Michael Schiemer
36ef2a1e2c
Some checks failed
🚀 Build & Deploy Image / Determine Build Necessity (push) Failing after 10m14s
🚀 Build & Deploy Image / Build Runtime Base Image (push) Has been skipped
🚀 Build & Deploy Image / Build Docker Image (push) Has been skipped
🚀 Build & Deploy Image / Run Tests & Quality Checks (push) Has been skipped
🚀 Build & Deploy Image / Auto-deploy to Staging (push) Has been skipped
🚀 Build & Deploy Image / Auto-deploy to Production (push) Has been skipped
Security Vulnerability Scan / Check for Dependency Changes (push) Failing after 11m25s
Security Vulnerability Scan / Composer Security Audit (push) Has been cancelled
- Remove middleware reference from Gitea Traefik labels (caused routing issues) - Optimize Gitea connection pool settings (MAX_IDLE_CONNS=30, authentication_timeout=180s) - Add explicit service reference in Traefik labels - Fix intermittent 504 timeouts by improving PostgreSQL connection handling Fixes Gitea unreachability via git.michaelschiemer.de
273 lines
9.5 KiB
Bash
Executable File
273 lines
9.5 KiB
Bash
Executable File
#!/bin/bash
|
|
set -e
|
|
|
|
# Initialize Ansible Secrets
|
|
# This script helps set up the Ansible vault file for the first time
|
|
|
|
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
|
|
ANSIBLE_DIR="$(dirname "$SCRIPT_DIR")"
|
|
SECRETS_DIR="$ANSIBLE_DIR/secrets"
|
|
|
|
# Helper function to generate random passwords
|
|
generate_password() {
|
|
local length=${1:-32}
|
|
openssl rand -base64 "$length" | tr -d "=+/" | cut -c1-"$length"
|
|
}
|
|
|
|
# Generate base64-encoded 32-byte key for APP_KEY
|
|
generate_app_key() {
|
|
openssl rand -base64 32
|
|
}
|
|
|
|
echo "🔐 Ansible Secrets Initialization"
|
|
echo "=================================="
|
|
echo ""
|
|
|
|
# Check if running from correct directory
|
|
if [ ! -f "$ANSIBLE_DIR/ansible.cfg" ]; then
|
|
echo "❌ Error: Must run from deployment/ansible directory"
|
|
exit 1
|
|
fi
|
|
|
|
# Step 1: Create vault password file
|
|
echo "Step 1: Vault Password"
|
|
echo "----------------------"
|
|
|
|
if [ -f "$SECRETS_DIR/.vault_pass" ]; then
|
|
echo "⚠️ Vault password file already exists: $SECRETS_DIR/.vault_pass"
|
|
read -p "Do you want to replace it? (y/N): " -n 1 -r
|
|
echo
|
|
if [[ ! $REPLY =~ ^[Yy]$ ]]; then
|
|
echo "Keeping existing vault password file."
|
|
else
|
|
rm "$SECRETS_DIR/.vault_pass"
|
|
read -sp "Enter new vault password: " VAULT_PASS
|
|
echo
|
|
read -sp "Confirm vault password: " VAULT_PASS_CONFIRM
|
|
echo
|
|
|
|
if [ "$VAULT_PASS" != "$VAULT_PASS_CONFIRM" ]; then
|
|
echo "❌ Passwords don't match!"
|
|
exit 1
|
|
fi
|
|
|
|
echo "$VAULT_PASS" > "$SECRETS_DIR/.vault_pass"
|
|
chmod 600 "$SECRETS_DIR/.vault_pass"
|
|
echo "✅ Vault password file created"
|
|
fi
|
|
else
|
|
read -sp "Enter vault password: " VAULT_PASS
|
|
echo
|
|
read -sp "Confirm vault password: " VAULT_PASS_CONFIRM
|
|
echo
|
|
|
|
if [ "$VAULT_PASS" != "$VAULT_PASS_CONFIRM" ]; then
|
|
echo "❌ Passwords don't match!"
|
|
exit 1
|
|
fi
|
|
|
|
echo "$VAULT_PASS" > "$SECRETS_DIR/.vault_pass"
|
|
chmod 600 "$SECRETS_DIR/.vault_pass"
|
|
echo "✅ Vault password file created"
|
|
fi
|
|
|
|
echo ""
|
|
|
|
# Step 2: Create production vault file
|
|
echo "Step 2: Production Vault File"
|
|
echo "-----------------------------"
|
|
|
|
if [ -f "$SECRETS_DIR/production.vault.yml" ]; then
|
|
echo "⚠️ Production vault file already exists"
|
|
read -p "Do you want to decrypt and edit it? (y/N): " -n 1 -r
|
|
echo
|
|
if [[ $REPLY =~ ^[Yy]$ ]]; then
|
|
ansible-vault edit "$SECRETS_DIR/production.vault.yml" \
|
|
--vault-password-file "$SECRETS_DIR/.vault_pass"
|
|
echo "✅ Vault file updated"
|
|
fi
|
|
else
|
|
echo "Creating new vault file from example..."
|
|
cp "$SECRETS_DIR/production.vault.yml.example" "$SECRETS_DIR/production.vault.yml"
|
|
|
|
echo ""
|
|
echo "Generating secure passwords for all secrets..."
|
|
|
|
# Generate all passwords
|
|
DB_PASSWORD=$(generate_password 32)
|
|
DB_ROOT_PASSWORD=$(generate_password 32)
|
|
REDIS_PASSWORD=$(generate_password 32)
|
|
APP_KEY=$(generate_app_key)
|
|
JWT_SECRET=$(generate_password 32)
|
|
MAIL_PASSWORD=$(generate_password 24)
|
|
REGISTRY_PASSWORD=$(generate_password 32)
|
|
ENCRYPTION_KEY=$(generate_password 32)
|
|
SESSION_SECRET=$(generate_password 32)
|
|
GRAFANA_PASSWORD=$(generate_password 24)
|
|
PROMETHEUS_PASSWORD=$(generate_password 24)
|
|
MINIO_PASSWORD=$(generate_password 32)
|
|
|
|
# Replace all placeholders with generated passwords
|
|
sed -i "s|change-me-secure-db-password|$DB_PASSWORD|g" "$SECRETS_DIR/production.vault.yml"
|
|
sed -i "s|change-me-secure-root-password|$DB_ROOT_PASSWORD|g" "$SECRETS_DIR/production.vault.yml"
|
|
sed -i "s|change-me-secure-redis-password|$REDIS_PASSWORD|g" "$SECRETS_DIR/production.vault.yml"
|
|
sed -i "s|change-me-base64-encoded-32-byte-key|$APP_KEY|g" "$SECRETS_DIR/production.vault.yml"
|
|
sed -i "s|change-me-jwt-signing-secret|$JWT_SECRET|g" "$SECRETS_DIR/production.vault.yml"
|
|
sed -i "s|change-me-mail-password|$MAIL_PASSWORD|g" "$SECRETS_DIR/production.vault.yml"
|
|
sed -i "s|change-me-registry-password|$REGISTRY_PASSWORD|g" "$SECRETS_DIR/production.vault.yml"
|
|
sed -i "s|change-me-encryption-key|$ENCRYPTION_KEY|g" "$SECRETS_DIR/production.vault.yml"
|
|
sed -i "s|change-me-session-secret|$SESSION_SECRET|g" "$SECRETS_DIR/production.vault.yml"
|
|
sed -i "s|change-me-secure-grafana-password|$GRAFANA_PASSWORD|g" "$SECRETS_DIR/production.vault.yml"
|
|
sed -i "s|change-me-secure-prometheus-password|$PROMETHEUS_PASSWORD|g" "$SECRETS_DIR/production.vault.yml"
|
|
sed -i "s|change-me-secure-minio-password|$MINIO_PASSWORD|g" "$SECRETS_DIR/production.vault.yml"
|
|
|
|
# Replace Git Token placeholder with empty string first (will be set to actual token or stay empty)
|
|
sed -i "s|change-me-gitea-personal-access-token||g" "$SECRETS_DIR/production.vault.yml"
|
|
|
|
echo "✅ All passwords generated and replaced"
|
|
echo ""
|
|
|
|
# Optional: Ask for Git Token
|
|
read -p "Do you have a Gitea Personal Access Token? (y/N): " -n 1 -r
|
|
echo
|
|
GIT_TOKEN_SET=false
|
|
if [[ $REPLY =~ ^[Yy]$ ]]; then
|
|
read -sp "Enter Git Token: " GIT_TOKEN
|
|
echo
|
|
# Replace empty value with actual token
|
|
sed -i "s|vault_git_token: \"\"|vault_git_token: \"$GIT_TOKEN\"|g" "$SECRETS_DIR/production.vault.yml"
|
|
echo "✅ Git Token set"
|
|
GIT_TOKEN_SET=true
|
|
else
|
|
echo "⚠️ Git Token not set. You can add it later with: ansible-vault edit secrets/production.vault.yml"
|
|
fi
|
|
|
|
echo ""
|
|
echo "Encrypting vault file..."
|
|
ansible-vault encrypt "$SECRETS_DIR/production.vault.yml" \
|
|
--vault-password-file "$SECRETS_DIR/.vault_pass"
|
|
|
|
echo "✅ Production vault file created and encrypted"
|
|
|
|
# Save passwords to file (gitignored) for reference
|
|
PASSWORDS_FILE="$SECRETS_DIR/.vault-passwords.txt"
|
|
cat > "$PASSWORDS_FILE" <<EOF
|
|
# Generated passwords for production.vault.yml
|
|
# DO NOT COMMIT THIS FILE!
|
|
# Generated: $(date)
|
|
|
|
vault_db_password: $DB_PASSWORD
|
|
vault_db_root_password: $DB_ROOT_PASSWORD
|
|
vault_redis_password: $REDIS_PASSWORD
|
|
vault_app_key: $APP_KEY
|
|
vault_jwt_secret: $JWT_SECRET
|
|
vault_mail_password: $MAIL_PASSWORD
|
|
vault_docker_registry_password: $REGISTRY_PASSWORD
|
|
vault_encryption_key: $ENCRYPTION_KEY
|
|
vault_session_secret: $SESSION_SECRET
|
|
vault_grafana_admin_password: $GRAFANA_PASSWORD
|
|
vault_prometheus_password: $PROMETHEUS_PASSWORD
|
|
vault_minio_root_password: $MINIO_PASSWORD
|
|
EOF
|
|
if [ "$GIT_TOKEN_SET" = true ]; then
|
|
echo "vault_git_token: $GIT_TOKEN" >> "$PASSWORDS_FILE"
|
|
else
|
|
echo "vault_git_token: (not set)" >> "$PASSWORDS_FILE"
|
|
fi
|
|
chmod 600 "$PASSWORDS_FILE"
|
|
echo "✅ Passwords saved to $PASSWORDS_FILE (for reference only - DO NOT COMMIT!)"
|
|
fi
|
|
|
|
echo ""
|
|
|
|
# Step 3: Verify vault file
|
|
echo "Step 3: Verification"
|
|
echo "-------------------"
|
|
|
|
echo "Testing vault decryption..."
|
|
if ansible-vault view "$SECRETS_DIR/production.vault.yml" \
|
|
--vault-password-file "$SECRETS_DIR/.vault_pass" > /dev/null 2>&1; then
|
|
echo "✅ Vault file can be decrypted successfully"
|
|
else
|
|
echo "❌ Failed to decrypt vault file!"
|
|
exit 1
|
|
fi
|
|
|
|
# Check for example values
|
|
echo "Checking for unchanged example values..."
|
|
EXAMPLE_VALUES=$(ansible-vault view "$SECRETS_DIR/production.vault.yml" \
|
|
--vault-password-file "$SECRETS_DIR/.vault_pass" | grep -c "change-me" || true)
|
|
|
|
if [ "$EXAMPLE_VALUES" -gt 0 ]; then
|
|
echo "⚠️ WARNING: Found $EXAMPLE_VALUES 'change-me' placeholder values!"
|
|
echo " These should have been replaced automatically."
|
|
echo " You may need to run the script again or edit manually."
|
|
echo ""
|
|
read -p "Do you want to edit the vault file now? (y/N): " -n 1 -r
|
|
echo
|
|
if [[ $REPLY =~ ^[Yy]$ ]]; then
|
|
ansible-vault edit "$SECRETS_DIR/production.vault.yml" \
|
|
--vault-password-file "$SECRETS_DIR/.vault_pass"
|
|
fi
|
|
else
|
|
echo "✅ No placeholder values found - all secrets are set"
|
|
fi
|
|
|
|
echo ""
|
|
|
|
# Step 4: Setup SSH key
|
|
echo "Step 4: SSH Key Setup"
|
|
echo "--------------------"
|
|
|
|
SSH_KEY="$HOME/.ssh/production"
|
|
|
|
if [ -f "$SSH_KEY" ]; then
|
|
echo "✅ SSH key already exists: $SSH_KEY"
|
|
else
|
|
echo "SSH key not found. Creating new key..."
|
|
ssh-keygen -t ed25519 -f "$SSH_KEY" -C "ansible-deploy" -N ""
|
|
chmod 600 "$SSH_KEY"
|
|
chmod 644 "$SSH_KEY.pub"
|
|
echo "✅ SSH key created"
|
|
echo ""
|
|
echo "📋 Public key:"
|
|
cat "$SSH_KEY.pub"
|
|
echo ""
|
|
echo "⚠️ You must add this public key to the production server:"
|
|
echo " ssh-copy-id -i $SSH_KEY.pub deploy@94.16.110.151"
|
|
echo ""
|
|
read -p "Press ENTER to continue..."
|
|
fi
|
|
|
|
echo ""
|
|
|
|
# Step 5: Test connection
|
|
echo "Step 5: Connection Test"
|
|
echo "----------------------"
|
|
|
|
read -p "Do you want to test the connection to production? (y/N): " -n 1 -r
|
|
echo
|
|
if [[ $REPLY =~ ^[Yy]$ ]]; then
|
|
echo "Testing Ansible connection..."
|
|
if ansible production -m ping 2>&1 | grep -q "SUCCESS"; then
|
|
echo "✅ Connection successful!"
|
|
else
|
|
echo "❌ Connection failed!"
|
|
echo ""
|
|
echo "Troubleshooting steps:"
|
|
echo "1. Verify SSH key is added to server: ssh-copy-id -i $SSH_KEY.pub deploy@94.16.110.151"
|
|
echo "2. Test SSH manually: ssh -i $SSH_KEY deploy@94.16.110.151"
|
|
echo "3. Check inventory file: cat $ANSIBLE_DIR/inventory/production.yml"
|
|
fi
|
|
fi
|
|
|
|
echo ""
|
|
echo "✅ Setup complete!"
|
|
echo ""
|
|
echo "Next steps:"
|
|
echo "1. Review vault file: ansible-vault view secrets/production.vault.yml --vault-password-file secrets/.vault_pass"
|
|
echo "2. Deploy secrets: ansible-playbook playbooks/setup-production-secrets.yml --vault-password-file secrets/.vault_pass"
|
|
echo "3. Deploy application: See README.md for deployment instructions"
|
|
echo ""
|
|
echo "📖 For more information, see: deployment/ansible/README.md"
|