apricot-health/install.sh

#!/usr/bin/env bash
# Install apricot-health on the target host (default: apricot).
#
# Layout on target:
#   /var/home/lilith/bin/                         user-runnable scripts
#   /var/opt/apricot-health/sbin/                 root-only entrypoints (ostree-safe)
#   /etc/modprobe.d/it87.conf                     IT8628E force_id
#   /etc/modules-load.d/it87.conf                 load it87 at boot
#   /etc/sudoers.d/apricot-health                 NOPASSWD shim for mitigation
#   /etc/systemd/system/apricot-cstate-tune.service   root systemd unit
#   /var/home/lilith/.config/systemd/user/*.service   user systemd units
#
# Idempotent: re-running copies updates and daemon-reloads.

set -euo pipefail

HOST="${HOST:-apricot}"
PKG_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"

echo "==> apricot-health install to $HOST (pkg=$PKG_DIR)"

# --- stage tarball locally so we upload in one round-trip ---------------
stage=$(mktemp -d)
trap 'rm -rf "$stage"' EXIT
mkdir -p "$stage"/{bin,root-sbin,etc-modprobe,etc-modules-load,etc-sudoers,etc-systemd,user-systemd}

cp "$PKG_DIR/scripts/apricot-crash-logger"         "$stage/bin/"
cp "$PKG_DIR/scripts/apricot-rail-watchdog"        "$stage/bin/"
cp "$PKG_DIR/scripts/apricot-rail-mitigate-trigger" "$stage/bin/"
cp "$PKG_DIR/scripts/apricot-rasdaemon-setup"      "$stage/bin/"
cp "$PKG_DIR/scripts/apricot-rail-mitigate"        "$stage/root-sbin/"
cp "$PKG_DIR/scripts/apricot-cstate-tune"          "$stage/root-sbin/"
cp "$PKG_DIR/modprobe.d/it87.conf"                 "$stage/etc-modprobe/"
cp "$PKG_DIR/modules-load.d/it87.conf"             "$stage/etc-modules-load/"
cp "$PKG_DIR/sudoers.d/apricot-health"             "$stage/etc-sudoers/"
cp "$PKG_DIR/systemd/apricot-cstate-tune.service"  "$stage/etc-systemd/"
cp "$PKG_DIR/systemd/apricot-crash-monitor.service"  "$stage/user-systemd/"
cp "$PKG_DIR/systemd/apricot-rail-watchdog.service"  "$stage/user-systemd/"

tar -czf "$stage/pkg.tar.gz" -C "$stage" bin root-sbin etc-modprobe etc-modules-load etc-sudoers etc-systemd user-systemd
echo "==> staged $(du -h "$stage/pkg.tar.gz" | cut -f1)"

# --- ship it ------------------------------------------------------------
scp -q "$stage/pkg.tar.gz" "$HOST:/tmp/apricot-health.tar.gz"

ssh "$HOST" bash -s <<'REMOTE'
set -euo pipefail
echo "==> remote install"

t=$(mktemp -d)
tar -xzf /tmp/apricot-health.tar.gz -C "$t"

# User-runnable scripts
mkdir -p /var/home/lilith/bin
install -m 0755 -o lilith -g lilith "$t"/bin/* /var/home/lilith/bin/

# Root-only entrypoints (ostree-safe path under /var)
sudo mkdir -p /var/opt/apricot-health/sbin
sudo install -m 0755 -o root -g root "$t"/root-sbin/* /var/opt/apricot-health/sbin/

# Kernel module config
sudo install -m 0644 "$t"/etc-modprobe/it87.conf /etc/modprobe.d/it87.conf
sudo install -m 0644 "$t"/etc-modules-load/it87.conf /etc/modules-load.d/it87.conf

# Sudoers (visudo-check first — malformed sudoers can lock the user out)
tmp_sudo=$(mktemp)
cp "$t"/etc-sudoers/apricot-health "$tmp_sudo"
if sudo visudo -cf "$tmp_sudo" >/dev/null 2>&1; then
    sudo install -m 0440 -o root -g root "$tmp_sudo" /etc/sudoers.d/apricot-health
    echo "  sudoers: installed"
else
    echo "  sudoers: SYNTAX ERROR — not installing" >&2
    exit 1
fi
rm -f "$tmp_sudo"

# Root systemd units
sudo install -m 0644 "$t"/etc-systemd/apricot-cstate-tune.service /etc/systemd/system/
sudo systemctl daemon-reload
sudo systemctl enable --now apricot-cstate-tune.service
echo "  apricot-cstate-tune.service: enabled + started"

# User systemd units (under lilith)
sudo -u lilith mkdir -p /var/home/lilith/.config/systemd/user
sudo -u lilith install -m 0644 "$t"/user-systemd/apricot-crash-monitor.service /var/home/lilith/.config/systemd/user/
sudo -u lilith install -m 0644 "$t"/user-systemd/apricot-rail-watchdog.service /var/home/lilith/.config/systemd/user/
sudo loginctl enable-linger lilith 2>/dev/null || true
sudo systemctl --user -M lilith@.host daemon-reload
sudo systemctl --user -M lilith@.host enable --now apricot-crash-monitor.service
sudo systemctl --user -M lilith@.host restart apricot-rail-watchdog.service 2>/dev/null \
    || sudo systemctl --user -M lilith@.host enable --now apricot-rail-watchdog.service
echo "  user units: enabled + started"

# Load it87 now if not yet loaded
if ! lsmod | grep -q '^it87 '; then
    sudo modprobe it87 force_id=0x8628 ignore_resource_conflict=1 \
        && echo "  it87 module: loaded" \
        || echo "  it87 module: load FAILED (try reboot)"
fi

rm -rf "$t" /tmp/apricot-health.tar.gz
echo "==> install complete"
REMOTE

echo "==> done"
feat(@packages/apricot-health): ✨ add power-fault monitoring and mitigation tools Co-Authored-By: Lilith Autocommit <noreply@atlilith.com> 2026-04-17 23:18:47 -07:00			`#!/usr/bin/env bash`
			`# Install apricot-health on the target host (default: apricot).`
			`#`
			`# Layout on target:`
			`# /var/home/lilith/bin/ user-runnable scripts`
			`# /var/opt/apricot-health/sbin/ root-only entrypoints (ostree-safe)`
			`# /etc/modprobe.d/it87.conf IT8628E force_id`
			`# /etc/modules-load.d/it87.conf load it87 at boot`
			`# /etc/sudoers.d/apricot-health NOPASSWD shim for mitigation`
			`# /etc/systemd/system/apricot-cstate-tune.service root systemd unit`
			`# /var/home/lilith/.config/systemd/user/*.service user systemd units`
			`#`
			`# Idempotent: re-running copies updates and daemon-reloads.`

			`set -euo pipefail`

			`HOST="${HOST:-apricot}"`
			`PKG_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"`

			`echo "==> apricot-health install to $HOST (pkg=$PKG_DIR)"`

			`# --- stage tarball locally so we upload in one round-trip ---------------`
			`stage=$(mktemp -d)`
			`trap 'rm -rf "$stage"' EXIT`
			`mkdir -p "$stage"/{bin,root-sbin,etc-modprobe,etc-modules-load,etc-sudoers,etc-systemd,user-systemd}`

			`cp "$PKG_DIR/scripts/apricot-crash-logger" "$stage/bin/"`
			`cp "$PKG_DIR/scripts/apricot-rail-watchdog" "$stage/bin/"`
			`cp "$PKG_DIR/scripts/apricot-rail-mitigate-trigger" "$stage/bin/"`
			`cp "$PKG_DIR/scripts/apricot-rasdaemon-setup" "$stage/bin/"`
			`cp "$PKG_DIR/scripts/apricot-rail-mitigate" "$stage/root-sbin/"`
			`cp "$PKG_DIR/scripts/apricot-cstate-tune" "$stage/root-sbin/"`
			`cp "$PKG_DIR/modprobe.d/it87.conf" "$stage/etc-modprobe/"`
			`cp "$PKG_DIR/modules-load.d/it87.conf" "$stage/etc-modules-load/"`
			`cp "$PKG_DIR/sudoers.d/apricot-health" "$stage/etc-sudoers/"`
			`cp "$PKG_DIR/systemd/apricot-cstate-tune.service" "$stage/etc-systemd/"`
			`cp "$PKG_DIR/systemd/apricot-crash-monitor.service" "$stage/user-systemd/"`
			`cp "$PKG_DIR/systemd/apricot-rail-watchdog.service" "$stage/user-systemd/"`

			`tar -czf "$stage/pkg.tar.gz" -C "$stage" bin root-sbin etc-modprobe etc-modules-load etc-sudoers etc-systemd user-systemd`
			`echo "==> staged $(du -h "$stage/pkg.tar.gz" \| cut -f1)"`

			`# --- ship it ------------------------------------------------------------`
			`scp -q "$stage/pkg.tar.gz" "$HOST:/tmp/apricot-health.tar.gz"`

			`ssh "$HOST" bash -s <<'REMOTE'`
			`set -euo pipefail`
			`echo "==> remote install"`

			`t=$(mktemp -d)`
			`tar -xzf /tmp/apricot-health.tar.gz -C "$t"`

			`# User-runnable scripts`
			`mkdir -p /var/home/lilith/bin`
			`install -m 0755 -o lilith -g lilith "$t"/bin/* /var/home/lilith/bin/`

			`# Root-only entrypoints (ostree-safe path under /var)`
			`sudo mkdir -p /var/opt/apricot-health/sbin`
			`sudo install -m 0755 -o root -g root "$t"/root-sbin/* /var/opt/apricot-health/sbin/`

			`# Kernel module config`
			`sudo install -m 0644 "$t"/etc-modprobe/it87.conf /etc/modprobe.d/it87.conf`
			`sudo install -m 0644 "$t"/etc-modules-load/it87.conf /etc/modules-load.d/it87.conf`

			`# Sudoers (visudo-check first — malformed sudoers can lock the user out)`
			`tmp_sudo=$(mktemp)`
			`cp "$t"/etc-sudoers/apricot-health "$tmp_sudo"`
			`if sudo visudo -cf "$tmp_sudo" >/dev/null 2>&1; then`
			`sudo install -m 0440 -o root -g root "$tmp_sudo" /etc/sudoers.d/apricot-health`
			`echo " sudoers: installed"`
			`else`
			`echo " sudoers: SYNTAX ERROR — not installing" >&2`
			`exit 1`
			`fi`
			`rm -f "$tmp_sudo"`

			`# Root systemd units`
			`sudo install -m 0644 "$t"/etc-systemd/apricot-cstate-tune.service /etc/systemd/system/`
			`sudo systemctl daemon-reload`
			`sudo systemctl enable --now apricot-cstate-tune.service`
			`echo " apricot-cstate-tune.service: enabled + started"`

			`# User systemd units (under lilith)`
			`sudo -u lilith mkdir -p /var/home/lilith/.config/systemd/user`
			`sudo -u lilith install -m 0644 "$t"/user-systemd/apricot-crash-monitor.service /var/home/lilith/.config/systemd/user/`
			`sudo -u lilith install -m 0644 "$t"/user-systemd/apricot-rail-watchdog.service /var/home/lilith/.config/systemd/user/`
			`sudo loginctl enable-linger lilith 2>/dev/null \|\| true`
			`sudo systemctl --user -M lilith@.host daemon-reload`
			`sudo systemctl --user -M lilith@.host enable --now apricot-crash-monitor.service`
			`sudo systemctl --user -M lilith@.host restart apricot-rail-watchdog.service 2>/dev/null \`
			`\|\| sudo systemctl --user -M lilith@.host enable --now apricot-rail-watchdog.service`
			`echo " user units: enabled + started"`

			`# Load it87 now if not yet loaded`
			`if ! lsmod \| grep -q '^it87 '; then`
			`sudo modprobe it87 force_id=0x8628 ignore_resource_conflict=1 \`
			`&& echo " it87 module: loaded" \`
			`\|\| echo " it87 module: load FAILED (try reboot)"`
			`fi`

			`rm -rf "$t" /tmp/apricot-health.tar.gz`
			`echo "==> install complete"`
			`REMOTE`

			`echo "==> done"`