From 120a307343a762fa781318a4e95680755c54fcd9 Mon Sep 17 00:00:00 2001 From: archipelago Date: Thu, 23 Apr 2026 04:49:45 -0400 Subject: [PATCH] =?UTF-8?q?docs:=20STATUS.md=20=E2=80=94=20complete=20SSH/?= =?UTF-8?q?key/sudo/deploy=20reference=20for=20next=20session?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Expands NEXT SESSION header with fully verified access info so a fresh agent has zero ambiguity: - SSH key inventory across laptop, .116, .228 (every file, purpose noted) - Actual SSH config aliases (archy, archy228) with IdentitiesOnly - Verified connectivity matrix (laptop -> both; .116 -> .228; .228 has no outbound key) - Corrected sudo state: .228 sudoers file is /etc/sudoers.d/archipelago (not archipelago-ci); .116 has archipelago-ci + archipelago-wg scope-limited drop-ins - SSHFS mount source command + AppleDouble gotcha - Cargo over SSH PATH gotcha + detached build pattern for >2min timeout - End-to-end deploy-to-.228 recipe (build, SCP, atomic swap, verify) - Git workflow rules (no push, no amend, no force, conventional commits) Removes duplicate host-reference block that the prior edit left trailing. No code change. --- docs/STATUS.md | 130 ++++++++++++++++++++++++++++++++++++++++++++----- 1 file changed, 118 insertions(+), 12 deletions(-) diff --git a/docs/STATUS.md b/docs/STATUS.md index ca612272..a1f10540 100644 --- a/docs/STATUS.md +++ b/docs/STATUS.md @@ -10,6 +10,124 @@ Updated: 2026-04-23 (Dashboard Stop UX bug diagnosed; async-spawn fix fully desi **Goal**: implement async-spawn lifecycle fix so the dashboard never shows a frozen spinner again. User mandate: _"best server containers in the world"_. Do not ship the chaos matrix (Step 11) until this lands and manual LND stop verifies instant RPC + live `Stopping…` label. +### How to work on this repo (SSH + SSHFS setup) + +You are likely running on the **laptop** (macOS). The repo lives on the **ThinkPad** (.116). There are two access paths, use both: + +1. **SSHFS mount at `~/mnt/archy-thinkpad/`** — use for `read` / `edit` / `write` / `glob` / `grep` tools. Fast for file ops, too slow for git/cargo. Example: `/Users/dorian/mnt/archy-thinkpad/core/archipelago/src/api/rpc/container.rs`. + - Mount source: `archy:Projects/archy` (via the `archy` SSH alias, so it uses `~/.ssh/archy_opencode`) + - If mount is missing/stale, remount: `sshfs archy:Projects/archy ~/mnt/archy-thinkpad -o reconnect,ServerAliveInterval=15` + - AppleDouble `._*` files leak from macOS writes — add `--exclude="._*"` to any `rsync` over the mount; single-file `edit`/`write` is fine. +2. **SSH directly** — use for `git`, `cargo`, `npm`, running the server. SSH config aliases are already set up in `~/.ssh/config`: + - `ssh archy` → `archipelago@192.168.1.116` using `~/.ssh/archy_opencode` + - `ssh archy228` → `archipelago@192.168.1.228` using `~/.ssh/archy_opencode` + - Full host form also works: `ssh archipelago@192.168.1.116` / `ssh archipelago@192.168.1.228` (same key resolves via IdentitiesOnly). + +### SSH keys — what's where + +**Laptop `~/.ssh/` (macOS, user `dorian`)**: +| File | Purpose | +|---|---| +| `archy_opencode` / `.pub` | **Primary key for this project.** Unlocks both `archy` (.116) and `archy228` (.228). Created 2026-04-22 specifically for OpenCode work. | +| `archipelago-deploy` / `.pub` | Older archipelago deploy key. Not needed for current work. | +| `id_ed25519` / `.pub` | Personal default key. Not used by archy/archy228 configs (`IdentitiesOnly yes` forces `archy_opencode`). | +| `id_ed25519_angor` / `.pub` | Angor project. Unrelated. | +| `id_ed25519_start9` / `.pub` | Start9 project. Unrelated. | +| `vps-ci-setup` / `.pub` | VPS CI. Unrelated. | +| `config` | Host aliases (shown above) | + +**.116 `/home/archipelago/.ssh/`**: +| File | Purpose | +|---|---| +| `authorized_keys` | Accepts: laptop's `archy_opencode.pub` + 3 other keys (4 lines total). | +| `id_ed25519` / `.pub` | .116's OWN identity key. This is what lets `.116 → .228` work passwordless. | +| `archipelago-deploy` | Symlink → `id_ed25519` (legacy alias). | +| `id_ed25519_vps168` / `.pub` | For SSH to `146.59.87.168` (VPS). Unrelated to this work. | +| `config` | Host entry for the VPS only. | + +**.228 `/home/archipelago/.ssh/`**: +| File | Purpose | +|---|---| +| `authorized_keys` | Accepts: laptop's `archy_opencode.pub` + .116's `id_ed25519.pub` + 2 others (4 lines total). | +| _(no `id_ed25519`)_ | .228 has no outbound key — it's a terminal node. Don't try to `ssh` _from_ .228 _to_ anywhere. | + +**Connectivity matrix (all verified 2026-04-23)**: +| From → To | Works passwordless | Via | +|---|---|---| +| Laptop → .116 | ✅ | `archy_opencode` | +| Laptop → .228 | ✅ | `archy_opencode` | +| .116 → .228 | ✅ | .116's `id_ed25519` | +| .228 → anywhere | ❌ | no outbound key (by design) | + +### Sudo — verified state + +**.116** (dev ThinkPad): +- User `archipelago` is in `sudo` group. +- Sudo password required: **`ThisIsWeb54321@`** +- Sudoers drop-ins present: `/etc/sudoers.d/archipelago-ci`, `/etc/sudoers.d/archipelago-wg` (scope-limited NOPASSWD for specific CI/wg commands — not full NOPASSWD). +- For most dev work you don't need sudo on .116. + +**.228** (prod kiosk): +- User `archipelago` has **full passwordless sudo** via `/etc/sudoers.d/archipelago` containing `archipelago ALL=(ALL) NOPASSWD:ALL`. +- User is also in `sudo` group. +- Sudo password (if ever prompted, shouldn't be): **`archipelago`** +- Dashboard password: **`password123`** + +### Cargo / npm / paths + +- **Cargo PATH gotcha**: non-interactive SSH login has no cargo in PATH. Always use `~/.cargo/bin/cargo` over SSH. + - Example: `ssh archy '~/.cargo/bin/cargo check -p archipelago' --workdir ~/Projects/archy/core` + - Or cd first: `ssh archy 'cd ~/Projects/archy && ~/.cargo/bin/cargo check -p archipelago'` +- **Long cargo builds** (>2 min Bash tool timeout): launch detached and poll the log: + ``` + ssh archy 'cd ~/Projects/archy && nohup ~/.cargo/bin/cargo build --release -p archipelago > /tmp/cargo-build.log 2>&1 < /dev/null & disown' + ssh archy 'tail -30 /tmp/cargo-build.log' + ssh archy 'pgrep -a cargo' # to check if still running + ``` +- **npm / frontend** lives at `~/Projects/archy/neode-ui/` on .116 (also accessible via laptop mount at `~/mnt/archy-thinkpad/neode-ui/`). Node is on interactive PATH; for scripted SSH, `source ~/.nvm/nvm.sh && nvm use` or call the absolute path if nvm is used. +- Repo on .116: `~/Projects/archy/` (Cargo workspace at `core/Cargo.toml`). +- Web root on .228: check `/etc/nginx/sites-enabled/` for the live path; historically `/var/lib/archipelago/web-ui/` or `/opt/archipelago/web-ui/`. + +### Deploying new server binary to .228 + +``` +# 1. Build on .116 (detached — takes ~3-5 min for release) +ssh archy 'cd ~/Projects/archy && nohup ~/.cargo/bin/cargo build --release -p archipelago > /tmp/cargo-build.log 2>&1 < /dev/null & disown' +# wait / tail log until "Finished `release` profile" + +# 2. SCP .116 → .228 (uses .116's id_ed25519 → .228's authorized_keys, passwordless) +ssh archy 'scp ~/Projects/archy/core/target/release/archipelago archipelago@192.168.1.228:/tmp/archipelago.new' + +# 3. Atomic swap on .228 with backup +ssh archy228 'sudo cp /usr/local/bin/archipelago /usr/local/bin/archipelago.bak-pre-async-stop && sudo mv /tmp/archipelago.new /usr/local/bin/archipelago && sudo chmod +x /usr/local/bin/archipelago && sudo systemctl restart archipelago' + +# 4. Verify +ssh archy228 'systemctl status archipelago --no-pager | head -20 && sudo journalctl -u archipelago -n 50 --no-pager' +``` + +### Git workflow + +- Branch: `main` on .116, currently **22 commits ahead of `tx1138/main`**. +- Remote `tx1138` exists but **do NOT push** — user mirrors to 4 Gitea remotes personally after reviewing. +- Atomic commits, one logical change per commit. Conventional Commits format (`feat:`, `fix:`, `docs:`, `refactor:`, `chore:`, `test:`, `perf:`). +- Never `--amend` unless the commit you're amending was created in this session AND has not been pushed. Safer: new commit. +- Never `--force` push. Never modify git config. +- If pre-commit hooks fail, create a NEW commit with the fix — don't `--amend` after a failed commit. + +### Other + +- Full destructive latitude on both nodes. Announce multi-hour ops (OTA, full rebuild, apt upgrade). Don't ask for routine stop/start/rebuild permission. +- No ship pressure. Do it properly. +- Use `question` tool for ambiguous decisions (don't guess user intent on design choices). +- Keep `docs/STATUS.md` fresh between sessions — it IS the session handoff. + +### Hosts reference (quick) + +| Host | IP | SSH alias | Role | Dashboard | Sudo | +|---|---|---|---|---|---| +| `archy` (ThinkPad X250) | 192.168.1.116 | `ssh archy` | dev host, Debian 13 | `archipelago` | `ThisIsWeb54321@` | +| `archy228` (HP ProDesk) | 192.168.1.228 | `ssh archy228` | prod kiosk, Rust orchestrator | `password123` | NOPASSWD (fallback `archipelago`) | + ### Bug being fixed Dashboard sequence when user clicks **Stop LND**: @@ -131,18 +249,6 @@ Net visible bug: button spins briefly, reverts to Running, then several minutes 6. `web-ui.failed.*` scar on .228 (benign systemd unit state) 7. `test_parse_image_versions` pre-existing broken assertion — fix or `#[ignore]` when touching that area -### Host reference - -| Host | IP | Role | Dashboard pw | Sudo pw | SSH | -|---|---|---|---|---|---| -| `archy` (ThinkPad X250) | 192.168.1.116 | dev host, Debian 13, repo at `~/Projects/archy/` | archipelago | `ThisIsWeb54321@` | key installed | -| `archy228` (HP ProDesk) | 192.168.1.228 | prod kiosk, new Rust orchestrator binary | password123 | archipelago (NOPASSWD:ALL via /etc/sudoers.d/archipelago-ci) | key installed | - -- Laptop SSHFS mount: `~/mnt/archy-thinkpad/` (edits OK, git/cargo via SSH) -- Cargo path over SSH: `~/.cargo/bin/cargo` (non-interactive login has no cargo in PATH) -- Release model: local commit + tag only; user pushes to 4 Gitea mirrors personally -- Full destructive latitude on both nodes. Announce multi-hour ops. Don't ask for routine stop/start/rebuild permission. - --- ## Where we are