b3a8fe4496
Some checks failed
Deploy to Phoenix / deploy (push) Has been cancelled
- Config, docs, scripts, and backup manifests - Submodule refs unchanged (m = modified content in submodules) Made-with: Cursor
118 lines
5.4 KiB
Bash
118 lines
5.4 KiB
Bash
#!/usr/bin/env bash
|
|
# Consolidate all .env secrets into one file for backup/download.
|
|
# Run from proxmox repo root. Output: one .env-style file (path as first argument).
|
|
# Usage: bash scripts/consolidate-secrets-into-file.sh [OUTPUT_FILE]
|
|
# Example: bash scripts/consolidate-secrets-into-file.sh ~/secrets-consolidated.env
|
|
# SECURITY: Run locally only. Output contains real secrets; chmod 600 and never commit.
|
|
set -euo pipefail
|
|
|
|
PROJECT_ROOT="${PROJECT_ROOT:-$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)}"
|
|
cd "$PROJECT_ROOT"
|
|
OUTPUT="${1:-secrets-consolidated.env}"
|
|
|
|
# Keys we care about (from SECRETS_CONSOLIDATED_DOWNLOAD.env); order preserved
|
|
KEYS=(
|
|
PROXMOX_ML110 PROXMOX_R630_01 PROXMOX_R630_02 PROXMOX_HOST PROXMOX_PORT PROXMOX_USER
|
|
PROXMOX_TOKEN_NAME PROXMOX_TOKEN_VALUE PROXMOX_ALLOW_ELEVATED
|
|
CLOUDFLARE_API_TOKEN CLOUDFLARE_EMAIL CLOUDFLARE_API_KEY CLOUDFLARE_ZONE_ID
|
|
CLOUDFLARE_ZONE_ID_D_BIS_ORG CLOUDFLARE_ZONE_ID_MIM4U_ORG CLOUDFLARE_ZONE_ID_SANKOFA_NEXUS CLOUDFLARE_ZONE_ID_DEFI_ORACLE_IO
|
|
CLOUDFLARE_TUNNEL_TOKEN CLOUDFLARE_TUNNEL_ID CLOUDFLARE_TUNNEL_ID_ALLTRA_HYBX CLOUDFLARE_TUNNEL_ID_MIFOS_R630_02
|
|
CLOUDFLARE_TUNNEL_TOKEN_MIFOS_R630_02 CLOUDFLARE_ORIGIN_CA_KEY CLOUDFLARE_ACCOUNT_ID
|
|
CLOUDNS_AUTH_ID CLOUDNS_AUTH_PASSWORD
|
|
NPM_URL NPM_EMAIL NPM_PASSWORD NPM_HOST NPM_PROXMOX_HOST NPMPLUS_HOST NPM_VMID NPMPLUS_VMID
|
|
NPMPLUS_ALLTRA_HYBX_VMID IP_NPMPLUS_ALLTRA_HYBX NPM_URL_MIFOS
|
|
FASTLY_API_TOKEN
|
|
PUBLIC_IP PROXMOX_HOST_FOR_TEST UNIFI_UDM_URL UNIFI_API_KEY UNIFI_API_MODE UNIFI_SITE_ID UNIFI_VERIFY_SSL
|
|
OMADA_API_KEY OMADA_CLIENT_SECRET
|
|
GITEA_URL GITEA_TOKEN GITEA_ORG
|
|
DATABASE_URL JWT_SECRET JWT_REFRESH_SECRET JWT_EXPIRES_IN JWT_REFRESH_EXPIRES_IN SESSION_SECRET
|
|
ADMIN_CENTRAL_API_KEY DBIS_CENTRAL_URL ADMIN_JWT_SECRET
|
|
STORAGE_TYPE STORAGE_PATH AWS_REGION AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_S3_BUCKET
|
|
AZURE_STORAGE_CONNECTION_STRING AZURE_STORAGE_CONTAINER
|
|
PRIVATE_KEY RPC_URL_138 RPC_URL_138_PUBLIC ETHEREUM_MAINNET_RPC CHAIN_651940_RPC_URL ETHERLINK_RPC_URL TEZOS_RPC_URL
|
|
ETHERSCAN_API_KEY ETHERLINK_CCIP_SELECTOR TEZOS_BRIDGE_ENABLED ETHERLINK_BRIDGE_ENABLED
|
|
TEZOS_RELAY_ORACLE_KEY ETHERLINK_RELAY_BRIDGE ETHERLINK_RELAY_PRIVATE_KEY JUMPER_API_KEY
|
|
ONEINCH_API_KEY MOONPAY_API_KEY MOONPAY_SECRET_KEY RAMP_NETWORK_API_KEY ONRAMPER_API_KEY
|
|
SLACK_WEBHOOK_URL PAGERDUTY_INTEGRATION_KEY EMAIL_ALERT_API_URL EMAIL_ALERT_RECIPIENTS SENTRY_DSN
|
|
E_SIGNATURE_BASE_URL
|
|
CRYPTO_COM_API_KEY CRYPTO_COM_API_SECRET CRYPTO_COM_ENVIRONMENT BINANCE_API_KEY BINANCE_API_SECRET
|
|
KRAKEN_API_KEY KRAKEN_PRIVATE_KEY OANDA_API_KEY OANDA_ACCOUNT_ID OANDA_ENVIRONMENT FXCM_API_TOKEN
|
|
COINGECKO_API_KEY COINDESK_API_KEY COINMARKETCAP_API_KEY DEXSCREENER_API_KEY
|
|
MIFOS_BASE_URL MIFOS_TENANT MIFOS_USER MIFOS_PASSWORD MIFOS_INSECURE
|
|
OMNL_FINERACT_BASE_URL OMNL_FINERACT_TENANT OMNL_FINERACT_USER OMNL_FINERACT_PASSWORD
|
|
SANKOFA_PHOENIX_API_URL SANKOFA_PHOENIX_CLIENT_ID SANKOFA_PHOENIX_CLIENT_SECRET SANKOFA_PHOENIX_TENANT_ID
|
|
VITE_WALLETCONNECT_PROJECT_ID VITE_THIRDWEB_CLIENT_ID VITE_ETHERSCAN_API_KEY VITE_SENTRY_DSN
|
|
VITE_API_URL VITE_API_BASE_URL NEXT_PUBLIC_API_URL NEXT_PUBLIC_CHAIN_ID
|
|
METAMASK_API_KEY THIRDWEB_SECRET_KEY NPM_ACCESS_TOKEN
|
|
PARASWAP_API_KEY ZEROX_API_KEY
|
|
MONGO_USER MONGO_PASSWORD MONGO_IP MONGO_PORT MONGO_DATABASE
|
|
CHAIN138_RPC_URL RPC_URL_138_FIREBLOCKS WS_URL_138_FIREBLOCKS CHAIN_ID_138
|
|
PORT MARKET_REPORTING_API_KEY E_FILING_ENABLED NODE_ENV
|
|
)
|
|
|
|
# Sources: path -> prefix for comments
|
|
declare -A SOURCES
|
|
SOURCES["$PROJECT_ROOT/.env"]="root"
|
|
SOURCES["$PROJECT_ROOT/.env.master"]="root"
|
|
if [ -d "$PROJECT_ROOT/smom-dbis-138" ]; then
|
|
SOURCES["$PROJECT_ROOT/smom-dbis-138/.env"]="smom"
|
|
fi
|
|
if [ -d "$PROJECT_ROOT/dbis_core" ]; then
|
|
SOURCES["$PROJECT_ROOT/dbis_core/.env"]="dbis"
|
|
fi
|
|
if [ -d "$PROJECT_ROOT/OMNIS" ] && [ -f "$PROJECT_ROOT/OMNIS/backend/.env" ]; then
|
|
SOURCES["$PROJECT_ROOT/OMNIS/backend/.env"]="omnis"
|
|
fi
|
|
if [ -d "$PROJECT_ROOT/omada-api" ]; then
|
|
SOURCES["$PROJECT_ROOT/omada-api/.env"]="omada"
|
|
fi
|
|
if [ -d "$PROJECT_ROOT/phoenix-deploy-api" ]; then
|
|
SOURCES["$PROJECT_ROOT/phoenix-deploy-api/.env"]="phoenix"
|
|
fi
|
|
if [ -d "$PROJECT_ROOT/ProxmoxVE/api" ]; then
|
|
SOURCES["$PROJECT_ROOT/ProxmoxVE/api/.env"]="proxmoxve"
|
|
fi
|
|
|
|
# Export from a single file (no spaces around =, no export keyword in value)
|
|
export_from() {
|
|
local f="$1"
|
|
[ -f "$f" ] || return 0
|
|
while IFS= read -r line; do
|
|
[[ "$line" =~ ^[A-Za-z_][A-Za-z0-9_]*= ]] || continue
|
|
key="${line%%=*}"
|
|
value="${line#*=}"
|
|
printf '%s\n' "$key=$value"
|
|
done < "$f"
|
|
}
|
|
|
|
# Collect key=value from all sources (first occurrence wins)
|
|
declare -A collected
|
|
for path in "${!SOURCES[@]}"; do
|
|
while IFS= read -r line; do
|
|
key="${line%%=*}"
|
|
[ -z "$key" ] && continue
|
|
[ -n "${collected[$key]:-}" ] && continue
|
|
collected[$key]="${line#*=}"
|
|
done < <(export_from "$path")
|
|
done
|
|
|
|
# Build output: header + each KEY from KEYS (use value from collected if present)
|
|
{
|
|
echo "# =============================================================================
|
|
# CONSOLIDATED SECRETS — Filled from local .env files
|
|
# Generated: $(date -u +"%Y-%m-%dT%H:%M:%SZ")
|
|
# SECURITY: chmod 600 this file; never commit.
|
|
# ============================================================================="
|
|
for key in "${KEYS[@]}"; do
|
|
val="${collected[$key]:-}"
|
|
if [ -n "$val" ]; then
|
|
echo "${key}=${val}"
|
|
else
|
|
echo "${key}="
|
|
fi
|
|
done
|
|
} > "$OUTPUT"
|
|
|
|
chmod 600 "$OUTPUT"
|
|
echo "Written to $OUTPUT ($(wc -l < "$OUTPUT") lines). Keep secure; do not commit."
|