Installing the Tatuzim Agent

Requirements

  • Linux x86_64 or aarch64
  • Ubuntu 22.04+ / Debian 12+ (glibc >= 2.38)
  • systemd
  • Root access (installation via apt-get install)

1. Get the binary

Option A: download from the public CDN (recommended)

The signed binary is served from https://get.tatuzim.com. Full details are in Distribution via CDN.

ssh root@vps-01 << 'EOF'
ARCH=$(uname -m)   # x86_64 or aarch64
curl -fsSLo /usr/local/bin/tatuzim-agent     https://get.tatuzim.com/$ARCH/tatuzim-agent
curl -fsSLo /tmp/tatuzim-agent.minisig       https://get.tatuzim.com/$ARCH/tatuzim-agent.minisig
chmod +x /usr/local/bin/tatuzim-agent

# Recommended: verify the signature (if minisign is installed)
# minisign -V -P "RWSeTpgYV+16Z//WwZku61OpIYgaU8iyyN/dEYm7bOGru0vFTbdLSAcD" \
#     -x /tmp/tatuzim-agent.minisig -m /usr/local/bin/tatuzim-agent
EOF

This path does not install the systemd unit or the user; you need the .deb for that (Option B), or run the agent manually (skip to section 5).

Option B: local build + .deb

# On the hub where the code lives
cd /proj/tatuzim/server
cargo build --release --bin tatuzim-agent
cargo deb -p tatuzim-agent --no-build
ls target/debian/tatuzim-agent_*.deb

2. Copy and install the .deb (Option B only)

scp tatuzim-agent_0.1.0_amd64.deb root@vps-01:/tmp/
ssh root@vps-01 "apt-get install -y /tmp/tatuzim-agent_*.deb"

The .deb's postinst:

  • Creates the UNIX user tatuzim (uid 999) and the group tatuzim
  • Creates the directories under /var/lib/tatuzim-agent/ (mode 0750, owned by tatuzim:tatuzim)
  • Creates /etc/tatuzim-agent/ (mode 0755, root:root)
  • Installs the systemd unit /etc/systemd/system/tatuzim-agent.service (disabled)
  • Reloads systemd

3. Validate the installation

ssh root@vps-01 "
    /usr/local/bin/tatuzim-agent --help
    getent passwd tatuzim
    ls -la /var/lib/tatuzim-agent/
    systemctl status tatuzim-agent --no-pager | head
"

Expected output:

Tatuzim Agent daemon
Usage: tatuzim-agent <COMMAND>
Commands:
  enroll, identity, run, rotate, self-update

tatuzim:x:999:986:Tatuzim Agent:/home/tatuzim:/usr/sbin/nologin

drwxr-x---  5 tatuzim tatuzim 4096 ... .
drwxr-x---  2 tatuzim tatuzim 4096 ... identity
drwxr-x---  2 tatuzim tatuzim 4096 ... out
drwxr-x---  2 tatuzim tatuzim 4096 ... state

● tatuzim-agent.service - Tatuzim Agent
     Loaded: loaded (/etc/systemd/system/tatuzim-agent.service; disabled; ...)
     Active: inactive (dead)

4. Copy the step-ca root CA

The agent needs the step-ca root CA in order to trust the Tatuzim Server (mTLS):

# On the hub
docker exec dev_stepca_tatuzim cat /home/step/certs/root_ca.crt > /tmp/stepca-root.pem

scp /tmp/stepca-root.pem root@vps-01:/etc/tatuzim-agent/stepca-root.pem
ssh root@vps-01 "chmod 0644 /etc/tatuzim-agent/stepca-root.pem"

5. Create the systemd config file

ssh root@vps-01 "cat > /etc/tatuzim-agent/env << 'EOF'
TATUZIM_SERVER_URL=https://tatuzim.dev.borlot.com.br
TATUZIM_SERVER_MTLS_URL=https://tatuzim.dev.borlot.com.br:8443
TATUZIM_SERVER_CA_PATH=/etc/tatuzim-agent/stepca-root.pem
TATUZIM_AGENT_HOSTNAME=vps-01
TATUZIM_AGENT_ROLE=mautic
TATUZIM_AGENT_DATA_DIR=/var/lib/tatuzim-agent
TATUZIM_AGENT_POLL_INTERVAL=30s
TATUZIM_AGENT_RENEWAL_THRESHOLD=6h
RUST_LOG=info
EOF
chmod 0644 /etc/tatuzim-agent/env"

The systemd unit (tatuzim-agent.service) already references this file via EnvironmentFile=-/etc/tatuzim-agent/env.
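
As an added example (not part of the original page or of the agent's own code), a small Python linter for the env file above: it parses the KEY=VALUE lines and flags non-https server URLs, relative paths and malformed durations before the unit is enabled. The required-key list and the duration format (30s, 6h) are assumptions taken from the sample file, not from the agent's own parser.

```python
import re

# Keys the unit needs; the duration format (30s, 6h) is an assumption from the sample file.
REQUIRED = ("TATUZIM_SERVER_URL", "TATUZIM_SERVER_MTLS_URL", "TATUZIM_SERVER_CA_PATH",
            "TATUZIM_AGENT_HOSTNAME", "TATUZIM_AGENT_ROLE", "TATUZIM_AGENT_DATA_DIR")
DURATION = re.compile(r"^[1-9]\d*(ms|s|m|h)$")

def parse_env(text):
    """Parse KEY=VALUE lines the way systemd's EnvironmentFile reads simple values."""
    env = {}
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError(f"line {n}: expected KEY=VALUE, got {line!r}")
        key, value = line.split("=", 1)
        env[key.strip()] = value.strip().strip('"\'')
    return env

def lint_env(env):
    """Return a list of findings; an empty list means the file is consistent with the unit."""
    findings = [f"{k}: missing" for k in REQUIRED if not env.get(k)]
    for key in ("TATUZIM_SERVER_URL", "TATUZIM_SERVER_MTLS_URL"):
        if env.get(key) and not env[key].startswith("https://"):
            findings.append(f"{key}: must use https://, got {env[key]}")
    for key in ("TATUZIM_SERVER_CA_PATH", "TATUZIM_AGENT_DATA_DIR"):
        if env.get(key) and not env[key].startswith("/"):
            findings.append(f"{key}: must be an absolute path, got {env[key]}")
    for key in ("TATUZIM_AGENT_POLL_INTERVAL", "TATUZIM_AGENT_RENEWAL_THRESHOLD"):
        if key in env and not DURATION.match(env[key]):
            findings.append(f"{key}: expected a duration like 30s or 6h, got {env[key]!r}")
    return findings

# Constructed sample: the file from step 5 above, plus a deliberately broken variant.
GOOD_ENV = """\
TATUZIM_SERVER_URL=https://tatuzim.dev.borlot.com.br
TATUZIM_SERVER_MTLS_URL=https://tatuzim.dev.borlot.com.br:8443
TATUZIM_SERVER_CA_PATH=/etc/tatuzim-agent/stepca-root.pem
TATUZIM_AGENT_HOSTNAME=vps-01
TATUZIM_AGENT_ROLE=mautic
TATUZIM_AGENT_DATA_DIR=/var/lib/tatuzim-agent
TATUZIM_AGENT_POLL_INTERVAL=30s
TATUZIM_AGENT_RENEWAL_THRESHOLD=6h
RUST_LOG=info
"""
BAD_ENV = (GOOD_ENV.replace("https://tatuzim.dev.borlot.com.br:8443", "http://tatuzim.dev.borlot.com.br:8443")
           .replace("CA_PATH=/etc", "CA_PATH=etc").replace("INTERVAL=30s", "INTERVAL=30"))
```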

6. Initial enrollment

Do not enable the systemd unit yet; the one-time enrollment has to happen first.

See First Enrollment for that step.

Structure created by the .deb

/usr/local/bin/tatuzim-agent          (binary, root:root, 0755)

/etc/tatuzim-agent/                    (config, root:root, 0755)
├── env                                (env vars for systemd)
└── stepca-root.pem                    (step-ca root CA for mTLS trust)

/var/lib/tatuzim-agent/                (data, tatuzim:tatuzim, 0750)
├── identity/                          (cert + key after enroll)
├── out/                               (artifacts for other processes)
├── state/                             (processed.json: idempotency)
└── hooks/                             (create and populate as needed)

/etc/systemd/system/tatuzim-agent.service   (unit, disabled by default)
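
Added example (not the project's own code) that scripts the checks of step 3 against the listing above: it verifies mode, owner and group of each path from a table, refuses symlinks, and can be pointed at a staging root. Paths, modes and owners come from the listing; demo_staged_tree builds a constructed fixture in a tempdir with identity/ deliberately left 0755 to show what a finding looks like.

```python
import os, stat, pwd, grp, tempfile

# Expected layout from the listing above (hooks/ is created on demand, so not checked).
EXPECTED_LAYOUT = [  # (path, is_dir, mode, owner, group)
    ("/usr/local/bin/tatuzim-agent", False, 0o755, "root", "root"),
    ("/etc/tatuzim-agent", True, 0o755, "root", "root"),
    ("/etc/tatuzim-agent/env", False, 0o644, "root", "root"),
    ("/var/lib/tatuzim-agent", True, 0o750, "tatuzim", "tatuzim"),
    ("/var/lib/tatuzim-agent/identity", True, 0o750, "tatuzim", "tatuzim"),
    ("/var/lib/tatuzim-agent/state", True, 0o750, "tatuzim", "tatuzim"),
]

def owner_names(st):  # uid/gid as names; numeric strings if the account is missing
    try:
        return pwd.getpwuid(st.st_uid).pw_name, grp.getgrgid(st.st_gid).gr_name
    except KeyError:
        return str(st.st_uid), str(st.st_gid)
def check_entry(path, is_dir, mode, owner, group):
    """Return findings for one path (empty list = OK); a symlink is never accepted."""
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return [f"{path}: missing"]
    findings = []
    if stat.S_ISLNK(st.st_mode) or is_dir != stat.S_ISDIR(st.st_mode):
        findings.append(f"{path}: wrong type (symlink, or file/directory mismatch)")
    if stat.S_IMODE(st.st_mode) != mode:
        findings.append(f"{path}: mode {stat.S_IMODE(st.st_mode):04o}, expected {mode:04o}")
    if owner_names(st) != (owner, group):
        findings.append(f"{path}: owner {':'.join(owner_names(st))}, expected {owner}:{group}")
    return findings
def check_layout(layout, root="/"):  # point root at a staging dir to check an image
    findings = []
    for rel, is_dir, mode, owner, group in layout:
        findings += check_entry(os.path.join(root, rel.lstrip("/")), is_dir, mode, owner, group)
    return findings
def demo_staged_tree():
    """Constructed fixture: the layout in a tempdir owned by the current user, identity/ left 0755."""
    with tempfile.TemporaryDirectory() as root:
        user, group = owner_names(os.stat(root))
        layout = [(p, d, m, user, group) for p, d, m, _, _ in EXPECTED_LAYOUT]
        for rel, is_dir, mode, _, _ in layout:
            path = os.path.join(root, rel.lstrip("/"))
            os.makedirs(path if is_dir else os.path.dirname(path), exist_ok=True)
            if not is_dir:
                open(path, "w").close()
            os.chmod(path, mode)
        os.chmod(os.path.join(root, "var/lib/tatuzim-agent/identity"), 0o755)
        return check_layout(layout, root)
```

Run check_layout(EXPECTED_LAYOUT) as root on the VPS after step 2; every finding is a deviation from the .deb's postinst.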

systemd unit (reference)

[Unit]
Description=Tatuzim Agent
After=network-online.target
Wants=network-online.target

[Service]
Type=simple
User=tatuzim
Group=tatuzim
EnvironmentFile=-/etc/tatuzim-agent/env
ExecStart=/usr/local/bin/tatuzim-agent run
Restart=on-failure
RestartSec=10s

# Hardening
ProtectSystem=strict
ReadWritePaths=/var/lib/tatuzim-agent
ProtectHome=true
NoNewPrivileges=true
PrivateTmp=true

[Install]
WantedBy=multi-user.target

Uninstall

ssh root@vps-01 "
    systemctl stop tatuzim-agent
    apt-get remove tatuzim-agent     # keeps data
    # or
    apt-get purge tatuzim-agent      # removes user + data
"

Self-update (after the first installation)

From v0.1.0 on, an installed agent updates itself from the CDN:

ARCH=$(uname -m)
sudo tatuzim-agent self-update --url https://get.tatuzim.com/$ARCH

It verifies the minisign signature against the embedded public key and swaps the binary in atomically.

Next steps

By Borlot.com.br on 23/05/2026