Some checks failed
continuous-integration/drone/push Build is failing
New recipe recipe-maintainers/Libre-Desk (abra TYPE=libredesk): app libredesk v2.4.0 on :9000 + postgres:17 + redis:7. Adds: - recipe_meta.py: /health probe, BACKUP_CAPABLE (backupbot db labels), upgrade EXPECTED_NA (only one published version so far), WARM_CANONICAL. - install_steps.sh: insert format-compliant enc_key (32-hex) + admin_pwd (upper+lower+num+special) before deploy — abra's generic generator doesn't satisfy LibreDesk's strict secret formats. - custom/: /health 200 probe + served-shell brand/asset probe (real app, not a fallback 200).
50 lines
2.7 KiB
Bash
Executable File
50 lines
2.7 KiB
Bash
Executable File
#!/usr/bin/env bash
|
||
# libredesk — INSTALL-TIME secret hook.
|
||
#
|
||
# Runs during the install tier AFTER `abra app new` + EXTRA_ENV + `abra app secret generate --all`
|
||
# and BEFORE the single `abra app deploy` (lifecycle.py::_run_install_steps). LibreDesk validates
|
||
# two secrets with formats that abra's generic generator does not guarantee, so we insert compliant
|
||
# values here (at a bumped version — swarm forbids overwriting a secret at the same version) and
|
||
# point the .env at them, so the recipe deploys ONCE, healthy, with no reconverge:
|
||
# - enc_key : exactly 32 hex chars (AES-256 encryption_key) → openssl rand -hex 16
|
||
# - admin_pwd : 10–72 chars incl. upper+lower+number+special (the app rejects weaker "System"
|
||
# user passwords, which abra's alphanumeric generator can produce)
|
||
# db_password is fine as abra-generated (no special format), so it is left untouched.
|
||
#
|
||
# Env supplied by the harness:
|
||
# CCCI_APP_DOMAIN — the per-run libredesk app domain (== abra app name)
|
||
# CCCI_APP_ENV — path to the app's .env (the one `abra app deploy` reads)
|
||
set -euo pipefail
|
||
|
||
: "${CCCI_APP_DOMAIN:?missing}"
|
||
ENV_PATH="${CCCI_APP_ENV:?missing}"
|
||
|
||
# Insert a compliant value for <secret> and repoint SECRET_<VAR>_VERSION at the bumped version.
|
||
insert_secret() {
|
||
local secret="$1" env_var="$2" value="$3"
|
||
local cur new num
|
||
cur=$(grep -E "^\s*${env_var}=" "$ENV_PATH" | tail -1 | cut -d= -f2 | tr -d '"\r' || echo "v1")
|
||
cur=${cur:-v1}
|
||
num=$(( ${cur#v} + 1 )); new="v${num}"
|
||
# abra forbids overwriting an existing version; insert at the fresh version. -C creates it, -o
|
||
# allows overwrite if a stale one exists, --no-input for non-interactive.
|
||
local log
|
||
log=$(abra app secret insert "$CCCI_APP_DOMAIN" "$secret" "$new" "$value" --no-input -C -o 2>&1) ||
|
||
log=$(script -qec "abra app secret insert $CCCI_APP_DOMAIN $secret $new $value --no-input -C -o" /dev/null 2>&1) ||
|
||
{ echo " install_steps: abra app secret insert ${secret}@${new} failed: $log"; exit 1; }
|
||
sed -i "s|^\s*${env_var}=.*|${env_var}=${new}|" "$ENV_PATH"
|
||
echo " install_steps: ${secret} inserted at ${new} (was ${cur})"
|
||
}
|
||
|
||
# 32 hex chars = 16 bytes (AES-256 key LibreDesk expects for encryption_key).
|
||
ENC_KEY=$(openssl rand -hex 16)
|
||
|
||
# 10–72 chars with upper+lower+number+special. Build deterministically-compliant: a fixed
|
||
# upper+lower+digit+special prefix plus random hex entropy (lowercase letters + digits).
|
||
ADMIN_PWD="Ci$(openssl rand -hex 12)Aa1!"
|
||
|
||
insert_secret enc_key SECRET_ENC_KEY_VERSION "$ENC_KEY"
|
||
insert_secret admin_pwd SECRET_ADMIN_PWD_VERSION "$ADMIN_PWD"
|
||
|
||
echo " libredesk install_steps: enc_key (32-hex) + admin_pwd (complex) inserted; deploy will use them"
|