mirror of
https://github.com/dograh-hq/dograh.git
synced 2026-06-22 08:38:13 +02:00
17054e3f26
* feat(scripts): generate REDIS_PASSWORD on setup, plumb through compose Per the discussion on #453, this takes the recommended path of extending the setup scripts rather than introducing a parallel compose file. - scripts/setup_remote.sh now generates REDIS_PASSWORD alongside OSS_JWT_SECRET and POSTGRES_PASSWORD and writes it to the rendered .env (with a short comment noting it can be rotated, unlike the postgres password which is baked into the volume on first init). - scripts/start_docker.sh now generates REDIS_PASSWORD on first run if missing, mirroring the existing OSS_JWT_SECRET pattern (reuses generate_secret, which falls back through python3 → openssl → /dev/urandom). - docker-compose.yaml and docker-compose-local.yaml now interpolate ${REDIS_PASSWORD:-redissecret} in the redis --requirepass, the redis healthcheck, and the api REDIS_URL. The :-redissecret fallback preserves backwards compatibility for users with an existing .env that predates this change — they keep the old value until they regenerate. New installs (via either script) get a secure random hex. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com> * Harden local Docker secret setup --------- Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com> Co-authored-by: Abhishek Kumar <abhishek@a6k.me>
117 lines
3.5 KiB
PowerShell
117 lines
3.5 KiB
PowerShell
$ErrorActionPreference = 'Stop'
|
|
|
|
$EnvFile = '.env'
|
|
$Registry = if ([string]::IsNullOrEmpty($env:REGISTRY)) { 'ghcr.io/dograh-hq' } else { $env:REGISTRY }
|
|
$EnableTelemetry = if ([string]::IsNullOrEmpty($env:ENABLE_TELEMETRY)) { 'true' } else { $env:ENABLE_TELEMETRY }
|
|
$Utf8NoBom = [System.Text.UTF8Encoding]::new($false)
|
|
|
|
function New-HexSecret {
|
|
$bytes = [byte[]]::new(32)
|
|
[System.Security.Cryptography.RandomNumberGenerator]::Fill($bytes)
|
|
return -join ($bytes | ForEach-Object { $_.ToString('x2') })
|
|
}
|
|
|
|
function Get-DotEnvValue {
|
|
param(
|
|
[string]$Path,
|
|
[string]$Key
|
|
)
|
|
|
|
if (-not (Test-Path $Path)) {
|
|
return $null
|
|
}
|
|
|
|
$resolvedPath = (Resolve-Path $Path).Path
|
|
foreach ($line in [System.IO.File]::ReadLines($resolvedPath)) {
|
|
if ($line.StartsWith("$Key=")) {
|
|
return $line.Substring($Key.Length + 1)
|
|
}
|
|
}
|
|
|
|
return $null
|
|
}
|
|
|
|
function Set-DotEnvValue {
|
|
param(
|
|
[string]$Path,
|
|
[string]$Key,
|
|
[string]$Value
|
|
)
|
|
|
|
$lines = New-Object System.Collections.Generic.List[string]
|
|
$updated = $false
|
|
|
|
if (Test-Path $Path) {
|
|
$resolvedPath = (Resolve-Path $Path).Path
|
|
foreach ($line in [System.IO.File]::ReadLines($resolvedPath)) {
|
|
if ($line.StartsWith("$Key=")) {
|
|
$lines.Add("$Key=$Value")
|
|
$updated = $true
|
|
} else {
|
|
$lines.Add($line)
|
|
}
|
|
}
|
|
}
|
|
|
|
if (-not $updated) {
|
|
$lines.Add("$Key=$Value")
|
|
}
|
|
|
|
[System.IO.File]::WriteAllLines((Join-Path (Get-Location) $Path), $lines, $Utf8NoBom)
|
|
}
|
|
|
|
if (-not (Test-Path 'docker-compose.yaml')) {
|
|
Write-Error 'docker-compose.yaml not found. Download it first, then re-run this script.'
|
|
exit 1
|
|
}
|
|
|
|
$envFileExisted = Test-Path $EnvFile
|
|
|
|
$existingSecret = Get-DotEnvValue -Path $EnvFile -Key 'OSS_JWT_SECRET'
|
|
if ([string]::IsNullOrEmpty($existingSecret)) {
|
|
Set-DotEnvValue -Path $EnvFile -Key 'OSS_JWT_SECRET' -Value (New-HexSecret)
|
|
Write-Host "Created OSS_JWT_SECRET in $EnvFile."
|
|
} else {
|
|
Write-Host "OSS_JWT_SECRET is already set in $EnvFile."
|
|
}
|
|
|
|
$existingPostgresPassword = Get-DotEnvValue -Path $EnvFile -Key 'POSTGRES_PASSWORD'
|
|
if ([string]::IsNullOrEmpty($existingPostgresPassword)) {
|
|
if (-not $envFileExisted) {
|
|
Set-DotEnvValue -Path $EnvFile -Key 'POSTGRES_PASSWORD' -Value (New-HexSecret)
|
|
Write-Host "Created POSTGRES_PASSWORD in $EnvFile."
|
|
} else {
|
|
Write-Host "POSTGRES_PASSWORD is not set in $EnvFile; keeping the docker-compose fallback for existing local data volumes."
|
|
}
|
|
} else {
|
|
Write-Host "POSTGRES_PASSWORD is already set in $EnvFile."
|
|
}
|
|
|
|
$existingRedisPassword = Get-DotEnvValue -Path $EnvFile -Key 'REDIS_PASSWORD'
|
|
if ([string]::IsNullOrEmpty($existingRedisPassword)) {
|
|
Set-DotEnvValue -Path $EnvFile -Key 'REDIS_PASSWORD' -Value (New-HexSecret)
|
|
Write-Host "Created REDIS_PASSWORD in $EnvFile."
|
|
} else {
|
|
Write-Host "REDIS_PASSWORD is already set in $EnvFile."
|
|
}
|
|
|
|
Write-Host ''
|
|
Write-Host "Docker registry: $Registry"
|
|
Write-Host "Telemetry enabled: $EnableTelemetry"
|
|
Write-Host ''
|
|
Write-Host 'This will run:'
|
|
Write-Host " `$env:REGISTRY = '$Registry'; `$env:ENABLE_TELEMETRY = '$EnableTelemetry'; docker compose up --pull always"
|
|
Write-Host ''
|
|
|
|
$answer = Read-Host 'Start Dograh now? [Y/n]'
|
|
if ($answer -match '^[Nn]') {
|
|
Write-Host 'Dograh was not started.'
|
|
exit 0
|
|
}
|
|
|
|
$env:REGISTRY = $Registry
|
|
$env:ENABLE_TELEMETRY = $EnableTelemetry
|
|
docker compose up --pull always
|
|
if ($LASTEXITCODE -ne 0) {
|
|
exit $LASTEXITCODE
|
|
}
|