mirror of
https://github.com/dograh-hq/dograh.git
synced 2026-06-22 08:38:13 +02:00
17054e3f26
* feat(scripts): generate REDIS_PASSWORD on setup, plumb through compose Per the discussion on #453, this takes the recommended path of extending the setup scripts rather than introducing a parallel compose file. - scripts/setup_remote.sh now generates REDIS_PASSWORD alongside OSS_JWT_SECRET and POSTGRES_PASSWORD and writes it to the rendered .env (with a short comment noting it can be rotated, unlike the postgres password which is baked into the volume on first init). - scripts/start_docker.sh now generates REDIS_PASSWORD on first run if missing, mirroring the existing OSS_JWT_SECRET pattern (reuses generate_secret, which falls back through python3 → openssl → /dev/urandom). - docker-compose.yaml and docker-compose-local.yaml now interpolate ${REDIS_PASSWORD:-redissecret} in the redis --requirepass, the redis healthcheck, and the api REDIS_URL. The :-redissecret fallback preserves backwards compatibility for users with an existing .env that predates this change — they keep the old value until they regenerate. New installs (via either script) get a secure random hex. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com> * Harden local Docker secret setup --------- Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com> Co-authored-by: Abhishek Kumar <abhishek@a6k.me>
133 lines
3.5 KiB
Bash
Executable file
133 lines
3.5 KiB
Bash
Executable file
#!/usr/bin/env bash
|
|
set -e
|
|
|
|
ENV_FILE=".env"
|
|
REGISTRY="${REGISTRY:-ghcr.io/dograh-hq}"
|
|
ENABLE_TELEMETRY="${ENABLE_TELEMETRY:-true}"
|
|
|
|
fail() {
|
|
echo "Error: $*" >&2
|
|
exit 1
|
|
}
|
|
|
|
generate_secret() {
|
|
if command -v python3 >/dev/null 2>&1 && python3 -c 'import secrets; print(secrets.token_hex(32))'; then
|
|
return
|
|
fi
|
|
|
|
if command -v openssl >/dev/null 2>&1 && openssl rand -hex 32; then
|
|
return
|
|
fi
|
|
|
|
if [[ -r /dev/urandom ]] && command -v od >/dev/null 2>&1 && command -v tr >/dev/null 2>&1 && od -An -N32 -tx1 /dev/urandom | tr -d ' \n'; then
|
|
return
|
|
fi
|
|
|
|
fail "Could not generate a secret. Install python3 or openssl, or set secrets manually in .env."
|
|
}
|
|
|
|
dotenv_value() {
|
|
local key=$1
|
|
local line
|
|
|
|
[[ -f "$ENV_FILE" ]] || return 1
|
|
|
|
while IFS= read -r line || [[ -n "$line" ]]; do
|
|
case "$line" in
|
|
"$key"=*)
|
|
printf '%s\n' "${line#*=}"
|
|
return 0
|
|
;;
|
|
esac
|
|
done < "$ENV_FILE"
|
|
|
|
return 1
|
|
}
|
|
|
|
set_dotenv_value() {
|
|
local key=$1
|
|
local value=$2
|
|
local tmp_file="${ENV_FILE}.tmp.$$"
|
|
local line
|
|
local updated=false
|
|
|
|
if [[ -f "$ENV_FILE" ]]; then
|
|
while IFS= read -r line || [[ -n "$line" ]]; do
|
|
case "$line" in
|
|
"$key"=*)
|
|
printf '%s=%s\n' "$key" "$value"
|
|
updated=true
|
|
;;
|
|
*)
|
|
printf '%s\n' "$line"
|
|
;;
|
|
esac
|
|
done < "$ENV_FILE" > "$tmp_file"
|
|
|
|
if [[ "$updated" != "true" ]]; then
|
|
printf '%s=%s\n' "$key" "$value" >> "$tmp_file"
|
|
fi
|
|
|
|
mv "$tmp_file" "$ENV_FILE"
|
|
else
|
|
printf '%s=%s\n' "$key" "$value" > "$ENV_FILE"
|
|
fi
|
|
}
|
|
|
|
[[ -f docker-compose.yaml ]] || fail "docker-compose.yaml not found. Download it first, then re-run this script."
|
|
|
|
env_file_existed=false
|
|
if [[ -f "$ENV_FILE" ]]; then
|
|
env_file_existed=true
|
|
fi
|
|
|
|
existing_secret="$(dotenv_value OSS_JWT_SECRET || true)"
|
|
if [[ -z "$existing_secret" ]]; then
|
|
set_dotenv_value OSS_JWT_SECRET "$(generate_secret)"
|
|
echo "Created OSS_JWT_SECRET in $ENV_FILE."
|
|
else
|
|
echo "OSS_JWT_SECRET is already set in $ENV_FILE."
|
|
fi
|
|
|
|
existing_postgres_password="$(dotenv_value POSTGRES_PASSWORD || true)"
|
|
if [[ -z "$existing_postgres_password" ]]; then
|
|
if [[ "$env_file_existed" == "false" ]]; then
|
|
set_dotenv_value POSTGRES_PASSWORD "$(generate_secret)"
|
|
echo "Created POSTGRES_PASSWORD in $ENV_FILE."
|
|
else
|
|
echo "POSTGRES_PASSWORD is not set in $ENV_FILE; keeping the docker-compose fallback for existing local data volumes."
|
|
fi
|
|
else
|
|
echo "POSTGRES_PASSWORD is already set in $ENV_FILE."
|
|
fi
|
|
|
|
existing_redis_password="$(dotenv_value REDIS_PASSWORD || true)"
|
|
if [[ -z "$existing_redis_password" ]]; then
|
|
set_dotenv_value REDIS_PASSWORD "$(generate_secret)"
|
|
echo "Created REDIS_PASSWORD in $ENV_FILE."
|
|
else
|
|
echo "REDIS_PASSWORD is already set in $ENV_FILE."
|
|
fi
|
|
|
|
echo ""
|
|
echo "Docker registry: $REGISTRY"
|
|
echo "Telemetry enabled: $ENABLE_TELEMETRY"
|
|
echo ""
|
|
echo "This will run:"
|
|
echo " REGISTRY=$REGISTRY ENABLE_TELEMETRY=$ENABLE_TELEMETRY docker compose up --pull always"
|
|
echo ""
|
|
|
|
if [[ ! -t 0 ]]; then
|
|
echo "Run the command above from an interactive shell to start Dograh."
|
|
exit 0
|
|
fi
|
|
|
|
read -r -p "Start Dograh now? [Y/n]: " answer
|
|
case "$answer" in
|
|
[Nn]*)
|
|
echo "Dograh was not started."
|
|
exit 0
|
|
;;
|
|
esac
|
|
|
|
REGISTRY="$REGISTRY" ENABLE_TELEMETRY="$ENABLE_TELEMETRY" docker compose up --pull always
|