golangLAKEHOUSE

profit/golangLAKEHOUSE

Fork 0

Commit Graph

Author	SHA1	Message	Date
root	a59ef5b930	Sprint 4 deployment artifacts: 11 systemd units + REPLICATION.md + env templates Builds on ADR-006 to ship the operator-facing bits Sprint 4 was blocked on. Single-host deploy is now a documented procedure. deploy/systemd/ (12 files): - 11 .service units, one per daemon. Each follows the same template: Type=simple, User=lakehouse, hardening (NoNewPrivileges, ProtectSystem=strict, ProtectHome, PrivateTmp, ReadWritePaths scoped to /var/lib/lakehouse + /var/log/lakehouse), JSON to journald with per-daemon SyslogIdentifier, EnvironmentFile=- on /etc/lakehouse/auth.env. - Dependency graph baked in via After=/Requires=: storaged → standalone (only network-online) catalogd → Requires storaged ingestd → Requires storaged + catalogd queryd → Requires catalogd matrixd → Requires embedd + vectord gateway → Wants every other daemon (Wants= not Requires= so a single upstream restart doesn't cascade-restart the gateway) pathwayd / observerd / vectord / embedd / chatd → standalone - chatd unit reads 4 cloud-provider EnvironmentFile=s (ollama_cloud / openrouter / opencode / kimi) — each is its own file so per-provider key rotation doesn't restart the others. - lakehouse-go.target: convenience aggregator. Operators systemctl start/stop/enable lakehouse-go.target instead of managing 11 daemons individually. Per-daemon WantedBy= this target. deploy/etc-lakehouse/ (2 templates): - auth.env.example: AUTH_TOKEN per ADR-006 6.2 + rotation playbook comments. The committed file is empty — operators copy + fill in. - secrets-go.toml.example: [s3.primary] template with REPLACE_ME placeholders. Multi-bucket G2 example commented. REPLICATION.md (top-level): - Operator runbook from fresh box → 11 daemons running. - Prereqs (Go 1.25+, gcc, MinIO, Ollama, optionally Langfuse + Postgres for Langfuse) with reachability checks. - Bind ports table (3110–3220, shifted by 10 from Rust legacy). - Bootstrap: useradd → build → install → config → secrets → systemd → validation. - Auth posture matrix (loopback / non-loopback / multi-host / TLS). - Token rotation procedure inline (ADR-006 Decision 6.5). - Logs (journalctl), backup paths, troubleshooting matrix. Validation: systemd-analyze verify passed on all 11 .service files (only "not executable" warnings, expected since binaries don't live at /usr/local/bin/lakehouse/ until step 2 of bootstrap runs). Sprint 4 is now operator-ready. Next: Dockerfile + multi-stage build for container deploys (separate concern; deploy targets either systemd OR docker, not both). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-04-30 18:54:49 -05:00

Author

SHA1

Message

Date

root

a59ef5b930

Sprint 4 deployment artifacts: 11 systemd units + REPLICATION.md + env templates

Builds on ADR-006 to ship the operator-facing bits Sprint 4 was
blocked on. Single-host deploy is now a documented procedure.

deploy/systemd/ (12 files):
- 11 .service units, one per daemon. Each follows the same template:
  Type=simple, User=lakehouse, hardening (NoNewPrivileges,
  ProtectSystem=strict, ProtectHome, PrivateTmp, ReadWritePaths
  scoped to /var/lib/lakehouse + /var/log/lakehouse), JSON to
  journald with per-daemon SyslogIdentifier, EnvironmentFile=- on
  /etc/lakehouse/auth.env.
- Dependency graph baked in via After=/Requires=:
    storaged → standalone (only network-online)
    catalogd → Requires storaged
    ingestd → Requires storaged + catalogd
    queryd → Requires catalogd
    matrixd → Requires embedd + vectord
    gateway → Wants every other daemon (Wants= not Requires=
              so a single upstream restart doesn't cascade-restart
              the gateway)
    pathwayd / observerd / vectord / embedd / chatd → standalone
- chatd unit reads 4 cloud-provider EnvironmentFile=s
  (ollama_cloud / openrouter / opencode / kimi) — each is its own
  file so per-provider key rotation doesn't restart the others.
- lakehouse-go.target: convenience aggregator. Operators
  systemctl start/stop/enable lakehouse-go.target instead of
  managing 11 daemons individually. Per-daemon WantedBy=
  this target.

deploy/etc-lakehouse/ (2 templates):
- auth.env.example: AUTH_TOKEN per ADR-006 6.2 + rotation playbook
  comments. The committed file is empty — operators copy + fill in.
- secrets-go.toml.example: [s3.primary] template with
  REPLACE_ME placeholders. Multi-bucket G2 example commented.

REPLICATION.md (top-level):
- Operator runbook from fresh box → 11 daemons running.
- Prereqs (Go 1.25+, gcc, MinIO, Ollama, optionally Langfuse +
  Postgres for Langfuse) with reachability checks.
- Bind ports table (3110–3220, shifted by 10 from Rust legacy).
- Bootstrap: useradd → build → install → config → secrets →
  systemd → validation.
- Auth posture matrix (loopback / non-loopback / multi-host / TLS).
- Token rotation procedure inline (ADR-006 Decision 6.5).
- Logs (journalctl), backup paths, troubleshooting matrix.

Validation: systemd-analyze verify passed on all 11 .service files
(only "not executable" warnings, expected since binaries don't live
at /usr/local/bin/lakehouse/ until step 2 of bootstrap runs).

Sprint 4 is now operator-ready. Next: Dockerfile + multi-stage
build for container deploys (separate concern; deploy targets
either systemd OR docker, not both).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

2026-04-30 18:54:49 -05:00

1 Commits