d-bis/proxmox
4
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity
Files
a2645b5285734a85f2fb770e5069f81bca4e7352
proxmox/scripts/consolidate-secrets-into-file.sh
defiQUG b3a8fe4496
Some checks failed
Deploy to Phoenix / deploy (push) Has been cancelled
Details
chore: sync all changes to Gitea 
- Config, docs, scripts, and backup manifests
- Submodule refs unchanged (m = modified content in submodules)

Made-with: Cursor
2026-03-02 11:37:34 -08:00

118 lines
5.4 KiB
Bash
Raw Blame History

#!/usr/bin/env bash
# Consolidate all .env secrets into one file for backup/download.
# Run from proxmox repo root. Output: one .env-style file (path as first argument).
# Usage: bash scripts/consolidate-secrets-into-file.sh [OUTPUT_FILE]
# Example: bash scripts/consolidate-secrets-into-file.sh ~/secrets-consolidated.env
# SECURITY: Run locally only. Output contains real secrets; chmod 600 and never commit.
set -euo pipefail
PROJECT_ROOT="${PROJECT_ROOT:-$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)}"
cd "$PROJECT_ROOT"
OUTPUT="${1:-secrets-consolidated.env}"
# Keys we care about (from SECRETS_CONSOLIDATED_DOWNLOAD.env); order preserved
KEYS=(
PROXMOX_ML110 PROXMOX_R630_01 PROXMOX_R630_02 PROXMOX_HOST PROXMOX_PORT PROXMOX_USER
PROXMOX_TOKEN_NAME PROXMOX_TOKEN_VALUE PROXMOX_ALLOW_ELEVATED
CLOUDFLARE_API_TOKEN CLOUDFLARE_EMAIL CLOUDFLARE_API_KEY CLOUDFLARE_ZONE_ID
CLOUDFLARE_ZONE_ID_D_BIS_ORG CLOUDFLARE_ZONE_ID_MIM4U_ORG CLOUDFLARE_ZONE_ID_SANKOFA_NEXUS CLOUDFLARE_ZONE_ID_DEFI_ORACLE_IO
CLOUDFLARE_TUNNEL_TOKEN CLOUDFLARE_TUNNEL_ID CLOUDFLARE_TUNNEL_ID_ALLTRA_HYBX CLOUDFLARE_TUNNEL_ID_MIFOS_R630_02
CLOUDFLARE_TUNNEL_TOKEN_MIFOS_R630_02 CLOUDFLARE_ORIGIN_CA_KEY CLOUDFLARE_ACCOUNT_ID
CLOUDNS_AUTH_ID CLOUDNS_AUTH_PASSWORD
NPM_URL NPM_EMAIL NPM_PASSWORD NPM_HOST NPM_PROXMOX_HOST NPMPLUS_HOST NPM_VMID NPMPLUS_VMID
NPMPLUS_ALLTRA_HYBX_VMID IP_NPMPLUS_ALLTRA_HYBX NPM_URL_MIFOS
FASTLY_API_TOKEN
PUBLIC_IP PROXMOX_HOST_FOR_TEST UNIFI_UDM_URL UNIFI_API_KEY UNIFI_API_MODE UNIFI_SITE_ID UNIFI_VERIFY_SSL
OMADA_API_KEY OMADA_CLIENT_SECRET
GITEA_URL GITEA_TOKEN GITEA_ORG
DATABASE_URL JWT_SECRET JWT_REFRESH_SECRET JWT_EXPIRES_IN JWT_REFRESH_EXPIRES_IN SESSION_SECRET
ADMIN_CENTRAL_API_KEY DBIS_CENTRAL_URL ADMIN_JWT_SECRET
STORAGE_TYPE STORAGE_PATH AWS_REGION AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_S3_BUCKET
AZURE_STORAGE_CONNECTION_STRING AZURE_STORAGE_CONTAINER
PRIVATE_KEY RPC_URL_138 RPC_URL_138_PUBLIC ETHEREUM_MAINNET_RPC CHAIN_651940_RPC_URL ETHERLINK_RPC_URL TEZOS_RPC_URL
ETHERSCAN_API_KEY ETHERLINK_CCIP_SELECTOR TEZOS_BRIDGE_ENABLED ETHERLINK_BRIDGE_ENABLED
TEZOS_RELAY_ORACLE_KEY ETHERLINK_RELAY_BRIDGE ETHERLINK_RELAY_PRIVATE_KEY JUMPER_API_KEY
ONEINCH_API_KEY MOONPAY_API_KEY MOONPAY_SECRET_KEY RAMP_NETWORK_API_KEY ONRAMPER_API_KEY
SLACK_WEBHOOK_URL PAGERDUTY_INTEGRATION_KEY EMAIL_ALERT_API_URL EMAIL_ALERT_RECIPIENTS SENTRY_DSN
E_SIGNATURE_BASE_URL
CRYPTO_COM_API_KEY CRYPTO_COM_API_SECRET CRYPTO_COM_ENVIRONMENT BINANCE_API_KEY BINANCE_API_SECRET
KRAKEN_API_KEY KRAKEN_PRIVATE_KEY OANDA_API_KEY OANDA_ACCOUNT_ID OANDA_ENVIRONMENT FXCM_API_TOKEN
COINGECKO_API_KEY COINDESK_API_KEY COINMARKETCAP_API_KEY DEXSCREENER_API_KEY
MIFOS_BASE_URL MIFOS_TENANT MIFOS_USER MIFOS_PASSWORD MIFOS_INSECURE
OMNL_FINERACT_BASE_URL OMNL_FINERACT_TENANT OMNL_FINERACT_USER OMNL_FINERACT_PASSWORD
SANKOFA_PHOENIX_API_URL SANKOFA_PHOENIX_CLIENT_ID SANKOFA_PHOENIX_CLIENT_SECRET SANKOFA_PHOENIX_TENANT_ID
VITE_WALLETCONNECT_PROJECT_ID VITE_THIRDWEB_CLIENT_ID VITE_ETHERSCAN_API_KEY VITE_SENTRY_DSN
VITE_API_URL VITE_API_BASE_URL NEXT_PUBLIC_API_URL NEXT_PUBLIC_CHAIN_ID
METAMASK_API_KEY THIRDWEB_SECRET_KEY NPM_ACCESS_TOKEN
PARASWAP_API_KEY ZEROX_API_KEY
MONGO_USER MONGO_PASSWORD MONGO_IP MONGO_PORT MONGO_DATABASE
CHAIN138_RPC_URL RPC_URL_138_FIREBLOCKS WS_URL_138_FIREBLOCKS CHAIN_ID_138
PORT MARKET_REPORTING_API_KEY E_FILING_ENABLED NODE_ENV
)
# Sources: path -> prefix for comments
declare -A SOURCES
SOURCES["$PROJECT_ROOT/.env"]="root"
SOURCES["$PROJECT_ROOT/.env.master"]="root"
if [ -d "$PROJECT_ROOT/smom-dbis-138" ]; then
SOURCES["$PROJECT_ROOT/smom-dbis-138/.env"]="smom"
fi
if [ -d "$PROJECT_ROOT/dbis_core" ]; then
SOURCES["$PROJECT_ROOT/dbis_core/.env"]="dbis"
fi
if [ -d "$PROJECT_ROOT/OMNIS" ] && [ -f "$PROJECT_ROOT/OMNIS/backend/.env" ]; then
SOURCES["$PROJECT_ROOT/OMNIS/backend/.env"]="omnis"
fi
if [ -d "$PROJECT_ROOT/omada-api" ]; then
SOURCES["$PROJECT_ROOT/omada-api/.env"]="omada"
fi
if [ -d "$PROJECT_ROOT/phoenix-deploy-api" ]; then
SOURCES["$PROJECT_ROOT/phoenix-deploy-api/.env"]="phoenix"
fi
if [ -d "$PROJECT_ROOT/ProxmoxVE/api" ]; then
SOURCES["$PROJECT_ROOT/ProxmoxVE/api/.env"]="proxmoxve"
fi
# Export from a single file (no spaces around =, no export keyword in value)
export_from() {
local f="$1"
[ -f "$f" ] || return 0
while IFS= read -r line; do
[[ "$line" =~ ^[A-Za-z_][A-Za-z0-9_]*= ]] || continue
key="${line%%=*}"
value="${line#*=}"
printf '%s\n' "$key=$value"
done < "$f"
}
# Collect key=value from all sources (first occurrence wins)
declare -A collected
for path in "${!SOURCES[@]}"; do
while IFS= read -r line; do
key="${line%%=*}"
[ -z "$key" ] && continue
[ -n "${collected[$key]:-}" ] && continue
collected[$key]="${line#*=}"
done < <(export_from "$path")
done
# Build output: header + each KEY from KEYS (use value from collected if present)
{
echo "# =============================================================================
# CONSOLIDATED SECRETS — Filled from local .env files
# Generated: $(date -u +"%Y-%m-%dT%H:%M:%SZ")
# SECURITY: chmod 600 this file; never commit.
# ============================================================================="
for key in "${KEYS[@]}"; do
val="${collected[$key]:-}"
if [ -n "$val" ]; then
echo "${key}=${val}"
else
echo "${key}="
fi
done
} > "$OUTPUT"
chmod 600 "$OUTPUT"
echo "Written to $OUTPUT ($(wc -l < "$OUTPUT") lines). Keep secure; do not commit."
Reference in New Issue View Git Blame Copy Permalink