Refactor README, architecture, and backup documentation to emphasize the use of Vaultwarden for credential management across various services. Update scripts for Nextcloud, Gitea, Paperless, and others to reference Vaultwarden for sensitive information. Remove outdated references to previous backup strategies and ensure clarity on credential retrieval processes. This improves security practices and streamlines backup operations.
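#!/bin/bash
# deploy-gitea-credentials.sh — deploy Gitea credentials into CT 103
#
# Secrets come from Vaultwarden (item "GITEA"); the .env file is written
# atomically inside the container.
#
# Usage:
#   /root/scripts/deploy-gitea-credentials.sh
#   /root/scripts/deploy-gitea-credentials.sh --dry-run
#
# Rotation: change the password/token in Vaultwarden → run this script →
# docker compose up -d --force-recreate (run_compose below does that step).
#
# Requirements: bw, jq, /root/.bw-master (chmod 600)
#
# Environment:
#   BW_MASTER_PASSWORD_FILE  overrides the master-password file path.

# -e: abort on any unhandled failure; -u: an unset variable is an error (a
# typo cannot silently become an empty secret); pipefail: the `bw status | jq`
# pipeline fails when bw itself fails, not only when jq does.
# (An empty "$@" under -u is fine on bash >= 4.4, which the Proxmox host has.)
set -euo pipefail

readonly CT_ID=103
readonly GITEA_PATH="/opt/gitea"
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
readonly SCRIPT_DIR
BW_MASTER_FILE="${BW_MASTER_PASSWORD_FILE:-/root/.bw-master}"
readonly BW_MASTER_FILE
DRY_RUN=false

# Accept only --dry-run. A mistyped flag (e.g. --dry_run) must fail loudly
# instead of silently turning a rehearsal into a live deployment.
# err() is defined further down, so print directly here.
for arg in "$@"; do
  case "$arg" in
    --dry-run) DRY_RUN=true ;;
    *)
      printf '%s\n' "unknown argument: ${arg} (usage: $0 [--dry-run])" >&2
      exit 2
      ;;
  esac
done

# pct/bw/jq may only be on sbin or /usr/local/bin paths when run from cron.
export PATH="/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:${PATH}"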
# Timestamped progress line on stdout.
log() { printf '[%s] %s\n' "$(date -Iseconds)" "$*"; }
# Timestamped error line on stderr; the caller decides whether to exit.
err() { printf '[%s] ERROR: %s\n' "$(date -Iseconds)" "$*" >&2; }
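# Make sure `bw` has an unlocked session, exported as BW_SESSION.
# Reuses an already-unlocked session; otherwise unlocks with the master
# password file. Exits 1 when the vault cannot be unlocked.
ensure_bw_unlocked() {
  local status session perms
  status=$(bw status 2>/dev/null | jq -r '.status' 2>/dev/null || echo "unknown")
  if [ "$status" = "unlocked" ]; then
    log "bw already unlocked, reusing session"
    return 0
  fi
  # `bw unlock` cannot help if the CLI was never logged in; say so explicitly.
  if [ "$status" = "unauthenticated" ]; then
    err "bw is not logged in (status=unauthenticated); run 'bw login' first"
    exit 1
  fi
  if [ ! -f "$BW_MASTER_FILE" ]; then
    err "Missing $BW_MASTER_FILE"
    exit 1
  fi
  # The header requires chmod 600 on the master-password file; enforce it so a
  # group/world-readable vault password is noticed instead of silently used.
  # Uses GNU stat (Debian/Proxmox host); the check is skipped if stat fails.
  perms=$(stat -c '%a' "$BW_MASTER_FILE" 2>/dev/null || true)
  case "$perms" in
    ""|*00) ;;
    *)
      err "$BW_MASTER_FILE is mode $perms; must not be group/world accessible (chmod 600)"
      exit 1
      ;;
  esac
  # Assign separately from `export`: `export X=$(cmd)` returns export's own
  # status (0), so a failed unlock would never reach the `||` branch and the
  # script would continue with an empty session.
  session=$(bw unlock --passwordfile "$BW_MASTER_FILE" --raw 2>/dev/null) || {
    err "bw unlock failed"
    exit 1
  }
  if [ -z "$session" ]; then
    err "bw unlock returned an empty session"
    exit 1
  fi
  export BW_SESSION="$session"
  log "bw unlocked"
}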
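# Fetch the Gitea secrets from the Vaultwarden item named "GITEA" into the
# globals POSTGRES_PASSWORD (the item's login password) and
# GITEA_RUNNER_REGISTRATION_TOKEN (a custom field of the same name).
# Exits 1 if the item or either value is missing.
get_secrets() {
  local item
  # `bw get item NAME` looks the item up by name; bw refuses ambiguous
  # matches, so the vault must hold exactly one item called GITEA.
  if ! item=$(bw get item "GITEA" 2>/dev/null) || [ -z "$item" ]; then
    err "GITEA: item not found in Vaultwarden (or more than one match)"
    exit 1
  fi
  # A failed lookup falls through to the explicit "missing password" error
  # below instead of a silent set -e exit (stderr is discarded here).
  POSTGRES_PASSWORD=$(bw get password "GITEA" 2>/dev/null) || POSTGRES_PASSWORD=""
  # `.fields[]?` tolerates an item without custom fields; plain `.fields[]`
  # makes jq error on null, which under set -e kills the script without a
  # message.
  GITEA_RUNNER_REGISTRATION_TOKEN=$(jq -r '.fields[]? | select(.name=="GITEA_RUNNER_REGISTRATION_TOKEN") | .value // empty' <<<"$item")

  if [ -z "$POSTGRES_PASSWORD" ]; then
    err "GITEA: missing password (POSTGRES_PASSWORD)"
    exit 1
  fi
  if [ -z "$GITEA_RUNNER_REGISTRATION_TOKEN" ]; then
    err "GITEA: missing GITEA_RUNNER_REGISTRATION_TOKEN field"
    exit 1
  fi
}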
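# Write the .env contents for the container to a private temp file on the
# host (mktemp creates it mode 0600) and print its path on stdout.
# Reads the globals POSTGRES_PASSWORD and GITEA_RUNNER_REGISTRATION_TOKEN.
# Returns 1, without creating a file, if a value cannot be represented as a
# single KEY=VALUE line.
gen_env() {
  local tmp name value
  # .env is line-oriented: a value containing a newline or CR would spill
  # onto the next line and be read as a different variable.
  for name in POSTGRES_PASSWORD GITEA_RUNNER_REGISTRATION_TOKEN; do
    value="${!name}"
    case "$value" in
      *$'\n'*|*$'\r'*)
        err "${name}: value contains a line break, cannot be written to .env"
        return 1
        ;;
    esac
  done
  # NOTE(review): values are written unquoted, as before. Compose may treat
  # `$` or quotes inside an unquoted .env value specially — if a rotated
  # secret contains such characters, verify the container sees it intact.
  tmp=$(mktemp)
  cat > "$tmp" << EOF
POSTGRES_PASSWORD=${POSTGRES_PASSWORD}
GITEA_RUNNER_REGISTRATION_TOKEN=${GITEA_RUNNER_REGISTRATION_TOKEN}
EOF
  echo "$tmp"
}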
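# Stream the generated .env into the container and swap it into place.
# Arguments: $1 - path of the temp file on the host (from gen_env).
# The container-side temp file is created under umask 077 so the plaintext
# secrets are never readable by other users, even for the instant between
# `cat` and `chmod`; the final `mv` (rename) is what makes the update atomic
# for readers of ${GITEA_PATH}/.env. GITEA_PATH is a script constant, not
# user input, so interpolating it into the bash -c string is safe.
push_env_atomic() {
  local tmp="$1"
  # An empty file would silently wipe the credentials in the container.
  if [ ! -s "$tmp" ]; then
    err "push_env_atomic: ${tmp} is missing or empty"
    exit 1
  fi
  < "$tmp" pct exec "$CT_ID" -- bash -c "umask 077 && cat > ${GITEA_PATH}/.env.tmp && chmod 600 ${GITEA_PATH}/.env.tmp && mv ${GITEA_PATH}/.env.tmp ${GITEA_PATH}/.env"
  log ".env written (atomic), chmod 600"
}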
# Push gitea/docker-compose.yml (next to this script) into the container,
# or log a warning and skip when the file is absent.
push_compose() {
  local src="${SCRIPT_DIR}/gitea/docker-compose.yml"
  if [ ! -f "$src" ]; then
    log "WARN: ${src} not found, skipping compose push"
    return 0
  fi
  pct push "$CT_ID" "$src" "${GITEA_PATH}/docker-compose.yml"
  log "docker-compose.yml pushed"
}
# Recreate the Gitea stack inside the container so the new .env is picked up.
run_compose() {
  local cmd="cd ${GITEA_PATH} && docker compose up -d --force-recreate"
  pct exec "$CT_ID" -- bash -c "$cmd"
  log "Gitea started"
}
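# Entry point: unlock bw, fetch the secrets, then (unless --dry-run) write
# .env into the container, push the compose file and recreate the stack.
main() {
  # Global on purpose: the EXIT trap below reads it after main has returned.
  tmp=""
  log "deploy-gitea-credentials start (dry_run=$DRY_RUN)"
  ensure_bw_unlocked
  get_secrets

  if [ "$DRY_RUN" = true ]; then
    # Secrets are fetched and validated but never printed.
    log "DRY-RUN: would push .env and run compose"
    log "  POSTGRES_PASSWORD=***"
    log "  GITEA_RUNNER_REGISTRATION_TOKEN=***"
    exit 0
  fi

  # Install the cleanup trap before the secret file exists, so an interrupt
  # between mktemp and trap cannot leave the plaintext .env behind on the
  # host. Single quotes: expand "$tmp" when the trap fires, not now.
  trap '[ -n "$tmp" ] && rm -f -- "$tmp"' EXIT
  tmp=$(gen_env)
  push_env_atomic "$tmp"
  push_compose
  run_compose
  log "done"
}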
# main ignores its arguments (flags are parsed at the top of the file);
# passing them through is conventional and harmless.
main "$@"