#!/bin/bash
# 🚀 Script to Generate Secure Secrets for Deployment
# Define root directory relative to the script location
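# Make sure ROOT_DIR is set; fall back to the project's helper script.
# The helper is looked up next to this script (per the header comment, the
# root is meant to be relative to the script location) instead of the
# caller's working directory, so the script also works when invoked from
# elsewhere; when run from its own directory this resolves to ./ as before.
if [ -z "$ROOT_DIR" ]; then
  echo "❌ WARN: ROOT_DIR ist nicht gesetzt! Setze ROOT_DIR..."
  # shellcheck source=/dev/null
  source "$(dirname "${BASH_SOURCE[0]}")/set-project-root.sh"
fi

# Abort if ROOT_DIR is still empty: the paths derived from it below would
# otherwise resolve to /env/secrets.env and /.gitignore at the filesystem root.
: "${ROOT_DIR:?ROOT_DIR is not set and set-project-root.sh did not set it}"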
# Paths derived from ROOT_DIR: the generated secrets file and the repo's .gitignore
SECRET_FILE=$ROOT_DIR/env/secrets.env
GITIGNORE_FILE=$ROOT_DIR/.gitignore
# ✅ Function to check if a command is installed
# Arguments: $1 - command name to look up
# Returns:   0 when `command -v` can resolve it, non-zero otherwise
#            (nothing is printed either way)
check_dependency() {
  local cmd_name=$1
  command -v "$cmd_name" &>/dev/null
}
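# 🔍 Check for OpenSSL, and prompt user to install if missing
# Every value written below comes from openssl, so without it the
# "$(generate_secret)" substitutions would expand to empty strings.
if ! check_dependency "openssl"; then
  echo "⚠️ OpenSSL is not installed. It is required to generate secure secrets."
  echo "Would you like to install OpenSSL now? (yes/no)"
  read -r install_choice
  if [[ "$install_choice" == "yes" ]]; then
    if [[ "$OSTYPE" == "linux-gnu"* ]]; then
      sudo apt update && sudo apt install -y openssl
    elif [[ "$OSTYPE" == "darwin"* ]]; then
      brew install openssl
    else
      echo "❌ Unsupported OS. Please install OpenSSL manually."
      exit 1
    fi
    # Re-check after the install attempt: a failed, declined or PATH-less
    # package install would otherwise let the script continue and write
    # blank secrets.
    if ! check_dependency "openssl"; then
      echo "❌ OpenSSL installation did not succeed. Please install it manually and rerun." >&2
      exit 1
    fi
  else
    echo "❌ OpenSSL is required but was not installed. Exiting."
    exit 1
  fi
fi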
# ✅ Securely generate random values
# Outputs: one base64-encoded string made from 32 random bytes, on stdout
# Returns: the exit status of openssl
generate_secret() {
  local -r random_bytes=32
  openssl rand -base64 "$random_bytes"
}
# 🔄 Check if the secret file already exists
# Refuse to clobber an existing secrets file unless the user types exactly "yes".
if [[ -f "$SECRET_FILE" ]]; then
  echo "⚠️ $SECRET_FILE already exists. Overwrite? (yes/no)"
  read -r response
  case "$response" in
    yes)
      ;;  # proceed with the overwrite
    *)
      echo "❌ Secret file creation canceled."
      exit 1
      ;;
  esac
fi
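# ✏️ Write secrets to file
echo "🔐 Generating $SECRET_FILE ..."
mkdir -p "$(dirname "$SECRET_FILE")" # Ensure the env directory exists

# Create the file empty with owner-only permissions. With the default umask
# the original `> "$SECRET_FILE"` left the file readable by every local user
# (typically 0644); chmod also tightens a pre-existing file being overwritten.
if ! (umask 077 && : > "$SECRET_FILE") || ! chmod 600 "$SECRET_FILE"; then
  echo "❌ Could not create $SECRET_FILE" >&2
  exit 1
fi

#######################################
# Append one KEY=VALUE line to the secrets file.
# Globals:   SECRET_FILE (written)
# Arguments: $1 - variable name
#            $2 - value
# Returns:   exits with status 1 if the value is empty, so a failed openssl
#            call cannot leave a blank secret in the file
#######################################
write_secret() {
  local key=$1
  local value=$2
  if [ -z "$value" ]; then
    echo "❌ Failed to generate a value for $key" >&2
    exit 1
  fi
  printf '%s=%s\n' "$key" "$value" >> "$SECRET_FILE"
}

#######################################
# Hash a password with SHA-512 crypt. The password is passed on stdin
# rather than as an argument so it does not show up in the process list.
# Arguments: $1 - plaintext password
# Outputs:   the crypt hash on stdout
#######################################
hash_password() {
  printf '%s\n' "$1" | openssl passwd -6 -stdin
}

# 🔑 Define and write secrets
# The admin and Traefik passwords used to be the fixed strings "admin" and
# "traefikpass", i.e. guessable defaults in a file meant to hold secrets.
# They are now random like everything else; the plaintext is written next to
# the hash because the operator needs it once to log in (all other values in
# this file are plaintext anyway, and the file is now mode 0600).
admin_password=$(generate_secret)
traefik_password=$(generate_secret)
write_secret ADMIN_PASSWORD "$admin_password"
write_secret ADMIN_PASSWORD_HASH "$(hash_password "$admin_password")"
write_secret JWT_SECRET "$(generate_secret)"
write_secret MARIADB_PASSWORD "$(generate_secret)"
write_secret MARIADB_ROOT_PASSWORD "$(generate_secret)"
write_secret REDIS_HOST_PASSWORD "$(generate_secret)"
write_secret TRAEFIK_BASIC_AUTH_PASSWORD "$traefik_password"
write_secret TRAEFIK_BASIC_AUTH_USERS "admin:$(hash_password "$traefik_password")"
write_secret GITEA_MYSQL_PASSWORD "$(generate_secret)"
write_secret NEXTCLOUD_ADMIN_PASSWORD "$(generate_secret)"
write_secret MAIL_PASSWORD "$(generate_secret)"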
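# 🛑 Ensure secrets.env is ignored by Git **without overwriting last line**
#######################################
# Add an ignore entry for the secrets file to the repository's .gitignore.
# Arguments: $1 - path of the secrets file (nothing is done unless it exists)
#            $2 - path of the .gitignore to update (created if missing)
# Outputs:   a confirmation line on stdout when the entry was added
# Returns:   0 on success, non-zero if the .gitignore could not be written
#######################################
ensure_secret_ignored() {
  local secret_file=$1
  local gitignore_file=$2
  local -r ignore_entry="env/secrets.env"

  [ -f "$secret_file" ] || return 0

  # Check if the last line is missing a newline and fix it, so the entry is
  # not glued onto an existing pattern.
  if [ -s "$gitignore_file" ] && [ "$(tail -c1 "$gitignore_file")" != "" ]; then
    echo "" >> "$gitignore_file" || return
  fi

  # Append only if the exact line is not already present. -x matches whole
  # lines and -F takes the entry literally (the original regex left the '.'
  # unescaped); a missing .gitignore counts as "not present" instead of
  # producing a grep error.
  if [ ! -f "$gitignore_file" ] || ! grep -qxF -- "$ignore_entry" "$gitignore_file"; then
    echo "$ignore_entry" >> "$gitignore_file" || return
    echo "✅ Added 'env/secrets.env' to .gitignore"
  fi
}

ensure_secret_ignored "$SECRET_FILE" "$GITIGNORE_FILE"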
# Final summary for the operator: where the file went and that it must stay out of Git.
printf '%s\n' \
  "✅ Secrets have been generated and stored in $SECRET_FILE." \
  "⚠️ Keep this file secure and do NOT commit it to Git!"