gb/prod.md

# Production: Vault Container via LXD Socket

## Current Setup

- **botserver binary**: Already at `/opt/gbo/tenants/pragmatismo/system/bin/botserver` (inside pragmatismo-system container)
- **Target**: Install Vault in a NEW container on the **HOST** LXD (outside pragmatismo-system)
- **Connection**: botserver uses LXD socket proxy (`/tmp/lxd.sock` → host LXD)

## Execution Plan

### Step 1: Pull latest botserver code on pragmatismo-system

```bash
cd /opt/gbo/tenants/pragmatismo/system
git pull alm main
```

### Step 2: Build botserver (if needed)

```bash
cargo build -p botserver
cp target/debug/botserver /opt/gbo/tenants/pragmatismo/system/bin/botserver
```

### Step 3: Install Vault container via botserver (FROM pragmatismo-system)

```bash
/opt/gbo/tenants/pragmatismo/system/bin/botserver install vault --container
```

**This runs INSIDE pragmatismo-system container but installs Vault on HOST LXD**

### Step 4: Verify Vault is running on host

```bash
# From pragmatismo-system, via socket proxy
lxc list

# Or directly on host (from Proxmox)
lxc list
```

### Step 5: Update botserver to use external Vault

After Vault is installed in its own container, update `/opt/gbo/tenants/pragmatismo/system/bin/.env`:

```
VAULT_ADDR=https://<vault-container-ip>:8200
```