fix: wire credential files into service environment/ dirs on setup and deploy

This commit is contained in:
daniel-c-harvey
2026-06-04 14:01:18 -04:00
parent a54b0a8f8e
commit c49f28e619
3 changed files with 34 additions and 4 deletions
+14 -2
View File
@@ -5,8 +5,8 @@
# Expects in ${APP_HOME}/staging/:
# deepdrft-manager.tar.gz -- published self-contained linux-x64 binary tree
#
# DeepDrftManager receives its API URL + API key credential via systemd LoadCredential
# (api-manager.json -> $CREDENTIALS_DIRECTORY/api at runtime). No env file copy needed.
# DeepDrftManager reads its API URL and API key credential from environment/api.json at startup
# (populated by setup-step10-creds.sh). The env-file copy block below keeps it current.
#
# Paths are derived at runtime — no hardcoded usernames or home dirs.
# APP_HOME comes from $HOME (sshd sets this for the app user).
@@ -36,6 +36,18 @@ rm -f "${STAGING}/${ARCHIVE}"
echo "[deploy-manager] archive extracted"
# ── Apply environment files (host-managed, not in archive) ────────────────
if [[ -d "${APPROOT}/environment" ]]; then
shopt -s nullglob
env_files=("${APPROOT}/environment/"*)
shopt -u nullglob
if [[ ${#env_files[@]} -gt 0 ]]; then
mkdir -p "${APPROOT}/bin/environment"
cp "${env_files[@]}" "${APPROOT}/bin/environment/"
echo "[deploy-manager] environment files applied"
fi
fi
# ── Enable and restart service ─────────────────────────────────────────────
systemctl --user enable deepdrftmanager.service
systemctl --user restart deepdrftmanager.service
+14 -2
View File
@@ -5,8 +5,8 @@
# Expects in ${APP_HOME}/staging/:
# deepdrft-public.tar.gz -- published self-contained linux-x64 binary tree
#
# DeepDrftPublic receives its API URL credential via systemd LoadCredential
# (api-public.json -> $CREDENTIALS_DIRECTORY/api at runtime). No env file copy needed.
# DeepDrftPublic reads its API URL credential from environment/api.json at startup
# (populated by setup-step10-creds.sh). The env-file copy block below keeps it current.
#
# Paths are derived at runtime — no hardcoded usernames or home dirs.
# APP_HOME comes from $HOME (sshd sets this for the app user).
@@ -36,6 +36,18 @@ rm -f "${STAGING}/${ARCHIVE}"
echo "[deploy-public] archive extracted"
# ── Apply environment files (host-managed, not in archive) ────────────────
if [[ -d "${APPROOT}/environment" ]]; then
shopt -s nullglob
env_files=("${APPROOT}/environment/"*)
shopt -u nullglob
if [[ ${#env_files[@]} -gt 0 ]]; then
mkdir -p "${APPROOT}/bin/environment"
cp "${env_files[@]}" "${APPROOT}/bin/environment/"
echo "[deploy-public] environment files applied"
fi
fi
# ── Enable and restart service ─────────────────────────────────────────────
systemctl --user enable deepdrftpublic.service
systemctl --user restart deepdrftpublic.service
+6
View File
@@ -92,6 +92,7 @@ need_cred() {
if need_cred "filedatabase"; then
write_cred "filedatabase" \
"{\"FileDatabaseSettings\":{\"VaultPath\":\"${APP_HOME}/api/deepdrft/vaults\"}}"
cp "${CREDDIR}/filedatabase.json" "${APP_HOME}/api/deepdrft/environment/filedatabase.json"
else
echo "[setup-step10-creds] filedatabase.json already exists, skipping"
fi
@@ -110,6 +111,7 @@ if need_cred "apikey"; then
unset API_KEY_INPUT
write_cred "apikey" \
"{\"ApiKeySettings\":{\"ApiKey\":\"$(json_escape "${API_KEY}")\"}}"
cp "${CREDDIR}/apikey.json" "${APP_HOME}/api/deepdrft/environment/apikey.json"
else
echo "[setup-step10-creds] apikey.json already exists, skipping"
# Still need the value for api-manager.json if that's also being written.
@@ -150,6 +152,7 @@ if need_cred "connections"; then
AUTH_CONN="Host=localhost;Database=${DB_AUTH};Username=${PG_ROLE};Password=$(json_escape "${PG_PASSWORD}")"
write_cred "connections" \
"{\"ConnectionStrings\":{\"DefaultConnection\":\"${META_CONN}\",\"Auth\":\"${AUTH_CONN}\"}}"
cp "${CREDDIR}/connections.json" "${APP_HOME}/api/deepdrft/environment/connections.json"
unset PG_PASSWORD META_CONN AUTH_CONN
else
echo "[setup-step10-creds] connections.json already exists, skipping"
@@ -204,6 +207,7 @@ if need_cred "authblocks"; then
{"AuthBlocks":{"Jwt":{"Secret":"$(json_escape "${JWT_SECRET}")","Issuer":"$(json_escape "${JWT_ISSUER}")","Audience":"$(json_escape "${JWT_AUDIENCE}")"},"Email":{"Host":"$(json_escape "${EMAIL_HOST}")","Token":"$(json_escape "${EMAIL_TOKEN}")"},"Admin":{"UserName":"$(json_escape "${ADMIN_USERNAME}")","Email":"$(json_escape "${ADMIN_EMAIL}")","Password":"$(json_escape "${ADMIN_PASSWORD}")"},"SupportEmail":"$(json_escape "${SUPPORT_EMAIL}")"}}
JSON
)"
cp "${CREDDIR}/authblocks.json" "${APP_HOME}/api/deepdrft/environment/authblocks.json"
unset JWT_SECRET JWT_ISSUER JWT_AUDIENCE EMAIL_HOST EMAIL_TOKEN
unset ADMIN_USERNAME ADMIN_EMAIL ADMIN_PASSWORD SUPPORT_EMAIL
else
@@ -214,6 +218,7 @@ fi
if need_cred "api-public"; then
write_cred "api-public" \
"{\"Api\":{\"ContentApiUrl\":\"http://localhost:${PORT_API:-5002}\"}}"
cp "${CREDDIR}/api-public.json" "${APP_HOME}/public/environment/api.json"
else
echo "[setup-step10-creds] api-public.json already exists, skipping"
fi
@@ -227,6 +232,7 @@ if need_cred "api-manager"; then
fi
write_cred "api-manager" \
"{\"Api\":{\"ContentApiUrl\":\"http://localhost:${PORT_API:-5002}\",\"ContentApiKey\":\"$(json_escape "${API_KEY}")\"}}"
cp "${CREDDIR}/api-manager.json" "${APP_HOME}/manager/environment/api.json"
unset API_KEY
else
echo "[setup-step10-creds] api-manager.json already exists, skipping"