#!/bin/sh
# =============================================================================
# Srasta Platform — Quick Install
#
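# Default mode (today's behavior):
#   curl -fsSL https://get.srasta.ai | sh
#   - docker pulls srasta/installer:latest
#   - runs the installer wizard on port 9000
#   - no signature or digest check: the image is whatever the mutable
#     :latest tag resolves to at pull time (use bundle mode for a pinned,
#     verified image)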
#
# Bundle mode (P3.2.2 of #165):
#   curl -fsSL https://get.srasta.ai | sh -s -- --bundle v1.0.0
#   - downloads the v1.0.0 release bundle from GitLab Releases
#   - cosign-verifies the signature (Sigstore-keyless)
#   - sha256-verifies the tarball
#   - extracts + runs the installer image at the digest pinned in the
#     bundle's release-manifest.json.  Cryptographically anchored install.
#
# The installer handles everything else: hardware detection, model selection,
# service deployment, secrets management, and TLS certificate provisioning.
# =============================================================================
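set -e

# Defaults. SRASTA_INSTALLER_IMAGE, SRASTA_PORT and SRASTA_GITLAB_URL override
# the built-in values from the environment; command-line flags override both.
# NOTE(review): the default image is a mutable tag and is pulled without any
# signature or digest verification. Only --bundle pins the image to a digest.
INSTALLER_IMAGE="${SRASTA_INSTALLER_IMAGE:-srasta/installer:latest}"
INSTALLER_PORT="${SRASTA_PORT:-9000}"
CONTAINER_NAME="srasta-installer"
BUNDLE_VERSION=""
SRASTA_GITLAB_URL="${SRASTA_GITLAB_URL:-https://gitlab.com/gandiva-tech/srasta}"

# Print an error to stderr and abort the install.
#   $* - message text
srasta_usage_error() {
    printf 'ERROR: %s\n' "$*" >&2
    exit 1
}

# Parse command-line flags into the globals above, then validate the port.
#   $@ - the script's arguments (--port N, --image REF, --name NAME,
#        --bundle VERSION)
# Exits 1 on an unknown flag, a flag without a value, an empty --bundle
# value, or a port that is not an integer in 1..65535.
srasta_parse_args() {
    while [ $# -gt 0 ]; do
        # Every known flag takes a value. Without this guard a trailing flag
        # makes "shift 2" fail with no explanation.
        case "$1" in
            --port|--image|--name|--bundle)
                [ $# -ge 2 ] || srasta_usage_error "option $1 requires a value"
                ;;
        esac
        case "$1" in
            --port)    INSTALLER_PORT="$2"; shift 2 ;;
            --image)   INSTALLER_IMAGE="$2"; shift 2 ;;
            --name)    CONTAINER_NAME="$2";  shift 2 ;;
            --bundle)
                # An empty version (e.g. an unset variable in a wrapper
                # script) would silently fall back to the unverified default
                # mode, so refuse it instead of downgrading.
                [ -n "$2" ] || srasta_usage_error "--bundle requires a non-empty version"
                BUNDLE_VERSION="$2"; shift 2 ;;
            *)         echo "Unknown option: $1" >&2; exit 1 ;;
        esac
    done

    # The port is later interpolated into "docker run -p" and an lsof
    # selector, so accept digits only and keep it inside the TCP port range.
    case "$INSTALLER_PORT" in
        ''|*[!0-9]*)
            srasta_usage_error "port must be an integer between 1 and 65535 (got '${INSTALLER_PORT}')"
            ;;
    esac
    if [ "${#INSTALLER_PORT}" -gt 5 ] \
        || [ "$INSTALLER_PORT" -lt 1 ] \
        || [ "$INSTALLER_PORT" -gt 65535 ]; then
        srasta_usage_error "port must be an integer between 1 and 65535 (got '${INSTALLER_PORT}')"
    fi
}

srasta_parse_args "$@"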

# Banner: a blank line, the three-line box, and a trailing blank line.
printf '%s\n' \
    "" \
    "  ┌─────────────────────────────────────┐" \
    "  │       Srasta Platform Installer      │" \
    "  └─────────────────────────────────────┘" \
    ""

# ── Preflight ────────────────────────────────────────────────────────────────

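# Preflight: fail early, with diagnostics on stderr, before anything is
# downloaded or started.

# 1. The docker CLI must be on PATH.
if ! command -v docker >/dev/null 2>&1; then
    echo "ERROR: Docker is not installed." >&2
    echo "  Install Docker: https://docs.docker.com/get-docker/" >&2
    exit 1
fi

# 2. The daemon must be reachable by the current user.
if ! docker info >/dev/null 2>&1; then
    echo "ERROR: Docker daemon is not running." >&2
    echo "  Start Docker and try again." >&2
    exit 1
fi

# 3. Best-effort port check, skipped when lsof is absent. Only TCP listeners
#    count: a plain "-i :PORT" also matches unrelated sockets whose *remote*
#    port happens to be the same number. -n/-P skip name lookups.
#    An unprivileged lsof may not see other users' sockets, so a clean result
#    here is not a guarantee that the port is free.
if command -v lsof >/dev/null 2>&1; then
    if lsof -nP -iTCP:"${INSTALLER_PORT}" -sTCP:LISTEN >/dev/null 2>&1; then
        echo "ERROR: Port ${INSTALLER_PORT} is already in use." >&2
        echo "  Use --port N to choose a different port." >&2
        exit 1
    fi
fi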

# ── Bundle mode ──────────────────────────────────────────────────────────────

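# Returns 0 when $1 is safe to place in a URL path segment and a file name:
# non-empty, not starting with '.' or '-', and made only of [A-Za-z0-9._+-].
# This keeps "/" and ".." out of ${WORKDIR}/${BUNDLE} and out of the URL.
srasta_valid_bundle_version() {
    case "$1" in
        ''|.*|-*|*[!A-Za-z0-9._+-]*) return 1 ;;
    esac
    return 0
}

# Returns 0 when $1 has the form sha256:<64 lowercase hex characters>.
# jq -r prints the literal string "null" for a missing field, which a plain
# emptiness test would accept.
srasta_valid_digest() {
    case "$1" in
        sha256:*) _srasta_hex="${1#sha256:}" ;;
        *)        return 1 ;;
    esac
    [ "${#_srasta_hex}" -eq 64 ] || return 1
    case "$_srasta_hex" in
        *[!0-9a-f]*) return 1 ;;
    esac
    return 0
}

# Bundle mode: download a release bundle, verify it, and replace
# INSTALLER_IMAGE with the name@digest recorded in the bundle's
# release-manifest.json. Skipped entirely when --bundle was not given.
if [ -n "$BUNDLE_VERSION" ]; then
    if ! srasta_valid_bundle_version "$BUNDLE_VERSION"; then
        echo "ERROR: invalid bundle version '${BUNDLE_VERSION}' (allowed: letters, digits, '.', '_', '+', '-')." >&2
        exit 1
    fi
    echo "Bundle mode: ${BUNDLE_VERSION}"

    for cmd in curl tar sha256sum cosign jq; do
        if ! command -v "$cmd" >/dev/null 2>&1; then
            echo "ERROR: bundle mode requires '$cmd' (not found in PATH)." >&2
            echo "  cosign:   brew install cosign  / github.com/sigstore/cosign" >&2
            echo "  jq + tar: usually preinstalled or via your package manager" >&2
            exit 1
        fi
    done

    # Private scratch directory, removed on every exit path. ":?" makes the
    # cleanup refuse to run with an empty path.
    WORKDIR="$(mktemp -d -t srasta-install.XXXXXX)"
    trap 'rm -rf -- "${WORKDIR:?}"' EXIT

    # SRASTA_GITLAB_URL may be overridden from the environment. That is
    # acceptable only because the signer identity checked below is hard-coded
    # and does not follow the override.
    BASE_URL="${SRASTA_GITLAB_URL}/-/releases/${BUNDLE_VERSION}/downloads"
    BUNDLE="srasta-${BUNDLE_VERSION}.tar.gz"

    echo "Fetching bundle from ${BASE_URL}/${BUNDLE} ..."
    for suffix in "" ".sha256" ".sig"; do
        if ! curl -fsSL -o "${WORKDIR}/${BUNDLE}${suffix}" "${BASE_URL}/${BUNDLE}${suffix}"; then
            echo "ERROR: failed to download ${BASE_URL}/${BUNDLE}${suffix}" >&2
            exit 1
        fi
    done

    # The .sha256 file is served from the same place as the tarball, so this
    # step only detects a corrupted or truncated download. Authenticity comes
    # from the cosign check that follows.
    echo "Verifying sha256 ..."
    if ! ( cd "$WORKDIR" && sha256sum -c "${BUNDLE}.sha256" ); then
        echo "ERROR: sha256 mismatch for ${BUNDLE}" >&2
        exit 1
    fi

    # Keyless verification: the signing certificate must have been issued for
    # this project's CI configuration by the gitlab.com OIDC issuer.
    # The pattern is anchored with ^...$ because cosign treats it as a regular
    # expression that may otherwise match anywhere inside the identity string.
    # NOTE(review): "@.+" accepts a certificate issued for any ref of the
    # project, not only release tags. If bundles are signed from protected
    # tags only, narrow this to that ref pattern (confirm the exact identity
    # string the release pipeline produces first).
    echo "Verifying cosign signature (Sigstore keyless) ..."
    if ! cosign verify-blob \
        --certificate-identity-regexp '^https://gitlab\.com/gandiva-tech/srasta//\.gitlab-ci\.yml@.+$' \
        --certificate-oidc-issuer 'https://gitlab.com' \
        --bundle "${WORKDIR}/${BUNDLE}.sig" \
        "${WORKDIR}/${BUNDLE}" >/dev/null; then
        echo "ERROR: cosign signature verification failed for ${BUNDLE}" >&2
        exit 1
    fi

    # Extraction is reached only after both checks above have passed, so tar
    # never processes an unauthenticated archive.
    echo "Extracting ..."
    if ! ( cd "$WORKDIR" && tar -xzf "${BUNDLE}" ); then
        echo "ERROR: failed to extract ${BUNDLE}" >&2
        exit 1
    fi

    EXTRACTED="$(find "$WORKDIR" -maxdepth 1 -type d -name 'srasta-*' | head -1)"
    if [ -z "$EXTRACTED" ]; then
        echo "ERROR: extracted bundle not found in $WORKDIR" >&2
        exit 1
    fi

    # Pull the installer by digest from the verified manifest.
    INSTALLER_DIGEST="$(jq -r '.images[] | select(.name | endswith("/installer")) | .digest' "${EXTRACTED}/release-manifest.json" | head -1)"
    INSTALLER_NAME="$(jq -r '.images[] | select(.name | endswith("/installer")) | .name' "${EXTRACTED}/release-manifest.json" | head -1)"
    if [ -z "$INSTALLER_DIGEST" ] || [ -z "$INSTALLER_NAME" ]; then
        echo "ERROR: installer image not found in bundle's release-manifest.json" >&2
        exit 1
    fi
    # Refuse anything that is not a real content digest, so the pull below can
    # never quietly degrade to a tag or to "name@null".
    if ! srasta_valid_digest "$INSTALLER_DIGEST"; then
        echo "ERROR: installer digest in release-manifest.json is not a sha256 digest: '${INSTALLER_DIGEST}'" >&2
        exit 1
    fi
    INSTALLER_IMAGE="${INSTALLER_NAME}@${INSTALLER_DIGEST}"
    echo "Cryptographically anchored installer: ${INSTALLER_IMAGE}"
fi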

# ── Pull + Start ─────────────────────────────────────────────────────────────

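# Pull the installer image (a mutable tag in default mode, name@digest in
# bundle mode) and start it detached.
echo "Pulling installer image..."
if ! docker pull "${INSTALLER_IMAGE}"; then
    echo "ERROR: Failed to pull ${INSTALLER_IMAGE}" >&2
    echo "  Check your Docker Hub credentials or network." >&2
    exit 1
fi

# Stop existing container if any
docker rm -f "${CONTAINER_NAME}" 2>/dev/null || true

# A bind mount whose host path is missing is created by the Docker daemon,
# which leaves a root-owned ~/.ssh that the user's own ssh tooling can no
# longer write to. Create it first with the usual private mode.
if [ ! -e "${HOME}/.ssh" ]; then
    mkdir -p -m 700 "${HOME}/.ssh"
fi

# NOTE(review): what this container is trusted with:
#   - /var/run/docker.sock gives it full control of the Docker daemon, which
#     is effectively root on this host;
#   - ${HOME}/.ssh is mounted read-only, but private keys in it are readable
#     inside the container;
#   - "-p PORT:9000" publishes by default on every host interface, not just
#     loopback, so the wizard is reachable from the network unless a firewall
#     blocks it;
#   - "--restart unless-stopped" keeps it running across reboots until it is
#     stopped or removed.
# Stop and remove the container once the install has finished.
echo "Starting installer on port ${INSTALLER_PORT}..."
docker run -d \
    --name "${CONTAINER_NAME}" \
    --restart unless-stopped \
    -p "${INSTALLER_PORT}:9000" \
    -v /var/run/docker.sock:/var/run/docker.sock \
    -v "${HOME}/.ssh:/home/srasta/.ssh:ro" \
    "${INSTALLER_IMAGE}"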

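# Wait for health: once per second, for at most 30 attempts, ask the version
# endpoint from inside the container. Probing via "docker exec" means the host
# needs no HTTP client of its own.
# A counter loop is used instead of seq, which POSIX sh does not guarantee.
echo "Waiting for installer to start..."
INSTALLER_READY=0
ATTEMPT=0
while [ "$ATTEMPT" -lt 30 ]; do
    if docker exec "${CONTAINER_NAME}" python3 -c "import urllib.request; urllib.request.urlopen('http://localhost:9000/api/version')" 2>/dev/null; then
        INSTALLER_READY=1
        break
    fi
    ATTEMPT=$((ATTEMPT + 1))
    sleep 1
done

URL="http://localhost:${INSTALLER_PORT}"

# Do not announce "ready" when the endpoint never answered. Say so, and point
# at the container logs.
if [ "$INSTALLER_READY" -ne 1 ]; then
    echo "ERROR: installer did not answer on its version endpoint within 30 seconds." >&2
    echo "  Inspect it with: docker logs ${CONTAINER_NAME}" >&2
    echo "  If it is still starting, open ${URL} once it is up." >&2
    exit 1
fi

# Version string as reported by the installer itself; "unknown" if the query
# fails.
VERSION=$(docker exec "${CONTAINER_NAME}" python3 -c "import urllib.request, json; print(json.load(urllib.request.urlopen('http://localhost:9000/api/version'))['version'])" 2>/dev/null || echo "unknown")

echo ""
echo "  Srasta Installer v${VERSION} is ready!"
echo ""
echo "  Open your browser:"
echo "    ${URL}"
echo ""
echo "  For multi-host installs, ensure SSH keys are at ~/.ssh/"
echo "  To stop:  docker stop ${CONTAINER_NAME}"
echo "  To remove: docker rm ${CONTAINER_NAME}"
echo ""

# Try to open browser (best-effort): xdg-open first, then open. Failures are
# ignored on purpose.
if command -v xdg-open >/dev/null 2>&1; then
    xdg-open "${URL}" 2>/dev/null || true
elif command -v open >/dev/null 2>&1; then
    open "${URL}" 2>/dev/null || true
fi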
