Update documentation to centralize Vaultwarden integration details and enhance backup scripts

Refactor README, architecture, and backup documentation to emphasize the use of Vaultwarden for credential management across various services. Update scripts for Nextcloud, Gitea, Paperless, and others to reference Vaultwarden for sensitive information. Remove outdated references to previous backup strategies and ensure clarity on credential retrieval processes. This improves security practices and streamlines backup operations.

scripts/deploy-galene-credentials.sh

@@ -0,0 +1,94 @@
+#!/bin/bash
+# deploy-galene-credentials.sh — деплой TURN-кредов Galene в CT 108
+# Секреты из Vaultwarden (объект GALENE, поле config — JSON ice-servers).
+#
+# Использование:
+#   /root/scripts/deploy-galene-credentials.sh
+#   /root/scripts/deploy-galene-credentials.sh --dry-run
+#
+# Ротация: сменил TURN username/credential в Vaultwarden → запустил скрипт → systemctl restart galene
+#
+# Требования: bw, jq, /root/.bw-master (chmod 600)
+
+set -e
+
+CT_ID=108
+ICE_SERVERS_PATH="/opt/galene-data/data/ice-servers.json"
+BW_MASTER_FILE="${BW_MASTER_PASSWORD_FILE:-/root/.bw-master}"
+DRY_RUN=false
+
+for arg in "$@"; do
+  case "$arg" in
+    --dry-run) DRY_RUN=true ;;
+  esac
+done
+
+export PATH="/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:${PATH}"
+
+log() { echo "[$(date -Iseconds)] $*"; }
+err() { echo "[$(date -Iseconds)] ERROR: $*" >&2; }
+
+ensure_bw_unlocked() {
+  local status
+  status=$(bw status 2>/dev/null | jq -r '.status' 2>/dev/null || echo "unknown")
+  if [ "$status" = "unlocked" ]; then
+    log "bw already unlocked, reusing session"
+    return 0
+  fi
+  if [ ! -f "$BW_MASTER_FILE" ]; then
+    err "Missing $BW_MASTER_FILE"
+    exit 1
+  fi
+  export BW_SESSION=$(bw unlock --passwordfile "$BW_MASTER_FILE" --raw 2>/dev/null) || {
+    err "bw unlock failed"
+    exit 1
+  }
+  log "bw unlocked"
+}
+
+get_secrets() {
+  local config
+  config=$(bw get item "GALENE" 2>/dev/null | jq -r '.fields[] | select(.name=="config") | .value // empty')
+  if [ -z "$config" ]; then
+    err "GALENE: missing config field (JSON ice-servers)"
+    exit 1
+  fi
+  if ! echo "$config" | jq . >/dev/null 2>&1; then
+    err "GALENE config: invalid JSON"
+    exit 1
+  fi
+  ICE_CONFIG="$config"
+}
+
+push_ice_servers() {
+  local tmp
+  tmp=$(mktemp)
+  echo "$ICE_CONFIG" | jq -c . > "$tmp"
+  pct push "$CT_ID" "$tmp" "${ICE_SERVERS_PATH}.tmp"
+  rm -f "$tmp"
+  pct exec "$CT_ID" -- bash -c "chmod 600 ${ICE_SERVERS_PATH}.tmp && mv ${ICE_SERVERS_PATH}.tmp ${ICE_SERVERS_PATH}"
+  log "ice-servers.json written (atomic), chmod 600"
+}
+
+restart_galene() {
+  pct exec "$CT_ID" -- systemctl restart galene
+  log "galene restarted"
+}
+
+main() {
+  log "deploy-galene-credentials start (dry_run=$DRY_RUN)"
+  ensure_bw_unlocked
+  get_secrets
+
+  if [ "$DRY_RUN" = true ]; then
+    log "DRY-RUN: would push ice-servers.json and restart galene"
+    log "  config: $(echo "$ICE_CONFIG" | jq -c .)"
+    exit 0
+  fi
+
+  push_ice_servers
+  restart_galene
+  log "done"
+}
+
+main