feat: no-root deploy, remove CI deploy stage, deploy alerts

- deploy.sh installs sops/age to ./bin/ (no root/sudo needed) - Remove CI deploy stage — supervisor auto-pulls and deploys (zero CI secrets: no SSH keys, no deploy credentials) - Supervisor sends alert on deploy success/failure via webhook Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-23 18:23:19 +01:00
parent e4bd9378f5
commit 8558fd6b40
4 changed files with 22 additions and 26 deletions
--- a/deploy.sh
+++ b/deploy.sh
@@ -2,6 +2,11 @@
 set -euo pipefail

 # ── Ensure sops + age are installed ───────────────────────
+APP_DIR="$(cd "$(dirname "$0")" && pwd)"
+BIN_DIR="$APP_DIR/bin"
+mkdir -p "$BIN_DIR"
+export PATH="$BIN_DIR:$PATH"
+
 ARCH=$(uname -m)
 case "$ARCH" in
    x86_64)  ARCH_SOPS="amd64"; ARCH_AGE="amd64" ;;
@@ -10,23 +15,23 @@ case "$ARCH" in
 esac

 if ! command -v age &>/dev/null; then
-    echo "==> Installing age..."
+    echo "==> Installing age to $BIN_DIR..."
    AGE_VERSION="v1.3.1"
    curl -fsSL "https://dl.filippo.io/age/${AGE_VERSION}?for=linux/${ARCH_AGE}" -o /tmp/age.tar.gz
-    tar -xzf /tmp/age.tar.gz -C /usr/local/bin --strip-components=1 age/age age/age-keygen
-    chmod +x /usr/local/bin/age /usr/local/bin/age-keygen
+    tar -xzf /tmp/age.tar.gz -C "$BIN_DIR" --strip-components=1 age/age age/age-keygen
+    chmod +x "$BIN_DIR/age" "$BIN_DIR/age-keygen"
    rm /tmp/age.tar.gz
 fi

 if ! command -v sops &>/dev/null; then
-    echo "==> Installing sops..."
+    echo "==> Installing sops to $BIN_DIR..."
    SOPS_VERSION="v3.12.1"
-    curl -fsSL "https://github.com/getsops/sops/releases/download/${SOPS_VERSION}/sops-${SOPS_VERSION}.linux.${ARCH_SOPS}" -o /usr/local/bin/sops
-    chmod +x /usr/local/bin/sops
+    curl -fsSL "https://github.com/getsops/sops/releases/download/${SOPS_VERSION}/sops-${SOPS_VERSION}.linux.${ARCH_SOPS}" -o "$BIN_DIR/sops"
+    chmod +x "$BIN_DIR/sops"
 fi

 # ── Ensure age keypair exists ─────────────────────────────
-AGE_KEY_FILE="${SOPS_AGE_KEY_FILE:-/opt/padelnomics/age-key.txt}"
+AGE_KEY_FILE="${SOPS_AGE_KEY_FILE:-$APP_DIR/age-key.txt}"
 export SOPS_AGE_KEY_FILE="$AGE_KEY_FILE"

 if [ ! -f "$AGE_KEY_FILE" ]; then