Add ansible/scripts/deploy-bezalel.sh

ansible/scripts/deploy-bezalel.sh

@@ -0,0 +1,72 @@
+#!/usr/bin/env bash
+# deploy-bezalel.sh — One-command Bezalel deployment
+#
+# Usage:
+#   ./deploy-bezalel.sh          # Full deploy
+#   ./deploy-bezalel.sh --check  # Dry run
+#   ./deploy-bezalel.sh --config # Config only
+#
+# Requires: ansible-playbook, SSH access to 159.203.146.185
+
+set -euo pipefail
+
+SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
+INVENTORY="$SCRIPT_DIR/../inventory/hosts.yml"
+PLAYBOOK="$SCRIPT_DIR/../playbooks/site.yml"
+WIZARD="bezalel"
+VPS="159.203.146.185"
+
+log() { echo "[deploy-bezalel] $*"; }
+
+# Pre-flight checks
+if ! command -v ansible-playbook &>/dev/null; then
+    echo "ERROR: ansible-playbook not found" >&2
+    exit 1
+fi
+
+if [ ! -f "$INVENTORY" ]; then
+    echo "ERROR: Inventory not found at $INVENTORY" >&2
+    exit 1
+fi
+
+# Test SSH connectivity
+log "Testing SSH connectivity to $VPS..."
+if ! ssh -o ConnectTimeout=10 -o StrictHostKeyChecking=accept-new "root@$VPS" "echo 'SSH OK'" 2>/dev/null; then
+    echo "ERROR: Cannot reach $VPS via SSH" >&2
+    exit 1
+fi
+
+# Parse args
+EXTRA_ARGS="--limit $WIZARD"
+if [ "${1:-}" = "--check" ]; then
+    EXTRA_ARGS="$EXTRA_ARGS --check --diff"
+    log "DRY RUN mode"
+elif [ "${1:-}" = "--config" ]; then
+    EXTRA_ARGS="$EXTRA_ARGS --tags golden,config"
+    log "CONFIG ONLY mode"
+fi
+
+log "Deploying $WIZARD to $VPS..."
+ansible-playbook -i "$INVENTORY" "$PLAYBOOK" $EXTRA_ARGS
+
+# Post-deploy validation
+log "Validating deployment..."
+ssh "root@$VPS" bash <<'REMOTE'
+echo "=== Systemd status ==="
+systemctl is-active hermes-bezalel 2>/dev/null || echo "hermes-bezalel service not active (may need manual start)"
+
+echo "=== Directory structure ==="
+ls -la /root/wizards/bezalel/ 2>/dev/null || echo "wizard dir missing"
+
+echo "=== Config check ==="
+if [ -f /root/wizards/bezalel/config.yaml ]; then
+    echo "config.yaml exists ($(wc -c < /root/wizards/bezalel/config.yaml) bytes)"
+else
+    echo "config.yaml MISSING"
+fi
+
+echo "=== Banned provider scan ==="
+grep -ri 'anthropic\|claude-sonnet\|claude-opus\|claude-haiku' /root/wizards/bezalel/config.yaml 2>/dev/null && echo "BANNED PROVIDER FOUND" || echo "Clean"
+REMOTE
+
+log "Deployment complete."

wizards/bezalel/README.md

@@ -0,0 +1,44 @@
+# Bezalel wizard house
+
+Bezalel is the forge-and-testbed wizard.
+
+Role:
+- Infrastructure, deployment, hardening
+- GPU orchestration and model serving
+- Testbed for new patterns before fleet-wide rollout
+- Builder — constructs what others dispatch
+
+This directory holds the remote house template:
+- `config.yaml` — Hermes house config
+- `hermes-bezalel.service` — systemd unit
+
+Secrets do not live here.
+`KIMI_API_KEY` and `OPENROUTER_API_KEY` must be injected at deploy time
+into `/root/wizards/bezalel/home/.env`.
+
+## Deployment
+
+```bash
+ansible-playbook -i ../inventory/hosts.yml ../playbooks/site.yml --limit bezalel
+```
+
+Or manual:
+
+```bash
+ssh root@159.203.146.185
+cd /root/wizards/bezalel
+# clone hermes-agent, create venv, install deps
+cp wizards/bezalel/config.yaml home/config.yaml
+systemctl enable --now hermes-bezalel
+```
+
+## Ports
+
+- API server: 8656
+- Webhook: 8646
+
+## VPS
+
+- Host: 159.203.146.185
+- User: root
+- Type: DigitalOcean s-1vcpu-2gb

wizards/bezalel/hermes-bezalel.service

@@ -0,0 +1,16 @@
+[Unit]
+Description=Hermes Bezalel Wizard House — Forge & Testbed
+After=network-online.target
+Wants=network-online.target
+
+[Service]
+Type=simple
+WorkingDirectory=/root/wizards/bezalel/hermes-agent
+Environment=HERMES_HOME=/root/wizards/bezalel/home
+EnvironmentFile=/root/wizards/bezalel/home/.env
+ExecStart=/root/wizards/bezalel/hermes-agent/.venv/bin/hermes gateway run --replace
+Restart=always
+RestartSec=10
+
+[Install]
+WantedBy=multi-user.target