update project
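--- a/scripts/bitok-entrypoint.sh
+++ b/scripts/bitok-entrypoint.sh
@@ -0,0 +1,18 @@
+#!/bin/sh
+set -e
+
+# Read Vault root token from shared volume (written by vault-init)
+TOKEN_FILE="/vault/file/root-token"
+if [ -f "$TOKEN_FILE" ]; then
+export VAULT_TOKEN=$(cat "$TOKEN_FILE" | tr -d '\n\r ')
+echo "[bitok-entrypoint] Loaded VAULT_TOKEN from $TOKEN_FILE"
+else
+echo "[bitok-entrypoint] WARNING: $TOKEN_FILE not found, using VAULT_TOKEN from env"
+fi
+
+# Start BITOK auth service
+exec granian --interface asgi ${APP_MODULE:-src.main:app} \
+--host ${APP_HOST:-0.0.0.0} \
+--port ${APP_PORT:-8000} \
+--workers ${APP_WORKERS:-1} \
+--loop uvloop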
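Review bot: `export VAULT_TOKEN=$(cat "$TOKEN_FILE" | tr -d '\n\r ')` hands the application the Vault root token from the shared volume, so the service runs with unrestricted Vault privileges; a token bound to a policy limited to `secrets/` (an AppRole login, or `vault token create -policy=<bitok-policy>`) is what a reviewer would expect at this line, and the `else` branch should assert the fallback exists with `: "${VAULT_TOKEN:?VAULT_TOKEN not set}"` instead of continuing. `export` also masks the substitution's exit status under `set -e`; split it into `VAULT_TOKEN=$(tr -d '\n\r ' < "$TOKEN_FILE")` followed by `export VAULT_TOKEN`. The `${APP_MODULE:-src.main:app}`, `${APP_HOST:-0.0.0.0}`, `${APP_PORT:-8000}` and `${APP_WORKERS:-1}` expansions on the `exec granian` line are unquoted and get word-split if the variables ever contain whitespace; quote each of them.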
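--- a/scripts/vault-init.sh
+++ b/scripts/vault-init.sh
@@ -0,0 +1,128 @@
+#!/bin/sh
+set -e
+
+export VAULT_ADDR=http://vault:8200
+INIT_FILE="/vault/file/init-keys.json"
+TOKEN_FILE="/vault/file/root-token"
+
+echo "[vault-init] Waiting for Vault to respond..."
+until wget -qO- ${VAULT_ADDR}/v1/sys/seal-status > /dev/null 2>&1; do
+sleep 1
+done
+
+# Check if Vault is initialized (use HTTP API — vault CLI may suppress output when sealed)
+STATUS_JSON=$(wget -qO- ${VAULT_ADDR}/v1/sys/seal-status 2>/dev/null || echo '{}')
+INITIALIZED=$(echo "$STATUS_JSON" | grep -o '"initialized":[a-z]*' | cut -d: -f2)
+echo "[vault-init] Vault initialized=$INITIALIZED"
+
+FIRST_RUN="false"
+
+if [ "$INITIALIZED" != "true" ]; then
+echo "[vault-init] First run — initializing Vault..."
+FIRST_RUN="true"
+
+# Init with 1 key share for dev simplicity
+vault operator init -key-shares=1 -key-threshold=1 -format=json > "$INIT_FILE"
+
+UNSEAL_KEY=$(tr -d ' \n' < "$INIT_FILE" | grep -o '"unseal_keys_b64":\["[^"]*"' | cut -d'"' -f4)
+ROOT_TOKEN=$(tr -d ' \n' < "$INIT_FILE" | grep -o '"root_token":"[^"]*"' | cut -d'"' -f4)
+
+echo "[vault-init] Unsealing with key: ${UNSEAL_KEY:0:8}..."
+vault operator unseal "$UNSEAL_KEY"
+export VAULT_TOKEN="$ROOT_TOKEN"
+
+else
+echo "[vault-init] Vault already initialized."
+
+SEALED=$(echo "$STATUS_JSON" | grep -o '"sealed":[a-z]*' | cut -d: -f2)
+echo "[vault-init] Vault sealed=$SEALED"
+
+if [ "$SEALED" = "true" ]; then
+echo "[vault-init] Vault is sealed, unsealing..."
+if [ ! -f "$INIT_FILE" ]; then
+echo "[vault-init] ERROR: init-keys.json not found. Cannot unseal."
+exit 1
+fi
+UNSEAL_KEY=$(tr -d ' \n' < "$INIT_FILE" | grep -o '"unseal_keys_b64":\["[^"]*"' | cut -d'"' -f4)
+vault operator unseal "$UNSEAL_KEY"
+echo "[vault-init] Vault unsealed."
+else
+echo "[vault-init] Vault already unsealed."
+fi
+
+# Load root token
+if [ -f "$INIT_FILE" ]; then
+ROOT_TOKEN=$(tr -d ' \n' < "$INIT_FILE" | grep -o '"root_token":"[^"]*"' | cut -d'"' -f4)
+export VAULT_TOKEN="$ROOT_TOKEN"
+fi
+fi
+
+# ── Write root-token file for other containers ──
+echo "$ROOT_TOKEN" > "$TOKEN_FILE"
+
+# ── Ensure secrets engines exist ──
+# Enable kv mount (wallet) — ignore error if already enabled
+vault secrets enable -path=kv -version=2 kv 2>/dev/null || true
+
+# Enable secrets mount (BITOK) — ignore error if already enabled
+vault secrets enable -path=secrets -version=2 kv 2>/dev/null || true
+
+# ── Wallet infrastructure secrets ──
+echo "[vault-init] Writing wallet secrets..."
+vault kv put kv/cryptowallet \
+db_host=postgres \
+db_port=5432 \
+db_user=postgres \
+db_password=postgres \
+db_name=cryptowallet_devphase3 \
+relay_api_key=""
+
+# ── BITOK database secret ──
+echo "[vault-init] Writing BITOK secrets..."
+vault kv put secrets/database \
+HOST=postgres \
+PORT=5432 \
+USER=postgres \
+PASSWORD=postgres \
+NAME=bitok_dev
+
+# ── BITOK RabbitMQ secret ──
+vault kv put secrets/rabbitmq \
+HOST=rabbitmq \
+PORT=5672 \
+USER=guest \
+PASSWORD=guest \
+VHOST=/
+
+# ── BITOK CSRF secret ──
+vault kv put secrets/csrf \
+KEY=dev-csrf-secret-key-minimum-32-characters-long
+
+# ── BITOK JWT RS256 key pair (only generate on first run) ──
+# Check if JWT keys already exist
+JWT_EXISTS=$(vault kv get -format=json secrets/jwt/kid 2>/dev/null && echo "yes" || echo "no")
+
+if [ "$JWT_EXISTS" = "no" ]; then
+echo "[vault-init] Generating RSA-2048 key pair for JWT..."
+apk add --no-cache openssl > /dev/null 2>&1 || true
+openssl genrsa -out /tmp/jwt_private.pem 2048 2>/dev/null
+openssl rsa -in /tmp/jwt_private.pem -pubout -out /tmp/jwt_public.pem 2>/dev/null
+
+PRIVATE_KEY=$(cat /tmp/jwt_private.pem)
+PUBLIC_KEY=$(cat /tmp/jwt_public.pem)
+
+vault kv put secrets/jwt/kid \
+active=kid-dev-001 \
+previous=""
+
+vault kv put secrets/jwt/kids/kid-dev-001 \
+private_key="$PRIVATE_KEY" \
+public_key="$PUBLIC_KEY"
+
+rm -f /tmp/jwt_private.pem /tmp/jwt_public.pem
+echo "[vault-init] JWT keys generated."
+else
+echo "[vault-init] JWT keys already exist, skipping generation."
+fi
+
+echo "[vault-init] All secrets ready (wallet + BITOK). Done."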
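Review bot: `echo "$ROOT_TOKEN" > "$TOKEN_FILE"` and the earlier `vault operator init ... > "$INIT_FILE"` redirect create the root-token and unseal-key files with the default umask, so on the shared volume they are typically readable by every user and container that mounts it; add `umask 077` before the first redirect, or `chmod 600 "$INIT_FILE" "$TOKEN_FILE"` right after each write. `${UNSEAL_KEY:0:8}` in the unseal log line is a bash substring expansion that `#!/bin/sh` does not guarantee — dash reports a bad substitution and `set -e` then aborts before `vault operator unseal` runs on first start — so use `printf '%.8s' "$UNSEAL_KEY"` or drop the key prefix from the message. The JWT private key is passed to `vault kv put` as an argument (`private_key="$PRIVATE_KEY"`), which exposes it in the container's process list while the command runs; `private_key=@/tmp/jwt_private.pem` reads it from the file instead, and the `rm -f` of the temp keys should sit in a `trap ... EXIT` so an earlier failure does not leave them behind. `JWT_EXISTS` only behaves because the captured `vault kv get -format=json` output makes the value differ from `no` when the keys exist; `if vault kv get secrets/jwt/kid >/dev/null 2>&1; then` states the intent directly.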