0.2.0 Track B: deploy story for wohl-hub (systemd + Docker + INSTALL.md)#24
Merged
Conversation
Make `wohl-hub` deployable as a long-running daemon for the modeled
Pi 4/5 and MiniPC field hubs (see spar/wohl_nodes.aadl).
* deploy/systemd/wohl-hub.service — hardened unit that runs the
hub as a dedicated `wohl` user with NoNewPrivileges, ProtectSystem
strict, syscall allow-list, Restart=always + StartLimitBurst.
WatchdogSec deliberately omitted until sd_notify lands.
* Dockerfile + .dockerignore — multi-stage build on rust:1.85-slim
runtime image is distroless/cc-debian12:nonroot. Build context
climbs to the parent dir so the `path = "../relay/..."` sibling
deps resolve, matching the release.yml checkout shape.
* deploy/docker/docker-compose.yml — single-service stack with a
config bind-mount, named state volume, read-only rootfs, capability
drop, and 128M / 0.5cpu caps tuned for a Pi 4.
* docs/INSTALL.md — release-tarball quickstart, source build, Docker
walkthrough, cosign + SLSA verification one-liner, troubleshooting,
and update / rollback procedure.
* README.md — short "Deploying" section linking to docs/INSTALL.md.
* crates/wohl-hub/src/main.rs — add --config flag and $WOHL_CONFIG
env override (with hard-fail on missing/invalid explicit paths)
so the systemd unit and Docker entrypoint can point at
/etc/wohl/wohl.toml without the historical cwd search.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
First deployment story for wohl-hub. Adds a hardened systemd unit, a multi-stage distroless Dockerfile, a docker-compose example, and an INSTALL.md walking through both deploy paths. Adds a small
--config <path>flag to wohl-hub so systemd's ExecStart has an explicit path argument (no path → existing default search, missing explicit path → hard fail so systemd Restart=always surfaces the error).Part of the 0.2.0 milestone — see release plan in this PR thread.
Files
deploy/systemd/wohl-hub.service—Type=simple,Restart=always, dedicatedwohluser, hardening (NoNewPrivileges,ProtectSystem=strict,ProtectHome,PrivateTmp,ReadWritePaths=/var/lib/wohl /var/log/wohl).Dockerfile— multi-stage. Builderrust:1.85-slim-bookworm; runtimegcr.io/distroless/cc-debian12:nonroot(~25 MB, no shell/pkg-mgr, uid 65532)..dockerignore— excludestarget/,.git/,.claude/.deploy/docker/docker-compose.yml— single-service example with config + state volumes.docs/INSTALL.md— prerequisites, quickstart from tarball, source build, Docker quickstart, integrity verification (thecosign verify-blob+gh attestation verifyone-liner from v0.1.0), troubleshooting, update procedure.README.md— new Deploying section pointing at INSTALL.md.crates/wohl-hub/src/main.rs—--config <path>andWOHL_CONFIGenv override. Missing explicit path → exit 2.Verified locally
cargo +1.85.0 fmt -- --check,cargo clippy --workspace --all-targets -- -D warnings,cargo test --workspace— all green.wohl-hub --config <path>exercised end-to-end with a freeze alert producing the expected JSON.docker buildandsystemd-analyze verifycould not be run locally (no docker daemon, macOS) — left to CI to validate as a follow-up.Open questions
sd_notifywatchdog support — currentlyType=simple; could move toType=notifylater for tick-loss kill+restart./var/lib/wohlstate-dir layout — reserved but unused yet; needs a spec when wohl-alert Verus dedup state starts snapshotting.🤖 Generated with Claude Code