bri-sandbox-development-platform/scripts/deploy.sh

#!/usr/bin/env bash
# Push the built binaries, dashboard, and systemd unit files to both
# SDP VMs, then enable + start the services.
#
#   92 (micro):    ~/SDP/agent-micro, sdp-agent-micro.service
#   186 (gateway): ~/SDP/{control-plane,agent-gateway,dashboard},
#                  sdp-control-plane.service, sdp-agent-gateway.service
#
# Nginx is configured by hand on 186 (out of scope for this script).
# Run scripts/build.sh first.
#
# Sudo: the user password and the sudo password are assumed to be the
# same on both VMs. Every sudo call uses `sudo -S -p ''` and reads the
# password from a per-VM here-string. If your sudo password differs
# from the login password, switch to a NOPASSWD rule in
# /etc/sudoers.d/sdp-deploy and remove the piping.

set -euo pipefail
cd "$(dirname "$0")/.."
REPO_ROOT="$(pwd)"

# ponytail: paths can be overridden by env so the same script works from CI.
HOST_92="${SDP_92_HOST:-administrator@172.18.136.92}"
PASS_92="${SDP_92_PASS:-password}"
HOST_186="${SDP_186_HOST:-administrator@172.18.139.186}"
PASS_186="${SDP_186_PASS:-Bre@kthrough2312}"

if ! command -v sshpass >/dev/null 2>&1; then
  echo "sshpass not found. Install with: brew install sshpass" >&2
  exit 1
fi

# -tt forces a TTY so sudo -S works without a "no tty" error.
SSH_92="sshpass -p $PASS_92 ssh -tt -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o LogLevel=ERROR"
SCP_92="sshpass -p $PASS_92 scp -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o LogLevel=ERROR"
SSH_186="sshpass -p $PASS_186 ssh -tt -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o LogLevel=ERROR"
SCP_186="sshpass -p $PASS_186 scp -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o LogLevel=ERROR"

# Wraps a command in `sudo -S -p ''` and pipes the password. The
# leading -S makes sudo read the password from stdin; -p '' suppresses
# the "[sudo] password for ..." prompt so it doesn't end up in the
# remote PTY output and confuse downstream parsing.
sudo_run() {
  local pw="$1"; shift
  printf '%s\n' "$pw" | sudo -S -p '' "$@"
}

# run_remote_sudo <ssh-prefix> <password> <cmd...>
#   Runs `cmd` on the remote host under sudo, piping the password
#   through `sudo -S -p ''`. We also force PAGER/SYSTEMD_PAGER=cat
#   inside the sh -c so any systemctl / journalctl call (even if
#   piped further) doesn't open a pager over the ssh -tt TTY.
run_remote_sudo() {
  local ssh_prefix="$1"
  local pw="$2"
  shift 2
  local inner=""
  for a in "$@"; do
    inner+=" '"$(printf %s "$a" | sed "s/'/'\\\\''/g")"'"
  done
  $ssh_prefix "printf '%s\n' '$pw' | sudo -S -p '' sh -c 'export PAGER=cat SYSTEMD_PAGER=cat; $inner'"
}

# ponytail: Wipe-and-replace. The deploys are stateful on the VM only via
# SQLite + .log files in ~/SDP/data — we keep that. Binaries, dashboard,
# and unit files in /etc/systemd/system are replaced cleanly.
REMOTE_RESET='rm -rf ~/SDP/bin ~/SDP/dashboard && mkdir -p ~/SDP/bin ~/SDP/dashboard'

# install_unit <ssh-prefix> <unit-name> <password>
install_unit() {
  local ssh_prefix="$1"
  local unit="$2"
  local pw="$3"
  run_remote_sudo "$ssh_prefix" "$pw" "systemctl stop $unit || true"
  run_remote_sudo "$ssh_prefix" "$pw" "install -m 644 -o root -g root /tmp/$unit /etc/systemd/system/$unit"
  run_remote_sudo "$ssh_prefix" "$pw" "systemctl daemon-reload"
  run_remote_sudo "$ssh_prefix" "$pw" "systemctl enable $unit"
}

# status_block <ssh-prefix> <unit> <password>
#   Prints a short status + last 10 journal lines. Uses sudo -S for
#   journalctl (always root-only) but `systemctl status` works for
#   the administrator's own services without sudo on most distros.
#   PAGER/SYSTEMD_PAGER=cat and --output=cat on journalctl defeat
#   the pager that would otherwise kick in over the ssh -tt TTY.
status_block() {
  local ssh_prefix="$1"
  local unit="$2"
  local pw="$3"
  $ssh_prefix "echo '    status:'; PAGER=cat SYSTEMD_PAGER=cat systemctl --no-pager --full status $unit 2>/dev/null | head -3"
  $ssh_prefix "echo '    journal (last 10):'; export PAGER=cat SYSTEMD_PAGER=cat; printf '%s\n' '$pw' | sudo -S -p '' journalctl -u $unit -n 10 --no-pager --output=cat 2>/dev/null | head -20"
}

# restart_unit <ssh-prefix> <unit> <password>
restart_unit() {
  local ssh_prefix="$1"
  local unit="$2"
  local pw="$3"
  run_remote_sudo "$ssh_prefix" "$pw" "systemctl restart $unit"
}

echo "==> 92: $HOST_92"
$SSH_92 "$HOST_92" "$REMOTE_RESET"
$SCP_92 "$REPO_ROOT/bin/agent-micro" "$HOST_92:~/SDP/bin/agent-micro"
$SCP_92 "$REPO_ROOT/systemd/sdp-agent-micro.service" "$HOST_92:/tmp/sdp-agent-micro.service"
$SSH_92 "$HOST_92" "chmod +x ~/SDP/bin/agent-micro"
install_unit "$SSH_92 $HOST_92" sdp-agent-micro.service "$PASS_92"
restart_unit "$SSH_92 $HOST_92" sdp-agent-micro "$PASS_92"
status_block "$SSH_92 $HOST_92" sdp-agent-micro "$PASS_92"
echo "    agent-micro installed"

echo
echo "==> 186: $HOST_186"
$SSH_186 "$HOST_186" "$REMOTE_RESET"
$SCP_186 "$REPO_ROOT/bin/control-plane"  "$HOST_186:~/SDP/bin/control-plane"
$SCP_186 "$REPO_ROOT/bin/agent-gateway"  "$HOST_186:~/SDP/bin/agent-gateway"
$SCP_186 -r "$REPO_ROOT/dashboard/out/."  "$HOST_186:~/SDP/dashboard/"
$SCP_186 "$REPO_ROOT/systemd/sdp-control-plane.service" "$HOST_186:/tmp/sdp-control-plane.service"
$SCP_186 "$REPO_ROOT/systemd/sdp-agent-gateway.service"  "$HOST_186:/tmp/sdp-agent-gateway.service"
$SSH_186 "$HOST_186" "chmod +x ~/SDP/bin/control-plane ~/SDP/bin/agent-gateway"

# Control plane first so the gateway agent has something to dial.
install_unit "$SSH_186 $HOST_186" sdp-control-plane.service "$PASS_186"
restart_unit "$SSH_186 $HOST_186" sdp-control-plane "$PASS_186"
status_block "$SSH_186 $HOST_186" sdp-control-plane "$PASS_186"

install_unit "$SSH_186 $HOST_186" sdp-agent-gateway.service "$PASS_186"
restart_unit "$SSH_186 $HOST_186" sdp-agent-gateway "$PASS_186"
status_block "$SSH_186 $HOST_186" sdp-agent-gateway "$PASS_186"

echo "    control-plane, agent-gateway, dashboard installed"

echo
echo "done. (configure nginx by hand on 186; see AGENTS.md for the location block.)"