#!/bin/bash # deploy-invidious-credentials.sh — деплой кредов Invidious в CT 107 # Секреты из Vaultwarden (объект INVIDIOUS). Атомарная запись .env. # # Использование: # /root/scripts/deploy-invidious-credentials.sh # /root/scripts/deploy-invidious-credentials.sh --dry-run # # Ротация: сменил пароль/ключи в Vaultwarden → запустил скрипт → docker compose up -d --force-recreate # # Требования: bw, jq, /root/.bw-master (chmod 600) set -e CT_ID=107 INVIDIOUS_PATH="/opt/invidious" BW_MASTER_FILE="${BW_MASTER_PASSWORD_FILE:-/root/.bw-master}" DRY_RUN=false for arg in "$@"; do case "$arg" in --dry-run) DRY_RUN=true ;; esac done export PATH="/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:${PATH}" log() { echo "[$(date -Iseconds)] $*"; } err() { echo "[$(date -Iseconds)] ERROR: $*" >&2; } ensure_bw_unlocked() { local status status=$(bw status 2>/dev/null | jq -r '.status' 2>/dev/null || echo "unknown") if [ "$status" = "unlocked" ]; then log "bw already unlocked, reusing session" return 0 fi if [ ! -f "$BW_MASTER_FILE" ]; then err "Missing $BW_MASTER_FILE" exit 1 fi export BW_SESSION=$(bw unlock --passwordfile "$BW_MASTER_FILE" --raw 2>/dev/null) || { err "bw unlock failed" exit 1 } log "bw unlocked" } get_secrets() { local item item=$(bw get item "INVIDIOUS" 2>/dev/null) POSTGRES_USER=$(echo "$item" | jq -r '.login.username // empty') POSTGRES_PASSWORD=$(bw get password "INVIDIOUS" 2>/dev/null) INVIDIOUS_COMPANION_KEY=$(echo "$item" | jq -r '.fields[] | select(.name=="SERVER_SECRET_KEY") | .value // empty') HMAC_KEY=$(echo "$item" | jq -r '.fields[] | select(.name=="HMAC_KEY") | .value // empty') if [ -z "$POSTGRES_USER" ] || [ -z "$POSTGRES_PASSWORD" ]; then err "INVIDIOUS: missing username or password" exit 1 fi if [ -z "$INVIDIOUS_COMPANION_KEY" ]; then err "INVIDIOUS: missing SERVER_SECRET_KEY field" exit 1 fi if [ -z "$HMAC_KEY" ]; then err "INVIDIOUS: missing HMAC_KEY field" exit 1 fi } gen_env() { local tmp tmp=$(mktemp) cat > "$tmp" << EOF POSTGRES_USER=${POSTGRES_USER} POSTGRES_PASSWORD=${POSTGRES_PASSWORD} POSTGRES_DB=invidious INVIDIOUS_COMPANION_KEY=${INVIDIOUS_COMPANION_KEY} HMAC_KEY=${HMAC_KEY} EOF echo "$tmp" } push_env_atomic() { local tmp="$1" < "$tmp" pct exec "$CT_ID" -- bash -c "cat > ${INVIDIOUS_PATH}/.env.tmp && chmod 600 ${INVIDIOUS_PATH}/.env.tmp && mv ${INVIDIOUS_PATH}/.env.tmp ${INVIDIOUS_PATH}/.env" log ".env written (atomic), chmod 600" } run_compose() { pct exec "$CT_ID" -- bash -c "cd ${INVIDIOUS_PATH} && docker compose up -d --force-recreate" log "Invidious started" } main() { log "deploy-invidious-credentials start (dry_run=$DRY_RUN)" ensure_bw_unlocked get_secrets if [ "$DRY_RUN" = true ]; then log "DRY-RUN: would push .env and run compose" log " POSTGRES_USER=$POSTGRES_USER" log " POSTGRES_PASSWORD=***" log " INVIDIOUS_COMPANION_KEY=***" log " HMAC_KEY=***" exit 0 fi tmp=$(gen_env) trap "rm -f $tmp" EXIT push_env_atomic "$tmp" run_compose log "done" } main