Builds on ADR-006 to ship the operator-facing bits Sprint 4 was
blocked on. Single-host deploy is now a documented procedure.
deploy/systemd/ (12 files):
- 11 .service units, one per daemon. Each follows the same template:
Type=simple, User=lakehouse, hardening (NoNewPrivileges,
ProtectSystem=strict, ProtectHome, PrivateTmp, ReadWritePaths
scoped to /var/lib/lakehouse + /var/log/lakehouse), JSON to
journald with per-daemon SyslogIdentifier, EnvironmentFile=- on
/etc/lakehouse/auth.env.
- Dependency graph baked in via After=/Requires=:
storaged → standalone (only network-online)
catalogd → Requires storaged
ingestd → Requires storaged + catalogd
queryd → Requires catalogd
matrixd → Requires embedd + vectord
gateway → Wants every other daemon (Wants= not Requires=
so a single upstream restart doesn't cascade-restart
the gateway)
pathwayd / observerd / vectord / embedd / chatd → standalone
- chatd unit reads 4 cloud-provider EnvironmentFile=s
(ollama_cloud / openrouter / opencode / kimi) — each is its own
file so per-provider key rotation doesn't restart the others.
- lakehouse-go.target: convenience aggregator. Operators
systemctl start/stop/enable lakehouse-go.target instead of
managing 11 daemons individually. Per-daemon WantedBy=
this target.
deploy/etc-lakehouse/ (2 templates):
- auth.env.example: AUTH_TOKEN per ADR-006 6.2 + rotation playbook
comments. The committed file is empty — operators copy + fill in.
- secrets-go.toml.example: [s3.primary] template with
REPLACE_ME placeholders. Multi-bucket G2 example commented.
REPLICATION.md (top-level):
- Operator runbook from fresh box → 11 daemons running.
- Prereqs (Go 1.25+, gcc, MinIO, Ollama, optionally Langfuse +
Postgres for Langfuse) with reachability checks.
- Bind ports table (3110–3220, shifted by 10 from Rust legacy).
- Bootstrap: useradd → build → install → config → secrets →
systemd → validation.
- Auth posture matrix (loopback / non-loopback / multi-host / TLS).
- Token rotation procedure inline (ADR-006 Decision 6.5).
- Logs (journalctl), backup paths, troubleshooting matrix.
Validation: systemd-analyze verify passed on all 11 .service files
(only "not executable" warnings, expected since binaries don't live
at /usr/local/bin/lakehouse/ until step 2 of bootstrap runs).
Sprint 4 is now operator-ready. Next: Dockerfile + multi-stage
build for container deploys (separate concern; deploy targets
either systemd OR docker, not both).
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
42 lines
1.3 KiB
Desktop File
[Unit]
Description=Lakehouse-Go chatd — multi-provider LLM dispatcher
Documentation=https://git.agentview.dev/profit/golangLAKEHOUSE
After=network-online.target
Wants=network-online.target
# Operator prereq: Ollama on localhost:11434 for the bare/ollama/
# providers; cloud providers (ollama_cloud, openrouter, opencode,
# kimi) read keys from /etc/lakehouse/<provider>.env per chatd
# config. Missing key files leave that provider unregistered (404
# at first call, never 503).

[Service]
Type=simple
User=lakehouse
Group=lakehouse
WorkingDirectory=/var/lib/lakehouse
ExecStart=/usr/local/bin/lakehouse/chatd -config /etc/lakehouse/lakehouse.toml
Restart=on-failure
RestartSec=5

EnvironmentFile=-/etc/lakehouse/auth.env
# chatd reads provider key files via paths in lakehouse.toml [chatd]
# (ollama_cloud_key_file etc.) — each is its own EnvironmentFile so
# operators can rotate one provider without restarting others.
EnvironmentFile=-/etc/lakehouse/ollama_cloud.env
EnvironmentFile=-/etc/lakehouse/openrouter.env
EnvironmentFile=-/etc/lakehouse/opencode.env
EnvironmentFile=-/etc/lakehouse/kimi.env

NoNewPrivileges=true
ProtectSystem=strict
ProtectHome=true
PrivateTmp=true
ReadWritePaths=/var/lib/lakehouse /var/log/lakehouse

StandardOutput=journal
StandardError=journal
SyslogIdentifier=lakehouse-chatd

[Install]
WantedBy=lakehouse-go.target
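The commit message says every daemon unit follows one hardening template (User=lakehouse, NoNewPrivileges, ProtectSystem=strict, ProtectHome, PrivateTmp, WantedBy=lakehouse-go.target) and that provider key files are optional EnvironmentFile=- entries whose absence silently unregisters a provider. The script below is an added example, not code from this commit or the project: a POSIX sh audit that checks a unit file against that template by plain text processing (so it runs before the binaries exist, unlike systemd-analyze security), and lists optional env files that are missing. The directive names come from the commit message and the chatd unit above; the sample units and env files it checks are constructed in a temp directory, and the expectation that every unit carries these exact values is the example's assumption.

```shell
#!/bin/sh
# Added example (not part of the commit): audit a lakehouse daemon unit
# against the hardening template the commit message describes. Pure text
# processing on the unit file, so it runs on a box without systemd.

# Directives every daemon unit is assumed to set, with the required value
# (assumption taken from the commit message's template).
REQUIRED_DIRECTIVES='User=lakehouse
NoNewPrivileges=true
ProtectSystem=strict
ProtectHome=true
PrivateTmp=true
WantedBy=lakehouse-go.target'

# unit_value FILE KEY: effective value of KEY. systemd takes the last
# assignment of a single-valued directive; comment lines are skipped.
unit_value() {
    grep -v '^[[:space:]]*#' "$1" | sed -n "s/^$2=//p" | tail -n 1
}

# check_hardening FILE: print one finding per missing or wrong directive;
# exit status 0 only when every required directive matches.
check_hardening() {
    findings=$(printf '%s\n' "$REQUIRED_DIRECTIVES" | while IFS='=' read -r key want; do
        got=$(unit_value "$1" "$key")
        [ "$got" = "$want" ] || printf '%s: want %s=%s, got %s\n' \
            "$1" "$key" "$want" "${got:-<unset>}"
    done)
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# check_env_files FILE: list EnvironmentFile=- paths that do not exist.
# systemd starts the unit regardless of the "-" prefix; for chatd that
# means the provider is silently unregistered, so surface it explicitly.
check_env_files() {
    grep -v '^[[:space:]]*#' "$1" | sed -n 's/^EnvironmentFile=-//p' | while read -r path; do
        [ -e "$path" ] || printf 'optional env file missing: %s\n' "$path"
    done
}

# Constructed sample units and env files for a dry run (temp dir, not /etc).
TMP=$(mktemp -d)
trap 'rm -rf "$TMP"' EXIT
: >"$TMP/present.env"
cat >"$TMP/good.service" <<EOF
[Unit]
Description=sample daemon (constructed)
[Service]
Type=simple
User=lakehouse
EnvironmentFile=-$TMP/present.env
EnvironmentFile=-$TMP/absent.env
NoNewPrivileges=true
ProtectSystem=strict
ProtectHome=true
PrivateTmp=true
[Install]
WantedBy=lakehouse-go.target
EOF
# Same unit with a weakened sandbox: ProtectSystem=full, PrivateTmp dropped.
sed -e 's/^ProtectSystem=strict/ProtectSystem=full/' -e '/^PrivateTmp=/d' \
    "$TMP/good.service" >"$TMP/weak.service"

check_hardening "$TMP/good.service" && echo "good.service: hardening ok"
check_hardening "$TMP/weak.service" || echo "weak.service: hardening FAILED"
check_env_files "$TMP/good.service"
```

Run it as a pre-install gate over deploy/systemd/*.service; once the units are installed, systemd-analyze security <unit> gives the runtime view of the same sandbox, and the missing-env-file check is the one a 404-at-first-call from chatd points back to.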