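#!/usr/bin/env bash
# Install the OS packages every deploy.yml job assumes are pre-baked
# on the forgejo-runner Incus container. Run once per runner; idempotent.
#
# Usage (from operator laptop):
#   ssh -t srv-102v 'sudo bash -s' < scripts/bootstrap/runner-bake-deps.sh
#
# Or run directly on the R720:
#   sudo bash scripts/bootstrap/runner-bake-deps.sh
#
# Optional environment:
#   ANSIBLE_CORE_SPEC  package spec handed to `pipx install`
#                      (default: ansible-core, i.e. latest). Set it to an
#                      exact `ansible-core==<version>` spec to pin what the
#                      runner gets. sudo may drop the variable unless it is
#                      preserved explicitly.
set -euo pipefail

readonly CONTAINER=forgejo-runner
readonly ANSIBLE_CORE_SPEC="${ANSIBLE_CORE_SPEC:-ansible-core}"

readonly PKGS=(
  # tarball compression for build artifacts
  zstd
  # rust musl-static target
  musl-tools
  # rust openssl-sys: pkg-config + libssl-dev for the glibc build,
  # perl + make + gcc (build-essential below) for the vendored
  # openssl-src crate which compiles OpenSSL from source against musl.
  pkg-config
  libssl-dev
  perl
  make
  # python3 + pipx for a recent ansible-core
  # (Debian apt's ansible 2.14 is too old for current community.general,
  # which logs "Collection community.general does not support Ansible
  # version 2.14.18" and fails on connection plugins.)
  python3-psycopg2
  python3-pip
  pipx
  # native node modules (mostly belt-and-braces — current deploy
  # avoids them via NODE_ENV=production, but keep for safety)
  build-essential
  python3-dev
)

# Fail with a readable message when this is run on a host without incus.
if ! command -v incus >/dev/null 2>&1; then
  echo "incus not found in PATH; run this on the Incus host" >&2
  exit 1
fi

echo "→ baking deps onto forgejo-runner container"
# The package list travels as argv ("$@") rather than being spliced into the
# command string, so the inner shell never re-parses it as shell syntax.
incus exec "$CONTAINER" -- bash -c '
  set -euo pipefail
  export DEBIAN_FRONTEND=noninteractive
  apt-get update -qq
  apt-get install -y --no-install-recommends "$@"
' bake-deps "${PKGS[@]}"

echo
echo "→ installing ansible-core via pipx (newer than apt)"
# NOTE(review): with the default spec, ansible-core and the three collections
# are fetched unpinned from the default upstream indexes on every run, so the
# toolchain every deploy job executes is whatever is newest at bake time.
# Pin versions (ANSIBLE_CORE_SPEC here, a requirements file for the
# collections) if the runner is expected to be reproducible and auditable.
#
# `sed -n 1p` reads the whole stream, unlike `head -1`, so the writer cannot
# be killed by SIGPIPE and trip pipefail.
incus exec "$CONTAINER" -- bash -c '
  set -euo pipefail
  export PIPX_HOME=/opt/pipx
  export PIPX_BIN_DIR=/usr/local/bin
  pipx install --force "$1"
  /usr/local/bin/ansible --version | sed -n 1p
  /usr/local/bin/ansible-galaxy collection install community.general community.postgresql ansible.posix
' bake-deps "$ANSIBLE_CORE_SPEC"

echo
echo "→ verifying"
# Each tool must resolve on PATH inside the container; the first miss aborts.
incus exec "$CONTAINER" -- bash -c '
  for cmd in zstd musl-gcc pkg-config ansible-playbook python3; do
    printf " %-20s " "$cmd:"
    command -v "$cmd" || { echo MISSING ; exit 1 ; }
  done
'

echo
echo "✓ runner deps baked. Re-run Veza deploy in Forgejo UI."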