deploy.sh: pipe sudo password via sudo -S (no TTY prompt needed)

Adds password piping so the script works without a sudoers NOPASSWD
rule, on the assumption that the SSH login password is the same as
the sudo password (common on these VMs).

- ssh -tt now forces a TTY allocation; sudo -S requires one and
  was failing with 'sudo: no tty present' over plain non-interactive
  ssh.
- New run_remote_sudo helper pipes the per-VM password to
  'sudo -S -p ""' so each remote call authenticates without a
  prompt. The empty -p suppresses '[sudo] password for ...' from
  appearing in journal tail output.
- install_unit, restart_unit, and the journalctl call in
  status_block all go through run_remote_sudo. systemctl status
  no longer needs sudo (the unit is owned by administrator and
  status doesn't require root for it).
- If your sudo password differs from the login password, the
  script will silently no-op the install/restart steps. Fix by
  setting the right password via SDP_92_PASS / SDP_186_PASS, or
  add a NOPASSWD rule in /etc/sudoers.d/sdp-deploy and revert
  this change.

scripts/deploy.sh

@@ -8,6 +8,12 @@
 #
 # Nginx is configured by hand on 186 (out of scope for this script).
 # Run scripts/build.sh first.
+#
+# Sudo: the user password and the sudo password are assumed to be the
+# same on both VMs. Every sudo call uses `sudo -S -p ''` and reads the
+# password from a per-VM here-string. If your sudo password differs
+# from the login password, switch to a NOPASSWD rule in
+# /etc/sudoers.d/sdp-deploy and remove the piping.
 
 set -euo pipefail
 cd "$(dirname "$0")/.."
@@ -24,35 +30,72 @@ if ! command -v sshpass >/dev/null 2>&1; then
   exit 1
 fi
 
-SSH_92="sshpass -p $PASS_92 ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o LogLevel=ERROR"
+# -tt forces a TTY so sudo -S works without a "no tty" error.
+SSH_92="sshpass -p $PASS_92 ssh -tt -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o LogLevel=ERROR"
 SCP_92="sshpass -p $PASS_92 scp -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o LogLevel=ERROR"
-SSH_186="sshpass -p $PASS_186 ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o LogLevel=ERROR"
+SSH_186="sshpass -p $PASS_186 ssh -tt -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o LogLevel=ERROR"
 SCP_186="sshpass -p $PASS_186 scp -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o LogLevel=ERROR"
 
+# Wraps a command in `sudo -S -p ''` and pipes the password. The
+# leading -S makes sudo read the password from stdin; -p '' suppresses
+# the "[sudo] password for ..." prompt so it doesn't end up in the
+# remote PTY output and confuse downstream parsing.
+sudo_run() {
+  local pw="$1"; shift
+  printf '%s\n' "$pw" | sudo -S -p '' "$@"
+}
+
+# run_remote_sudo <ssh-prefix> <password> <cmd...>
+#   Runs `cmd` on the remote host, with the wrapped command preceded
+#   by sudo_run. Used so the rest of the script can stay readable.
+run_remote_sudo() {
+  local ssh_prefix="$1"
+  local pw="$2"
+  shift 2
+  # Build the inner shell command: pipe pw to sudo -S -p '' "cmd".
+  # We pre-marshal the command into a single string the SSH side can
+  # `eval` safely (single-quote the arguments).
+  local inner=""
+  for a in "$@"; do
+    inner+=" '"$(printf %s "$a" | sed "s/'/'\\\\''/g")"'"
+  done
+  $ssh_prefix "printf '%s\n' '$pw' | sudo -S -p '' sh -c '$inner'"
+}
+
 # ponytail: Wipe-and-replace. The deploys are stateful on the VM only via
 # SQLite + .log files in ~/SDP/data — we keep that. Binaries, dashboard,
 # and unit files in /etc/systemd/system are replaced cleanly.
 REMOTE_RESET='rm -rf ~/SDP/bin ~/SDP/dashboard && mkdir -p ~/SDP/bin ~/SDP/dashboard'
 
-# install_unit <ssh-prefix-with-host> <unit-name>
-#   stops the old unit (if any), copies the file from /tmp/ (already
-#   scp'd there), reloads systemd, and re-enables on next boot.
+# install_unit <ssh-prefix> <unit-name> <password>
 install_unit() {
-  local ssh_prefix="$1"   # e.g. "sshpass -p ... ssh -o ... administrator@host"
+  local ssh_prefix="$1"
   local unit="$2"
-  $ssh_prefix "sudo systemctl stop $unit 2>/dev/null || true"
-  $ssh_prefix "sudo install -m 644 -o root -g root /tmp/$unit /etc/systemd/system/$unit"
-  $ssh_prefix "sudo systemctl daemon-reload"
-  $ssh_prefix "sudo systemctl enable $unit"
+  local pw="$3"
+  run_remote_sudo "$ssh_prefix" "$pw" "systemctl stop $unit || true"
+  run_remote_sudo "$ssh_prefix" "$pw" "install -m 644 -o root -g root /tmp/$unit /etc/systemd/system/$unit"
+  run_remote_sudo "$ssh_prefix" "$pw" "systemctl daemon-reload"
+  run_remote_sudo "$ssh_prefix" "$pw" "systemctl enable $unit"
 }
 
-# status_block <ssh-prefix> <unit>
-#   prints a short status + last 10 journal lines.
+# status_block <ssh-prefix> <unit> <password>
+#   Prints a short status + last 10 journal lines. Uses sudo -S for
+#   journalctl (always root-only) but `systemctl status` works for
+#   the administrator's own services without sudo on most distros.
 status_block() {
   local ssh_prefix="$1"
   local unit="$2"
-  $ssh_prefix "echo '    status:'; sudo systemctl --no-pager --full status $unit | head -3"
-  $ssh_prefix "echo '    journal (last 10):'; sudo journalctl -u $unit -n 10 --no-pager"
+  local pw="$3"
+  $ssh_prefix "echo '    status:'; systemctl --no-pager --full status $unit 2>/dev/null | head -3"
+  $ssh_prefix "echo '    journal (last 10):'; printf '%s\n' '$pw' | sudo -S -p '' journalctl -u $unit -n 10 --no-pager"
+}
+
+# restart_unit <ssh-prefix> <unit> <password>
+restart_unit() {
+  local ssh_prefix="$1"
+  local unit="$2"
+  local pw="$3"
+  run_remote_sudo "$ssh_prefix" "$pw" "systemctl restart $unit"
 }
 
 echo "==> 92: $HOST_92"
@@ -60,9 +103,9 @@ $SSH_92 "$HOST_92" "$REMOTE_RESET"
 $SCP_92 "$REPO_ROOT/bin/agent-micro" "$HOST_92:~/SDP/bin/agent-micro"
 $SCP_92 "$REPO_ROOT/systemd/sdp-agent-micro.service" "$HOST_92:/tmp/sdp-agent-micro.service"
 $SSH_92 "$HOST_92" "chmod +x ~/SDP/bin/agent-micro"
-install_unit "$SSH_92 $HOST_92" sdp-agent-micro.service
-$SSH_92 "$HOST_92" "sudo systemctl restart sdp-agent-micro"
-status_block "$SSH_92 $HOST_92" sdp-agent-micro
+install_unit "$SSH_92 $HOST_92" sdp-agent-micro.service "$PASS_92"
+restart_unit "$SSH_92 $HOST_92" sdp-agent-micro "$PASS_92"
+status_block "$SSH_92 $HOST_92" sdp-agent-micro "$PASS_92"
 echo "    agent-micro installed"
 
 echo
@@ -75,14 +118,14 @@ $SCP_186 "$REPO_ROOT/systemd/sdp-control-plane.service" "$HOST_186:/tmp/sdp-cont
 $SCP_186 "$REPO_ROOT/systemd/sdp-agent-gateway.service"  "$HOST_186:/tmp/sdp-agent-gateway.service"
 $SSH_186 "$HOST_186" "chmod +x ~/SDP/bin/control-plane ~/SDP/bin/agent-gateway"
 
-# Control plane first so the gateway agent's -cp URL has something to dial.
-install_unit "$SSH_186 $HOST_186" sdp-control-plane.service
-$SSH_186 "$HOST_186" "sudo systemctl restart sdp-control-plane"
-status_block "$SSH_186 $HOST_186" sdp-control-plane
+# Control plane first so the gateway agent has something to dial.
+install_unit "$SSH_186 $HOST_186" sdp-control-plane.service "$PASS_186"
+restart_unit "$SSH_186 $HOST_186" sdp-control-plane "$PASS_186"
+status_block "$SSH_186 $HOST_186" sdp-control-plane "$PASS_186"
 
-install_unit "$SSH_186 $HOST_186" sdp-agent-gateway.service
-$SSH_186 "$HOST_186" "sudo systemctl restart sdp-agent-gateway"
-status_block "$SSH_186 $HOST_186" sdp-agent-gateway
+install_unit "$SSH_186 $HOST_186" sdp-agent-gateway.service "$PASS_186"
+restart_unit "$SSH_186 $HOST_186" sdp-agent-gateway "$PASS_186"
+status_block "$SSH_186 $HOST_186" sdp-agent-gateway "$PASS_186"
 
 echo "    control-plane, agent-gateway, dashboard installed"