Your Name
e7b8d4df17
Self-hosted location history. 4-container compose: Rails 8 app + Sidekiq + PostGIS 16-3.4 + Redis 7, plus watchtower. Authentik OIDC end-to-end. Image pinned at freikin/dawarich:1.7.11 (OIDC support requires >= 1.7.8). PostGIS DB lives in this LXC, not on the central DB VM (.172) — central image is postgres:16-alpine without postgis, swapping it carries broader blast radius than colocating here. Convention exception captured in homelab-docs project_dawarich memory. Roles: - dawarich: system + Docker + compose + weekly prune timer - alloy: logs+journald → Loki, node metrics → Prometheus Bring-up sequence proven 2026-06-01. README documents the 5-trap build chain (image version, entrypoint scripts, solid_cache SQLite bind mount, APPLICATION_HOSTS+localhost, force_ssl+healthcheck). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
47 lines
2.7 KiB
Bash
Executable File
47 lines
2.7 KiB
Bash
Executable File
#!/usr/bin/env bash
|
|
# ==============================================================================
|
|
# bootstrap-secrets.sh — Generate + push the 5 Dawarich app secrets to Infisical
|
|
#
|
|
# Run ONCE before the first deploy. Idempotent in the sense that re-running it
|
|
# rotates every key — which will invalidate existing Rails sessions + the OTP-
|
|
# encrypted columns. Do NOT re-run blindly on an existing install.
|
|
# ==============================================================================
|
|
set -euo pipefail
|
|
|
|
INF_PROJECT="50062d7c-06ff-4d5c-8ca3-6c0cdba9f270"
|
|
ENV="prod"
|
|
PATH_PREFIX="/dawarich"
|
|
|
|
command -v infisical >/dev/null || { echo "ERROR: infisical CLI not installed"; exit 1; }
|
|
command -v openssl >/dev/null || { echo "ERROR: openssl not installed"; exit 1; }
|
|
|
|
push() {
|
|
local name="$1" value="$2"
|
|
echo " -> $name"
|
|
infisical secrets set "${name}=${value}" \
|
|
--projectId "$INF_PROJECT" --env "$ENV" --path "$PATH_PREFIX" \
|
|
--type shared >/dev/null
|
|
}
|
|
|
|
echo "==> Generating + pushing 5 Dawarich secrets to ${PATH_PREFIX}/ ..."
|
|
push vault_dawarich_db_password "$(openssl rand -hex 32)"
|
|
push vault_dawarich_secret_key_base "$(openssl rand -hex 64)"
|
|
push vault_dawarich_otp_primary_key "$(openssl rand -hex 32)"
|
|
push vault_dawarich_otp_deterministic_key "$(openssl rand -hex 32)"
|
|
push vault_dawarich_otp_salt "$(openssl rand -hex 32)"
|
|
|
|
echo "==> Done."
|
|
echo
|
|
echo "Next steps:"
|
|
echo " 1) Apply terraform (module.dawarich) — provisions CT 459 on pve02 at .159."
|
|
echo " 2) Bootstrap cbalders user + SSH keys + NOPASSWD sudo on the new CT (see README)."
|
|
echo " 3) Generate + push 2 OIDC credentials (pi-auth uses these to CREATE the Authentik client — they are not fetched back):"
|
|
echo " infisical secrets set \"vault_dawarich_oidc_client_id=\$(openssl rand -hex 20)\" --projectId 50062d7c-06ff-4d5c-8ca3-6c0cdba9f270 --env prod --path /oidc --type shared"
|
|
echo " infisical secrets set \"vault_dawarich_oidc_client_secret=\$(openssl rand -hex 32)\" --projectId 50062d7c-06ff-4d5c-8ca3-6c0cdba9f270 --env prod --path /oidc --type shared"
|
|
echo " 4) Confirm homelab-ansible-pi-auth/site.yml has the dawarich_oidc_client_{id,secret} set_fact mapping."
|
|
echo " 5) First ./deploy.sh — picks up dawarich:1.7.11 (OIDC requires >= 1.7.8), runs migrations, comes up healthy."
|
|
echo " 6) cd ../homelab-ansible-pi-auth && ./deploy.sh — creates Authentik provider + application."
|
|
echo " 7) cd ../homelab-ansible-proxy && ./deploy.sh — adds Caddy vhost + Technitium CNAME."
|
|
echo " 8) cd ../homelab-ansible-pve && ./deploy.sh — adds CTID 459 to pbs-prod-daily."
|
|
echo " 9) Browser-test https://dawarich.balders.ca/users/sign_in → 'Sign in with Authentik'."
|