a59ef5b930
Builds on ADR-006 to ship the operator-facing bits Sprint 4 was
blocked on. Single-host deploy is now a documented procedure.
deploy/systemd/ (12 files):
- 11 .service units, one per daemon. Each follows the same template:
Type=simple, User=lakehouse, hardening (NoNewPrivileges,
ProtectSystem=strict, ProtectHome, PrivateTmp, ReadWritePaths
scoped to /var/lib/lakehouse + /var/log/lakehouse), JSON to
journald with per-daemon SyslogIdentifier, EnvironmentFile=- on
/etc/lakehouse/auth.env.
- Dependency graph baked in via After=/Requires=:
storaged → standalone (only network-online)
catalogd → Requires storaged
ingestd → Requires storaged + catalogd
queryd → Requires catalogd
matrixd → Requires embedd + vectord
gateway → Wants every other daemon (Wants= not Requires=
so a single upstream restart doesn't cascade-restart
the gateway)
pathwayd / observerd / vectord / embedd / chatd → standalone
- chatd unit reads 4 cloud-provider EnvironmentFile=s
(ollama_cloud / openrouter / opencode / kimi) — each is its own
file so per-provider key rotation doesn't restart the others.
- lakehouse-go.target: convenience aggregator. Operators
systemctl start/stop/enable lakehouse-go.target instead of
managing 11 daemons individually. Per-daemon WantedBy=
this target.
deploy/etc-lakehouse/ (2 templates):
- auth.env.example: AUTH_TOKEN per ADR-006 6.2 + rotation playbook
comments. The committed file is empty — operators copy + fill in.
- secrets-go.toml.example: [s3.primary] template with
REPLACE_ME placeholders. Multi-bucket G2 example commented.
REPLICATION.md (top-level):
- Operator runbook from fresh box → 11 daemons running.
- Prereqs (Go 1.25+, gcc, MinIO, Ollama, optionally Langfuse +
Postgres for Langfuse) with reachability checks.
- Bind ports table (3110–3220, shifted by 10 from Rust legacy).
- Bootstrap: useradd → build → install → config → secrets →
systemd → validation.
- Auth posture matrix (loopback / non-loopback / multi-host / TLS).
- Token rotation procedure inline (ADR-006 Decision 6.5).
- Logs (journalctl), backup paths, troubleshooting matrix.
Validation: systemd-analyze verify passed on all 11 .service files
(only "not executable" warnings, expected since binaries don't live
at /usr/local/bin/lakehouse/ until step 2 of bootstrap runs).
Sprint 4 is now operator-ready. Next: Dockerfile + multi-stage
build for container deploys (separate concern; deploy targets
either systemd OR docker, not both).
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
24 lines
1.0 KiB
Plaintext
24 lines
1.0 KiB
Plaintext
# /etc/lakehouse/auth.env — inter-service auth token per ADR-006.
|
|
#
|
|
# Mode 0600, owned by the lakehouse user (or root if systemd reads it
|
|
# before dropping privileges via User=). Loaded by every daemon's
|
|
# systemd unit via EnvironmentFile=-/etc/lakehouse/auth.env (the `-`
|
|
# prefix means "missing file is OK" so loopback-only deploys can skip
|
|
# this entirely).
|
|
#
|
|
# When the daemon binds non-loopback (anything other than 127.0.0.0/8
|
|
# or ::1), AUTH_TOKEN MUST be set — otherwise shared.Run refuses to
|
|
# start (R-001 + R-007 mechanical gate). Loopback-only deploys can
|
|
# leave this empty.
|
|
#
|
|
# Token rotation (ADR-006 Decision 6.5):
|
|
# 1. Generate new secret
|
|
# 2. Set AUTH_SECONDARY_TOKEN to new secret while AUTH_TOKEN stays
|
|
# on old (lakehouse.toml [auth].secondary_tokens reads this)
|
|
# 3. Update every caller to use new secret
|
|
# 4. Promote: AUTH_TOKEN=<new>, clear AUTH_SECONDARY_TOKEN
|
|
# 5. Restart daemons (or SIGHUP once hot-reload lands)
|
|
|
|
AUTH_TOKEN=
|
|
# AUTH_SECONDARY_TOKEN= # only set during rotation windows
|