perplexity/Timmy-time-dashboard
1
0
Fork 0
forked from rockachopa/Timmy-time-dashboard
Code Pull Requests Activity
Files
main
Timmy-time-dashboard/setup_timmy.sh

522 lines
16 KiB
Bash
Executable File
Raw Permalink Blame History

#!/usr/bin/env bash
# =============================================================================
# Sovereign Agent Stack — VPS Deployment Script v8
#
# Hermes Agent + Paperclip, Tailscale-only.
# - Hermes Agent (Nous Research) — persistent AI agent
# - Paperclip in local_trusted mode (127.0.0.1:3100)
# - Nginx reverse proxy on Tailscale IP (port 80)
# - Cookie-based auth gate for Paperclip
# - PostgreSQL backend
# - UFW locked to Tailscale + SSH only
# - systemd services for auto-restart
# - Daily backups with 30-day retention
#
# Usage:
# ./setup_timmy.sh install # Full install (run once on fresh VPS)
# ./setup_timmy.sh start # Start all services
# ./setup_timmy.sh stop # Stop all services
# ./setup_timmy.sh restart # Stop + start
# ./setup_timmy.sh status # Health check
# ./setup_timmy.sh logs # Tail all logs
#
# Prerequisites:
# - Ubuntu 22.04+ VPS with root access
# - Tailscale installed and joined to tailnet
# - SSH key added
#
# Access (Tailscale only):
# Paperclip: http://<TAILSCALE_IP>
# Hermes: ssh to VPS, then `hermes`
# =============================================================================
set -euo pipefail
# --- Configuration ---
PROJECT_DIR="${PROJECT_DIR:-$HOME/sovereign-stack}"
PAPERCLIP_DIR="$PROJECT_DIR/paperclip"
LOG_DIR="$PROJECT_DIR/logs"
PID_DIR="$PROJECT_DIR/pids"
BACKUP_DIR="$HOME/backups/hermes"
# Tailscale IP (auto-detected)
TSIP="${TSIP:-$(tailscale ip -4 2>/dev/null || echo '127.0.0.1')}"
DB_USER="paperclip"
DB_PASS="paperclip"
DB_NAME="paperclip"
DATABASE_URL="postgresql://$DB_USER:$DB_PASS@localhost:5432/$DB_NAME"
AUTH_USER="${AUTH_USER:-Rockachopa}"
AUTH_PASS="${AUTH_PASS:-Iamrockachopathegend}"
SECRETS_FILE="$PROJECT_DIR/.secrets"
# --- Colors ---
CYAN='\033[0;36m'; GREEN='\033[0;32m'; YELLOW='\033[1;33m'; RED='\033[0;31m'; BOLD='\033[1m'; NC='\033[0m'
banner() { echo -e "\n${CYAN}═══════════════════════════════════════════════${NC}\n${BOLD}$1${NC}\n${CYAN}═══════════════════════════════════════════════${NC}\n"; }
step() { echo -e "${GREEN}${NC} $1"; }
warn() { echo -e "${YELLOW}${NC} $1"; }
fail() { echo -e "${RED}${NC} $1"; exit 1; }
info() { echo -e "${BOLD}$1${NC}"; }
# =============================================================================
# INSTALL
# =============================================================================
check_preflight() {
banner "Preflight"
# Tailscale must be connected
if [ "$TSIP" = "127.0.0.1" ]; then
fail "Tailscale not connected. Run: tailscale up --authkey=YOUR_KEY"
fi
step "Tailscale IP: $TSIP"
if command -v apt-get >/dev/null 2>&1; then
step "Installing system packages..."
apt-get update -y > /dev/null 2>&1
apt-get install -y curl git postgresql postgresql-contrib build-essential nginx lsof > /dev/null 2>&1
fi
# Node.js 20
if ! command -v node >/dev/null 2>&1; then
step "Installing Node.js 20..."
curl -fsSL https://deb.nodesource.com/setup_20.x | bash - > /dev/null 2>&1
apt-get install -y nodejs > /dev/null 2>&1
fi
step "Node $(node -v)"
# pnpm
if ! command -v pnpm >/dev/null 2>&1; then
step "Installing pnpm..."
npm install -g pnpm > /dev/null 2>&1
fi
step "pnpm $(pnpm -v)"
# uv (for Hermes)
if ! command -v uv >/dev/null 2>&1 && [ ! -f "$HOME/.local/bin/uv" ]; then
step "Installing uv..."
curl -LsSf https://astral.sh/uv/install.sh | sh > /dev/null 2>&1
fi
export PATH="$HOME/.local/bin:$PATH"
step "uv ready"
}
# --- Database ---
setup_database() {
banner "Database"
systemctl start postgresql || service postgresql start || true
sudo -u postgres psql -tAc "SELECT 1 FROM pg_roles WHERE rolname='$DB_USER'" | grep -q 1 || \
sudo -u postgres psql -c "CREATE USER $DB_USER WITH PASSWORD '$DB_PASS' SUPERUSER;"
sudo -u postgres psql -lqt | cut -d \| -f 1 | grep -qw "$DB_NAME" || \
sudo -u postgres psql -c "CREATE DATABASE $DB_NAME OWNER $DB_USER;"
step "Database ready"
}
# --- Hermes Agent ---
install_hermes() {
banner "Hermes Agent"
if [ -d "$HOME/.hermes/hermes-agent" ]; then
step "Hermes already cloned, updating..."
cd "$HOME/.hermes/hermes-agent" && git pull origin main 2>/dev/null || true
cd - > /dev/null
else
step "Installing Hermes (one-liner)..."
curl -fsSL https://raw.githubusercontent.com/NousResearch/hermes-agent/main/scripts/install.sh | bash -s -- --skip-setup
fi
# Ensure venv exists
export PATH="$HOME/.local/bin:$HOME/.hermes/node/bin:$PATH"
if [ ! -d "$HOME/.hermes/hermes-agent/.venv" ]; then
step "Creating Hermes venv..."
cd "$HOME/.hermes/hermes-agent"
uv venv .venv --python 3.12 2>/dev/null || uv venv .venv
source .venv/bin/activate
uv pip install -e ".[all]" 2>&1 | tail -3
cd - > /dev/null
fi
# Add hermes to PATH in bashrc if not already there
if ! grep -q 'hermes-agent/.venv/bin' "$HOME/.bashrc" 2>/dev/null; then
cat >> "$HOME/.bashrc" <<'BASHRC'
# Sovereign Stack — Hermes Agent
export PATH="$HOME/.local/bin:$HOME/.hermes/node/bin:$HOME/.hermes/hermes-agent/.venv/bin:$PATH"
alias hermes='cd ~/.hermes/hermes-agent && source .venv/bin/activate && python hermes'
BASHRC
fi
step "Hermes installed"
}
# --- Auth Gate ---
install_auth_gate() {
step "Installing auth gate..."
cat > "$PROJECT_DIR/auth-gate.py" <<'AUTHGATE'
#!/usr/bin/env python3
"""Cookie-based auth gate. Login once, 7-day session."""
import hashlib, hmac, http.server, time, base64, os
SECRET = os.environ.get("AUTH_GATE_SECRET", "sovereign-timmy-gate-2026")
USER = os.environ.get("AUTH_USER", "admin")
PASS = os.environ.get("AUTH_PASS", "changeme")
COOKIE_NAME = "sovereign_gate"
COOKIE_MAX_AGE = 86400 * 7
def make_token(ts):
return hmac.new(SECRET.encode(), f"{USER}:{ts}".encode(), hashlib.sha256).hexdigest()[:32]
def verify_token(token):
try:
parts = token.split(".")
if len(parts) != 2: return False
ts, sig = int(parts[0]), parts[1]
if time.time() - ts > COOKIE_MAX_AGE: return False
return sig == make_token(ts)
except: return False
class Handler(http.server.BaseHTTPRequestHandler):
def log_message(self, *a): pass
def do_GET(self):
for c in self.headers.get("Cookie", "").split(";"):
c = c.strip()
if c.startswith(f"{COOKIE_NAME}=") and verify_token(c[len(COOKIE_NAME)+1:]):
self.send_response(200); self.end_headers(); return
auth = self.headers.get("Authorization", "")
if auth.startswith("Basic "):
try:
u, p = base64.b64decode(auth[6:]).decode().split(":", 1)
if u == USER and p == PASS:
ts = int(time.time())
self.send_response(200)
self.send_header("Set-Cookie",
f"{COOKIE_NAME}={ts}.{make_token(ts)}; Path=/; Max-Age={COOKIE_MAX_AGE}; HttpOnly; SameSite=Lax")
self.end_headers(); return
except: pass
self.send_response(401)
self.send_header("WWW-Authenticate", 'Basic realm="Sovereign Stack"')
self.end_headers()
if __name__ == "__main__":
s = http.server.HTTPServer(("127.0.0.1", 9876), Handler)
print("Auth gate on 127.0.0.1:9876"); s.serve_forever()
AUTHGATE
chmod +x "$PROJECT_DIR/auth-gate.py"
}
# --- Nginx (Tailscale-only) ---
install_nginx() {
step "Configuring nginx (Tailscale-only: $TSIP)..."
cat > /etc/nginx/sites-available/paperclip <<NGINX
server {
listen ${TSIP}:80;
location = /_auth {
internal;
proxy_pass http://127.0.0.1:9876;
proxy_pass_request_body off;
proxy_set_header Content-Length "";
proxy_set_header X-Original-URI \$request_uri;
proxy_set_header Cookie \$http_cookie;
proxy_set_header Authorization \$http_authorization;
}
location / {
auth_request /_auth;
auth_request_set \$auth_cookie \$upstream_http_set_cookie;
add_header Set-Cookie \$auth_cookie;
proxy_pass http://127.0.0.1:3100;
proxy_http_version 1.1;
proxy_set_header Upgrade \$http_upgrade;
proxy_set_header Connection 'upgrade';
proxy_set_header Host localhost;
proxy_set_header X-Real-IP \$remote_addr;
proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto \$scheme;
proxy_set_header X-Forwarded-Host \$host;
proxy_cache_bypass \$http_upgrade;
proxy_read_timeout 86400;
}
error_page 401 = @login;
location @login {
proxy_pass http://127.0.0.1:9876;
proxy_set_header Authorization \$http_authorization;
proxy_set_header Cookie \$http_cookie;
}
}
NGINX
ln -sf /etc/nginx/sites-available/paperclip /etc/nginx/sites-enabled/paperclip
rm -f /etc/nginx/sites-enabled/default
nginx -t || fail "Nginx config failed"
}
# --- UFW (SSH first, then lockdown) ---
setup_firewall() {
banner "Firewall"
step "Allowing SSH before lockdown..."
ufw allow 22/tcp
ufw allow in on tailscale0
ufw allow in on lo
ufw default deny incoming
ufw default allow outgoing
ufw --force enable
step "Firewall locked: SSH + Tailscale only"
}
# --- Secrets ---
load_or_create_secrets() {
if [ -f "$SECRETS_FILE" ]; then
source "$SECRETS_FILE"
step "Loaded secrets"
else
BETTER_AUTH_SECRET="sovereign-$(openssl rand -hex 16)"
PAPERCLIP_AGENT_JWT_SECRET="agent-$(openssl rand -hex 16)"
cat > "$SECRETS_FILE" <<SECRETS
BETTER_AUTH_SECRET="$BETTER_AUTH_SECRET"
PAPERCLIP_AGENT_JWT_SECRET="$PAPERCLIP_AGENT_JWT_SECRET"
SECRETS
chmod 600 "$SECRETS_FILE"
step "Generated secrets"
fi
}
# --- Paperclip ---
install_paperclip() {
banner "Paperclip"
mkdir -p "$PROJECT_DIR" "$LOG_DIR" "$PID_DIR"
if [ ! -d "$PAPERCLIP_DIR" ]; then
step "Cloning Paperclip..."
git clone --depth 1 https://github.com/paperclipai/paperclip.git "$PAPERCLIP_DIR"
fi
cd "$PAPERCLIP_DIR"
step "Installing dependencies..."
pnpm install --frozen-lockfile 2>/dev/null || pnpm install
cd - > /dev/null
install_auth_gate
install_nginx
step "Paperclip installed"
}
# --- systemd services ---
install_systemd() {
banner "systemd Services"
# Auth gate
cat > /etc/systemd/system/sovereign-auth-gate.service <<UNIT
[Unit]
Description=Sovereign Auth Gate
After=network.target
[Service]
Type=simple
ExecStart=/usr/bin/python3 $PROJECT_DIR/auth-gate.py
Environment=AUTH_USER=$AUTH_USER
Environment=AUTH_PASS=$AUTH_PASS
Restart=always
RestartSec=5
[Install]
WantedBy=multi-user.target
UNIT
# Paperclip
cat > /etc/systemd/system/sovereign-paperclip.service <<UNIT
[Unit]
Description=Paperclip Dashboard
After=network.target postgresql.service
[Service]
Type=simple
WorkingDirectory=$PAPERCLIP_DIR
ExecStart=$(which pnpm) dev
Environment=HOST=127.0.0.1
Environment=DATABASE_URL=$DATABASE_URL
Environment=PAPERCLIP_DEPLOYMENT_MODE=local_trusted
Environment=BETTER_AUTH_URL=http://$TSIP
Restart=always
RestartSec=10
[Install]
WantedBy=multi-user.target
UNIT
# Hermes gateway
cat > /etc/systemd/system/hermes-gateway.service <<UNIT
[Unit]
Description=Hermes Agent Gateway
After=network-online.target tailscaled.service
Wants=network-online.target
[Service]
Type=simple
WorkingDirectory=$HOME/.hermes/hermes-agent
ExecStart=$HOME/.hermes/hermes-agent/.venv/bin/python hermes gateway
Environment=HERMES_BIND_HOST=$TSIP
Restart=always
RestartSec=10
[Install]
WantedBy=multi-user.target
UNIT
# Load secrets into paperclip service
if [ -f "$SECRETS_FILE" ]; then
source "$SECRETS_FILE"
mkdir -p /etc/systemd/system/sovereign-paperclip.service.d
cat > /etc/systemd/system/sovereign-paperclip.service.d/secrets.conf <<OVERRIDE
[Service]
Environment=BETTER_AUTH_SECRET=$BETTER_AUTH_SECRET
Environment=PAPERCLIP_AGENT_JWT_SECRET=$PAPERCLIP_AGENT_JWT_SECRET
OVERRIDE
fi
systemctl daemon-reload
systemctl enable sovereign-auth-gate sovereign-paperclip hermes-gateway
step "systemd services installed and enabled"
}
# --- Backups ---
install_backups() {
banner "Backups"
mkdir -p "$BACKUP_DIR"
cat > "$HOME/scripts/hermes-backup.sh" <<'BACKUP'
#!/bin/bash
BACKUP_DIR=$HOME/backups/hermes
TIMESTAMP=$(date +%Y%m%d_%H%M%S)
HERMES_HOME=$HOME/.hermes
mkdir -p $BACKUP_DIR
tar czf $BACKUP_DIR/hermes_$TIMESTAMP.tar.gz \
$HERMES_HOME/config.yaml \
$HERMES_HOME/.env \
$HERMES_HOME/hermes-agent/skills/ \
$HERMES_HOME/hermes-agent/sessions/ \
$HERMES_HOME/cron/ \
2>/dev/null || true
# Prune backups older than 30 days
find $BACKUP_DIR -name 'hermes_*.tar.gz' -mtime +30 -delete
echo "$(date): Backup complete: hermes_$TIMESTAMP.tar.gz"
BACKUP
mkdir -p "$HOME/scripts"
chmod +x "$HOME/scripts/hermes-backup.sh"
# Cron: daily at 3 AM
(crontab -l 2>/dev/null | grep -v hermes-backup; echo "0 3 * * * $HOME/scripts/hermes-backup.sh >> /var/log/hermes-backup.log 2>&1") | crontab -
step "Daily backup at 3 AM, 30-day retention"
}
# =============================================================================
# RUNTIME
# =============================================================================
kill_zombies() {
step "Cleaning stale processes..."
for port in 3100 3101 3102 3103 3104 3105 9876; do
pid=$(lsof -ti :$port 2>/dev/null || true)
[ -n "$pid" ] && kill -9 $pid 2>/dev/null && step "Killed port $port" || true
done
sleep 1
}
start_services() {
banner "Starting"
load_or_create_secrets
kill_zombies
systemctl restart sovereign-auth-gate
systemctl restart nginx
systemctl restart sovereign-paperclip
step "Waiting for Paperclip..."
for i in $(seq 1 30); do
if systemctl is-active --quiet sovereign-paperclip && curl -s -o /dev/null http://127.0.0.1:3100 2>/dev/null; then
break
fi
printf "."; sleep 2
done
echo ""
info "══════════════════════════════════════"
info " Paperclip: http://$TSIP"
info " Hermes: ssh root@$TSIP → hermes"
info " Auth: $AUTH_USER / ********"
info "══════════════════════════════════════"
}
stop_services() {
banner "Stopping"
systemctl stop sovereign-paperclip 2>/dev/null || true
systemctl stop sovereign-auth-gate 2>/dev/null || true
systemctl stop hermes-gateway 2>/dev/null || true
step "All services stopped"
}
show_status() {
banner "Status"
for svc in sovereign-auth-gate sovereign-paperclip hermes-gateway nginx postgresql; do
if systemctl is-active --quiet $svc 2>/dev/null; then
echo -e " ${GREEN}${NC} $svc"
else
echo -e " ${RED}${NC} $svc"
fi
done
echo ""
echo -e " Tailscale: $TSIP"
echo -e " Paperclip: http://$TSIP"
echo ""
for port in 80 3100 9876; do
if lsof -ti :$port > /dev/null 2>&1; then
echo -e " ${GREEN}${NC} :$port"
else
echo -e " ${RED}${NC} :$port"
fi
done
}
# =============================================================================
# FULL INSTALL (run once)
# =============================================================================
full_install() {
check_preflight
setup_database
install_hermes
install_paperclip
load_or_create_secrets
install_systemd
install_backups
setup_firewall
banner "Install Complete"
info "Run: ./setup_timmy.sh start"
}
# --- CLI ---
case "${1:-}" in
install) full_install ;;
start) start_services ;;
stop) stop_services ;;
restart) stop_services; sleep 2; start_services ;;
status) show_status ;;
logs) journalctl -u sovereign-paperclip -u sovereign-auth-gate -u hermes-gateway -f ;;
*) echo "Usage: $0 {install|start|stop|restart|status|logs}"; exit 1 ;;
esac
View Git Blame Copy Permalink