Wire HDHomeRun observations and recover Forge OP Stack

2026-05-03 20:24:04 -07:00 · 2026-05-03 20:24:04 -07:00 · 0d86104762
commit 0d86104762
parent 8065860449
18 changed files with 1613 additions and 58 deletions
--- a/scripts/hetzner-robot-forge.sh
+++ b/scripts/hetzner-robot-forge.sh
@ -0,0 +1,257 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+root="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
+cd "${root}"
+
+robot_base="${EVERY_CHANNEL_ROBOT_API_BASE:-https://robot-ws.your-server.de}"
+server="${EVERY_CHANNEL_ROBOT_SERVER:-2800441}"
+host_ip="${EVERY_CHANNEL_FORGE_IP:-95.216.114.54}"
+host_name="${EVERY_CHANNEL_FORGE_HOSTNAME:-git.every.channel}"
+op_item="${EVERY_CHANNEL_ROBOT_OP_ITEM:-Hetzner Robot}"
+op_vault="${EVERY_CHANNEL_ROBOT_OP_VAULT:-}"
+ssh_identity="${EVERY_CHANNEL_FORGE_SSH_IDENTITY:-$HOME/.ssh/id_ed25519}"
+ssh_pub="${EVERY_CHANNEL_FORGE_SSH_PUBLIC_KEY:-${ssh_identity}.pub}"
+
+usage() {
+  cat <<EOF
+Usage: $0 <command>
+
+Commands:
+  probe             Check public HTTPS and SSH reachability for ${host_name}.
+  server            Query Robot server metadata.
+  status            Query Robot reset and rescue status.
+  rescue-status     Query Robot rescue status.
+  activate-rescue   Activate Linux rescue mode for ${server}.
+  reset [type]      Execute a Robot reset, default: hw.
+  recover [type]    Activate rescue mode, then execute a reset.
+  wait-ssh          Wait until TCP/22 answers on ${host_ip}.
+
+Credentials:
+  Set EVERY_CHANNEL_ROBOT_USER and EVERY_CHANNEL_ROBOT_PASSWORD, or sign in with
+  1Password CLI and keep the existing item named "${op_item}" available.
+
+Optional:
+  EVERY_CHANNEL_ROBOT_OP_ITEM                  default: Hetzner Robot
+  EVERY_CHANNEL_ROBOT_OP_VAULT                 optional 1Password vault scope
+  EVERY_CHANNEL_ROBOT_AUTHORIZED_KEY_FINGERPRINT
+  EVERY_CHANNEL_ROBOT_PRINT_SENSITIVE=1        print Robot-generated rescue password
+  EVERY_CHANNEL_ROBOT_RESCUE_OS=linux
+  EVERY_CHANNEL_ROBOT_RESCUE_KEYBOARD=us
+  EVERY_CHANNEL_ROBOT_RESET_TYPE=hw
+EOF
+}
+
+require_cmd() {
+  if ! command -v "$1" >/dev/null 2>&1; then
+    echo "error: required command not found: $1" >&2
+    exit 2
+  fi
+}
+
+op_field() {
+  local field="$1"
+  if [[ -n "${op_vault}" ]]; then
+    op item get "${op_item}" --vault "${op_vault}" --fields "label=${field}" --reveal
+  else
+    op item get "${op_item}" --fields "label=${field}" --reveal
+  fi
+}
+
+load_robot_auth() {
+  robot_user="${EVERY_CHANNEL_ROBOT_USER:-${HETZNER_ROBOT_USER:-}}"
+  robot_password="${EVERY_CHANNEL_ROBOT_PASSWORD:-${HETZNER_ROBOT_PASSWORD:-}}"
+
+  if [[ -z "${robot_user}" || -z "${robot_password}" ]]; then
+    require_cmd op
+    robot_user="${robot_user:-$(op_field username)}"
+    robot_password="${robot_password:-$(op_field password)}"
+  fi
+
+  if [[ -z "${robot_user}" || -z "${robot_password}" ]]; then
+    echo "error: Robot credentials are not available" >&2
+    echo "hint: run 'op signin' or export EVERY_CHANNEL_ROBOT_USER and EVERY_CHANNEL_ROBOT_PASSWORD" >&2
+    exit 2
+  fi
+}
+
+robot_curl() {
+  local method="$1"
+  local path="$2"
+  shift 2
+
+  local config
+  config="$(mktemp "${TMPDIR:-/tmp}/ec-robot-curl.XXXXXX")"
+  chmod 600 "${config}"
+  cleanup_config() {
+    rm -f "${config}"
+  }
+  trap cleanup_config RETURN
+
+  {
+    printf 'url = "%s%s"\n' "${robot_base}" "${path}"
+    printf 'request = "%s"\n' "${method}"
+    printf 'user = "%s:%s"\n' "${robot_user}" "${robot_password}"
+    printf 'silent\nshow-error\nfail\n'
+  } >"${config}"
+
+  curl --config "${config}" "$@"
+}
+
+mask_sensitive_json() {
+  if [[ "${EVERY_CHANNEL_ROBOT_PRINT_SENSITIVE:-0}" == "1" ]]; then
+    cat
+    return
+  fi
+
+  if command -v jq >/dev/null 2>&1; then
+    jq 'walk(if type == "object" and has("password") then .password = "<redacted>" else . end)'
+  else
+    sed -E 's/"password"[[:space:]]*:[[:space:]]*"[^"]*"/"password":"<redacted>"/g'
+  fi
+}
+
+authorized_key_fingerprint() {
+  if [[ -n "${EVERY_CHANNEL_ROBOT_AUTHORIZED_KEY_FINGERPRINT:-}" ]]; then
+    printf '%s\n' "${EVERY_CHANNEL_ROBOT_AUTHORIZED_KEY_FINGERPRINT}"
+    return
+  fi
+
+  if [[ -f "${ssh_pub}" ]] && command -v ssh-keygen >/dev/null 2>&1; then
+    ssh-keygen -E md5 -lf "${ssh_pub}" | awk '{print $2}' | sed 's/^MD5://'
+  fi
+}
+
+probe() {
+  echo "== HTTPS via DNS =="
+  curl --max-time 12 -I -sS "https://${host_name}/" || true
+  echo
+  echo "== HTTPS via pinned IP =="
+  curl --max-time 12 -I -sS --resolve "${host_name}:443:${host_ip}" "https://${host_name}/" || true
+  echo
+  echo "== SSH =="
+  ssh -o ConnectTimeout=12 -o BatchMode=yes -o IdentityAgent=none -o IdentitiesOnly=yes \
+    -i "${ssh_identity}" "root@${host_ip}" echo ssh-ok || true
+}
+
+server_metadata() {
+  load_robot_auth
+  robot_curl GET "/server/${server}" | mask_sensitive_json
+}
+
+reset_status() {
+  robot_curl GET "/reset/${server}" | mask_sensitive_json
+}
+
+rescue_status() {
+  load_robot_auth
+  robot_curl GET "/boot/${server}/rescue" | mask_sensitive_json
+}
+
+status() {
+  load_robot_auth
+  echo "== reset =="
+  reset_status
+  echo
+  echo "== rescue =="
+  robot_curl GET "/boot/${server}/rescue" | mask_sensitive_json
+}
+
+activate_rescue() {
+  load_robot_auth
+  local rescue_os="${EVERY_CHANNEL_ROBOT_RESCUE_OS:-linux}"
+  local keyboard="${EVERY_CHANNEL_ROBOT_RESCUE_KEYBOARD:-us}"
+  local key_fingerprint
+  key_fingerprint="$(authorized_key_fingerprint || true)"
+
+  local args=(--data-urlencode "os=${rescue_os}" --data-urlencode "keyboard=${keyboard}")
+  if [[ -n "${key_fingerprint}" ]]; then
+    args+=(--data-urlencode "authorized_key[]=${key_fingerprint}")
+  fi
+
+  robot_curl POST "/boot/${server}/rescue" "${args[@]}" | mask_sensitive_json
+}
+
+reset_server() {
+  load_robot_auth
+  local reset_type="${1:-${EVERY_CHANNEL_ROBOT_RESET_TYPE:-hw}}"
+  robot_curl POST "/reset/${server}" --data-urlencode "type=${reset_type}" | mask_sensitive_json
+}
+
+recover() {
+  local reset_type="${1:-${EVERY_CHANNEL_ROBOT_RESET_TYPE:-hw}}"
+  echo "== activate rescue =="
+  activate_rescue
+  echo
+  echo "== reset ${reset_type} =="
+  reset_server "${reset_type}"
+  echo
+  echo "Rescue boot requested. Run '$0 wait-ssh' to watch for SSH on ${host_ip}."
+}
+
+wait_ssh() {
+  local deadline="${EVERY_CHANNEL_FORGE_WAIT_SECONDS:-300}"
+  local started
+  started="$(date +%s)"
+
+  while true; do
+    if command -v nc >/dev/null 2>&1; then
+      if nc -z -w 5 "${host_ip}" 22 >/dev/null 2>&1; then
+        echo "ssh port is reachable on ${host_ip}:22"
+        return 0
+      fi
+    elif ssh -o ConnectTimeout=5 -o BatchMode=yes -o StrictHostKeyChecking=no \
+      -o UserKnownHostsFile=/dev/null "root@${host_ip}" true >/dev/null 2>&1; then
+      echo "ssh is reachable on ${host_ip}"
+      return 0
+    fi
+
+    if (( "$(date +%s)" - started >= deadline )); then
+      echo "error: timed out waiting for SSH on ${host_ip}:22" >&2
+      return 1
+    fi
+    sleep 5
+  done
+}
+
+cmd="${1:-}"
+case "${cmd}" in
+  ""|-h|--help|help)
+    usage
+    ;;
+  probe)
+    probe
+    ;;
+  server)
+    require_cmd curl
+    server_metadata
+    ;;
+  status)
+    require_cmd curl
+    status
+    ;;
+  rescue-status)
+    require_cmd curl
+    rescue_status
+    ;;
+  activate-rescue)
+    require_cmd curl
+    activate_rescue
+    ;;
+  reset)
+    require_cmd curl
+    reset_server "${2:-}"
+    ;;
+  recover)
+    require_cmd curl
+    recover "${2:-}"
+    ;;
+  wait-ssh)
+    wait_ssh
+    ;;
+  *)
+    echo "error: unknown command: ${cmd}" >&2
+    usage >&2
+    exit 2
+    ;;
+esac