veza/scripts/bootstrap/runner-bake-deps.sh

#!/usr/bin/env bash
# Install the OS packages every deploy.yml job assumes are pre-baked
# on the forgejo-runner Incus container. Run once per runner; idempotent.
#
# Usage (from operator laptop):
#     ssh -t srv-102v 'sudo bash -s' < scripts/bootstrap/runner-bake-deps.sh
#
# Or run directly on the R720:
#     sudo bash scripts/bootstrap/runner-bake-deps.sh
set -euo pipefail

PKGS=(
    # tarball compression for build artifacts
    zstd
    # rust musl-static target
    musl-tools
    # rust openssl-sys build-time
    pkg-config
    libssl-dev
    # ansible + postgres lib for community.postgresql modules
    ansible
    python3-psycopg2
    python3-pip
    # native node modules (mostly belt-and-braces — current deploy
    # avoids them via NODE_ENV=production, but keep for safety)
    build-essential
    python3-dev
)

echo "→ baking deps onto forgejo-runner container"
incus exec forgejo-runner -- bash -c "
    set -euo pipefail
    DEBIAN_FRONTEND=noninteractive apt-get update -qq
    DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends ${PKGS[*]}
"

echo
echo "→ verifying"
incus exec forgejo-runner -- bash -c '
    for cmd in zstd musl-gcc pkg-config ansible-playbook python3; do
        printf "  %-20s " "$cmd:"
        command -v "$cmd" || { echo MISSING ; exit 1 ; }
    done
'

echo
echo "✓ runner deps baked. Re-run Veza deploy in Forgejo UI."