#!/bin/bash # deploy-gitea-credentials.sh — деплой кредов Gitea в CT 103 # Секреты из Vaultwarden (объект GITEA). Атомарная запись .env. # # Использование: # /root/scripts/deploy-gitea-credentials.sh # /root/scripts/deploy-gitea-credentials.sh --dry-run # # Ротация: сменил пароль/токен в Vaultwarden → запустил скрипт → docker compose up -d --force-recreate # # Требования: bw, jq, /root/.bw-master (chmod 600) set -e CT_ID=103 GITEA_PATH="/opt/gitea" SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)" BW_MASTER_FILE="${BW_MASTER_PASSWORD_FILE:-/root/.bw-master}" DRY_RUN=false for arg in "$@"; do case "$arg" in --dry-run) DRY_RUN=true ;; esac done export PATH="/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:${PATH}" log() { echo "[$(date -Iseconds)] $*"; } err() { echo "[$(date -Iseconds)] ERROR: $*" >&2; } ensure_bw_unlocked() { local status status=$(bw status 2>/dev/null | jq -r '.status' 2>/dev/null || echo "unknown") if [ "$status" = "unlocked" ]; then log "bw already unlocked, reusing session" return 0 fi if [ ! -f "$BW_MASTER_FILE" ]; then err "Missing $BW_MASTER_FILE" exit 1 fi export BW_SESSION=$(bw unlock --passwordfile "$BW_MASTER_FILE" --raw 2>/dev/null) || { err "bw unlock failed" exit 1 } log "bw unlocked" } get_secrets() { local item item=$(bw get item "GITEA" 2>/dev/null) POSTGRES_PASSWORD=$(bw get password "GITEA" 2>/dev/null) GITEA_RUNNER_REGISTRATION_TOKEN=$(echo "$item" | jq -r '.fields[] | select(.name=="GITEA_RUNNER_REGISTRATION_TOKEN") | .value // empty') if [ -z "$POSTGRES_PASSWORD" ]; then err "GITEA: missing password (POSTGRES_PASSWORD)" exit 1 fi if [ -z "$GITEA_RUNNER_REGISTRATION_TOKEN" ]; then err "GITEA: missing GITEA_RUNNER_REGISTRATION_TOKEN field" exit 1 fi } gen_env() { local tmp tmp=$(mktemp) cat > "$tmp" << EOF POSTGRES_PASSWORD=${POSTGRES_PASSWORD} GITEA_RUNNER_REGISTRATION_TOKEN=${GITEA_RUNNER_REGISTRATION_TOKEN} EOF echo "$tmp" } push_env_atomic() { local tmp="$1" < "$tmp" pct exec "$CT_ID" -- bash -c "cat > ${GITEA_PATH}/.env.tmp && chmod 600 ${GITEA_PATH}/.env.tmp && mv ${GITEA_PATH}/.env.tmp ${GITEA_PATH}/.env" log ".env written (atomic), chmod 600" } push_compose() { local compose_src="${SCRIPT_DIR}/gitea/docker-compose.yml" if [ -f "$compose_src" ]; then pct push "$CT_ID" "$compose_src" "${GITEA_PATH}/docker-compose.yml" log "docker-compose.yml pushed" else log "WARN: ${compose_src} not found, skipping compose push" fi } run_compose() { pct exec "$CT_ID" -- bash -c "cd ${GITEA_PATH} && docker compose up -d --force-recreate" log "Gitea started" } main() { log "deploy-gitea-credentials start (dry_run=$DRY_RUN)" ensure_bw_unlocked get_secrets if [ "$DRY_RUN" = true ]; then log "DRY-RUN: would push .env and run compose" log " POSTGRES_PASSWORD=***" log " GITEA_RUNNER_REGISTRATION_TOKEN=***" exit 0 fi tmp=$(gen_env) trap "rm -f $tmp" EXIT push_env_atomic "$tmp" push_compose run_compose log "done" } main