Ops-dashboard/deploy/ops-agent/setup.sh

#!/usr/bin/env bash
# Deploy ops-agent to the host.
# Run as root.
set -euo pipefail

REPO_DIR="$(cd "$(dirname "$0")/../.." && pwd)"
INSTALL_DIR=/opt/ops-agent
CONFIG_DIR=/etc/ops-agent
SERVICE_FILE=/etc/systemd/system/ops-agent.service

echo "==> Creating ops-agent system user"
if ! id ops-agent &>/dev/null; then
  useradd --system --no-create-home --shell /usr/sbin/nologin ops-agent
fi

echo "==> Installing service files to ${INSTALL_DIR}"
mkdir -p "${INSTALL_DIR}"
rsync -a --delete \
  --exclude=node_modules \
  --exclude=.git \
  "${REPO_DIR}/ops-agent/" "${INSTALL_DIR}/"

echo "==> Installing Node dependencies"
cd "${INSTALL_DIR}"
npm ci --omit=dev 2>/dev/null || npm install --omit=dev

echo "==> Building TypeScript"
npx tsc

chown -R ops-agent:ops-agent "${INSTALL_DIR}"

echo "==> Installing config dir"
mkdir -p "${CONFIG_DIR}"
if [ ! -f "${CONFIG_DIR}/commands.yml" ]; then
  cp "${REPO_DIR}/ops-agent/commands.yml.example" "${CONFIG_DIR}/commands.yml"
  echo "  Installed default commands.yml — review before use"
fi

echo "==> Generating shared secret (if not present)"
if [ ! -f "${CONFIG_DIR}/secret" ]; then
  openssl rand -hex 32 > "${CONFIG_DIR}/secret"
fi
chown root:ops-agent "${CONFIG_DIR}/secret"
chmod 0640 "${CONFIG_DIR}/secret"

echo "==> Installing systemd unit"
cp "${REPO_DIR}/deploy/ops-agent/ops-agent.service" "${SERVICE_FILE}"

echo "==> Installing sudoers config"
install -m 0440 -o root -g root "${REPO_DIR}/deploy/ops-agent/sudoers" /etc/sudoers.d/ops-agent
visudo -c -f /etc/sudoers.d/ops-agent

echo "==> Enabling and starting ops-agent"
systemctl daemon-reload
systemctl enable --now ops-agent

echo "==> Done. Status:"
systemctl status ops-agent --no-pager