recipe-maintainer: public snapshot (secrets + deployment plans removed, single commit)

Sanitized single-commit public mirror of recipe-maintainer. - Removed test-ssh/.testenv (live creds); added test-ssh/.testenv.example placeholders. - Removed plans/ and planned-updates/ (deployment-planning docs) so no client/ deployment domains appear in the public repo. - All other secret stores were already gitignored. - docs.coopcloud.tech retained as a submodule (public upstream).
2026-06-16 20:18:24 +00:00
commit f283a371bb
253 changed files with 15975 additions and 0 deletions
--- a/scripts/sync_secrets.py
+++ b/scripts/sync_secrets.py
@ -0,0 +1,61 @@
+#!/usr/bin/env python3
+"""Sync Docker secrets from running containers to local files.
+
+For each deployed recipe on an instance, SSHes into the server,
+reads /run/secrets/ from containers, and saves locally.
+
+Usage:
+    python3 scripts/sync_secrets.py                    # sync all recipes
+    python3 scripts/sync_secrets.py --recipe keycloak  # sync one recipe
+    python3 scripts/sync_secrets.py --instance t1cc    # sync on specific instance
+"""
+
+import argparse
+import os
+import sys
+
+sys.path.insert(0, os.path.dirname(os.path.dirname(os.path.abspath(__file__))))
+
+from lib.config import paths
+from lib.models import load_default_instance, load_instance, load_deployment
+from lib.secrets import sync_secrets_for_deployment, sync_all_secrets
+from lib.log import SkillLogger
+
+
+def main():
+    parser = argparse.ArgumentParser(
+        description="Sync secrets from running containers"
+    )
+    parser.add_argument("--recipe", default=None,
+                        help="Sync only this recipe (default: all)")
+    parser.add_argument("--instance", default=None,
+                        help="Instance name (default: active)")
+    args = parser.parse_args()
+
+    log = SkillLogger("sync-secrets", args.recipe)
+
+    if args.instance:
+        inst = load_instance(args.instance)
+    else:
+        inst = load_default_instance()
+
+    log.info(f"Instance: {inst.name} ({inst.server})")
+
+    if args.recipe:
+        # Sync one recipe
+        dep = load_deployment(args.recipe, instance=inst.name)
+        log.step(f"Sync secrets for {args.recipe}")
+        secrets = sync_secrets_for_deployment(inst.server, dep.domain)
+        log.info(f"Synced {len(secrets)} secrets for {dep.domain}")
+    else:
+        # Sync all
+        log.step("Sync all secrets")
+        results = sync_all_secrets(inst.server)
+        total = sum(len(s) for s in results.values())
+        log.info(f"Synced {total} secrets across {len(results)} deployments")
+
+    log.save()
+
+
+if __name__ == "__main__":
+    main()