Merge branch 'creds-env' into dev
@@ -5,8 +5,8 @@
|
|||||||
# Expects in ${APP_HOME}/staging/:
|
# Expects in ${APP_HOME}/staging/:
|
||||||
# deepdrft-manager.tar.gz -- published self-contained linux-x64 binary tree
|
# deepdrft-manager.tar.gz -- published self-contained linux-x64 binary tree
|
||||||
#
|
#
|
||||||
# DeepDrftManager receives its API URL + API key credential via systemd LoadCredential
|
# DeepDrftManager reads its API URL and API key credential from environment/api.json at startup
|
||||||
# (api-manager.json -> $CREDENTIALS_DIRECTORY/api at runtime). No env file copy needed.
|
# (populated by setup-step10-creds.sh). The env-file copy block below keeps it current.
|
||||||
#
|
#
|
||||||
# Paths are derived at runtime — no hardcoded usernames or home dirs.
|
# Paths are derived at runtime — no hardcoded usernames or home dirs.
|
||||||
# APP_HOME comes from $HOME (sshd sets this for the app user).
|
# APP_HOME comes from $HOME (sshd sets this for the app user).
|
||||||
@@ -36,6 +36,18 @@ rm -f "${STAGING}/${ARCHIVE}"
|
|||||||
|
|
||||||
echo "[deploy-manager] archive extracted"
|
echo "[deploy-manager] archive extracted"
|
||||||
|
|
||||||
|
# ── Apply environment files (host-managed, not in archive) ────────────────
|
||||||
|
if [[ -d "${APPROOT}/environment" ]]; then
|
||||||
|
shopt -s nullglob
|
||||||
|
env_files=("${APPROOT}/environment/"*)
|
||||||
|
shopt -u nullglob
|
||||||
|
if [[ ${#env_files[@]} -gt 0 ]]; then
|
||||||
|
mkdir -p "${APPROOT}/bin/environment"
|
||||||
|
cp "${env_files[@]}" "${APPROOT}/bin/environment/"
|
||||||
|
echo "[deploy-manager] environment files applied"
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
|
||||||
# ── Enable and restart service ─────────────────────────────────────────────
|
# ── Enable and restart service ─────────────────────────────────────────────
|
||||||
systemctl --user enable deepdrftmanager.service
|
systemctl --user enable deepdrftmanager.service
|
||||||
systemctl --user restart deepdrftmanager.service
|
systemctl --user restart deepdrftmanager.service
|
||||||
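Review bot: The added environment-copy block writes `api.json`, which the header comment says carries the API key, into `${APPROOT}/bin/environment/` with `mkdir -p` and plain `cp`, so the directory mode follows the umask and an already-existing destination file keeps whatever mode it had. Since this commit replaces systemd LoadCredential with on-disk files, I would pin the modes explicitly: `install -d -m 0700 "${APPROOT}/bin/environment"` followed by `install -m 0600 -- "${env_files[@]}" "${APPROOT}/bin/environment/"`. The identical block added in the deploy-public section further down needs the same change. Plain `cp` also fails on a subdirectory under `environment/`; whether that aborts the script before the service restart depends on shell options that are not visible in this hunk.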
|
|||||||
+14
-2
@@ -5,8 +5,8 @@
|
|||||||
# Expects in ${APP_HOME}/staging/:
|
# Expects in ${APP_HOME}/staging/:
|
||||||
# deepdrft-public.tar.gz -- published self-contained linux-x64 binary tree
|
# deepdrft-public.tar.gz -- published self-contained linux-x64 binary tree
|
||||||
#
|
#
|
||||||
# DeepDrftPublic receives its API URL credential via systemd LoadCredential
|
# DeepDrftPublic reads its API URL credential from environment/api.json at startup
|
||||||
# (api-public.json -> $CREDENTIALS_DIRECTORY/api at runtime). No env file copy needed.
|
# (populated by setup-step10-creds.sh). The env-file copy block below keeps it current.
|
||||||
#
|
#
|
||||||
# Paths are derived at runtime — no hardcoded usernames or home dirs.
|
# Paths are derived at runtime — no hardcoded usernames or home dirs.
|
||||||
# APP_HOME comes from $HOME (sshd sets this for the app user).
|
# APP_HOME comes from $HOME (sshd sets this for the app user).
|
||||||
@@ -36,6 +36,18 @@ rm -f "${STAGING}/${ARCHIVE}"
|
|||||||
|
|
||||||
echo "[deploy-public] archive extracted"
|
echo "[deploy-public] archive extracted"
|
||||||
|
|
||||||
|
# ── Apply environment files (host-managed, not in archive) ────────────────
|
||||||
|
if [[ -d "${APPROOT}/environment" ]]; then
|
||||||
|
shopt -s nullglob
|
||||||
|
env_files=("${APPROOT}/environment/"*)
|
||||||
|
shopt -u nullglob
|
||||||
|
if [[ ${#env_files[@]} -gt 0 ]]; then
|
||||||
|
mkdir -p "${APPROOT}/bin/environment"
|
||||||
|
cp "${env_files[@]}" "${APPROOT}/bin/environment/"
|
||||||
|
echo "[deploy-public] environment files applied"
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
|
||||||
# ── Enable and restart service ─────────────────────────────────────────────
|
# ── Enable and restart service ─────────────────────────────────────────────
|
||||||
systemctl --user enable deepdrftpublic.service
|
systemctl --user enable deepdrftpublic.service
|
||||||
systemctl --user restart deepdrftpublic.service
|
systemctl --user restart deepdrftpublic.service
|
||||||
|
|||||||
@@ -92,6 +92,7 @@ need_cred() {
|
|||||||
if need_cred "filedatabase"; then
|
if need_cred "filedatabase"; then
|
||||||
write_cred "filedatabase" \
|
write_cred "filedatabase" \
|
||||||
"{\"FileDatabaseSettings\":{\"VaultPath\":\"${APP_HOME}/api/deepdrft/vaults\"}}"
|
"{\"FileDatabaseSettings\":{\"VaultPath\":\"${APP_HOME}/api/deepdrft/vaults\"}}"
|
||||||
|
cp "${CREDDIR}/filedatabase.json" "${APP_HOME}/api/deepdrft/environment/filedatabase.json"
|
||||||
else
|
else
|
||||||
echo "[setup-step10-creds] filedatabase.json already exists, skipping"
|
echo "[setup-step10-creds] filedatabase.json already exists, skipping"
|
||||||
fi
|
fi
|
||||||
@@ -110,6 +111,7 @@ if need_cred "apikey"; then
|
|||||||
unset API_KEY_INPUT
|
unset API_KEY_INPUT
|
||||||
write_cred "apikey" \
|
write_cred "apikey" \
|
||||||
"{\"ApiKeySettings\":{\"ApiKey\":\"$(json_escape "${API_KEY}")\"}}"
|
"{\"ApiKeySettings\":{\"ApiKey\":\"$(json_escape "${API_KEY}")\"}}"
|
||||||
|
cp "${CREDDIR}/apikey.json" "${APP_HOME}/api/deepdrft/environment/apikey.json"
|
||||||
else
|
else
|
||||||
echo "[setup-step10-creds] apikey.json already exists, skipping"
|
echo "[setup-step10-creds] apikey.json already exists, skipping"
|
||||||
# Still need the value for api-manager.json if that's also being written.
|
# Still need the value for api-manager.json if that's also being written.
|
||||||
@@ -150,6 +152,7 @@ if need_cred "connections"; then
|
|||||||
AUTH_CONN="Host=localhost;Database=${DB_AUTH};Username=${PG_ROLE};Password=$(json_escape "${PG_PASSWORD}")"
|
AUTH_CONN="Host=localhost;Database=${DB_AUTH};Username=${PG_ROLE};Password=$(json_escape "${PG_PASSWORD}")"
|
||||||
write_cred "connections" \
|
write_cred "connections" \
|
||||||
"{\"ConnectionStrings\":{\"DefaultConnection\":\"${META_CONN}\",\"Auth\":\"${AUTH_CONN}\"}}"
|
"{\"ConnectionStrings\":{\"DefaultConnection\":\"${META_CONN}\",\"Auth\":\"${AUTH_CONN}\"}}"
|
||||||
|
cp "${CREDDIR}/connections.json" "${APP_HOME}/api/deepdrft/environment/connections.json"
|
||||||
unset PG_PASSWORD META_CONN AUTH_CONN
|
unset PG_PASSWORD META_CONN AUTH_CONN
|
||||||
else
|
else
|
||||||
echo "[setup-step10-creds] connections.json already exists, skipping"
|
echo "[setup-step10-creds] connections.json already exists, skipping"
|
||||||
@@ -204,6 +207,7 @@ if need_cred "authblocks"; then
|
|||||||
{"AuthBlocks":{"Jwt":{"Secret":"$(json_escape "${JWT_SECRET}")","Issuer":"$(json_escape "${JWT_ISSUER}")","Audience":"$(json_escape "${JWT_AUDIENCE}")"},"Email":{"Host":"$(json_escape "${EMAIL_HOST}")","Token":"$(json_escape "${EMAIL_TOKEN}")"},"Admin":{"UserName":"$(json_escape "${ADMIN_USERNAME}")","Email":"$(json_escape "${ADMIN_EMAIL}")","Password":"$(json_escape "${ADMIN_PASSWORD}")"},"SupportEmail":"$(json_escape "${SUPPORT_EMAIL}")"}}
|
{"AuthBlocks":{"Jwt":{"Secret":"$(json_escape "${JWT_SECRET}")","Issuer":"$(json_escape "${JWT_ISSUER}")","Audience":"$(json_escape "${JWT_AUDIENCE}")"},"Email":{"Host":"$(json_escape "${EMAIL_HOST}")","Token":"$(json_escape "${EMAIL_TOKEN}")"},"Admin":{"UserName":"$(json_escape "${ADMIN_USERNAME}")","Email":"$(json_escape "${ADMIN_EMAIL}")","Password":"$(json_escape "${ADMIN_PASSWORD}")"},"SupportEmail":"$(json_escape "${SUPPORT_EMAIL}")"}}
|
||||||
JSON
|
JSON
|
||||||
)"
|
)"
|
||||||
|
cp "${CREDDIR}/authblocks.json" "${APP_HOME}/api/deepdrft/environment/authblocks.json"
|
||||||
unset JWT_SECRET JWT_ISSUER JWT_AUDIENCE EMAIL_HOST EMAIL_TOKEN
|
unset JWT_SECRET JWT_ISSUER JWT_AUDIENCE EMAIL_HOST EMAIL_TOKEN
|
||||||
unset ADMIN_USERNAME ADMIN_EMAIL ADMIN_PASSWORD SUPPORT_EMAIL
|
unset ADMIN_USERNAME ADMIN_EMAIL ADMIN_PASSWORD SUPPORT_EMAIL
|
||||||
else
|
else
|
||||||
@@ -214,6 +218,7 @@ fi
|
|||||||
if need_cred "api-public"; then
|
if need_cred "api-public"; then
|
||||||
write_cred "api-public" \
|
write_cred "api-public" \
|
||||||
"{\"Api\":{\"ContentApiUrl\":\"http://localhost:${PORT_API:-5002}\"}}"
|
"{\"Api\":{\"ContentApiUrl\":\"http://localhost:${PORT_API:-5002}\"}}"
|
||||||
|
cp "${CREDDIR}/api-public.json" "${APP_HOME}/public/environment/api.json"
|
||||||
else
|
else
|
||||||
echo "[setup-step10-creds] api-public.json already exists, skipping"
|
echo "[setup-step10-creds] api-public.json already exists, skipping"
|
||||||
fi
|
fi
|
||||||
@@ -227,6 +232,7 @@ if need_cred "api-manager"; then
|
|||||||
fi
|
fi
|
||||||
write_cred "api-manager" \
|
write_cred "api-manager" \
|
||||||
"{\"Api\":{\"ContentApiUrl\":\"http://localhost:${PORT_API:-5002}\",\"ContentApiKey\":\"$(json_escape "${API_KEY}")\"}}"
|
"{\"Api\":{\"ContentApiUrl\":\"http://localhost:${PORT_API:-5002}\",\"ContentApiKey\":\"$(json_escape "${API_KEY}")\"}}"
|
||||||
|
cp "${CREDDIR}/api-manager.json" "${APP_HOME}/manager/environment/api.json"
|
||||||
unset API_KEY
|
unset API_KEY
|
||||||
else
|
else
|
||||||
echo "[setup-step10-creds] api-manager.json already exists, skipping"
|
echo "[setup-step10-creds] api-manager.json already exists, skipping"
|
||||||
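Review bot: Every added `cp` into an `environment/` directory sits inside its `if need_cred …` branch, so the `else` path that prints "already exists, skipping" never creates or refreshes the copy; this applies to all six hunks in this file. On a host provisioned before this change, where the skip messages suggest the files already exist under `${CREDDIR}`, a rerun would leave `environment/api.json` missing even though the deploy scripts' header comments say the services now read it at startup. Consider moving each copy after the closing `fi` and fixing the mode at the same time, e.g. `install -m 0600 -- "${CREDDIR}/apikey.json" "${APP_HOME}/api/deepdrft/environment/apikey.json"`. The hunks do not show the target `environment/` directories being created, so confirm that happens earlier in the script. `need_cred` and `write_cred` are defined outside the visible hunks, so their file modes and existence checks are inferred here.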
|
|||||||