janpeter/Ops-dashboard
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
Ops-dashboard. deployen van repos naar docker
71 commits 11 branches 0 tags 434 KiB
Find a file
Janpeter Visser 2b03ee02e0 feat(server-backup): one-shot install script for ops-agent wiring 
Adds deploy/server-backup/install-flows.sh — een idempotent installer die
de ops-agent-zijde van de server-backup feature aan elkaar plakt:

  1. wrappers/*.sh                 → /srv/backups/scripts/wrappers/
  2. flows.example/server_backup_* → /etc/ops-agent/flows/
  3. commands.yml.example commands → /etc/ops-agent/commands.yml (append, met backup)
  4. NOPASSWD-regels voor wrappers → /etc/sudoers.d/ops-agent (visudo-validated)
  5. systemctl restart ops-agent
  6. systemctl enable --now server-backup.timer

Wat het bewust *niet* doet (staat in scriptheader): restic env/password
aanmaken, repos initialiseren, base-scripts of systemd-units plaatsen —
die secrets-stappen blijven handwerk per README "Snelle installatie".

Re-run safe:
- cmp-check per file in stappen 1-2 (skip als identiek)
- grep-check op command-name in stap 3 (skip als al aanwezig)
- visudo-validatie in stap 4 voorkomt lockout bij syntax-fout
- backups van mutaties: commands.yml.bak.<ts> en sudoers.d/ops-agent.bak.<ts>

Regex-fix t.o.v. eerste handmatige run vandaag: command-block-extractie
gebruikt nu [a-z0-9_]+ ipv [a-z_]+, zodat namen met digits (restic_*_b2)
als losse blocks gezien worden. Het oude pattern miste ze maar sleepte
ze toevallig mee in het vorige block — eindresultaat correct, output
misleidend. Nieuwe versie faalt expliciet als een command echt ontbreekt.

README aangevuld met sectie "Ops-agent wiring (na stap 1-7)" die naar
het script verwijst.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-15 21:04:43 +02:00
app feat(flows): add /flows/server-backup page (full + restore-test) 2026-05-15 20:52:52 +02:00
components feat(worker-logs): add worker run-log viewer page 2026-05-15 01:58:03 +02:00
deploy feat(server-backup): one-shot install script for ops-agent wiring 2026-05-15 21:04:43 +02:00
docs fix(server-backup): host-paths + script bugs uit eerste install 2026-05-15 16:34:21 +02:00
hooks feat(security): rate-limit /api/flows/start, CSRF double-submit cookie, CSP headers 2026-05-13 20:01:43 +02:00
lib feat(worker-logs): add worker run-log viewer page 2026-05-15 01:58:03 +02:00
ops-agent feat(server-backup): restic dual-repo backup (NAS + B2) with dashboard UI 2026-05-15 13:03:00 +02:00
prisma feat(audit): truncate stdout/stderr to 64KB + index FlowRun(user_id, started_at desc) 2026-05-13 18:03:06 +02:00
public feat: Next.js + Tailwind + shadcn/ui project skeleton 2026-05-13 16:59:21 +02:00
.dockerignore feat: Dockerfile, deploy configs en Caddy-block voor ops.jp-visser.nl 2026-05-13 17:12:37 +02:00
.env.example feat(worker-logs): add worker run-log viewer page 2026-05-15 01:58:03 +02:00
.gitignore feat: Prisma schema, migrations en seed voor auth en audit-log 2026-05-13 17:04:27 +02:00
AGENTS.md feat: Next.js + Tailwind + shadcn/ui project skeleton 2026-05-13 16:59:21 +02:00
CLAUDE.md feat: Next.js + Tailwind + shadcn/ui project skeleton 2026-05-13 16:59:21 +02:00
components.json feat: Next.js + Tailwind + shadcn/ui project skeleton 2026-05-13 16:59:21 +02:00
Dockerfile fix(build): placeholder DATABASE_URL in builder stage 2026-05-13 21:20:24 +02:00
next.config.ts feat: Dockerfile, deploy configs en Caddy-block voor ops.jp-visser.nl 2026-05-13 17:12:37 +02:00
package-lock.json feat(deps): install CodeMirror 6 dependencies for live Caddyfile editor 2026-05-13 23:36:30 +02:00
package.json feat(deps): install CodeMirror 6 dependencies for live Caddyfile editor 2026-05-13 23:36:30 +02:00
postcss.config.mjs feat: Next.js + Tailwind + shadcn/ui project skeleton 2026-05-13 16:59:21 +02:00
prisma.config.ts feat: Prisma schema, migrations en seed voor auth en audit-log 2026-05-13 17:04:27 +02:00
proxy.ts fix(proxy): merge middleware.ts into proxy.ts for Next.js 16 compat 2026-05-13 21:20:24 +02:00
README.md feat(ops): self-update script, systemd units, README install guide, recovery runbook 2026-05-13 20:10:21 +02:00
tsconfig.json fix(tsconfig): exclude ops-agent from Next.js TypeScript check 2026-05-13 17:28:55 +02:00

README.md

Ops Dashboard

Single-user ops dashboard voor jp-visser.nl.

See docs/runbooks/ for setup, deployment, and operational procedures.

Installation

Prerequisites

  • Docker + Docker Compose (plugin) installed on the host
  • A PostgreSQL service named postgres already running in the same Compose stack
  • The repository cloned to /srv/ops/repos/ops-dashboard
  • /srv/scrum4me/compose/docker-compose.yml as the shared Compose file

1. Configure environment

cp deploy/ops-dashboard.env.example /srv/ops/ops-dashboard.env
# Edit /srv/ops/ops-dashboard.env — set DATABASE_URL, AUTH_SECRET, etc.

2. Install ops-agent

sudo deploy/ops-agent/setup.sh

This creates the ops-agent system user, installs /opt/ops-agent, generates /etc/ops-agent/secret, and enables the systemd unit.

Copy the generated secret into the web-app env file:

sudo cat /etc/ops-agent/secret
# Paste the value as OPS_AGENT_SECRET= in /srv/ops/ops-dashboard.env

3. Build and start the dashboard

sudo docker compose -f /srv/scrum4me/compose/docker-compose.yml build ops-dashboard
sudo docker compose -f /srv/scrum4me/compose/docker-compose.yml up -d ops-dashboard

The dashboard is now reachable on 127.0.0.1:3001 (proxied by Caddy).

4. Install the self-update script

sudo deploy/ops-dashboard-updater/install.sh

To enable scheduled updates (daily at 03:00):

sudo systemctl enable --now ops-dashboard-updater.timer

To trigger a manual update via SSH:

sudo systemctl start ops-dashboard-updater.service
# or:
sudo /opt/ops-dashboard-updater/update.sh

Never trigger updates through the dashboard UI — the script restarts the container that serves the UI.

Configuration

File Purpose
/srv/ops/ops-dashboard.env Web-app environment (DATABASE_URL, AUTH_SECRET, OPS_AGENT_SECRET, …)
/etc/ops-agent/secret Shared HMAC secret between web-app and ops-agent
/etc/ops-agent/commands.yml Whitelist of commands the ops-agent may run
/etc/ops-agent/flows/ Flow YAML files (backup, caddy reload, etc.)
/srv/scrum4me/compose/docker-compose.yml Main Compose file (add ops-dashboard fragment from deploy/)

Ops-agent auth

The web-app communicates with the ops-agent via a shared secret stored in /etc/ops-agent/secret (mode 0640, owner root:ops-agent).

  • The ops-agent reads the secret at startup via OPS_AGENT_SECRET_PATH.
  • Every request from the web-app carries Authorization: Bearer <secret>.
  • The agent validates using a constant-time comparison to prevent timing attacks.
  • The web-app reads the secret value from the OPS_AGENT_SECRET environment variable.

Secret rotation procedure

  1. Generate a new secret on the server: 
    openssl rand -hex 32 | sudo tee /etc/ops-agent/secret
sudo chown root:ops-agent /etc/ops-agent/secret
sudo chmod 0640 /etc/ops-agent/secret
  2. Update OPS_AGENT_SECRET in the web-app's environment file (/srv/ops/ops-dashboard.env) with the new value.
  3. Restart both services: 
    sudo systemctl restart ops-agent
sudo docker compose -f /srv/ops/docker-compose.ops-dashboard.yml restart ops-dashboard
  4. Verify the dashboard is operational and that systemctl status ops-agent shows the service running without errors.