veza/scripts/bootstrap/runner-bake-deps.sh

#!/usr/bin/env bash
# Install the OS packages every deploy.yml job assumes are pre-baked
# on the forgejo-runner Incus container. Run once per runner; idempotent.
#
# Usage (from operator laptop):
#     ssh -t srv-102v 'sudo bash -s' < scripts/bootstrap/runner-bake-deps.sh
#
# Or run directly on the R720:
#     sudo bash scripts/bootstrap/runner-bake-deps.sh
set -euo pipefail

PKGS=(
    # tarball compression for build artifacts
    zstd
    # rust musl-static target
    musl-tools
    # rust openssl-sys: pkg-config + libssl-dev for the glibc build,
    # perl + make + gcc (build-essential below) for the vendored
    # openssl-src crate which compiles OpenSSL from source against musl.
    pkg-config
    libssl-dev
    perl
    make
    # python3 + pipx for a recent ansible-core
    # (Debian apt's ansible 2.14 is too old for current community.general,
    #  which logs "Collection community.general does not support Ansible
    #  version 2.14.18" and fails on connection plugins.)
    python3-psycopg2
    python3-pip
    pipx
    # native node modules (mostly belt-and-braces — current deploy
    # avoids them via NODE_ENV=production, but keep for safety)
    build-essential
    python3-dev
)

echo "→ baking deps onto forgejo-runner container"
incus exec forgejo-runner -- bash -c "
    set -euo pipefail
    DEBIAN_FRONTEND=noninteractive apt-get update -qq
    DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends ${PKGS[*]}
"

echo
echo "→ installing ansible-core via pipx (newer than apt)"
incus exec forgejo-runner -- bash -c '
    set -euo pipefail
    export PIPX_HOME=/opt/pipx
    export PIPX_BIN_DIR=/usr/local/bin
    pipx install --force ansible-core
    /usr/local/bin/ansible --version | head -1
    /usr/local/bin/ansible-galaxy collection install community.general community.postgresql ansible.posix
'

echo
echo "→ verifying"
incus exec forgejo-runner -- bash -c '
    for cmd in zstd musl-gcc pkg-config ansible-playbook python3; do
        printf "  %-20s " "$cmd:"
        command -v "$cmd" || { echo MISSING ; exit 1 ; }
    done
'

echo
echo "✓ runner deps baked. Re-run Veza deploy in Forgejo UI."
fix(deploy): pre-bake runner OS deps + skip devDeps to dodge iltorb The dpkg-lock thrashing — even with flock — was unwinnable: an unrelated apt-get had been holding the host lock for >180s. Stop installing OS packages from inside the workflow entirely; assume they're baked onto the forgejo-runner container, fail loudly with a clear pointer if they're missing. scripts/bootstrap/runner-bake-deps.sh installs them all in one shot. While here, fix the iltorb regression: --include=dev was dragging in apps/web's bundlesize devDep, which transitively pulls iltorb (a deprecated native node-gyp module that doesn't build on Node 20). Moved style-dictionary to dependencies in @veza/design-system (it's a build tool, needed by `npm run build:tokens` at deploy time, not a dev tool), and the workflow now runs plain `npm ci` with NODE_ENV=production. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> 2026-05-01 08:43:28 +00:00			`#!/usr/bin/env bash`
			`# Install the OS packages every deploy.yml job assumes are pre-baked`
			`# on the forgejo-runner Incus container. Run once per runner; idempotent.`
			`#`
			`# Usage (from operator laptop):`
			`# ssh -t srv-102v 'sudo bash -s' < scripts/bootstrap/runner-bake-deps.sh`
			`#`
			`# Or run directly on the R720:`
			`# sudo bash scripts/bootstrap/runner-bake-deps.sh`
			`set -euo pipefail`

			`PKGS=(`
			`# tarball compression for build artifacts`
			`zstd`
			`# rust musl-static target`
			`musl-tools`
fix(stream): vendor openssl for musl cross-compile + bake perl on runner build-stream was failing on openssl-sys because the runner has glibc libssl-dev but cargo cross-compiles to x86_64-unknown-linux-musl. Adding \`openssl = { features = ["vendored"] }\` as a direct dep forces openssl-src to build OpenSSL from source against musl, which feature- unifies through reqwest's native-tls and any other openssl-sys consumer. The vendored build needs perl + make at compile time — added them to runner-bake-deps.sh. The runner already has build-essential for the C compiler. Note: the build-web "husky: not found" error in the same run looks like a re-run of an old SHA, since main has \`npm ci --ignore-scripts\` since d243c2e2. A fresh workflow_dispatch should clear it. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> 2026-05-01 11:05:00 +00:00			`# rust openssl-sys: pkg-config + libssl-dev for the glibc build,`
			`# perl + make + gcc (build-essential below) for the vendored`
			`# openssl-src crate which compiles OpenSSL from source against musl.`
fix(deploy): pre-bake runner OS deps + skip devDeps to dodge iltorb The dpkg-lock thrashing — even with flock — was unwinnable: an unrelated apt-get had been holding the host lock for >180s. Stop installing OS packages from inside the workflow entirely; assume they're baked onto the forgejo-runner container, fail loudly with a clear pointer if they're missing. scripts/bootstrap/runner-bake-deps.sh installs them all in one shot. While here, fix the iltorb regression: --include=dev was dragging in apps/web's bundlesize devDep, which transitively pulls iltorb (a deprecated native node-gyp module that doesn't build on Node 20). Moved style-dictionary to dependencies in @veza/design-system (it's a build tool, needed by `npm run build:tokens` at deploy time, not a dev tool), and the workflow now runs plain `npm ci` with NODE_ENV=production. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> 2026-05-01 08:43:28 +00:00			`pkg-config`
			`libssl-dev`
fix(stream): vendor openssl for musl cross-compile + bake perl on runner build-stream was failing on openssl-sys because the runner has glibc libssl-dev but cargo cross-compiles to x86_64-unknown-linux-musl. Adding \`openssl = { features = ["vendored"] }\` as a direct dep forces openssl-src to build OpenSSL from source against musl, which feature- unifies through reqwest's native-tls and any other openssl-sys consumer. The vendored build needs perl + make at compile time — added them to runner-bake-deps.sh. The runner already has build-essential for the C compiler. Note: the build-web "husky: not found" error in the same run looks like a re-run of an old SHA, since main has \`npm ci --ignore-scripts\` since d243c2e2. A fresh workflow_dispatch should clear it. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> 2026-05-01 11:05:00 +00:00			`perl`
			`make`
fix(ansible): newer ansible-core via pipx + raw-bootstrap python on targets Two blockers after the runner gained incus admin and started reaching the new data containers: 1. Debian apt's ansible-core (2.14) is below community.general's minimum, which logged "Collection community.general does not support Ansible version 2.14.18". runner-bake-deps.sh now installs ansible-core via pipx (latest stable) plus the required collections (community.general, community.postgresql, ansible.posix). 2. images:debian/13 — what the data containers are launched from — ships without python3, so every module call to a freshly-launched container hit "Failed to create temporary directory" / UNREACHABLE. Added a single bootstrap play (\`hosts: veza_data\`) that uses the raw module to install python3 + python3-apt before any other Configure-X play touches the targets. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> 2026-05-01 13:14:05 +00:00			`# python3 + pipx for a recent ansible-core`
			`# (Debian apt's ansible 2.14 is too old for current community.general,`
			`# which logs "Collection community.general does not support Ansible`
			`# version 2.14.18" and fails on connection plugins.)`
fix(deploy): pre-bake runner OS deps + skip devDeps to dodge iltorb The dpkg-lock thrashing — even with flock — was unwinnable: an unrelated apt-get had been holding the host lock for >180s. Stop installing OS packages from inside the workflow entirely; assume they're baked onto the forgejo-runner container, fail loudly with a clear pointer if they're missing. scripts/bootstrap/runner-bake-deps.sh installs them all in one shot. While here, fix the iltorb regression: --include=dev was dragging in apps/web's bundlesize devDep, which transitively pulls iltorb (a deprecated native node-gyp module that doesn't build on Node 20). Moved style-dictionary to dependencies in @veza/design-system (it's a build tool, needed by `npm run build:tokens` at deploy time, not a dev tool), and the workflow now runs plain `npm ci` with NODE_ENV=production. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> 2026-05-01 08:43:28 +00:00			`python3-psycopg2`
			`python3-pip`
fix(ansible): newer ansible-core via pipx + raw-bootstrap python on targets Two blockers after the runner gained incus admin and started reaching the new data containers: 1. Debian apt's ansible-core (2.14) is below community.general's minimum, which logged "Collection community.general does not support Ansible version 2.14.18". runner-bake-deps.sh now installs ansible-core via pipx (latest stable) plus the required collections (community.general, community.postgresql, ansible.posix). 2. images:debian/13 — what the data containers are launched from — ships without python3, so every module call to a freshly-launched container hit "Failed to create temporary directory" / UNREACHABLE. Added a single bootstrap play (\`hosts: veza_data\`) that uses the raw module to install python3 + python3-apt before any other Configure-X play touches the targets. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> 2026-05-01 13:14:05 +00:00			`pipx`
fix(deploy): pre-bake runner OS deps + skip devDeps to dodge iltorb The dpkg-lock thrashing — even with flock — was unwinnable: an unrelated apt-get had been holding the host lock for >180s. Stop installing OS packages from inside the workflow entirely; assume they're baked onto the forgejo-runner container, fail loudly with a clear pointer if they're missing. scripts/bootstrap/runner-bake-deps.sh installs them all in one shot. While here, fix the iltorb regression: --include=dev was dragging in apps/web's bundlesize devDep, which transitively pulls iltorb (a deprecated native node-gyp module that doesn't build on Node 20). Moved style-dictionary to dependencies in @veza/design-system (it's a build tool, needed by `npm run build:tokens` at deploy time, not a dev tool), and the workflow now runs plain `npm ci` with NODE_ENV=production. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> 2026-05-01 08:43:28 +00:00			`# native node modules (mostly belt-and-braces — current deploy`
			`# avoids them via NODE_ENV=production, but keep for safety)`
			`build-essential`
			`python3-dev`
			`)`

			`echo "→ baking deps onto forgejo-runner container"`
			`incus exec forgejo-runner -- bash -c "`
			`set -euo pipefail`
			`DEBIAN_FRONTEND=noninteractive apt-get update -qq`
			`DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends ${PKGS[*]}`
			`"`

fix(ansible): newer ansible-core via pipx + raw-bootstrap python on targets Two blockers after the runner gained incus admin and started reaching the new data containers: 1. Debian apt's ansible-core (2.14) is below community.general's minimum, which logged "Collection community.general does not support Ansible version 2.14.18". runner-bake-deps.sh now installs ansible-core via pipx (latest stable) plus the required collections (community.general, community.postgresql, ansible.posix). 2. images:debian/13 — what the data containers are launched from — ships without python3, so every module call to a freshly-launched container hit "Failed to create temporary directory" / UNREACHABLE. Added a single bootstrap play (\`hosts: veza_data\`) that uses the raw module to install python3 + python3-apt before any other Configure-X play touches the targets. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> 2026-05-01 13:14:05 +00:00			`echo`
			`echo "→ installing ansible-core via pipx (newer than apt)"`
			`incus exec forgejo-runner -- bash -c '`
			`set -euo pipefail`
			`export PIPX_HOME=/opt/pipx`
			`export PIPX_BIN_DIR=/usr/local/bin`
			`pipx install --force ansible-core`
			`/usr/local/bin/ansible --version \| head -1`
			`/usr/local/bin/ansible-galaxy collection install community.general community.postgresql ansible.posix`
			`'`

fix(deploy): pre-bake runner OS deps + skip devDeps to dodge iltorb The dpkg-lock thrashing — even with flock — was unwinnable: an unrelated apt-get had been holding the host lock for >180s. Stop installing OS packages from inside the workflow entirely; assume they're baked onto the forgejo-runner container, fail loudly with a clear pointer if they're missing. scripts/bootstrap/runner-bake-deps.sh installs them all in one shot. While here, fix the iltorb regression: --include=dev was dragging in apps/web's bundlesize devDep, which transitively pulls iltorb (a deprecated native node-gyp module that doesn't build on Node 20). Moved style-dictionary to dependencies in @veza/design-system (it's a build tool, needed by `npm run build:tokens` at deploy time, not a dev tool), and the workflow now runs plain `npm ci` with NODE_ENV=production. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> 2026-05-01 08:43:28 +00:00			`echo`
			`echo "→ verifying"`
			`incus exec forgejo-runner -- bash -c '`
			`for cmd in zstd musl-gcc pkg-config ansible-playbook python3; do`
			`printf " %-20s " "$cmd:"`
			`command -v "$cmd" \|\| { echo MISSING ; exit 1 ; }`
			`done`
			`'`

			`echo`
			`echo "✓ runner deps baked. Re-run Veza deploy in Forgejo UI."`