turnstone/scripts/update.sh

#!/usr/bin/env bash
# update.sh — pull a branch and rebuild the Turnstone container.
#
# Usage (must run as root):
#   sudo bash /opt/turnstone/scripts/update.sh              # pull main
#   sudo bash /opt/turnstone/scripts/update.sh feat/live-watch   # test a branch
#
# Local files preserved across updates:
#   patterns/watch.yaml              — site-specific watch source config
#   data/corpus_watermark.txt        — corpus export watermark (last exported rowid)
#   data/incident_watermark.txt      — incident export watermark (last exported timestamp)
#   data/                            — database and live journal files (bind-mounted, untouched)

set -euo pipefail

BRANCH="${1:-main}"
REPO_DIR=/opt/turnstone
IMAGE=localhost/turnstone:latest

cd "$REPO_DIR"

echo "==> Turnstone update: branch=$BRANCH"

# ── Preserve site-local config ────────────────────────────────────────────────
# watch.yaml is tracked in git as a template but overridden per-host.
# Corpus watermarks track the last exported entry/incident — must survive updates
# or the next export run will re-push everything from the beginning.
# Back them up before the pull and restore after.
WATCH_YAML="$REPO_DIR/patterns/watch.yaml"
WATCH_BACKUP=""
if [ -f "$WATCH_YAML" ]; then
  WATCH_BACKUP=$(mktemp /tmp/watch-yaml.XXXXXX)
  cp "$WATCH_YAML" "$WATCH_BACKUP"
fi

CORPUS_WM="$REPO_DIR/data/corpus_watermark.txt"
INCIDENT_WM="$REPO_DIR/data/incident_watermark.txt"
CORPUS_WM_BACKUP=""
INCIDENT_WM_BACKUP=""
if [ -f "$CORPUS_WM" ]; then
  CORPUS_WM_BACKUP=$(mktemp /tmp/corpus-wm.XXXXXX)
  cp "$CORPUS_WM" "$CORPUS_WM_BACKUP"
fi
if [ -f "$INCIDENT_WM" ]; then
  INCIDENT_WM_BACKUP=$(mktemp /tmp/incident-wm.XXXXXX)
  cp "$INCIDENT_WM" "$INCIDENT_WM_BACKUP"
fi

# ── Pull ──────────────────────────────────────────────────────────────────────
git fetch --all --tags --quiet

# Switch branch if needed, creating a local tracking branch on first use
CURRENT=$(git rev-parse --abbrev-ref HEAD)
if [ "$CURRENT" != "$BRANCH" ]; then
  echo "==> Switching $CURRENT -> $BRANCH"
  git checkout "$BRANCH" 2>/dev/null \
    || git checkout -b "$BRANCH" "origin/$BRANCH"
fi

git pull --ff-only origin "$BRANCH"
COMMIT=$(git log -1 --format='%h %s')
echo "==> At: $COMMIT"

# ── Restore site-local config ─────────────────────────────────────────────────
if [ -n "$WATCH_BACKUP" ]; then
  cp "$WATCH_BACKUP" "$WATCH_YAML"
  rm -f "$WATCH_BACKUP"
  echo "==> Restored patterns/watch.yaml"
fi
if [ -n "$CORPUS_WM_BACKUP" ]; then
  cp "$CORPUS_WM_BACKUP" "$CORPUS_WM"
  rm -f "$CORPUS_WM_BACKUP"
  echo "==> Restored data/corpus_watermark.txt"
fi
if [ -n "$INCIDENT_WM_BACKUP" ]; then
  cp "$INCIDENT_WM_BACKUP" "$INCIDENT_WM"
  rm -f "$INCIDENT_WM_BACKUP"
  echo "==> Restored data/incident_watermark.txt"
fi

# ── Build ─────────────────────────────────────────────────────────────────────
echo "==> Building $IMAGE ..."
podman build -t "$IMAGE" "$REPO_DIR"

# ── Restart ───────────────────────────────────────────────────────────────────
echo "==> Restarting turnstone service ..."
systemctl restart turnstone

# ── Health check ─────────────────────────────────────────────────────────────
echo "==> Waiting for health check ..."
for i in $(seq 1 12); do
  sleep 3
  if curl -sf http://localhost:8534/turnstone/health > /dev/null 2>&1; then
    echo "==> OK — Turnstone up on branch '$BRANCH' @ ${COMMIT%% *}"
    exit 0
  fi
  echo "    attempt $i/12 ..."
done

echo "ERROR: health check timed out — check: journalctl -u turnstone -n 50"
exit 1