Update documentation to centralize Vaultwarden integration details and enhance backup scripts

Refactor README, architecture, and backup documentation to emphasize the use of Vaultwarden for credential management across various services. Update scripts for Nextcloud, Gitea, Paperless, and others to reference Vaultwarden for sensitive information. Remove outdated references to previous backup strategies and ensure clarity on credential retrieval processes. This improves security practices and streamlines backup operations.

scripts/deploy-rag-credentials.sh

@@ -0,0 +1,130 @@
+#!/bin/bash
+# deploy-rag-credentials.sh — деплой кредов RAG-service в CT 105
+# Секреты из Vaultwarden (объект RAG_SERVICE). Атомарная запись .env.
+#
+# Использование:
+#   /root/scripts/deploy-rag-credentials.sh
+#   /root/scripts/deploy-rag-credentials.sh --dry-run
+#
+# Ротация: сменил RAG_API_KEY в Vaultwarden → запустил скрипт → docker compose up -d --force-recreate
+#
+# Требования: bw, jq, /root/.bw-master (chmod 600)
+# Vaultwarden: создать запись RAG_SERVICE с полем RAG_API_KEY (тип hidden).
+
+set -e
+
+CT_ID=105
+RAG_PATH="/home/rag-service"
+BW_MASTER_FILE="${BW_MASTER_PASSWORD_FILE:-/root/.bw-master}"
+DRY_RUN=false
+
+for arg in "$@"; do
+  case "$arg" in
+    --dry-run) DRY_RUN=true ;;
+  esac
+done
+
+export PATH="/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:${PATH}"
+
+log() { echo "[$(date -Iseconds)] $*"; }
+err() { echo "[$(date -Iseconds)] ERROR: $*" >&2; }
+
+ensure_bw_unlocked() {
+  local status
+  status=$(bw status 2>/dev/null | jq -r '.status' 2>/dev/null || echo "unknown")
+  if [ "$status" = "unlocked" ]; then
+    log "bw already unlocked, reusing session"
+    return 0
+  fi
+  if [ ! -f "$BW_MASTER_FILE" ]; then
+    err "Missing $BW_MASTER_FILE"
+    exit 1
+  fi
+  export BW_SESSION=$(bw unlock --passwordfile "$BW_MASTER_FILE" --raw 2>/dev/null) || {
+    err "bw unlock failed"
+    exit 1
+  }
+  log "bw unlocked"
+}
+
+get_secrets() {
+  local item
+  item=$(bw get item "RAG_SERVICE" 2>/dev/null) || {
+    err "RAG_SERVICE not found in Vaultwarden. Create it: type Login, add custom field RAG_API_KEY (hidden)."
+    exit 1
+  }
+  RAG_API_KEY=$(echo "$item" | jq -r '.fields[] | select(.name=="RAG_API_KEY") | .value // empty')
+  if [ -z "$RAG_API_KEY" ]; then
+    err "RAG_SERVICE: missing RAG_API_KEY field"
+    exit 1
+  fi
+}
+
+gen_env() {
+  local tmp
+  tmp=$(mktemp)
+  cat > "$tmp" << EOF
+# RAG Service Configuration (generated from Vaultwarden)
+
+# Модель
+RAG_MODEL=sentence-transformers/all-MiniLM-L12-v2
+RAG_CACHE_DIR=data/models
+
+# VectorStore
+RAG_VECTORS_PATH=data/vectors/vectors.npz
+RAG_MAX_EXAMPLES=10000
+RAG_SCORE_MULTIPLIER=5.0
+
+# Батч-обработка
+RAG_BATCH_SIZE=16
+
+# Минимальная длина текста
+RAG_MIN_TEXT_LENGTH=3
+
+# API настройки
+RAG_API_HOST=0.0.0.0
+RAG_API_PORT=8000
+
+# Безопасность
+RAG_API_KEY=${RAG_API_KEY}
+RAG_ALLOW_NO_AUTH=false
+
+# Автосохранение векторов
+RAG_AUTOSAVE_INTERVAL=600
+
+# Логирование
+LOG_LEVEL=INFO
+EOF
+  echo "$tmp"
+}
+
+push_env_atomic() {
+  local tmp="$1"
+  < "$tmp" pct exec "$CT_ID" -- bash -c "cat > ${RAG_PATH}/.env.tmp && chmod 600 ${RAG_PATH}/.env.tmp && mv ${RAG_PATH}/.env.tmp ${RAG_PATH}/.env"
+  log ".env written (atomic), chmod 600"
+}
+
+run_compose() {
+  pct exec "$CT_ID" -- bash -c "cd ${RAG_PATH} && docker compose up -d --force-recreate"
+  log "RAG-service started"
+}
+
+main() {
+  log "deploy-rag-credentials start (dry_run=$DRY_RUN)"
+  ensure_bw_unlocked
+  get_secrets
+
+  if [ "$DRY_RUN" = true ]; then
+    log "DRY-RUN: would push .env and run compose"
+    log "  RAG_API_KEY=***"
+    exit 0
+  fi
+
+  tmp=$(gen_env)
+  trap "rm -f $tmp" EXIT
+  push_env_atomic "$tmp"
+  run_compose
+  log "done"
+}
+
+main