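#!/usr/bin/env bash
# ==============================================================================
# bootstrap-secrets.sh — Generate + push the 5 Dawarich app secrets to Infisical
#
# Run ONCE before the first deploy. Idempotent in the sense that re-running it
# rotates every key — which will invalidate existing Rails sessions + the OTP-
# encrypted columns. Do NOT re-run blindly on an existing install.
#
# Requires: infisical CLI (authenticated with write access to INF_PROJECT) and
# openssl. Exits non-zero at the first secret that cannot be generated or pushed.
# ==============================================================================
set -euo pipefail

readonly INF_PROJECT="50062d7c-06ff-4d5c-8ca3-6c0cdba9f270"
# Named INF_ENV rather than ENV: bare ENV is a name the shell itself reserves.
readonly INF_ENV="prod"
readonly PATH_PREFIX="/dawarich"

#######################################
# Print an error to stderr and exit 1.
# Arguments: $* - message
#######################################
die() {
  printf 'ERROR: %s\n' "$*" >&2
  exit 1
}

command -v infisical >/dev/null || die "infisical CLI not installed"
command -v openssl >/dev/null || die "openssl not installed"

#######################################
# Push one secret to Infisical.
# Globals:   INF_PROJECT, INF_ENV, PATH_PREFIX (read)
# Arguments: $1 - secret name
#            $2 - secret value; must be non-empty
# Outputs:   one progress line on stdout; infisical's stdout is discarded
# Returns:   exits 1 (via die) on an empty value or a failed push
#######################################
push() {
  local name="$1" value="$2"
  # A generator that fails inside a command substitution is not caught by
  # set -e; without this check an empty secret would be stored silently.
  [[ -n "$value" ]] || die "refusing to push an empty value for $name"
  printf ' -> %s\n' "$name"
  # NOTE(review): the value travels on infisical's argv, so it is visible in
  # process listings and in any `set -x` trace for the duration of the call.
  # If the installed CLI can take the value from stdin or a file, prefer that —
  # confirm against the CLI's documentation before changing it.
  infisical secrets set "${name}=${value}" \
    --projectId "$INF_PROJECT" --env "$INF_ENV" --path "$PATH_PREFIX" \
    --type shared >/dev/null || die "failed to push $name"
}

#######################################
# Generate a random hex secret and push it.
# Arguments: $1 - secret name
#            $2 - number of random bytes (the hex string is twice as long)
# Returns:   exits 1 (via die) if openssl fails
#######################################
push_random() {
  local name="$1" nbytes="$2" value
  # Assign separately from `local` so openssl's exit status is not masked.
  value=$(openssl rand -hex "$nbytes") || die "openssl rand failed for $name"
  push "$name" "$value"
}

# Every run rotates all keys (see header). When a human is at the terminal, ask
# for explicit confirmation; non-interactive runs are unchanged.
if [[ -t 0 ]]; then
  read -r -p "This (re)generates ALL Dawarich secrets under ${PATH_PREFIX}/ — type ROTATE to continue: " answer
  [[ "$answer" == "ROTATE" ]] || die "aborted by user"
fi

echo "==> Generating + pushing 5 Dawarich secrets to ${PATH_PREFIX}/ ..."
push_random vault_dawarich_db_password           32
push_random vault_dawarich_secret_key_base       64
push_random vault_dawarich_otp_primary_key       32
push_random vault_dawarich_otp_deterministic_key 32
push_random vault_dawarich_otp_salt              32

# Quoted delimiter: nothing below is expanded, so the $(...) examples print
# literally for the operator to paste.
cat <<'EOF'
==> Done.

Next steps:
 1) Apply terraform (module.dawarich) — provisions CT 459 on pve02 at .159.
 2) Bootstrap cbalders user + SSH keys + NOPASSWD sudo on the new CT (see README).
 3) Generate + push 2 OIDC credentials (pi-auth uses these to CREATE the Authentik client — they are not fetched back):
 infisical secrets set "vault_dawarich_oidc_client_id=$(openssl rand -hex 20)" --projectId 50062d7c-06ff-4d5c-8ca3-6c0cdba9f270 --env prod --path /oidc --type shared
 infisical secrets set "vault_dawarich_oidc_client_secret=$(openssl rand -hex 32)" --projectId 50062d7c-06ff-4d5c-8ca3-6c0cdba9f270 --env prod --path /oidc --type shared
 4) Confirm homelab-ansible-pi-auth/site.yml has the dawarich_oidc_client_{id,secret} set_fact mapping.
 5) First ./deploy.sh — picks up dawarich:1.7.11 (OIDC requires >= 1.7.8), runs migrations, comes up healthy.
 6) cd ../homelab-ansible-pi-auth && ./deploy.sh — creates Authentik provider + application.
 7) cd ../homelab-ansible-proxy && ./deploy.sh — adds Caddy vhost + Technitium CNAME.
 8) cd ../homelab-ansible-pve && ./deploy.sh — adds CTID 459 to pbs-prod-daily.
 9) Browser-test https://dawarich.balders.ca/users/sign_in → 'Sign in with Authentik'.
EOF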