Update documentation to centralize Vaultwarden integration details and enhance backup scripts

Refactor README, architecture, and backup documentation to emphasize the use of Vaultwarden for credential management across various services. Update scripts for Nextcloud, Gitea, Paperless, and others to reference Vaultwarden for sensitive information. Remove outdated references to previous backup strategies and ensure clarity on credential retrieval processes. This improves security practices and streamlines backup operations.

scripts/deploy-invidious-credentials.sh

@@ -0,0 +1,116 @@
+#!/bin/bash
+# deploy-invidious-credentials.sh — деплой кредов Invidious в CT 107
+# Секреты из Vaultwarden (объект INVIDIOUS). Атомарная запись .env.
+#
+# Использование:
+#   /root/scripts/deploy-invidious-credentials.sh
+#   /root/scripts/deploy-invidious-credentials.sh --dry-run
+#
+# Ротация: сменил пароль/ключи в Vaultwarden → запустил скрипт → docker compose up -d --force-recreate
+#
+# Требования: bw, jq, /root/.bw-master (chmod 600)
+
+set -e
+
+CT_ID=107
+INVIDIOUS_PATH="/opt/invidious"
+BW_MASTER_FILE="${BW_MASTER_PASSWORD_FILE:-/root/.bw-master}"
+DRY_RUN=false
+
+for arg in "$@"; do
+  case "$arg" in
+    --dry-run) DRY_RUN=true ;;
+  esac
+done
+
+export PATH="/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:${PATH}"
+
+log() { echo "[$(date -Iseconds)] $*"; }
+err() { echo "[$(date -Iseconds)] ERROR: $*" >&2; }
+
+ensure_bw_unlocked() {
+  local status
+  status=$(bw status 2>/dev/null | jq -r '.status' 2>/dev/null || echo "unknown")
+  if [ "$status" = "unlocked" ]; then
+    log "bw already unlocked, reusing session"
+    return 0
+  fi
+  if [ ! -f "$BW_MASTER_FILE" ]; then
+    err "Missing $BW_MASTER_FILE"
+    exit 1
+  fi
+  export BW_SESSION=$(bw unlock --passwordfile "$BW_MASTER_FILE" --raw 2>/dev/null) || {
+    err "bw unlock failed"
+    exit 1
+  }
+  log "bw unlocked"
+}
+
+get_secrets() {
+  local item
+  item=$(bw get item "INVIDIOUS" 2>/dev/null)
+  POSTGRES_USER=$(echo "$item" | jq -r '.login.username // empty')
+  POSTGRES_PASSWORD=$(bw get password "INVIDIOUS" 2>/dev/null)
+  INVIDIOUS_COMPANION_KEY=$(echo "$item" | jq -r '.fields[] | select(.name=="SERVER_SECRET_KEY") | .value // empty')
+  HMAC_KEY=$(echo "$item" | jq -r '.fields[] | select(.name=="HMAC_KEY") | .value // empty')
+
+  if [ -z "$POSTGRES_USER" ] || [ -z "$POSTGRES_PASSWORD" ]; then
+    err "INVIDIOUS: missing username or password"
+    exit 1
+  fi
+  if [ -z "$INVIDIOUS_COMPANION_KEY" ]; then
+    err "INVIDIOUS: missing SERVER_SECRET_KEY field"
+    exit 1
+  fi
+  if [ -z "$HMAC_KEY" ]; then
+    err "INVIDIOUS: missing HMAC_KEY field"
+    exit 1
+  fi
+}
+
+gen_env() {
+  local tmp
+  tmp=$(mktemp)
+  cat > "$tmp" << EOF
+POSTGRES_USER=${POSTGRES_USER}
+POSTGRES_PASSWORD=${POSTGRES_PASSWORD}
+POSTGRES_DB=invidious
+INVIDIOUS_COMPANION_KEY=${INVIDIOUS_COMPANION_KEY}
+HMAC_KEY=${HMAC_KEY}
+EOF
+  echo "$tmp"
+}
+
+push_env_atomic() {
+  local tmp="$1"
+  < "$tmp" pct exec "$CT_ID" -- bash -c "cat > ${INVIDIOUS_PATH}/.env.tmp && chmod 600 ${INVIDIOUS_PATH}/.env.tmp && mv ${INVIDIOUS_PATH}/.env.tmp ${INVIDIOUS_PATH}/.env"
+  log ".env written (atomic), chmod 600"
+}
+
+run_compose() {
+  pct exec "$CT_ID" -- bash -c "cd ${INVIDIOUS_PATH} && docker compose up -d --force-recreate"
+  log "Invidious started"
+}
+
+main() {
+  log "deploy-invidious-credentials start (dry_run=$DRY_RUN)"
+  ensure_bw_unlocked
+  get_secrets
+
+  if [ "$DRY_RUN" = true ]; then
+    log "DRY-RUN: would push .env and run compose"
+    log "  POSTGRES_USER=$POSTGRES_USER"
+    log "  POSTGRES_PASSWORD=***"
+    log "  INVIDIOUS_COMPANION_KEY=***"
+    log "  HMAC_KEY=***"
+    exit 0
+  fi
+
+  tmp=$(gen_env)
+  trap "rm -f $tmp" EXIT
+  push_env_atomic "$tmp"
+  run_compose
+  log "done"
+}
+
+main