Add contained MEV backend CT runbook

scripts/deployment/provision-mev-control-backend-lxc.sh

@@ -0,0 +1,74 @@
+#!/usr/bin/env bash
+# Provision a dedicated backend LXC for the MEV Control stack.
+#
+# Intended topology:
+# - Public GUI/static nginx remains on CT 2410 (info-defi-oracle-web)
+# - This backend CT runs mev-admin-api, mev-supervisor, pipeline services, and local infra
+# - CT 2410 proxies /api/* to this backend CT
+#
+# Usage:
+#   bash scripts/deployment/provision-mev-control-backend-lxc.sh [--dry-run]
+#
+set -euo pipefail
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+PROJECT_ROOT="$(cd "$SCRIPT_DIR/../.." && pwd)"
+# shellcheck source=/dev/null
+source "${PROJECT_ROOT}/config/ip-addresses.conf" 2>/dev/null || true
+
+PROXMOX_HOST="${PROXMOX_HOST:-${PROXMOX_HOST_R630_04:-192.168.11.14}}"
+VMID="${MEV_CONTROL_BACKEND_VMID:-2421}"
+IP_CT="${MEV_CONTROL_BACKEND_IP:-192.168.11.219}"
+HOSTNAME_CT="${MEV_CONTROL_BACKEND_HOSTNAME:-mev-control-backend}"
+TEMPLATE_CT="${TEMPLATE:-local:vztmpl/debian-12-standard_12.12-1_amd64.tar.zst}"
+STORAGE="${STORAGE:-local-lvm}"
+NETWORK="${NETWORK:-vmbr0}"
+GATEWAY="${NETWORK_GATEWAY:-192.168.11.1}"
+SSH_OPTS="-o BatchMode=yes -o ConnectTimeout=15 -o StrictHostKeyChecking=accept-new"
+DRY_RUN=false
+[[ "${1:-}" == "--dry-run" ]] && DRY_RUN=true
+
+echo "=== Provision MEV Control backend LXC ==="
+echo "Proxmox: ${PROXMOX_HOST}  VMID: ${VMID}  IP: ${IP_CT}"
+
+if $DRY_RUN; then
+  echo "[DRY-RUN] pct create ${VMID} on ${PROXMOX_HOST} with Docker-capable unprivileged settings"
+  exit 0
+fi
+
+if ssh $SSH_OPTS "root@${PROXMOX_HOST}" "pct list 2>/dev/null | grep -q '^${VMID} '"; then
+  echo "CT ${VMID} already exists — skipping pct create"
+else
+  echo "Creating CT ${VMID} (${HOSTNAME_CT}) @ ${IP_CT}/24..."
+  ssh $SSH_OPTS "root@${PROXMOX_HOST}" bash -s <<EOF
+set -euo pipefail
+pct create ${VMID} ${TEMPLATE_CT} \\
+  --hostname ${HOSTNAME_CT} \\
+  --memory 32768 \\
+  --swap 8192 \\
+  --cores 16 \\
+  --rootfs ${STORAGE}:200 \\
+  --net0 name=eth0,bridge=${NETWORK},ip=${IP_CT}/24,gw=${GATEWAY} \\
+  --nameserver ${DNS_PRIMARY:-1.1.1.1} \\
+  --description 'Dedicated backend LXC: MEV admin API, supervisor, pipeline, and local infra' \\
+  --features nesting=1,keyctl=1 \\
+  --onboot 1 \\
+  --start 1 \\
+  --unprivileged 1
+EOF
+  echo "Waiting for CT to boot..."
+  sleep 15
+fi
+
+ssh $SSH_OPTS "root@${PROXMOX_HOST}" "pct status ${VMID}" | grep -q running || {
+  echo "ERROR: CT ${VMID} not running — start with: ssh root@${PROXMOX_HOST} 'pct start ${VMID}'" >&2
+  exit 1
+}
+
+echo "Installing baseline packages inside CT ${VMID}..."
+ssh $SSH_OPTS "root@${PROXMOX_HOST}" "pct exec ${VMID} -- bash -lc \"set -euo pipefail; export DEBIAN_FRONTEND=noninteractive; apt-get update -qq; apt-get install -y -qq curl jq git ca-certificates build-essential pkg-config libssl-dev gpg lsb-release uidmap\""
+
+echo ""
+echo "✅ Backend CT ${VMID} ready at ${IP_CT}"
+echo "   Next: deploy the MEV stack inside the CT and point CT 2410 /api to http://${IP_CT}:9090"
+