Jeremie Fraeys fe9bd132d9
Restore requirements and tidy tests
2026-01-21 14:53:00 -05:00
.forgejo/workflows changed run-on to self-hosted to match the server 2026-01-20 17:40:36 -05:00
config initial infra commit 2026-01-19 16:27:09 -05:00
scripts Option B: stop unused services; add restricted SSH scripts 2026-01-20 12:18:09 -05:00
src/infra_controller Option B: stop unused services; add restricted SSH scripts 2026-01-20 12:18:09 -05:00
systemd initial infra commit 2026-01-19 16:27:09 -05:00
tests Restore requirements and tidy tests 2026-01-21 14:53:00 -05:00
.env.example initial infra commit 2026-01-19 16:27:09 -05:00
.gitignore Option B: stop unused services; add restricted SSH scripts 2026-01-20 12:18:09 -05:00
.python-version Option B: stop unused services; add restricted SSH scripts 2026-01-20 12:18:09 -05:00
install.sh Option B: stop unused services; add restricted SSH scripts 2026-01-20 12:18:09 -05:00
LICENSE initial infra commit 2026-01-19 16:27:09 -05:00
Makefile initial infra commit 2026-01-19 16:27:09 -05:00
pyproject.toml Option B: stop unused services; add restricted SSH scripts 2026-01-20 12:18:09 -05:00
README.md Option B: stop unused services; add restricted SSH scripts 2026-01-20 12:18:09 -05:00
requirements.txt initial infra commit 2026-01-19 16:27:09 -05:00
setup.py initial infra commit 2026-01-19 16:27:09 -05:00

infra-controller

Python-based controller that discovers active apps and ensures required infrastructure services are present.

Services are expected to be managed as Docker Compose projects on the services server (e.g. /opt/grafana, /opt/prometheus).

Requirements

  • Python 3.11+
  • Docker and Docker Compose installed on the services server

Config

Preferred config file:

  • /etc/infra-controller/config.toml

Copy the example config:

  • config/controller.toml.example -> /etc/infra-controller/config.toml

Optional YAML config:

  • config/controller.yml.example -> /etc/infra-controller/config.yml

Run

  • infra-controller --once

systemd (event-driven)

To avoid running a daemon or polling timer, you can trigger a one-shot run whenever deployments update the active apps directory:

  • enable path trigger: sudo systemctl enable --now infra-controller.path
  • view logs: journalctl -u infra-controller-once.service -f

Services that are no longer required are stopped after grace_period_minutes (see config) using docker compose down.

Remote app registration

Run infra-controller on the services server. When you deploy, create or update a registration file in /var/run/active-apps/ (this triggers the path unit).

Recommended (Forgejo runner on the web/app server):

  • deploy app locally on the web/app server (docker compose or bare-metal)
  • register app on the services server by streaming .infra.toml over SSH (no scp)

Example (from web/app server runner):

APP_NAME=my-app
ssh infractl@service-host \
  "cat > /var/run/active-apps/$APP_NAME.toml.tmp && mv /var/run/active-apps/$APP_NAME.toml.tmp /var/run/active-apps/$APP_NAME.toml" \
  < .infra.toml

If you want to avoid giving CI a general shell on the services server, install the helper scripts to /usr/local/sbin (see install.sh) and restrict the runner key in authorized_keys.

Example (services server, ~infractl/.ssh/authorized_keys):

command="/usr/local/sbin/infra-register-stdin",no-pty,no-agent-forwarding,no-port-forwarding,no-X11-forwarding ssh-ed25519 AAAA... runner

For deregistration, use a separate key restricted to /usr/local/sbin/infra-deregister.
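
With command= in authorized_keys, sshd ignores whatever the runner asks to execute and exposes that string only as SSH_ORIGINAL_COMMAND, so the helper has to treat it as untrusted input. The sketch below is an added example of such a handler, not the repository's infra-register-stdin; the calling convention (app name as the requested command), the name rule and the size cap are assumptions.

```shell
#!/bin/sh
# Added example: hypothetical forced-command handler (not the repo's script).
# Assumed client call: ssh infractl@service-host my-app < .infra.toml
# sshd ignores the requested command, exposes it as SSH_ORIGINAL_COMMAND,
# and runs this script with the client's stdin attached.
LC_ALL=C; export LC_ALL              # make [a-z] mean ASCII only
ACTIVE_APPS_DIR="${ACTIVE_APPS_DIR:-/var/run/active-apps}"
MAX_BYTES=65536                      # assumed upper bound for a registration

valid_app_name() {
  # Lowercase letter or digit first, then [a-z0-9_-], at most 63 characters.
  # This rejects '/', '..', whitespace, and shell metacharacters.
  case "$1" in
    ''|[!a-z0-9]*|*[!a-z0-9_-]*) return 1 ;;
  esac
  [ "${#1}" -le 63 ]
}

register_app() {
  name=$1
  valid_app_name "$name" || { echo "rejected: bad app name" >&2; return 2; }
  # Temp file in the same directory so the final mv is an atomic rename.
  tmp=$(mktemp "$ACTIVE_APPS_DIR/$name.toml.tmp.XXXXXX") || return 1
  # Read one byte past the cap so oversized input is detected, not truncated.
  head -c "$((MAX_BYTES + 1))" > "$tmp"
  size=$(($(wc -c < "$tmp")))
  if [ "$size" -eq 0 ] || [ "$size" -gt "$MAX_BYTES" ]; then
    rm -f "$tmp"
    echo "rejected: payload is empty or larger than $MAX_BYTES bytes" >&2
    return 3
  fi
  chmod 0644 "$tmp"
  mv -f "$tmp" "$ACTIVE_APPS_DIR/$name.toml"
}

# Entry point: only acts when sshd passed along a client command.
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
  register_app "$SSH_ORIGINAL_COMMAND"
  exit $?
fi
```

Because the key can only ever reach this one script, a leaked runner key allows writing a size-limited .toml file with a validated name and nothing else.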