michael/michaelschiemer
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
2d5327005673bfad2f909bd3d6fd082a23f69ec0
michaelschiemer/deployment/ansible/scripts/add-registry-password-to-vault.sh
Michael Schiemer 36ef2a1e2c
Some checks failed
🚀 Build & Deploy Image / Determine Build Necessity (push) Failing after 10m14s
Details
🚀 Build & Deploy Image / Build Runtime Base Image (push) Has been skipped
Details
🚀 Build & Deploy Image / Build Docker Image (push) Has been skipped
Details
🚀 Build & Deploy Image / Run Tests & Quality Checks (push) Has been skipped
Details
🚀 Build & Deploy Image / Auto-deploy to Staging (push) Has been skipped
Details
🚀 Build & Deploy Image / Auto-deploy to Production (push) Has been skipped
Details
Security Vulnerability Scan / Check for Dependency Changes (push) Failing after 11m25s
Details
Security Vulnerability Scan / Composer Security Audit (push) Has been cancelled
Details
fix: Gitea Traefik routing and connection pool optimization 
- Remove middleware reference from Gitea Traefik labels (caused routing issues)
- Optimize Gitea connection pool settings (MAX_IDLE_CONNS=30, authentication_timeout=180s)
- Add explicit service reference in Traefik labels
- Fix intermittent 504 timeouts by improving PostgreSQL connection handling

Fixes Gitea unreachability via git.michaelschiemer.de
2025-11-09 14:46:15 +01:00

120 lines
4.5 KiB
Bash
Executable File
Raw Blame History

#!/bin/bash
# Script to extract registry password from server and add it to vault
set -e
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
ANSIBLE_DIR="$(cd "$SCRIPT_DIR/.." && pwd)"
VAULT_FILE="$ANSIBLE_DIR/secrets/production.vault.yml"
VAULT_PASS_FILE="$ANSIBLE_DIR/secrets/.vault_pass"
# Check if vault file exists
if [ ! -f "$VAULT_FILE" ]; then
echo "❌ Vault file not found: $VAULT_FILE"
exit 1
fi
# Check if vault password file exists
if [ ! -f "$VAULT_PASS_FILE" ]; then
echo "❌ Vault password file not found: $VAULT_PASS_FILE"
echo "Please create it or use --ask-vault-pass"
exit 1
fi
echo "📋 Extracting registry password from server..."
echo ""
# Read inventory file to get server connection details
INVENTORY_FILE="$ANSIBLE_DIR/inventory/production.yml"
if [ ! -f "$INVENTORY_FILE" ]; then
echo "❌ Inventory file not found: $INVENTORY_FILE"
exit 1
fi
# Extract server hostname
SERVER_HOST=$(grep -E '^[[:space:]]*ansible_host:' "$INVENTORY_FILE" | awk '{print $2}' | head -1)
DEPLOY_USER=$(grep -E '^[[:space:]]*ansible_user:' "$INVENTORY_FILE" | awk '{print $2}' | head -1 || echo "deploy")
if [ -z "$SERVER_HOST" ]; then
echo "❌ Could not determine server hostname from inventory"
exit 1
fi
echo "Server: $SERVER_HOST"
echo "User: $DEPLOY_USER"
echo ""
# Try to extract password from registry .env file on server
REGISTRY_ENV_PATH="/home/$DEPLOY_USER/deployment/stacks/registry/.env"
echo "Attempting to extract password from: $REGISTRY_ENV_PATH"
echo ""
# Use SSH to read the password (assuming SSH key is configured)
REGISTRY_PASSWORD=$(ssh "${DEPLOY_USER}@${SERVER_HOST}" "grep '^REGISTRY_AUTH_HTPASSWD_REALM=' $REGISTRY_ENV_PATH 2>/dev/null | cut -d'=' -f2- | head -1" 2>/dev/null || echo "")
if [ -z "$REGISTRY_PASSWORD" ]; then
echo "⚠️ Could not extract password from server .env file"
echo ""
echo "Generating new registry password..."
REGISTRY_PASSWORD=$(openssl rand -base64 32 | tr -d "=+/" | cut -c1-32)
echo "Generated password: ${REGISTRY_PASSWORD:0:8}..."
echo ""
echo "⚠️ Note: This is a NEW password. If the registry is already deployed,"
echo " you may need to update the registry .env file on the server."
else
# Extract username from htpasswd format (username:password)
# The format is usually: username:$apr1$salt$hash
# We need to extract just the password part
echo "✅ Found password in registry .env file"
echo " (Password format: htpasswd hash)"
echo ""
echo "⚠️ Note: The password in .env is in htpasswd format."
echo " We need the plain password to add to vault."
echo ""
read -p "Enter the plain registry password (or press Enter to generate new): " REGISTRY_PASSWORD_INPUT
if [ -n "$REGISTRY_PASSWORD_INPUT" ]; then
REGISTRY_PASSWORD="$REGISTRY_PASSWORD_INPUT"
else
echo "Generating new registry password..."
REGISTRY_PASSWORD=$(openssl rand -base64 32 | tr -d "=+/" | cut -c1-32)
echo "Generated password: ${REGISTRY_PASSWORD:0:8}..."
fi
fi
echo ""
echo "Adding password to vault file..."
echo ""
# Check if vault_docker_registry_password already exists
if ansible-vault view "$VAULT_FILE" --vault-password-file "$VAULT_PASS_FILE" 2>/dev/null | grep -q "vault_docker_registry_password:"; then
echo "⚠️ vault_docker_registry_password already exists in vault"
read -p "Replace it? (y/N): " REPLACE
if [ "$REPLACE" != "y" ] && [ "$REPLACE" != "Y" ]; then
echo "Aborted."
exit 0
fi
# Replace existing password
ansible-vault view "$VAULT_FILE" --vault-password-file "$VAULT_PASS_FILE" | \
sed "s/^vault_docker_registry_password:.*/vault_docker_registry_password: \"$REGISTRY_PASSWORD\"/" | \
ansible-vault encrypt --vault-password-file "$VAULT_PASS_FILE" --output "$VAULT_FILE" -
else
# Add new password
ansible-vault view "$VAULT_FILE" --vault-password-file "$VAULT_PASS_FILE" | \
sed "/^vault_/a vault_docker_registry_password: \"$REGISTRY_PASSWORD\"" | \
ansible-vault encrypt --vault-password-file "$VAULT_PASS_FILE" --output "$VAULT_FILE" -
fi
echo ""
echo "✅ Password added to vault file!"
echo ""
echo "Next steps:"
echo "1. Verify the password is set:"
echo " ansible-vault view $VAULT_FILE --vault-password-file $VAULT_PASS_FILE | grep vault_docker_registry_password"
echo ""
echo "2. Re-run the playbook:"
echo " ansible-playbook -i inventory/production.yml playbooks/setup-infrastructure.yml --vault-password-file $VAULT_PASS_FILE"
Reference in New Issue View Git Blame Copy Permalink