dgf1988/codewhale
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity
Files
d9dff6809cfcd4f835e496335869dc384894cdd4
codewhale/scripts/remote-smoke/setup-vm.sh
T
Hunter Bown 5483e1553d feat(remote-smoke): bump to v0.8.57, add gh CLI, swapfile, agent-session.sh, autonomous loop docs (#3022) 
- setup-vm.sh: bump RELEASE_TAG default to v0.8.57, add gh CLI install
  step (official APT repo) and 4G swapfile creation (idempotent)
- agent-session.sh: new sourceable helper that exports the provider key
  from /etc/codewhale/runtime.env for interactive agent sessions
- README.md: update version refs, add agent-session.sh to layout, add
  Autonomous agent loop section with full pick->PR commands

The droplet ops (binary upgrade, PAT setup, first end-to-end issue run)
are documented as the next steps for the operator.
2026-06-10 16:20:57 -07:00

163 lines
6.9 KiB
Bash
Executable File
Raw Blame History

#!/usr/bin/env bash
# EXPERIMENTAL — one-shot CodeWhale + Telegram bridge setup for a fresh
# AWS Lightsail Ubuntu 24.04 VM (issue #1990 smoke lane).
#
# Run ON THE VM as root:
# sudo SECRETS_FILE=/tmp/cw-secrets.env bash setup-vm.sh
#
# SECRETS_FILE is a chmod-600 env file you scp'd up, containing:
# TELEGRAM_BOT_TOKEN=... # from @BotFather
# CODEWHALE_PROVIDER=deepseek # or arcee / xiaomi-mimo / ...
# PROVIDER_KEY_NAME=DEEPSEEK_API_KEY
# PROVIDER_KEY_VALUE=...
# TELEGRAM_CHAT_ALLOWLIST=123456789 # optional; empty = first-pairing mode
# The file is shredded after the values land in /etc/codewhale/*.env.
#
# Reuses the repo's existing provider-agnostic scripts:
# scripts/tencent-lighthouse/bootstrap-ubuntu.sh
# scripts/tencent-lighthouse/install-services.sh (CODEWHALE_BRIDGE=telegram)
# scripts/tencent-lighthouse/doctor.sh
# Uses prebuilt release binaries instead of a Rust build.
set -euo pipefail
RELEASE_TAG="${RELEASE_TAG:-v0.8.57}"
REPO_URL="${REPO_URL:-https://github.com/Hmbown/CodeWhale.git}"
REPO_BRANCH="${REPO_BRANCH:-main}"
SECRETS_FILE="${SECRETS_FILE:-/tmp/cw-secrets.env}"
[[ "$EUID" -eq 0 ]] || { echo "run as root (sudo)" >&2; exit 1; }
[[ -f "$SECRETS_FILE" ]] || { echo "SECRETS_FILE not found: $SECRETS_FILE" >&2; exit 1; }
# shellcheck disable=SC1090
. "$SECRETS_FILE"
: "${TELEGRAM_BOT_TOKEN:?missing in SECRETS_FILE}"
: "${CODEWHALE_PROVIDER:?missing in SECRETS_FILE}"
: "${PROVIDER_KEY_NAME:?missing in SECRETS_FILE}"
: "${PROVIDER_KEY_VALUE:?missing in SECRETS_FILE}"
TELEGRAM_CHAT_ALLOWLIST="${TELEGRAM_CHAT_ALLOWLIST:-}"
echo "== [1/8] clone repo (${REPO_BRANCH}) =="
apt-get update -q
apt-get install -y -q git curl ca-certificates
if [[ ! -d /tmp/codewhale/.git ]]; then
git clone --depth 1 --branch "$REPO_BRANCH" "$REPO_URL" /tmp/codewhale
fi
echo "== [2/8] bootstrap (user, dirs, packages, ufw, env skeletons) =="
CODEWHALE_REPO_URL="$REPO_URL" CODEWHALE_REPO_BRANCH="$REPO_BRANCH" \
bash /tmp/codewhale/scripts/tencent-lighthouse/bootstrap-ubuntu.sh
echo "== [3/8] install prebuilt ${RELEASE_TAG} binaries (no Rust build) =="
# The systemd unit hardcodes /home/codewhale/.cargo/bin/codewhale, so we put
# the release binaries exactly there.
BIN_DIR=/home/codewhale/.cargo/bin
install -d -o codewhale -g codewhale "$BIN_DIR"
BASE="https://github.com/Hmbown/CodeWhale/releases/download/${RELEASE_TAG}"
TMP=$(mktemp -d)
curl -fsSL -o "$TMP/codewhale" "$BASE/codewhale-linux-x64"
curl -fsSL -o "$TMP/codewhale-tui" "$BASE/codewhale-tui-linux-x64"
curl -fsSL -o "$TMP/sha256.txt" "$BASE/codewhale-artifacts-sha256.txt"
( cd "$TMP"
grep -E ' (codewhale|codewhale-tui)-linux-x64$' sha256.txt \
| sed 's/codewhale-linux-x64/codewhale/; s/codewhale-tui-linux-x64/codewhale-tui/' \
| sha256sum -c - )
install -m 0755 -o codewhale -g codewhale "$TMP/codewhale" "$BIN_DIR/codewhale"
install -m 0755 -o codewhale -g codewhale "$TMP/codewhale-tui" "$BIN_DIR/codewhale-tui"
rm -rf "$TMP"
sudo -u codewhale "$BIN_DIR/codewhale" --version
sudo -u codewhale "$BIN_DIR/codewhale-tui" --version
echo "== [4/8] install services (telegram bridge) =="
CODEWHALE_BRIDGE=telegram bash /tmp/codewhale/scripts/tencent-lighthouse/install-services.sh
echo "== [5/8] write secrets into /etc/codewhale/*.env =="
RUNTIME_ENV=/etc/codewhale/runtime.env
BRIDGE_ENV=/etc/codewhale/telegram-bridge.env
RUNTIME_TOKEN="dst_$(openssl rand -hex 24)"
set_kv() { # file key value (replace or append; never echoes the value)
local file="$1" key="$2" value="$3"
if grep -qE "^${key}=" "$file"; then
# use | delimiter; tokens never contain |
sed -i "s|^${key}=.*|${key}=${value}|" "$file"
else
printf '%s=%s\n' "$key" "$value" >> "$file"
fi
}
set_kv "$RUNTIME_ENV" CODEWHALE_RUNTIME_TOKEN "$RUNTIME_TOKEN"
set_kv "$RUNTIME_ENV" CODEWHALE_PROVIDER "$CODEWHALE_PROVIDER"
set_kv "$RUNTIME_ENV" "$PROVIDER_KEY_NAME" "$PROVIDER_KEY_VALUE"
set_kv "$BRIDGE_ENV" CODEWHALE_RUNTIME_TOKEN "$RUNTIME_TOKEN"
set_kv "$BRIDGE_ENV" TELEGRAM_BOT_TOKEN "$TELEGRAM_BOT_TOKEN"
if [[ -n "$TELEGRAM_CHAT_ALLOWLIST" ]]; then
set_kv "$BRIDGE_ENV" TELEGRAM_CHAT_ALLOWLIST "$TELEGRAM_CHAT_ALLOWLIST"
set_kv "$BRIDGE_ENV" TELEGRAM_ALLOW_UNLISTED false
else
echo "[warn] no TELEGRAM_CHAT_ALLOWLIST given: enabling first-pairing mode"
echo "[warn] (TELEGRAM_ALLOW_UNLISTED=true). DM the bot /status, copy the"
echo "[warn] chat_id into TELEGRAM_CHAT_ALLOWLIST, set ALLOW_UNLISTED=false,"
echo "[warn] then: systemctl restart codewhale-telegram-bridge"
set_kv "$BRIDGE_ENV" TELEGRAM_ALLOW_UNLISTED true
fi
chmod 0640 "$RUNTIME_ENV" "$BRIDGE_ENV"
chown root:codewhale "$RUNTIME_ENV" "$BRIDGE_ENV"
shred -u "$SECRETS_FILE"
echo "secrets written; $SECRETS_FILE shredded"
echo "== [5b/8] install gh CLI (for autonomous agent PR workflow) =="
if ! command -v gh &>/dev/null; then
apt-get install -y -q software-properties-common
# cli.github.com recommends the official APT repo for Ubuntu
(type -p wget &>/dev/null || apt-get install -y -q wget)
mkdir -p -m 755 /etc/apt/keyrings
wget -qO- https://cli.github.com/packages/githubcli-archive-keyring.gpg \
| tee /etc/apt/keyrings/githubcli-archive-keyring.gpg >/dev/null
chmod go+r /etc/apt/keyrings/githubcli-archive-keyring.gpg
echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/githubcli-archive-keyring.gpg] https://cli.github.com/packages stable main" \
| tee /etc/apt/sources.list.d/github-cli.list >/dev/null
apt-get update -q
apt-get install -y -q gh
fi
echo "== [5c/8] create 4G swapfile (idempotent) =="
if [[ ! -f /swapfile ]]; then
fallocate -l 4G /swapfile
chmod 600 /swapfile
mkswap /swapfile
swapon /swapfile
echo '/swapfile none swap sw 0 0' >> /etc/fstab
echo "swapfile created and activated"
else
echo "swapfile already exists, skipping"
fi
echo "== [6/8] pre-create runtime ReadWritePaths (unit fails without them) =="
install -d -o codewhale -g codewhale -m 0700 \
/home/codewhale/.codewhale /home/codewhale/.deepseek
echo "== [7/8] validate config =="
sudo -u codewhale node /opt/codewhale/telegram-bridge/scripts/validate-config.mjs \
--env "$BRIDGE_ENV" --runtime-env "$RUNTIME_ENV" \
--workspace-root /opt/whalebro --check-filesystem
echo "== [8/8] start + doctor =="
systemctl start codewhale-runtime
for _ in $(seq 1 20); do
curl -fsS --max-time 2 http://127.0.0.1:7878/health >/dev/null 2>&1 && break
sleep 1
done
curl -fsS http://127.0.0.1:7878/health; echo
systemctl start codewhale-telegram-bridge
sleep 3
CODEWHALE_BRIDGE=telegram bash /tmp/codewhale/scripts/tencent-lighthouse/doctor.sh
echo
echo "== Setup complete. Phone smoke checklist (docs/REMOTE_VM_US.md): =="
echo " 1. DM the bot: /status"
echo " 2. /menu (tappable controls)"
echo " 3. prompt: summarize git status in /opt/whalebro/codewhale"
echo " 4. /threads then a Resume button"
echo " 5. trigger a shell approval; test Allow/Deny buttons and /allow|/deny"
echo " 6. /interrupt during an active turn"
echo " 7. sudo reboot; confirm both services return: systemctl status codewhale-runtime codewhale-telegram-bridge"
Reference in New Issue View Git Blame Copy Permalink