data/raw/jira/attachments
|
||||
sudo /usr/bin/chown -R root:data-ops /data/src_data/raw/jira
|
||||
sudo /usr/bin/chmod -R 2770 /data/src_data/raw/jira
|
||||
# ACL for read access by analysts
|
||||
if command -v setfacl &>/dev/null; then
|
||||
sudo /usr/bin/setfacl -R -m g:dataread:rx /data/src_data/raw/jira/attachments 2>/dev/null || true
|
||||
sudo /usr/bin/setfacl -R -d -m g:dataread:rx /data/src_data/raw/jira/attachments 2>/dev/null || true
|
||||
fi
|
||||
fi
|
||||
|
||||
# Create password auth data directory
|
||||
log "Setting up password auth directory..."
|
||||
sudo /usr/bin/mkdir -p /data/auth
|
||||
sudo /usr/bin/chown www-data:data-ops /data/auth
|
||||
sudo /usr/bin/chmod 2770 /data/auth # setgid, www-data can write, no others access
|
||||
# Password auth directory (only if password auth module exists)
|
||||
if [[ -f "${REPO_DIR}/auth/password.py" ]]; then
|
||||
log "Setting up password auth directory..."
|
||||
sudo /usr/bin/mkdir -p /data/auth
|
||||
sudo /usr/bin/chown www-data:data-ops /data/auth
|
||||
sudo /usr/bin/chmod 2770 /data/auth
|
||||
fi
|
||||
|
||||
# Create corporate memory data directory
|
||||
log "Setting up corporate memory directory..."
|
||||
sudo /usr/bin/mkdir -p /data/corporate-memory
|
||||
sudo /usr/bin/chown deploy:data-ops /data/corporate-memory
|
||||
sudo /usr/bin/chmod 2770 /data/corporate-memory # setgid, deploy can write
|
||||
# Corporate memory directory
|
||||
if [[ -d "${REPO_DIR}/services/corporate-memory" ]]; then
|
||||
log "Setting up corporate memory directory..."
|
||||
sudo /usr/bin/mkdir -p /data/corporate-memory
|
||||
sudo /usr/bin/chown root:data-ops /data/corporate-memory
|
||||
sudo /usr/bin/chmod 2770 /data/corporate-memory
|
||||
fi
|
||||
|
||||
# Create user sessions data directory
|
||||
# User sessions directory
|
||||
log "Setting up user sessions directory..."
|
||||
sudo /usr/bin/mkdir -p /data/user_sessions
|
||||
sudo /usr/bin/chown root:data-ops /data/user_sessions
|
||||
sudo /usr/bin/chmod 2770 /data/user_sessions # setgid, root writes, admins only
|
||||
sudo /usr/bin/chmod 2770 /data/user_sessions
|
||||
|
||||
# Create staging directory for data sync (uses /tmp for faster I/O)
|
||||
log "Setting up staging directory..."
|
||||
sudo /usr/bin/mkdir -p /tmp/data_analyst_staging
|
||||
sudo /usr/bin/chown root:data-ops /tmp/data_analyst_staging
|
||||
sudo /usr/bin/chmod 2770 /tmp/data_analyst_staging # setgid, data-ops can write
|
||||
|
||||
# Add read access to Jira attachments for analysts (dataread group)
|
||||
if command -v setfacl &>/dev/null; then
|
||||
sudo /usr/bin/setfacl -R -m g:dataread:rx /data/src_data/raw/jira/attachments 2>/dev/null || true
|
||||
sudo /usr/bin/setfacl -R -d -m g:dataread:rx /data/src_data/raw/jira/attachments 2>/dev/null || true
|
||||
log " ACL set for dataread group on Jira attachments"
|
||||
fi
|
||||
|
||||
# Set ACL for private data directory (data-private group only, remove dataread)
|
||||
if command -v setfacl &>/dev/null; then
|
||||
# Private data ACL (only if private directory exists)
|
||||
if [[ -d /data/src_data/parquet/private ]] && command -v setfacl &>/dev/null; then
|
||||
sudo /usr/bin/setfacl -R -m g:data-private:rx /data/src_data/parquet/private/ 2>/dev/null || true
|
||||
sudo /usr/bin/setfacl -R -d -m g:data-private:rx /data/src_data/parquet/private/ 2>/dev/null || true
|
||||
sudo /usr/bin/setfacl -R -x g:dataread /data/src_data/parquet/private/ 2>/dev/null || true
|
||||
|
|
@ -195,7 +224,8 @@ if command -v setfacl &>/dev/null; then
|
|||
log " ACL set for data-private group on private parquet directory"
|
||||
fi
|
||||
|
||||
# Deploy systemd service and timer files from services/ and connectors/
|
||||
# --- Deploy systemd services and timers ---
|
||||
|
||||
log "Deploying systemd service and timer files..."
|
||||
SYSTEMD_CHANGED=false
|
||||
for unit_file in "${REPO_DIR}"/services/*/systemd/*.service "${REPO_DIR}"/services/*/systemd/*.timer \
|
||||
|
|
@ -219,154 +249,128 @@ if [[ -f "/etc/systemd/system/jira-consistency.service" ]]; then
|
|||
sudo /usr/bin/chmod 664 /opt/data-analyst/logs/jira-consistency.log
|
||||
fi
|
||||
|
||||
# Deploy example notification scripts to /data/examples
|
||||
log "Deploying example notification scripts..."
|
||||
sudo /usr/bin/mkdir -p /data/examples/notifications
|
||||
for example in "${REPO_DIR}"/examples/notifications/*.py; do
|
||||
if [[ -f "$example" ]]; then
|
||||
sudo /usr/bin/cp "$example" /data/examples/notifications/
|
||||
fi
|
||||
done
|
||||
sudo /usr/bin/chmod -R 755 /data/examples
|
||||
sudo /usr/bin/chown -R deploy:data-ops /data/examples
|
||||
|
||||
# Update resource limits configuration
|
||||
log "Updating resource limits..."
|
||||
if [[ -f "${REPO_DIR}/server/limits-users.conf" ]]; then
|
||||
log "Updating resource limits..."
|
||||
sudo /usr/bin/cp "${REPO_DIR}/server/limits-users.conf" /etc/security/limits.d/99-users.conf
|
||||
sudo /usr/bin/chmod 644 /etc/security/limits.d/99-users.conf
|
||||
log " Updated /etc/security/limits.d/99-users.conf"
|
||||
fi
|
||||
|
||||
# Create data sync .env file from environment variables (passed from GitHub Actions)
|
||||
# --- Create .env for data sync (data-source agnostic) ---
|
||||
|
||||
SYNC_ENV_FILE="${REPO_DIR}/.env"
|
||||
if [[ -n "${KEBOOLA_STORAGE_TOKEN:-}" ]]; then
|
||||
log "Creating data sync .env file..."
|
||||
{
|
||||
echo "KEBOOLA_STORAGE_TOKEN=${KEBOOLA_STORAGE_TOKEN}"
|
||||
echo "KEBOOLA_STACK_URL=${KEBOOLA_STACK_URL}"
|
||||
echo "KEBOOLA_PROJECT_ID=${KEBOOLA_PROJECT_ID}"
|
||||
echo "DATA_DIR=${DATA_DIR}"
|
||||
echo "DATA_SOURCE=${DATA_SOURCE}"
|
||||
echo "LOG_LEVEL=${LOG_LEVEL}"
|
||||
if [[ -n "${DOCS_OUTPUT_DIR:-}" ]]; then
|
||||
echo "DOCS_OUTPUT_DIR=${DOCS_OUTPUT_DIR}"
|
||||
|
||||
# Write all known env vars that are set (works for any data source)
|
||||
log "Creating data sync .env file..."
|
||||
{
|
||||
# Core settings (always written if set)
|
||||
for var in DATA_DIR DATA_SOURCE DOCS_OUTPUT_DIR LOG_LEVEL; do
|
||||
if [[ -n "${!var:-}" ]]; then
|
||||
echo "${var}=${!var}"
|
||||
fi
|
||||
if [[ -n "${TELEGRAM_BOT_TOKEN:-}" ]]; then
|
||||
echo "TELEGRAM_BOT_TOKEN=${TELEGRAM_BOT_TOKEN}"
|
||||
done
|
||||
|
||||
# Keboola data source
|
||||
for var in KEBOOLA_STORAGE_TOKEN KEBOOLA_STACK_URL KEBOOLA_PROJECT_ID; do
|
||||
if [[ -n "${!var:-}" ]]; then
|
||||
echo "${var}=${!var}"
|
||||
fi
|
||||
if [[ -n "${DESKTOP_JWT_SECRET:-}" ]]; then
|
||||
echo "DESKTOP_JWT_SECRET=${DESKTOP_JWT_SECRET}"
|
||||
done
|
||||
|
||||
# BigQuery data source
|
||||
for var in BIGQUERY_PROJECT BIGQUERY_LOCATION; do
|
||||
if [[ -n "${!var:-}" ]]; then
|
||||
echo "${var}=${!var}"
|
||||
fi
|
||||
if [[ -n "${SENDGRID_API_KEY:-}" ]]; then
|
||||
echo "SENDGRID_API_KEY=${SENDGRID_API_KEY}"
|
||||
done
|
||||
|
||||
# OpenMetadata catalog
|
||||
for var in OPENMETADATA_TOKEN; do
|
||||
if [[ -n "${!var:-}" ]]; then
|
||||
echo "${var}=${!var}"
|
||||
fi
|
||||
if [[ -n "${JIRA_SLA_EMAIL:-}" ]]; then
|
||||
echo "JIRA_SLA_EMAIL=${JIRA_SLA_EMAIL}"
|
||||
done
|
||||
|
||||
# Optional services (written only if set)
|
||||
for var in TELEGRAM_BOT_TOKEN DESKTOP_JWT_SECRET SENDGRID_API_KEY \
|
||||
JIRA_SLA_EMAIL JIRA_SLA_API_TOKEN JIRA_CLOUD_ID \
|
||||
EMAIL_FROM_ADDRESS EMAIL_FROM_NAME ALLOWED_EMAILS \
|
||||
ANTHROPIC_API_KEY; do
|
||||
if [[ -n "${!var:-}" ]]; then
|
||||
echo "${var}=${!var}"
|
||||
fi
|
||||
if [[ -n "${JIRA_SLA_API_TOKEN:-}" ]]; then
|
||||
echo "JIRA_SLA_API_TOKEN=${JIRA_SLA_API_TOKEN}"
|
||||
fi
|
||||
if [[ -n "${JIRA_CLOUD_ID:-}" ]]; then
|
||||
echo "JIRA_CLOUD_ID=${JIRA_CLOUD_ID}"
|
||||
fi
|
||||
if [[ -n "${EMAIL_FROM_ADDRESS:-}" ]]; then
|
||||
echo "EMAIL_FROM_ADDRESS=${EMAIL_FROM_ADDRESS}"
|
||||
fi
|
||||
if [[ -n "${EMAIL_FROM_NAME:-}" ]]; then
|
||||
echo "EMAIL_FROM_NAME=${EMAIL_FROM_NAME}"
|
||||
fi
|
||||
if [[ -n "${ALLOWED_EMAILS:-}" ]]; then
|
||||
echo "ALLOWED_EMAILS=${ALLOWED_EMAILS}"
|
||||
fi
|
||||
if [[ -n "${ANTHROPIC_API_KEY:-}" ]]; then
|
||||
echo "ANTHROPIC_API_KEY=${ANTHROPIC_API_KEY}"
|
||||
fi
|
||||
} | sudo /usr/bin/tee "$SYNC_ENV_FILE" > /dev/null
|
||||
done
|
||||
} | sudo /usr/bin/tee "$SYNC_ENV_FILE" > /dev/null
|
||||
|
||||
# Only set permissions if file has content
|
||||
if [[ -s "$SYNC_ENV_FILE" ]]; then
|
||||
sudo /usr/bin/chown root:data-ops "$SYNC_ENV_FILE"
|
||||
sudo /usr/bin/chmod 640 "$SYNC_ENV_FILE"
|
||||
log " Data sync .env created with secure permissions (640)"
|
||||
else
|
||||
log " Skipping data sync .env creation (no sync credentials provided)"
|
||||
log " No environment variables provided, .env is empty"
|
||||
fi
|
||||
|
||||
# Set correct permissions
|
||||
# --- Set correct permissions ---
|
||||
|
||||
log "Setting permissions..."
|
||||
sudo /usr/bin/chown -R root:data-ops "$APP_DIR"
|
||||
sudo /usr/bin/chmod -R 770 "$APP_DIR" # owner+group rwx, others none
|
||||
sudo /usr/bin/chmod -R g+s "$APP_DIR" # setgid for new files
|
||||
sudo /usr/bin/chmod -R 770 "$APP_DIR"
|
||||
sudo /usr/bin/chmod -R g+s "$APP_DIR"
|
||||
|
||||
# Restore .env permissions (may have been overwritten by chmod -R)
|
||||
if [[ -f "$SYNC_ENV_FILE" ]]; then
|
||||
sudo /usr/bin/chmod 640 "$SYNC_ENV_FILE"
|
||||
fi
|
||||
|
||||
# Update and restart webapp if running
|
||||
# --- Restart services ---
|
||||
|
||||
# Webapp (always restart if running)
|
||||
if systemctl is-active --quiet webapp 2>/dev/null || systemctl is-enabled --quiet webapp 2>/dev/null; then
|
||||
log "Updating webapp service..."
|
||||
sudo /usr/bin/cp "${REPO_DIR}/server/webapp.service" /etc/systemd/system/webapp.service
|
||||
sudo /usr/bin/systemctl daemon-reload
|
||||
if [[ -f "${REPO_DIR}/server/webapp.service" ]]; then
|
||||
sudo /usr/bin/cp "${REPO_DIR}/server/webapp.service" /etc/systemd/system/webapp.service
|
||||
sudo /usr/bin/systemctl daemon-reload
|
||||
fi
|
||||
log "Restarting webapp..."
|
||||
sudo /usr/bin/systemctl restart webapp
|
||||
fi
|
||||
|
||||
# Restart notify-bot if running
|
||||
if systemctl is-active --quiet notify-bot 2>/dev/null; then
|
||||
log "Restarting notify-bot..."
|
||||
sudo /usr/bin/systemctl restart notify-bot
|
||||
elif [[ -n "${TELEGRAM_BOT_TOKEN:-}" ]]; then
|
||||
log "Starting notify-bot service..."
|
||||
sudo /usr/bin/systemctl enable notify-bot
|
||||
sudo /usr/bin/systemctl start notify-bot
|
||||
fi
|
||||
# Optional services (restart only if already running or newly configured)
|
||||
for svc in notify-bot ws-gateway; do
|
||||
if systemctl is-active --quiet "$svc" 2>/dev/null; then
|
||||
log "Restarting ${svc}..."
|
||||
sudo /usr/bin/systemctl restart "$svc"
|
||||
fi
|
||||
done
|
||||
|
||||
# Restart ws-gateway if running
|
||||
if systemctl is-active --quiet ws-gateway 2>/dev/null; then
|
||||
log "Restarting ws-gateway..."
|
||||
sudo /usr/bin/systemctl restart ws-gateway
|
||||
elif [[ -n "${DESKTOP_JWT_SECRET:-}" ]]; then
|
||||
log "Starting ws-gateway service..."
|
||||
sudo /usr/bin/systemctl enable ws-gateway
|
||||
sudo /usr/bin/systemctl start ws-gateway
|
||||
fi
|
||||
|
||||
# Enable corporate-memory timer if ANTHROPIC_API_KEY is set
|
||||
if [[ -n "${ANTHROPIC_API_KEY:-}" ]]; then
|
||||
if ! systemctl is-enabled --quiet corporate-memory.timer 2>/dev/null; then
|
||||
log "Enabling corporate-memory timer..."
|
||||
sudo /usr/bin/systemctl enable corporate-memory.timer
|
||||
sudo /usr/bin/systemctl start corporate-memory.timer
|
||||
# Enable notify-bot if Telegram token is newly provided
|
||||
if [[ -n "${TELEGRAM_BOT_TOKEN:-}" ]] && ! systemctl is-active --quiet notify-bot 2>/dev/null; then
|
||||
if [[ -f "/etc/systemd/system/notify-bot.service" ]]; then
|
||||
log "Starting notify-bot service..."
|
||||
sudo /usr/bin/systemctl enable notify-bot
|
||||
sudo /usr/bin/systemctl start notify-bot
|
||||
fi
|
||||
fi
|
||||
|
||||
# Enable jira-sla-poll timer if JIRA_SLA_API_TOKEN is set
|
||||
if [[ -n "${JIRA_SLA_API_TOKEN:-}" ]]; then
|
||||
if ! systemctl is-enabled --quiet jira-sla-poll.timer 2>/dev/null; then
|
||||
log "Enabling jira-sla-poll timer..."
|
||||
sudo /usr/bin/systemctl enable jira-sla-poll.timer
|
||||
sudo /usr/bin/systemctl start jira-sla-poll.timer
|
||||
# Enable ws-gateway if JWT secret is newly provided
|
||||
if [[ -n "${DESKTOP_JWT_SECRET:-}" ]] && ! systemctl is-active --quiet ws-gateway 2>/dev/null; then
|
||||
if [[ -f "/etc/systemd/system/ws-gateway.service" ]]; then
|
||||
log "Starting ws-gateway service..."
|
||||
sudo /usr/bin/systemctl enable ws-gateway
|
||||
sudo /usr/bin/systemctl start ws-gateway
|
||||
fi
|
||||
fi
|
||||
|
||||
# Enable jira-consistency timers (always enabled if Jira credentials are configured)
|
||||
if [[ -f "/opt/data-analyst/.env" ]] && grep -q "JIRA_API_TOKEN" /opt/data-analyst/.env 2>/dev/null; then
|
||||
if ! systemctl is-enabled --quiet jira-consistency.timer 2>/dev/null; then
|
||||
log "Enabling jira-consistency timer..."
|
||||
sudo /usr/bin/systemctl enable jira-consistency.timer
|
||||
sudo /usr/bin/systemctl start jira-consistency.timer
|
||||
# Enable timers (only if service files exist)
|
||||
for timer in corporate-memory session-collector jira-sla-poll jira-consistency jira-consistency-deep; do
|
||||
if [[ -f "/etc/systemd/system/${timer}.timer" ]]; then
|
||||
if ! systemctl is-enabled --quiet "${timer}.timer" 2>/dev/null; then
|
||||
log "Enabling ${timer} timer..."
|
||||
sudo /usr/bin/systemctl enable "${timer}.timer"
|
||||
sudo /usr/bin/systemctl start "${timer}.timer"
|
||||
fi
|
||||
fi
|
||||
if ! systemctl is-enabled --quiet jira-consistency-deep.timer 2>/dev/null; then
|
||||
log "Enabling jira-consistency-deep timer..."
|
||||
sudo /usr/bin/systemctl enable jira-consistency-deep.timer
|
||||
sudo /usr/bin/systemctl start jira-consistency-deep.timer
|
||||
fi
|
||||
fi
|
||||
done
|
||||
|
||||
# Enable session-collector timer
|
||||
if ! systemctl is-enabled --quiet session-collector.timer 2>/dev/null; then
|
||||
log "Enabling session-collector timer..."
|
||||
sudo /usr/bin/systemctl enable session-collector.timer
|
||||
sudo /usr/bin/systemctl start session-collector.timer
|
||||
fi
|
||||
|
||||
log "Deployment completed successfully! (v4)"
|
||||
log "Deployment completed successfully! (v5)"
|
||||
|
|
|
|||
Loading…
Reference in a new issue