GeneralBots/botserver
2
1
Fork 0
Code Issues Pull requests Projects Releases 323 Packages Wiki Activity Actions
botserver/src/core/package_manager/installer.rs

1543 lines
69 KiB
Rust
Raw Blame History

use crate::core::package_manager::component::ComponentConfig;
use crate::core::package_manager::os::detect_os;
use crate::core::package_manager::{InstallMode, OsType};
use crate::security::command_guard::SafeCommand;
use anyhow::{Context, Result};
use log::{error, info, trace, warn};
use once_cell::sync::Lazy;
use serde::Deserialize;
use std::collections::HashMap;
use std::path::PathBuf;
#[cfg(unix)]
use std::os::unix::fs::PermissionsExt;
#[derive(Deserialize, Debug)]
struct ComponentEntry {
url: String,
}
#[derive(Deserialize, Debug)]
struct ThirdPartyConfig {
components: HashMap<String, ComponentEntry>,
}
static THIRDPARTY_CONFIG: Lazy<ThirdPartyConfig> = Lazy::new(|| {
let toml_str = include_str!("../../../3rdparty.toml");
toml::from_str(toml_str).unwrap_or_else(|e| {
panic!("Failed to parse embedded 3rdparty.toml: {e}")
})
});
fn get_component_url(name: &str) -> Option<String> {
THIRDPARTY_CONFIG
.components
.get(name)
.map(|c| c.url.clone())
}
#[cfg(target_os = "windows")]
fn safe_nvcc_version() -> Option<std::process::Output> {
SafeCommand::new("nvcc")
.and_then(|c| c.arg("--version"))
.ok()
.and_then(|cmd| cmd.execute().ok())
}
fn safe_sh_command(script: &str) -> Option<std::process::Output> {
SafeCommand::new("sh")
.and_then(|c| c.arg("-c"))
.and_then(|c| c.trusted_shell_script_arg(script))
.ok()
.and_then(|cmd| cmd.execute().ok())
}
fn safe_pgrep(args: &[&str]) -> Option<std::process::Output> {
SafeCommand::new("pgrep")
.and_then(|c| c.args(args))
.ok()
.and_then(|cmd| cmd.execute().ok())
}
const LLAMA_CPP_VERSION: &str = "b7345";
fn get_llama_cpp_url() -> Option<String> {
#[cfg(target_os = "linux")]
{
#[cfg(target_arch = "x86_64")]
{
if std::path::Path::new("/usr/local/cuda").exists()
|| std::path::Path::new("/opt/cuda").exists()
|| std::env::var("CUDA_HOME").is_ok()
{
// CUDA versions not currently in 3rdparty.toml for Linux, falling back to Vulkan or CPU if not added
// Or if we had them: get_component_url("llm_linux_cuda12")
}
if std::path::Path::new("/usr/share/vulkan").exists()
|| std::env::var("VULKAN_SDK").is_ok()
{
info!("Detected Vulkan - using Vulkan build");
return get_component_url("llm_linux_vulkan");
}
info!("Using standard Ubuntu x64 build (CPU)");
get_component_url("llm")
}
#[cfg(target_arch = "s390x")]
{
info!("Detected s390x architecture");
return get_component_url("llm_linux_s390x");
}
#[cfg(target_arch = "aarch64")]
{
info!("Detected ARM64 architecture on Linux");
warn!("No pre-built llama.cpp for Linux ARM64 - LLM will not be available");
return None;
}
}
#[cfg(target_os = "macos")]
{
#[cfg(target_arch = "aarch64")]
{
info!("Detected macOS ARM64 (Apple Silicon)");
return get_component_url("llm_macos_arm64");
}
#[cfg(target_arch = "x86_64")]
{
info!("Detected macOS x64 (Intel)");
return get_component_url("llm_macos_x64");
}
}
#[cfg(target_os = "windows")]
{
#[cfg(target_arch = "x86_64")]
{
if std::env::var("CUDA_PATH").is_ok() {
if let Some(output) = safe_nvcc_version() {
let version_str = String::from_utf8_lossy(&output.stdout);
if version_str.contains("13.") {
info!("Detected CUDA 13.x on Windows");
return get_component_url("llm_win_cuda13");
} else if version_str.contains("12.") {
info!("Detected CUDA 12.x on Windows");
return get_component_url("llm_win_cuda12");
}
}
}
if std::env::var("VULKAN_SDK").is_ok() {
info!("Detected Vulkan SDK on Windows");
return get_component_url("llm_win_vulkan");
}
info!("Using standard Windows x64 CPU build");
return get_component_url("llm_win_cpu_x64");
}
#[cfg(target_arch = "aarch64")]
{
info!("Detected Windows ARM64");
return get_component_url("llm_win_cpu_arm64");
}
}
}
#[derive(Debug)]
pub struct PackageManager {
pub mode: InstallMode,
pub os_type: OsType,
pub base_path: PathBuf,
pub tenant: String,
pub components: HashMap<String, ComponentConfig>,
}
impl PackageManager {
pub fn new(mode: InstallMode, tenant: Option<String>) -> Result<Self> {
let os_type = detect_os();
let base_path = if mode == InstallMode::Container {
PathBuf::from("/opt/gbo")
} else if let Ok(custom_path) = std::env::var("BOTSERVER_STACK_PATH") {
PathBuf::from(custom_path)
} else {
std::env::current_dir()?.join("botserver-stack")
};
let tenant = tenant.unwrap_or_else(|| "default".to_string());
let mut pm = Self {
mode,
os_type,
base_path,
tenant,
components: HashMap::new(),
};
pm.register_components();
Ok(pm)
}
pub fn with_base_path(
mode: InstallMode,
tenant: Option<String>,
base_path: PathBuf,
) -> Result<Self> {
let os_type = detect_os();
let tenant = tenant.unwrap_or_else(|| "default".to_string());
let mut pm = Self {
mode,
os_type,
base_path,
tenant,
components: HashMap::new(),
};
pm.register_components();
Ok(pm)
}
fn register_components(&mut self) {
self.register_vault();
self.register_tables();
self.register_cache();
self.register_drive();
self.register_llm();
self.register_email();
self.register_proxy();
self.register_dns();
self.register_directory();
self.register_alm();
self.register_alm_ci();
self.register_meeting();
self.register_remote_terminal();
self.register_devtools();
self.register_vector_db();
self.register_timeseries_db();
self.register_observability();
self.register_host();
self.register_webmail();
self.register_table_editor();
self.register_doc_editor();
}
fn register_drive(&mut self) {
self.components.insert(
"drive".to_string(),
ComponentConfig {
name: "drive".to_string(),
ports: vec![9100, 9101],
dependencies: vec![],
linux_packages: vec![],
macos_packages: vec![],
windows_packages: vec![],
download_url: get_component_url("drive"),
binary_name: Some("minio".to_string()),
pre_install_cmds_linux: vec![],
post_install_cmds_linux: vec![],
pre_install_cmds_macos: vec![],
post_install_cmds_macos: vec![],
pre_install_cmds_windows: vec![],
post_install_cmds_windows: vec![],
env_vars: HashMap::from([
("MINIO_ROOT_USER".to_string(), "$DRIVE_ACCESSKEY".to_string()),
("MINIO_ROOT_PASSWORD".to_string(), "$DRIVE_SECRET".to_string()),
]),
data_download_list: Vec::new(),
exec_cmd: "nohup {{BIN_PATH}}/minio server {{DATA_PATH}} --address :9100 --console-address :9101 --certs-dir {{CONF_PATH}}/drive/certs > {{LOGS_PATH}}/minio.log 2>&1 &".to_string(),
check_cmd: "curl -sf --cacert {{CONF_PATH}}/drive/certs/CAs/ca.crt https://127.0.0.1:9100/minio/health/live >/dev/null 2>&1".to_string(),
},
);
}
fn register_tables(&mut self) {
self.components.insert(
"tables".to_string(),
ComponentConfig {
name: "tables".to_string(),
ports: vec![5432],
dependencies: vec![],
linux_packages: vec![],
macos_packages: vec![],
windows_packages: vec![],
download_url: get_component_url("tables"),
binary_name: Some("postgres".to_string()),
pre_install_cmds_linux: vec![],
post_install_cmds_linux: vec![
"chmod +x ./bin/*".to_string(),
"if [ ! -d \"{{DATA_PATH}}/pgdata\" ]; then PG_PASSWORD='{{DB_PASSWORD}}' ./bin/initdb -D {{DATA_PATH}}/pgdata -U gbuser --pwfile=<(echo \"$PG_PASSWORD\"); fi".to_string(),
"echo \"data_directory = '{{DATA_PATH}}/pgdata'\" > {{CONF_PATH}}/postgresql.conf".to_string(),
"echo \"ident_file = '{{CONF_PATH}}/pg_ident.conf'\" >> {{CONF_PATH}}/postgresql.conf".to_string(),
"echo \"port = 5432\" >> {{CONF_PATH}}/postgresql.conf".to_string(),
"echo \"listen_addresses = '*'\" >> {{CONF_PATH}}/postgresql.conf".to_string(),
"echo \"ssl = on\" >> {{CONF_PATH}}/postgresql.conf".to_string(),
"echo \"ssl_cert_file = '{{CONF_PATH}}/system/certificates/tables/server.crt'\" >> {{CONF_PATH}}/postgresql.conf".to_string(),
"echo \"ssl_key_file = '{{CONF_PATH}}/system/certificates/tables/server.key'\" >> {{CONF_PATH}}/postgresql.conf".to_string(),
"echo \"ssl_ca_file = '{{CONF_PATH}}/system/certificates/ca/ca.crt'\" >> {{CONF_PATH}}/postgresql.conf".to_string(),
"echo \"log_directory = '{{LOGS_PATH}}'\" >> {{CONF_PATH}}/postgresql.conf".to_string(),
"echo \"logging_collector = on\" >> {{CONF_PATH}}/postgresql.conf".to_string(),
"echo \"hostssl all all all md5\" > {{CONF_PATH}}/pg_hba.conf".to_string(),
"touch {{CONF_PATH}}/pg_ident.conf".to_string(),
"./bin/pg_ctl -D {{DATA_PATH}}/pgdata -l {{LOGS_PATH}}/postgres.log start -w -t 30".to_string(),
"sleep 5".to_string(),
"for i in $(seq 1 30); do ./bin/pg_isready -h localhost -p 5432 -d postgres >/dev/null 2>&1 && echo 'PostgreSQL is ready' && break || echo \"Waiting for PostgreSQL... attempt $i/30\" >&2; sleep 2; done".to_string(),
"./bin/pg_isready -h localhost -p 5432 -d postgres || { echo 'ERROR: PostgreSQL failed to start properly' >&2; cat {{LOGS_PATH}}/postgres.log >&2; exit 1; }".to_string(),
"PGPASSWORD='{{DB_PASSWORD}}' ./bin/psql -h localhost -p 5432 -U gbuser -d postgres -c \"CREATE DATABASE botserver WITH OWNER gbuser\" 2>&1 | grep -v 'already exists' || true".to_string(),
],
pre_install_cmds_macos: vec![],
post_install_cmds_macos: vec![
"chmod +x ./bin/*".to_string(),
"if [ ! -d \"{{DATA_PATH}}/pgdata\" ]; then ./bin/initdb -A -D {{DATA_PATH}}/pgdata -U postgres; fi".to_string(),
],
pre_install_cmds_windows: vec![],
post_install_cmds_windows: vec![],
env_vars: HashMap::new(),
data_download_list: Vec::new(),
exec_cmd: "./bin/pg_ctl -D {{DATA_PATH}}/pgdata -l {{LOGS_PATH}}/postgres.log start -w -t 30 > {{LOGS_PATH}}/stdout.log 2>&1 &".to_string(),
check_cmd: "{{BIN_PATH}}/bin/pg_isready -h localhost -p 5432 -d postgres >/dev/null 2>&1".to_string(),
},
);
}
fn register_cache(&mut self) {
self.components.insert(
"cache".to_string(),
ComponentConfig {
name: "cache".to_string(),
ports: vec![6379],
dependencies: vec![],
linux_packages: vec![],
macos_packages: vec![],
windows_packages: vec![],
download_url: get_component_url("cache"),
binary_name: Some("valkey-server".to_string()),
pre_install_cmds_linux: vec![],
post_install_cmds_linux: vec![
"mkdir -p {{BIN_PATH}}/bin && cd {{BIN_PATH}}/bin && tar -xzf {{CACHE_FILE}} --strip-components=1 -C {{BIN_PATH}}/bin 2>/dev/null || true".to_string(),
"chmod +x {{BIN_PATH}}/bin/valkey-server 2>/dev/null || true".to_string(),
"chmod +x {{BIN_PATH}}/bin/valkey-cli 2>/dev/null || true".to_string(),
"chmod +x {{BIN_PATH}}/bin/valkey-benchmark 2>/dev/null || true".to_string(),
"chmod +x {{BIN_PATH}}/bin/valkey-check-aof 2>/dev/null || true".to_string(),
"chmod +x {{BIN_PATH}}/bin/valkey-check-rdb 2>/dev/null || true".to_string(),
"chmod +x {{BIN_PATH}}/bin/valkey-sentinel 2>/dev/null || true".to_string(),
],
pre_install_cmds_macos: vec![],
post_install_cmds_macos: vec![],
pre_install_cmds_windows: vec![],
post_install_cmds_windows: vec![],
env_vars: HashMap::new(),
data_download_list: Vec::new(),
exec_cmd: "nohup {{BIN_PATH}}/bin/valkey-server --port 6379 --dir {{DATA_PATH}} --logfile {{LOGS_PATH}}/valkey.log --daemonize yes > {{LOGS_PATH}}/valkey-startup.log 2>&1".to_string(),
check_cmd: "{{BIN_PATH}}/bin/valkey-cli ping 2>/dev/null | grep -q PONG".to_string(),
},
);
}
fn register_llm(&mut self) {
let download_url = get_llama_cpp_url();
if download_url.is_none() {
warn!("No llama.cpp binary available for this platform");
warn!("Local LLM will not be available - use external API instead");
}
info!(
"LLM component using llama.cpp {} for this platform",
LLAMA_CPP_VERSION
);
self.components.insert(
"llm".to_string(),
ComponentConfig {
name: "llm".to_string(),
ports: vec![8081, 8082],
dependencies: vec![],
linux_packages: vec![],
macos_packages: vec![],
windows_packages: vec![],
download_url,
binary_name: Some("llama-server".to_string()),
pre_install_cmds_linux: vec![],
post_install_cmds_linux: vec![],
pre_install_cmds_macos: vec![],
post_install_cmds_macos: vec![],
pre_install_cmds_windows: vec![],
post_install_cmds_windows: vec![],
env_vars: HashMap::new(),
data_download_list: vec![
"https://huggingface.co/bartowski/DeepSeek-R1-Distill-Qwen-1.5B-GGUF/resolve/main/DeepSeek-R1-Distill-Qwen-1.5B-Q3_K_M.gguf".to_string(),
"https://huggingface.co/CompendiumLabs/bge-small-en-v1.5-gguf/resolve/main/bge-small-en-v1.5-f32.gguf".to_string(),
],
exec_cmd: "nohup {{BIN_PATH}}/build/bin/llama-server --port 8081 --ssl-key-file {{CONF_PATH}}/system/certificates/llm/server.key --ssl-cert-file {{CONF_PATH}}/system/certificates/llm/server.crt -m {{DATA_PATH}}/DeepSeek-R1-Distill-Qwen-1.5B-Q3_K_M.gguf --ubatch-size 512 > {{LOGS_PATH}}/llm.log 2>&1 & nohup {{BIN_PATH}}/build/bin/llama-server --port 8082 --ssl-key-file {{CONF_PATH}}/system/certificates/embedding/server.key --ssl-cert-file {{CONF_PATH}}/system/certificates/embedding/server.crt -m {{DATA_PATH}}/bge-small-en-v1.5-f32.gguf --embedding --ubatch-size 512 > {{LOGS_PATH}}/embedding.log 2>&1 &".to_string(),
check_cmd: "curl -f -k --connect-timeout 2 -m 5 https://localhost:8081/health >/dev/null 2>&1 && curl -f -k --connect-timeout 2 -m 5 https://localhost:8082/health >/dev/null 2>&1".to_string(),
},
);
}
fn register_email(&mut self) {
self.components.insert(
"email".to_string(),
ComponentConfig {
name: "email".to_string(),
ports: vec![25, 143, 465, 993, 8025],
dependencies: vec![],
linux_packages: vec![],
macos_packages: vec![],
windows_packages: vec![],
download_url: get_component_url("email"),
binary_name: Some("stalwart-mail".to_string()),
pre_install_cmds_linux: vec![],
post_install_cmds_linux: vec![],
pre_install_cmds_macos: vec![],
post_install_cmds_macos: vec![],
pre_install_cmds_windows: vec![],
post_install_cmds_windows: vec![],
env_vars: HashMap::from([
("STALWART_TLS_ENABLE".to_string(), "true".to_string()),
("STALWART_TLS_CERT".to_string(), "{{CONF_PATH}}/system/certificates/email/server.crt".to_string()),
("STALWART_TLS_KEY".to_string(), "{{CONF_PATH}}/system/certificates/email/server.key".to_string()),
]),
data_download_list: Vec::new(),
exec_cmd: "{{BIN_PATH}}/stalwart-mail --config {{CONF_PATH}}/email/config.toml".to_string(),
check_cmd: "curl -f -k --connect-timeout 2 -m 5 https://localhost:8025/health >/dev/null 2>&1".to_string(),
},
);
}
fn register_proxy(&mut self) {
self.components.insert(
"proxy".to_string(),
ComponentConfig {
name: "proxy".to_string(),
ports: vec![80, 443],
dependencies: vec![],
linux_packages: vec![],
macos_packages: vec![],
windows_packages: vec![],
download_url: get_component_url("proxy"),
binary_name: Some("caddy".to_string()),
pre_install_cmds_linux: vec![],
post_install_cmds_linux: vec![
"setcap 'cap_net_bind_service=+ep' {{BIN_PATH}}/caddy".to_string(),
],
pre_install_cmds_macos: vec![],
post_install_cmds_macos: vec![],
pre_install_cmds_windows: vec![],
post_install_cmds_windows: vec![],
env_vars: HashMap::from([(
"XDG_DATA_HOME".to_string(),
"{{DATA_PATH}}".to_string(),
)]),
data_download_list: Vec::new(),
exec_cmd: "{{BIN_PATH}}/caddy run --config {{CONF_PATH}}/Caddyfile".to_string(),
check_cmd: "curl -f --connect-timeout 2 -m 5 http://localhost >/dev/null 2>&1"
.to_string(),
},
);
}
fn register_directory(&mut self) {
self.components.insert(
"directory".to_string(),
ComponentConfig {
name: "directory".to_string(),
ports: vec![9000],
dependencies: vec!["tables".to_string()],
linux_packages: vec![],
macos_packages: vec![],
windows_packages: vec![],
download_url: get_component_url("directory"),
binary_name: Some("zitadel".to_string()),
pre_install_cmds_linux: vec![
"mkdir -p {{CONF_PATH}}/directory".to_string(),
"mkdir -p {{LOGS_PATH}}".to_string(),
// Create Zitadel steps YAML: configures a machine user (service account)
// with IAM_OWNER role and writes a PAT file for API bootstrap
concat!(
"cat > {{CONF_PATH}}/directory/zitadel-init-steps.yaml << 'STEPSEOF'\n",
"FirstInstance:\n",
" Org:\n",
" Machine:\n",
" Machine:\n",
" Username: gb-service-account\n",
" Name: General Bots Service Account\n",
" MachineKey:\n",
" Type: 1\n",
" Pat:\n",
" ExpirationDate: '2099-01-01T00:00:00Z'\n",
" PatPath: {{CONF_PATH}}/directory/admin-pat.txt\n",
" MachineKeyPath: {{CONF_PATH}}/directory/machine-key.json\n",
"STEPSEOF",
).to_string(),
],
post_install_cmds_linux: vec![
// Create zitadel DB user before start-from-init
"PGPASSWORD='{{DB_PASSWORD}}' {{STACK_PATH}}/bin/tables/bin/psql -h localhost -p 5432 -U gbuser -d postgres -c \"CREATE ROLE zitadel WITH LOGIN PASSWORD 'zitadel'\" 2>&1 | grep -v 'already exists' || true".to_string(),
"PGPASSWORD='{{DB_PASSWORD}}' {{STACK_PATH}}/bin/tables/bin/psql -h localhost -p 5432 -U gbuser -d postgres -c \"CREATE DATABASE zitadel WITH OWNER zitadel\" 2>&1 | grep -v 'already exists' || true".to_string(),
"PGPASSWORD='{{DB_PASSWORD}}' {{STACK_PATH}}/bin/tables/bin/psql -h localhost -p 5432 -U gbuser -d postgres -c \"GRANT ALL PRIVILEGES ON DATABASE zitadel TO zitadel\" 2>&1 || true".to_string(),
// Start Zitadel with --steps pointing to our init file (creates machine user + PAT)
concat!(
"ZITADEL_PORT=8300 ",
"ZITADEL_DATABASE_POSTGRES_HOST=localhost ",
"ZITADEL_DATABASE_POSTGRES_PORT=5432 ",
"ZITADEL_DATABASE_POSTGRES_DATABASE=zitadel ",
"ZITADEL_DATABASE_POSTGRES_USER_USERNAME=zitadel ",
"ZITADEL_DATABASE_POSTGRES_USER_PASSWORD=zitadel ",
"ZITADEL_DATABASE_POSTGRES_USER_SSL_MODE=disable ",
"ZITADEL_DATABASE_POSTGRES_ADMIN_USERNAME=gbuser ",
"ZITADEL_DATABASE_POSTGRES_ADMIN_PASSWORD={{DB_PASSWORD}} ",
"ZITADEL_DATABASE_POSTGRES_ADMIN_SSL_MODE=disable ",
"ZITADEL_EXTERNALSECURE=false ",
"ZITADEL_EXTERNALDOMAIN=localhost ",
"ZITADEL_EXTERNALPORT=8300 ",
"ZITADEL_TLS_ENABLED=false ",
"nohup {{BIN_PATH}}/zitadel start-from-init ",
"--masterkey MasterkeyNeedsToHave32Characters ",
"--tlsMode disabled ",
"--steps {{CONF_PATH}}/directory/zitadel-init-steps.yaml ",
"> {{LOGS_PATH}}/zitadel.log 2>&1 &",
).to_string(),
// Wait for Zitadel to be ready
"for i in $(seq 1 120); do curl -sf http://localhost:8300/debug/healthz && echo 'Zitadel is ready!' && break || sleep 2; done".to_string(),
// Wait for PAT token to be written to logs with retry loop
// Zitadel may take several seconds to write the PAT after health check passes
"echo 'Waiting for PAT token in logs...'; for i in $(seq 1 30); do sync; if grep -q -E '^[A-Za-z0-9_-]{40,}$' {{LOGS_PATH}}/zitadel.log 2>/dev/null; then echo \"PAT token found in logs after $((i*2)) seconds\"; break; fi; sleep 2; done".to_string(),
// Extract PAT token from logs if Zitadel printed it to stdout instead of file
// The PAT appears as a standalone line (alphanumeric with hyphens/underscores) after machine key JSON
"if [ ! -f '{{CONF_PATH}}/directory/admin-pat.txt' ]; then grep -E '^[A-Za-z0-9_-]{40,}$' {{LOGS_PATH}}/zitadel.log 2>/dev/null | head -1 > {{CONF_PATH}}/directory/admin-pat.txt && echo 'PAT extracted from logs' || echo 'Could not extract PAT from logs'; fi".to_string(),
// Verify PAT file was created and is not empty
"sync; sleep 1; if [ -f '{{CONF_PATH}}/directory/admin-pat.txt' ] && [ -s '{{CONF_PATH}}/directory/admin-pat.txt' ]; then echo 'PAT token created successfully'; cat {{CONF_PATH}}/directory/admin-pat.txt; else echo 'WARNING: PAT file not found or empty'; fi".to_string(),
],
pre_install_cmds_macos: vec![
"mkdir -p {{CONF_PATH}}/directory".to_string(),
],
post_install_cmds_macos: vec![],
pre_install_cmds_windows: vec![],
post_install_cmds_windows: vec![],
env_vars: HashMap::from([
("ZITADEL_PORT".to_string(), "8300".to_string()),
("ZITADEL_EXTERNALSECURE".to_string(), "false".to_string()),
("ZITADEL_EXTERNALDOMAIN".to_string(), "localhost".to_string()),
("ZITADEL_EXTERNALPORT".to_string(), "8300".to_string()),
("ZITADEL_TLS_ENABLED".to_string(), "false".to_string()),
]),
data_download_list: Vec::new(),
exec_cmd: concat!(
"ZITADEL_PORT=8300 ",
"ZITADEL_DATABASE_POSTGRES_HOST=localhost ",
"ZITADEL_DATABASE_POSTGRES_PORT=5432 ",
"ZITADEL_DATABASE_POSTGRES_DATABASE=zitadel ",
"ZITADEL_DATABASE_POSTGRES_USER_USERNAME=zitadel ",
"ZITADEL_DATABASE_POSTGRES_USER_PASSWORD=zitadel ",
"ZITADEL_DATABASE_POSTGRES_USER_SSL_MODE=disable ",
"ZITADEL_DATABASE_POSTGRES_ADMIN_USERNAME=gbuser ",
"ZITADEL_DATABASE_POSTGRES_ADMIN_PASSWORD={{DB_PASSWORD}} ",
"ZITADEL_DATABASE_POSTGRES_ADMIN_SSL_MODE=disable ",
"ZITADEL_EXTERNALSECURE=false ",
"ZITADEL_EXTERNALDOMAIN=localhost ",
"ZITADEL_EXTERNALPORT=8300 ",
"ZITADEL_TLS_ENABLED=false ",
"nohup {{BIN_PATH}}/zitadel start ",
"--masterkey MasterkeyNeedsToHave32Characters ",
"--tlsMode disabled ",
"> {{LOGS_PATH}}/zitadel.log 2>&1 &",
).to_string(),
check_cmd: "curl -f --connect-timeout 2 -m 5 http://localhost:8300/debug/healthz >/dev/null 2>&1".to_string(),
},
);
}
fn register_alm(&mut self) {
self.components.insert(
"alm".to_string(),
ComponentConfig {
name: "alm".to_string(),
ports: vec![3000],
dependencies: vec![],
linux_packages: vec![],
macos_packages: vec![],
windows_packages: vec![],
download_url: get_component_url("alm"),
binary_name: Some("forgejo".to_string()),
pre_install_cmds_linux: vec![],
post_install_cmds_linux: vec![],
pre_install_cmds_macos: vec![],
post_install_cmds_macos: vec![],
pre_install_cmds_windows: vec![],
post_install_cmds_windows: vec![],
env_vars: HashMap::from([
("USER".to_string(), "alm".to_string()),
("HOME".to_string(), "{{DATA_PATH}}".to_string()),
]),
data_download_list: Vec::new(),
exec_cmd: "nohup {{BIN_PATH}}/forgejo web --work-path {{DATA_PATH}} --port 3000 --cert {{CONF_PATH}}/system/certificates/alm/server.crt --key {{CONF_PATH}}/system/certificates/alm/server.key > {{LOGS_PATH}}/forgejo.log 2>&1 &".to_string(),
check_cmd: "curl -f -k --connect-timeout 2 -m 5 https://localhost:3000 >/dev/null 2>&1".to_string(),
},
);
}
fn register_alm_ci(&mut self) {
self.components.insert(
"alm-ci".to_string(),
ComponentConfig {
name: "alm-ci".to_string(),
ports: vec![],
dependencies: vec!["alm".to_string()],
linux_packages: vec![],
macos_packages: vec!["git".to_string(), "node".to_string()],
windows_packages: vec![],
download_url: get_component_url("alm_ci"),
binary_name: Some("forgejo-runner".to_string()),
pre_install_cmds_linux: vec![
"mkdir -p {{CONF_PATH}}/alm-ci".to_string(),
],
post_install_cmds_linux: vec![
"echo 'To register the runner, run:'".to_string(),
"echo '{{BIN_PATH}}/forgejo-runner register --instance $ALM_URL --token $ALM_RUNNER_TOKEN --name gbo --labels ubuntu-latest:docker://node:20-bookworm'".to_string(),
"echo 'Then start with: {{BIN_PATH}}/forgejo-runner daemon --config {{CONF_PATH}}/alm-ci/config.yaml'".to_string(),
],
pre_install_cmds_macos: vec![],
post_install_cmds_macos: vec![],
pre_install_cmds_windows: vec![],
post_install_cmds_windows: vec![],
env_vars: {
let mut env = HashMap::new();
env.insert("ALM_URL".to_string(), "$ALM_URL".to_string());
env.insert("ALM_RUNNER_TOKEN".to_string(), "$ALM_RUNNER_TOKEN".to_string());
env
},
data_download_list: Vec::new(),
exec_cmd: "nohup {{BIN_PATH}}/forgejo-runner daemon --config {{CONF_PATH}}/alm-ci/config.yaml > {{LOGS_PATH}}/forgejo-runner.log 2>&1 &".to_string(),
check_cmd: "ps -ef | grep forgejo-runner | grep -v grep | grep {{BIN_PATH}} >/dev/null 2>&1".to_string(),
},
);
}
fn register_dns(&mut self) {
self.components.insert(
"dns".to_string(),
ComponentConfig {
name: "dns".to_string(),
ports: vec![53],
dependencies: vec![],
linux_packages: vec![],
macos_packages: vec![],
windows_packages: vec![],
download_url: get_component_url("dns"),
binary_name: Some("coredns".to_string()),
pre_install_cmds_linux: vec![],
post_install_cmds_linux: vec![],
pre_install_cmds_macos: vec![],
post_install_cmds_macos: vec![],
pre_install_cmds_windows: vec![],
post_install_cmds_windows: vec![],
env_vars: HashMap::new(),
data_download_list: Vec::new(),
exec_cmd: "{{BIN_PATH}}/coredns -conf {{CONF_PATH}}/dns/Corefile".to_string(),
check_cmd: "dig @localhost botserver.local >/dev/null 2>&1".to_string(),
},
);
}
fn register_webmail(&mut self) {
self.components.insert(
"webmail".to_string(),
ComponentConfig {
name: "webmail".to_string(),
ports: vec![8300],
dependencies: vec!["email".to_string()],
linux_packages: vec![
"ca-certificates".to_string(),
"apt-transport-https".to_string(),
"php8.1".to_string(),
"php8.1-fpm".to_string(),
],
macos_packages: vec!["php".to_string()],
windows_packages: vec![],
download_url: get_component_url("webmail"),
binary_name: None,
pre_install_cmds_linux: vec![],
post_install_cmds_linux: vec![],
pre_install_cmds_macos: vec![],
post_install_cmds_macos: vec![],
pre_install_cmds_windows: vec![],
post_install_cmds_windows: vec![],
env_vars: HashMap::new(),
data_download_list: Vec::new(),
exec_cmd: "php -S 0.0.0.0:9000 -t {{DATA_PATH}}/roundcubemail".to_string(),
check_cmd:
"curl -f -k --connect-timeout 2 -m 5 https://localhost:8300 >/dev/null 2>&1"
.to_string(),
},
);
}
fn register_meeting(&mut self) {
self.components.insert(
"meet".to_string(),
ComponentConfig {
name: "meet".to_string(),
ports: vec![7880],
dependencies: vec![],
linux_packages: vec![],
macos_packages: vec![],
windows_packages: vec![],
download_url: get_component_url("meet"),
binary_name: Some("livekit-server".to_string()),
pre_install_cmds_linux: vec![],
post_install_cmds_linux: vec![],
pre_install_cmds_macos: vec![],
post_install_cmds_macos: vec![],
pre_install_cmds_windows: vec![],
post_install_cmds_windows: vec![],
env_vars: HashMap::new(),
data_download_list: Vec::new(),
exec_cmd: "{{BIN_PATH}}/livekit-server --config {{CONF_PATH}}/meet/config.yaml --key-file {{CONF_PATH}}/system/certificates/meet/server.key --cert-file {{CONF_PATH}}/system/certificates/meet/server.crt".to_string(),
check_cmd: "curl -f -k --connect-timeout 2 -m 5 https://localhost:7880 >/dev/null 2>&1".to_string(),
},
);
}
fn register_table_editor(&mut self) {
self.components.insert(
"table_editor".to_string(),
ComponentConfig {
name: "table_editor".to_string(),
ports: vec![5757],
dependencies: vec!["tables".to_string()],
linux_packages: vec![],
macos_packages: vec![],
windows_packages: vec![],
download_url: get_component_url("table_editor"),
binary_name: Some("nocodb".to_string()),
pre_install_cmds_linux: vec![],
post_install_cmds_linux: vec![],
pre_install_cmds_macos: vec![],
post_install_cmds_macos: vec![],
pre_install_cmds_windows: vec![],
post_install_cmds_windows: vec![],
env_vars: HashMap::new(),
data_download_list: Vec::new(),
exec_cmd: "{{BIN_PATH}}/nocodb".to_string(),
check_cmd:
"curl -f -k --connect-timeout 2 -m 5 https://localhost:5757 >/dev/null 2>&1"
.to_string(),
},
);
}
fn register_doc_editor(&mut self) {
self.components.insert(
"doc_editor".to_string(),
ComponentConfig {
name: "doc_editor".to_string(),
ports: vec![9980],
dependencies: vec![],
linux_packages: vec![],
macos_packages: vec![],
windows_packages: vec![],
download_url: None,
binary_name: Some("coolwsd".to_string()),
pre_install_cmds_linux: vec![],
post_install_cmds_linux: vec![],
pre_install_cmds_macos: vec![],
post_install_cmds_macos: vec![],
pre_install_cmds_windows: vec![],
post_install_cmds_windows: vec![],
env_vars: HashMap::new(),
data_download_list: Vec::new(),
exec_cmd: "coolwsd --config-file={{CONF_PATH}}/coolwsd.xml".to_string(),
check_cmd:
"curl -f -k --connect-timeout 2 -m 5 https://localhost:9980 >/dev/null 2>&1"
.to_string(),
},
);
}
fn register_remote_terminal(&mut self) {
self.components.insert(
"remote_terminal".to_string(),
ComponentConfig {
name: "remote_terminal".to_string(),
ports: vec![3389],
dependencies: vec![],
linux_packages: vec!["xvfb".to_string(), "xrdp".to_string(), "xfce4".to_string()],
macos_packages: vec![],
windows_packages: vec![],
download_url: None,
binary_name: None,
pre_install_cmds_linux: vec![],
post_install_cmds_linux: vec![],
pre_install_cmds_macos: vec![],
post_install_cmds_macos: vec![],
pre_install_cmds_windows: vec![],
post_install_cmds_windows: vec![],
env_vars: HashMap::new(),
data_download_list: Vec::new(),
exec_cmd: "xrdp --nodaemon".to_string(),
check_cmd: "netstat -tln | grep :3389 >/dev/null 2>&1".to_string(),
},
);
}
fn register_devtools(&mut self) {
self.components.insert(
"devtools".to_string(),
ComponentConfig {
name: "devtools".to_string(),
ports: vec![],
dependencies: vec![],
linux_packages: vec![],
macos_packages: vec![],
windows_packages: vec![],
download_url: None,
binary_name: None,
pre_install_cmds_linux: vec![],
post_install_cmds_linux: vec![],
pre_install_cmds_macos: vec![],
post_install_cmds_macos: vec![],
pre_install_cmds_windows: vec![],
post_install_cmds_windows: vec![],
env_vars: HashMap::new(),
data_download_list: Vec::new(),
exec_cmd: "".to_string(),
check_cmd: "".to_string(),
},
);
}
fn _register_botserver(&mut self) {
self.components.insert(
"system".to_string(),
ComponentConfig {
name: "system".to_string(),
ports: vec![8000],
dependencies: vec![],
linux_packages: vec!["curl".to_string(), "unzip".to_string(), "git".to_string()],
macos_packages: vec![],
windows_packages: vec![],
download_url: None,
binary_name: None,
pre_install_cmds_linux: vec![],
post_install_cmds_linux: vec![],
pre_install_cmds_macos: vec![],
post_install_cmds_macos: vec![],
pre_install_cmds_windows: vec![],
post_install_cmds_windows: vec![],
env_vars: HashMap::new(),
data_download_list: Vec::new(),
exec_cmd: "".to_string(),
check_cmd: "".to_string(),
},
);
}
fn register_vector_db(&mut self) {
self.components.insert(
"vector_db".to_string(),
ComponentConfig {
name: "vector_db".to_string(),
ports: vec![6334],
dependencies: vec![],
linux_packages: vec![],
macos_packages: vec![],
windows_packages: vec![],
download_url: get_component_url("vector_db"),
binary_name: Some("qdrant".to_string()),
pre_install_cmds_linux: vec![],
post_install_cmds_linux: vec![],
pre_install_cmds_macos: vec![],
post_install_cmds_macos: vec![],
pre_install_cmds_windows: vec![],
post_install_cmds_windows: vec![],
env_vars: HashMap::new(),
data_download_list: Vec::new(),
exec_cmd: "nohup {{BIN_PATH}}/qdrant --config-path {{CONF_PATH}}/vector_db/config.yaml > {{LOGS_PATH}}/qdrant.log 2>&1 &".to_string(),
check_cmd: "curl -sfk https://localhost:6333/collections >/dev/null 2>&1".to_string(),
},
);
}
fn register_timeseries_db(&mut self) {
self.components.insert(
"timeseries_db".to_string(),
ComponentConfig {
name: "timeseries_db".to_string(),
ports: vec![8086, 8083],
dependencies: vec![],
linux_packages: vec![],
macos_packages: vec![],
windows_packages: vec![],
download_url: get_component_url("timeseries_db"),
binary_name: Some("influxd".to_string()),
pre_install_cmds_linux: vec![
"mkdir -p {{DATA_PATH}}/influxdb".to_string(),
"mkdir -p {{CONF_PATH}}/influxdb".to_string(),
],
post_install_cmds_linux: vec![
"{{BIN_PATH}}/influx setup --org system --bucket metrics --username admin --password {{GENERATED_PASSWORD}} --force".to_string(),
],
pre_install_cmds_macos: vec![
"mkdir -p {{DATA_PATH}}/influxdb".to_string(),
],
post_install_cmds_macos: vec![],
pre_install_cmds_windows: vec![],
post_install_cmds_windows: vec![],
env_vars: {
let mut env = HashMap::new();
env.insert("INFLUXD_ENGINE_PATH".to_string(), "{{DATA_PATH}}/influxdb/engine".to_string());
env.insert("INFLUXD_BOLT_PATH".to_string(), "{{DATA_PATH}}/influxdb/influxd.bolt".to_string());
env.insert("INFLUXD_HTTP_BIND_ADDRESS".to_string(), ":8086".to_string());
env.insert("INFLUXD_REPORTING_DISABLED".to_string(), "true".to_string());
env
},
data_download_list: Vec::new(),
exec_cmd: "{{BIN_PATH}}/influxd --bolt-path={{DATA_PATH}}/influxdb/influxd.bolt --engine-path={{DATA_PATH}}/influxdb/engine --http-bind-address=:8086".to_string(),
check_cmd: "curl -f --connect-timeout 2 -m 5 http://localhost:8086/health >/dev/null 2>&1".to_string(),
},
);
}
fn register_vault(&mut self) {
self.components.insert(
"vault".to_string(),
ComponentConfig {
name: "vault".to_string(),
ports: vec![8200],
dependencies: vec![],
linux_packages: vec![],
macos_packages: vec![],
windows_packages: vec![],
download_url: get_component_url("vault"),
binary_name: Some("vault".to_string()),
pre_install_cmds_linux: vec![
"mkdir -p {{DATA_PATH}}/vault".to_string(),
"mkdir -p {{CONF_PATH}}/vault".to_string(),
"mkdir -p {{LOGS_PATH}}".to_string(),
r#"cat > {{CONF_PATH}}/vault/config.hcl << 'EOF'
storage "file" {
path = "{{DATA_PATH}}/vault"
}
listener "tcp" {
address = "0.0.0.0:8200"
tls_disable = false
tls_cert_file = "{{CONF_PATH}}/system/certificates/vault/server.crt"
tls_key_file = "{{CONF_PATH}}/system/certificates/vault/server.key"
tls_client_ca_file = "{{CONF_PATH}}/system/certificates/ca/ca.crt"
}
api_addr = "https://localhost:8200"
cluster_addr = "https://localhost:8201"
ui = true
disable_mlock = true
EOF"#.to_string(),
],
post_install_cmds_linux: vec![
"mkdir -p {{CONF_PATH}}/system/certificates/ca".to_string(),
"mkdir -p {{CONF_PATH}}/system/certificates/vault".to_string(),
"mkdir -p {{CONF_PATH}}/system/certificates/botserver".to_string(),
"mkdir -p {{CONF_PATH}}/system/certificates/tables".to_string(),
"openssl genrsa -out {{CONF_PATH}}/system/certificates/ca/ca.key 4096 2>/dev/null".to_string(),
"openssl req -new -x509 -days 3650 -key {{CONF_PATH}}/system/certificates/ca/ca.key -out {{CONF_PATH}}/system/certificates/ca/ca.crt -subj '/C=BR/ST=SP/L=São Paulo/O=BotServer Internal CA/CN=BotServer CA' 2>/dev/null".to_string(),
"openssl genrsa -out {{CONF_PATH}}/system/certificates/vault/server.key 4096 2>/dev/null".to_string(),
"openssl req -new -key {{CONF_PATH}}/system/certificates/vault/server.key -out {{CONF_PATH}}/system/certificates/vault/server.csr -subj '/C=BR/ST=SP/L=São Paulo/O=BotServer/CN=localhost' 2>/dev/null".to_string(),
"openssl x509 -req -days 3650 -in {{CONF_PATH}}/system/certificates/vault/server.csr -CA {{CONF_PATH}}/system/certificates/ca/ca.crt -CAkey {{CONF_PATH}}/system/certificates/ca/ca.key -CAcreateserial -out {{CONF_PATH}}/system/certificates/vault/server.crt 2>/dev/null".to_string(),
"openssl genrsa -out {{CONF_PATH}}/system/certificates/botserver/client.key 4096 2>/dev/null".to_string(),
"openssl req -new -key {{CONF_PATH}}/system/certificates/botserver/client.key -out {{CONF_PATH}}/system/certificates/botserver/client.csr -subj '/C=BR/ST=SP/L=São Paulo/O=BotServer/CN=botserver' 2>/dev/null".to_string(),
"openssl x509 -req -days 3650 -in {{CONF_PATH}}/system/certificates/botserver/client.csr -CA {{CONF_PATH}}/system/certificates/ca/ca.crt -CAkey {{CONF_PATH}}/system/certificates/ca/ca.key -CAcreateserial -out {{CONF_PATH}}/system/certificates/botserver/client.crt 2>/dev/null".to_string(),
"openssl genrsa -out {{CONF_PATH}}/system/certificates/tables/server.key 4096 2>/dev/null".to_string(),
"openssl req -new -key {{CONF_PATH}}/system/certificates/tables/server.key -out {{CONF_PATH}}/system/certificates/tables/server.csr -subj '/C=BR/ST=SP/L=São Paulo/O=BotServer/CN=localhost' 2>/dev/null".to_string(),
"openssl x509 -req -days 3650 -in {{CONF_PATH}}/system/certificates/tables/server.csr -CA {{CONF_PATH}}/system/certificates/ca/ca.crt -CAkey {{CONF_PATH}}/system/certificates/ca/ca.key -CAcreateserial -out {{CONF_PATH}}/system/certificates/tables/server.crt 2>/dev/null".to_string(),
"echo 'Certificates generated successfully'".to_string(),
],
pre_install_cmds_macos: vec![
"mkdir -p {{DATA_PATH}}/vault".to_string(),
"mkdir -p {{CONF_PATH}}/vault".to_string(),
"mkdir -p {{LOGS_PATH}}".to_string(),
r#"cat > {{CONF_PATH}}/vault/config.hcl << 'EOF'
storage "file" {
path = "{{DATA_PATH}}/vault"
}
listener "tcp" {
address = "0.0.0.0:8200"
tls_disable = false
tls_cert_file = "{{CONF_PATH}}/system/certificates/vault/server.crt"
tls_key_file = "{{CONF_PATH}}/system/certificates/vault/server.key"
tls_client_ca_file = "{{CONF_PATH}}/system/certificates/ca/ca.crt"
}
api_addr = "https://localhost:8200"
cluster_addr = "https://localhost:8201"
ui = true
disable_mlock = true
EOF"#.to_string(),
],
post_install_cmds_macos: vec![],
pre_install_cmds_windows: vec![],
post_install_cmds_windows: vec![],
env_vars: {
let mut env = HashMap::new();
env.insert(
"VAULT_ADDR".to_string(),
"https://localhost:8200".to_string(),
);
env.insert(
"VAULT_CACERT".to_string(),
"./botserver-stack/conf/system/certificates/ca/ca.crt".to_string(),
);
env
},
data_download_list: Vec::new(),
exec_cmd: "nohup {{BIN_PATH}}/vault server -config={{CONF_PATH}}/vault/config.hcl > {{LOGS_PATH}}/vault.log 2>&1 &"
.to_string(),
check_cmd: "if [ -f {{CONF_PATH}}/system/certificates/botserver/client.crt ]; then curl -f -sk --connect-timeout 2 -m 5 --cert {{CONF_PATH}}/system/certificates/botserver/client.crt --key {{CONF_PATH}}/system/certificates/botserver/client.key 'https://localhost:8200/v1/sys/health?standbyok=true&uninitcode=200&sealedcode=200' >/dev/null 2>&1; else curl -f -sk --connect-timeout 2 -m 5 'https://localhost:8200/v1/sys/health?standbyok=true&uninitcode=200&sealedcode=200' >/dev/null 2>&1; fi"
.to_string(),
},
);
}
fn register_observability(&mut self) {
self.components.insert(
"observability".to_string(),
ComponentConfig {
name: "observability".to_string(),
ports: vec![8686],
dependencies: vec!["timeseries_db".to_string()],
linux_packages: vec![],
macos_packages: vec![],
windows_packages: vec![],
download_url: get_component_url("observability"),
binary_name: Some("vector".to_string()),
pre_install_cmds_linux: vec![
"mkdir -p {{CONF_PATH}}/monitoring".to_string(),
"mkdir -p {{DATA_PATH}}/vector".to_string(),
],
post_install_cmds_linux: vec![],
pre_install_cmds_macos: vec![
"mkdir -p {{CONF_PATH}}/monitoring".to_string(),
"mkdir -p {{DATA_PATH}}/vector".to_string(),
],
post_install_cmds_macos: vec![],
pre_install_cmds_windows: vec![],
post_install_cmds_windows: vec![],
env_vars: HashMap::new(),
data_download_list: Vec::new(),
exec_cmd: "{{BIN_PATH}}/vector --config {{CONF_PATH}}/monitoring/vector.toml"
.to_string(),
check_cmd:
"curl -f --connect-timeout 2 -m 5 http://localhost:8686/health >/dev/null 2>&1"
.to_string(),
},
);
}
fn register_host(&mut self) {
self.components.insert(
"host".to_string(),
ComponentConfig {
name: "host".to_string(),
ports: vec![],
dependencies: vec![],
linux_packages: vec![],
macos_packages: vec![],
windows_packages: vec![],
download_url: None,
binary_name: None,
pre_install_cmds_linux: vec![
"echo 'net.ipv4.ip_forward=1' | tee -a /etc/sysctl.conf".to_string(),
"sysctl -p".to_string(),
],
post_install_cmds_linux: vec![
"lxd init --dump >/dev/null 2>&1 || lxd init --auto".to_string(),
"lxc storage show default >/dev/null 2>&1 || lxc storage create default dir".to_string(),
"lxc profile device include default root >/dev/null 2>&1 || lxc profile device add default root disk path=/ pool=default".to_string(),
"lxc profile device show default | grep lxd-sock >/dev/null 2>&1 || lxc profile device add default lxd-sock proxy connect=unix:/var/lib/lxd/unix.socket listen=unix:/tmp/lxd.sock bind=container uid=0 gid=0 mode=0660".to_string(),
],
pre_install_cmds_macos: vec![],
post_install_cmds_macos: vec![],
pre_install_cmds_windows: vec![],
post_install_cmds_windows: vec![],
env_vars: HashMap::new(),
data_download_list: Vec::new(),
exec_cmd: "".to_string(),
check_cmd: "".to_string(),
},
);
}
pub fn start(&self, component: &str) -> Result<std::process::Child> {
if let Some(component) = self.components.get(component) {
let bin_path = self.base_path.join("bin").join(&component.name);
let data_path = self.base_path.join("data").join(&component.name);
let conf_path = self.base_path.join("conf");
let logs_path = self.base_path.join("logs").join(&component.name);
let check_cmd = component
.check_cmd
.replace("{{BIN_PATH}}", &bin_path.to_string_lossy())
.replace("{{DATA_PATH}}", &data_path.to_string_lossy())
.replace("{{CONF_PATH}}", &conf_path.to_string_lossy())
.replace("{{LOGS_PATH}}", &logs_path.to_string_lossy());
let check_output = safe_sh_command(&check_cmd)
.map(|o| o.status.success())
.unwrap_or(false);
if check_output {
info!(
"Component {} is already running, skipping start",
component.name
);
return SafeCommand::noop_child()
.map_err(|e| anyhow::anyhow!("Failed to create noop process: {}", e));
}
let rendered_cmd = component
.exec_cmd
.replace("{{BIN_PATH}}", &bin_path.to_string_lossy())
.replace("{{DATA_PATH}}", &data_path.to_string_lossy())
.replace("{{CONF_PATH}}", &conf_path.to_string_lossy())
.replace("{{LOGS_PATH}}", &logs_path.to_string_lossy());
trace!(
"Starting component {} with command: {}",
component.name,
rendered_cmd
);
trace!(
"Working directory: {}, logs_path: {}",
bin_path.display(),
logs_path.display()
);
let vault_credentials = Self::fetch_vault_credentials();
let mut evaluated_envs = HashMap::new();
for (k, v) in &component.env_vars {
if let Some(var_name) = v.strip_prefix('$') {
let value = vault_credentials
.get(var_name)
.cloned()
.or_else(|| std::env::var(var_name).ok())
.unwrap_or_default();
evaluated_envs.insert(k.clone(), value);
} else {
evaluated_envs.insert(k.clone(), v.clone());
}
}
trace!(
"About to spawn shell command for {}: {}",
component.name,
rendered_cmd
);
trace!("Working dir: {}", bin_path.display());
let child = SafeCommand::new("sh")
.and_then(|c| c.arg("-c"))
.and_then(|c| c.trusted_shell_script_arg(&rendered_cmd))
.and_then(|c| c.working_dir(&bin_path))
.and_then(|cmd| cmd.spawn_with_envs(&evaluated_envs))
.map_err(|e| anyhow::anyhow!("Failed to spawn process: {}", e));
trace!("Spawn result for {}: {:?}", component.name, child.is_ok());
std::thread::sleep(std::time::Duration::from_secs(2));
trace!(
"Checking if {} process exists after 2s sleep...",
component.name
);
let check_proc = safe_pgrep(&["-f", &component.name]);
if let Some(output) = check_proc {
let pids = String::from_utf8_lossy(&output.stdout);
trace!("pgrep '{}' result: '{}'", component.name, pids.trim());
}
match child {
Ok(c) => {
trace!("Component {} started successfully", component.name);
// Initialize Vault after successful start (local mode only)
if component.name == "vault" && self.mode == InstallMode::Local {
if let Err(e) = self.initialize_vault_local() {
warn!("Failed to initialize Vault: {}", e);
warn!("Vault started but may need manual initialization");
}
}
Ok(c)
}
Err(e) => {
error!("Spawn failed for {}: {}", component.name, e);
let err_msg = e.to_string();
if err_msg.contains("already running")
|| err_msg.contains("be running")
|| component.name == "tables"
{
trace!(
"Component {} may already be running, continuing anyway",
component.name
);
// Even if vault was already running, ensure .env exists
if component.name == "vault" && self.mode == InstallMode::Local {
let _ = self.ensure_env_file_exists();
}
SafeCommand::noop_child()
.map_err(|e| anyhow::anyhow!("Failed to create noop process: {}", e))
} else {
Err(e)
}
}
}
} else {
Err(anyhow::anyhow!("Component not found: {}", component))
}
}
fn fetch_vault_credentials() -> HashMap<String, String> {
let mut credentials = HashMap::new();
dotenvy::dotenv().ok();
let base_path = std::env::var("BOTSERVER_STACK_PATH")
.map(std::path::PathBuf::from)
.unwrap_or_else(|_| {
std::env::current_dir()
.unwrap_or_else(|_| std::path::PathBuf::from("."))
.join("botserver-stack")
});
let vault_addr =
std::env::var("VAULT_ADDR").unwrap_or_else(|_| "https://localhost:8200".to_string());
let vault_token = std::env::var("VAULT_TOKEN").unwrap_or_default();
if vault_token.is_empty() {
warn!("VAULT_TOKEN not set, cannot fetch credentials from Vault");
return credentials;
}
// Check if Vault is reachable before trying to fetch credentials
// Use -k for self-signed certs and mTLS client cert
let client_cert = base_path.join("conf/system/certificates/botserver/client.crt");
let client_key = base_path.join("conf/system/certificates/botserver/client.key");
let vault_check = safe_sh_command(&format!(
"curl -sfk --cert {} --key {} {}/v1/sys/health >/dev/null 2>&1",
client_cert.display(),
client_key.display(),
vault_addr
))
.map(|o| o.status.success())
.unwrap_or(false);
if !vault_check {
trace!(
"Vault not reachable at {}, skipping credential fetch",
vault_addr
);
return credentials;
}
let vault_bin = base_path.join("bin/vault/vault");
let vault_bin_str = vault_bin.to_string_lossy();
// Get CA cert path for Vault TLS
let ca_cert_path = std::env::var("VAULT_CACERT").unwrap_or_else(|_| {
base_path
.join("conf/system/certificates/ca/ca.crt")
.to_string_lossy()
.to_string()
});
trace!(
"Fetching drive credentials from Vault at {} using {}",
vault_addr,
vault_bin_str
);
let drive_cmd = format!(
"VAULT_ADDR={} VAULT_TOKEN={} VAULT_CACERT={} {} kv get -format=json secret/gbo/drive",
vault_addr, vault_token, ca_cert_path, vault_bin_str
);
match safe_sh_command(&drive_cmd) {
Some(output) => {
if output.status.success() {
let json_str = String::from_utf8_lossy(&output.stdout);
trace!("Vault drive response: {}", json_str);
match serde_json::from_str::<serde_json::Value>(&json_str) {
Ok(json) => {
if let Some(data) = json.get("data").and_then(|d| d.get("data")) {
if let Some(accesskey) =
data.get("accesskey").and_then(|v| v.as_str())
{
trace!("Found DRIVE_ACCESSKEY from Vault");
credentials.insert(
"DRIVE_ACCESSKEY".to_string(),
accesskey.to_string(),
);
}
if let Some(secret) = data.get("secret").and_then(|v| v.as_str()) {
trace!("Found DRIVE_SECRET from Vault");
credentials
.insert("DRIVE_SECRET".to_string(), secret.to_string());
}
} else {
warn!("Vault response missing data.data field");
}
}
Err(e) => warn!("Failed to parse Vault JSON: {}", e),
}
} else {
let stderr = String::from_utf8_lossy(&output.stderr);
warn!("Vault drive command failed: {}", stderr);
}
}
None => warn!("Failed to execute Vault command"),
}
let cache_cmd = format!(
"VAULT_ADDR={} VAULT_TOKEN={} VAULT_CACERT={} {} kv get -format=json secret/gbo/cache 2>/dev/null",
vault_addr, vault_token, ca_cert_path, vault_bin_str
);
if let Some(output) = safe_sh_command(&cache_cmd) {
if output.status.success() {
if let Ok(json_str) = String::from_utf8(output.stdout) {
if let Ok(json) = serde_json::from_str::<serde_json::Value>(&json_str) {
if let Some(data) = json.get("data").and_then(|d| d.get("data")) {
if let Some(password) = data.get("password").and_then(|v| v.as_str()) {
credentials
.insert("CACHE_PASSWORD".to_string(), password.to_string());
}
}
}
}
}
}
trace!("Fetched {} credentials from Vault", credentials.len());
credentials
}
/// Initialize Vault locally (non-LXC mode) and create .env file
///
/// This function:
/// 1. Checks if Vault is already initialized
/// 2. If not, runs `vault operator init` to get root token and unseal keys
/// 3. Creates .env file with VAULT_ADDR and VAULT_TOKEN
/// 4. Creates vault-unseal-keys file with proper permissions
/// 5. Unseals Vault with 3 keys
fn initialize_vault_local(&self) -> Result<()> {
use std::io::Write;
info!("Initializing Vault locally (non-LXC mode)...");
let bin_path = self.base_path.join("bin/vault");
let conf_path = self.base_path.join("conf");
let vault_bin = bin_path.join("vault");
// Check if already initialized
let init_json = self.base_path.join("conf/vault/init.json");
if init_json.exists() {
info!("Vault already initialized (init.json exists), skipping initialization");
// Still ensure .env file exists
self.ensure_env_file_exists()?;
return Ok(());
}
// Wait for Vault to be ready
info!("Waiting for Vault to start...");
std::thread::sleep(std::time::Duration::from_secs(3));
let vault_addr = std::env::var("VAULT_ADDR")
.unwrap_or_else(|_| "https://localhost:8200".to_string());
let ca_cert = conf_path.join("system/certificates/ca/ca.crt");
// Initialize Vault
let init_cmd = format!(
"{} operator init -tls-skip-verify -key-shares=5 -key-threshold=3 -format=json -address={}",
vault_bin.display(),
vault_addr
);
info!("Running vault operator init...");
let output = safe_sh_command(&init_cmd)
.ok_or_else(|| anyhow::anyhow!("Failed to execute vault init command"))?;
if !output.status.success() {
let stderr = String::from_utf8_lossy(&output.stderr);
if stderr.contains("already initialized") {
warn!("Vault already initialized, skipping file generation");
return self.ensure_env_file_exists();
}
return Err(anyhow::anyhow!("Failed to initialize Vault: {}", stderr));
}
let init_output = String::from_utf8_lossy(&output.stdout);
let init_json_val: serde_json::Value = serde_json::from_str(&init_output)
.context("Failed to parse Vault init output")?;
let unseal_keys = init_json_val["unseal_keys_b64"]
.as_array()
.context("No unseal keys in output")?;
let root_token = init_json_val["root_token"]
.as_str()
.context("No root token in output")?;
// Save init.json
std::fs::write(
&init_json,
serde_json::to_string_pretty(&init_json_val)?
)?;
info!("Created {}", init_json.display());
// Create .env file with Vault credentials
let env_file = std::path::PathBuf::from(".env");
let env_content = format!(
r#"
# Vault Configuration (auto-generated)
VAULT_ADDR={}
VAULT_TOKEN={}
VAULT_CACERT={}
"#,
vault_addr,
root_token,
ca_cert.display()
);
if env_file.exists() {
let existing = std::fs::read_to_string(&env_file)?;
if existing.contains("VAULT_ADDR=") {
warn!(".env already contains VAULT_ADDR, not overwriting");
} else {
let mut file = std::fs::OpenOptions::new()
.append(true)
.open(&env_file)?;
file.write_all(env_content.as_bytes())?;
info!("Appended Vault config to .env");
}
} else {
std::fs::write(&env_file, env_content.trim_start())?;
info!("Created .env with Vault config");
}
// Create vault-unseal-keys file
let unseal_keys_file = std::path::PathBuf::from("vault-unseal-keys");
let keys_content: String = unseal_keys
.iter()
.enumerate()
.map(|(i, key): (usize, &serde_json::Value)| {
format!("Unseal Key {}: {}\n", i + 1, key.as_str().unwrap_or(""))
})
.collect();
std::fs::write(&unseal_keys_file, keys_content)?;
#[cfg(unix)]
{
std::fs::set_permissions(&unseal_keys_file, std::fs::Permissions::from_mode(0o600))?;
}
#[cfg(not(unix))]
{
let _ = &unseal_keys_file; // suppress unused warning
}
info!("Created {} (chmod 600)", unseal_keys_file.display());
// Unseal Vault (need 3 keys)
info!("Unsealing Vault...");
for i in 0..3 {
if let Some(key) = unseal_keys.get(i) {
let key_str: &str = key.as_str().unwrap_or("");
let unseal_cmd = format!(
"{} operator unseal -tls-skip-verify -address={} {}",
vault_bin.display(),
vault_addr,
key_str
);
let unseal_output = safe_sh_command(&unseal_cmd);
if let Some(output) = unseal_output {
if !output.status.success() {
warn!("Unseal step {} may have failed", i + 1);
}
} else {
warn!("Unseal step {} command failed to execute", i + 1);
}
}
}
info!("Vault initialized and unsealed successfully");
info!("✓ Created .env with VAULT_ADDR, VAULT_TOKEN");
info!("✓ Created vault-unseal-keys (chmod 600)");
Ok(())
}
/// Ensure .env file exists with Vault credentials
fn ensure_env_file_exists(&self) -> Result<()> {
let init_json = self.base_path.join("conf/vault/init.json");
let env_file = std::path::PathBuf::from(".env");
if !init_json.exists() {
return Ok(()); // No init, no .env needed yet
}
let init_content = std::fs::read_to_string(&init_json)?;
let init_json_val: serde_json::Value = serde_json::from_str(&init_content)?;
let root_token = init_json_val["root_token"]
.as_str()
.context("No root_token in init.json")?;
let conf_path = self.base_path.join("conf");
let ca_cert = conf_path.join("system/certificates/ca/ca.crt");
let vault_addr = std::env::var("VAULT_ADDR")
.unwrap_or_else(|_| "https://localhost:8200".to_string());
let env_content = format!(
r#"
# Vault Configuration (auto-generated)
VAULT_ADDR={}
VAULT_TOKEN={}
VAULT_CACERT={}
"#,
vault_addr,
root_token,
ca_cert.display()
);
if env_file.exists() {
let existing = std::fs::read_to_string(&env_file)?;
if existing.contains("VAULT_ADDR=") {
return Ok(());
}
let mut file = std::fs::OpenOptions::new()
.append(true)
.open(&env_file)?;
use std::io::Write;
file.write_all(env_content.as_bytes())?;
} else {
std::fs::write(&env_file, env_content.trim_start())?;
}
info!("Created .env with Vault credentials");
Ok(())
}
}
Reference in a new issue View git blame Copy permalink