Background
bin/install.sh clones the entire Anthias repo to ~/anthias and leaves it there forever. That tree is ~15 MB of git history, source, dockerfiles, ansible, tests, etc. — but very little of it is actually used after the playbook finishes.

Audit of what ~/anthias contributes at runtime / upgrade time:

staticfiles/: yes; no (after #2846). Bind-mounted into anthias-server as /data/anthias/staticfiles. Container runs collectstatic --clear at startup and WhiteNoise serves from it. So the host dir is just a writable scratch path — the content comes from the container, not the repo. Resolved in #2846: collectstatic now runs at image build, STATIC_ROOT is read-only inside the image, host bind-mount removed.
docker-compose.yml.tmpl: yes. upgrade_containers.sh runs envsubst over it on every upgrade.
bin/upgrade_containers.sh
bin/migrate_legacy_paths.sh: upgrade_containers.sh.
bin/enable_ssl.sh
ansible/, src/, docker/, tests/, static/, webview/, ...

So the actual runtime/upgrade surface is one compose template, three shell scripts, and one bind-mount target dir. Everything else is install-only.

This came up while reviewing #2842 / #2843, where moving installer_venv to a mktemp -d made the same observation possible: install-time state shouldn't persist. Same logic applies to the cloned repo.

Proposed layout
Install-time:
clone_repo writes to a mktemp -d (same pattern as installer_venv after fix(install): tmpdir installer_venv on Bookworm; drop getmac dep #2843).
The handful of artifacts that need to persist get installed to the system paths above.
The tmpdir is wiped on EXIT.

After install, ~/anthias doesn't exist. Operators who want to inspect "what's running" use cat /usr/local/sbin/anthias-upgrade and ~/version.md (or a new anthias --version).

Sub-tasks
Drop the staticfiles/ host bind-mount. Done in chore(server): bake collectstatic into image, drop runtime scratch mount #2846: collectstatic now runs at image build (docker/Dockerfile.server.j2), STATIC_ROOT lives inside the read-only image layer (/usr/src/app/staticfiles), and the bind-mount + the runtime invocation are gone. Operators can rm -rf ~/anthias/staticfiles after upgrading.
Move runtime shell scripts to /usr/local/sbin/. upgrade_containers.sh and migrate_legacy_paths.sh should live in a system path, not in a user-owned git tree. Keep /usr/local/sbin/upgrade_anthias.sh (the install.sh re-download) as the upgrade entry point.
Move docker-compose.yml.tmpl to /etc/anthias/. The rendered docker-compose.yml lives next to it. Update the upgrade script's compose-file path accordingly.
clone_repo ephemeral. mktemp -d for the install-time tree, EXIT trap to clean up. Aligns the architecture with the post-#2843 (fix(install): tmpdir installer_venv on Bookworm; drop getmac dep) installer_venv flow.
Migration for existing installs. bin/migrate_legacy_paths.sh already handles ~/screenly → ~/anthias; add a phase that lifts artifacts out of ~/anthias to their new homes, leave a back-compat symlink for one release cycle. We just shipped the screenly→anthias rename in 3c96b541, so this would be the second path-migration generation in flight at once — needs careful handling.
Update install/upgrade docs. Hugo site under docs/ references ~/anthias paths; sweep them.

Why this isn't part of #2843
--python + tmpdir fix needs to land first and get to users.
We just shipped the screenly→anthias rename; layering another path migration on top of that means existing devices run two migrations simultaneously and we ship two compat-symlink generations at once. User-facing disruption compounds.
The new architecture is straightforward; the migration for existing devices is the hard part, and warrants its own design pass and review cycle.

Acceptance criteria
After this work, on a fresh install:
~/anthias does not exist (no symlink either, after the migration cycle).
bin/install.sh does not leave any persistent state in $HOME other than ~/.anthias (data) and ~/anthias_assets (uploads).
upgrade_containers.sh (or its successor) reads/writes only /etc/anthias/ and /var/lib/anthias/.
Existing devices on the legacy layout migrate cleanly via migrate_legacy_paths.sh and keep working through one release cycle of back-compat symlinks.
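
The install-time flow proposed in this issue (stage the tree in a mktemp -d, copy only the persisted artifacts to system paths, wipe the stage on EXIT), as an added example that is not Anthias's installer code. Assumptions: `fetch_tree` is a hypothetical stand-in for clone_repo that builds a small constructed tree, and the `destdir` argument is a hypothetical prefix so the flow can run offline and without root.

```shell
#!/bin/sh
# Added example, not Anthias's install.sh. The destdir argument and the
# constructed source tree let the flow run offline and without root.

# Stand-in for clone_repo: builds a small constructed tree instead of cloning.
fetch_tree() {
    mkdir -p "$1/bin" "$1/ansible"
    printf '#!/bin/sh\necho upgrade\n' > "$1/bin/upgrade_containers.sh"
    printf '#!/bin/sh\necho migrate\n' > "$1/bin/migrate_legacy_paths.sh"
    printf 'services: {}\n' > "$1/docker-compose.yml.tmpl"
    printf 'install-only\n' > "$1/ansible/site.yml"
}

# Runs in a subshell so the EXIT trap fires when the function returns, even if
# a step fails. Prints the staging path so the caller can confirm it is gone.
install_ephemeral() (
    destdir=$1
    stage=$(mktemp -d) || exit 1
    trap 'rm -rf "$stage"' EXIT
    set -e
    fetch_tree "$stage"
    # Explicit modes: the result does not depend on the caller's umask.
    install -d -m 0755 "$destdir/usr/local/sbin" "$destdir/etc/anthias"
    install -m 0755 "$stage/bin/upgrade_containers.sh" \
        "$stage/bin/migrate_legacy_paths.sh" "$destdir/usr/local/sbin/"
    install -m 0644 "$stage/docker-compose.yml.tmpl" "$destdir/etc/anthias/"
    printf '%s\n' "$stage"
)

# Lists installed files or directories that group or others can write.
# Empty output means the persisted upgrade surface is owner-writable only.
loose_files() {
    find "$1/usr/local/sbin" "$1/etc/anthias" \
        \( -perm -020 -o -perm -002 \) -print
}
```

With an empty `destdir` and the script run as root, the two scripts and the compose template end up root-owned under /usr/local/sbin and /etc/anthias, which is the property the "not in a user-owned git tree" sub-task asks for.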