fix(omnl-portal): auth-source mapping for omdnl LXCs and LXC env fragments
Some checks failed
CI/CD Pipeline / Solidity Contracts (push) Failing after 1m35s
CI/CD Pipeline / Security Scanning (push) Successful in 2m27s
CI/CD Pipeline / Lint and Format (push) Failing after 55s
CI/CD Pipeline / Terraform Validation (push) Failing after 28s
CI/CD Pipeline / Kubernetes Validation (push) Successful in 27s
Deploy ChainID 138 / Deploy ChainID 138 (push) Failing after 46s
Validation / validate-genesis (push) Successful in 35s
Validation / validate-terraform (push) Failing after 27s
Validation / validate-kubernetes (push) Failing after 13s
Validation / validate-smart-contracts (push) Failing after 13s
Validation / validate-security (push) Failing after 1m24s
Validation / validate-documentation (push) Failing after 20s
Verify Deployment / Verify Deployment (push) Failing after 1m9s

Allow nginx auth snippets to use super-admin keys from paired d-bis.org VMIDs
(5820→5826 exchange, etc.), generate snippets for all 5820–5828 on deploy, and
add build-portal-lxc-env-fragment.sh for sync-time .env push with internal secret.

Co-authored-by: Cursor <cursoragent@cursor.com>
This commit is contained in:
defiQUG
2026-07-01 02:16:25 -07:00
parent a748a504f5
commit d80ebe146a
3 changed files with 64 additions and 6 deletions

View File

@@ -0,0 +1,44 @@
#!/usr/bin/env bash
# Build portal .env fragment for LXC sync (stdout). Never commit output.
# Usage: build-portal-lxc-env-fragment.sh CTID [AUTH_SOURCE_CTID]
set -euo pipefail
CTID="${1:?CTID required}"
AUTH_SOURCE_CTID="${2:-$CTID}"
REPO_DIR="${OMNL_BANK_ROOT:-$HOME/smom-dbis-138}"
ENV_FILE="${OMNL_BANK_ENV:-$REPO_DIR/.env}"
CONFIG="$REPO_DIR/config/omnl-super-admins.v1.json"
[[ -f "$ENV_FILE" ]] || { echo "Missing $ENV_FILE" >&2; exit 1; }
set -a
set +u
# shellcheck disable=SC1090
source "$ENV_FILE"
set -u
set +a
grep -E '^(OMNL_FINERACT_|OMNL_PUBLIC_MONEY_SUPPLY=|OMNL_REQUIRE_API_KEY=|OMNL_CUSTOMER_SECURITY_PRODUCTION=|OMNL_CUSTOMER_API_KEYS=|OFFICE24_OPENING_M1_USD=|OMNL_PORTAL_INTERNAL_SECRET=|JWT_SECRET=|DATABASE_URL=|RPC_URL_138=|CHAIN_138_RPC_URL=|SETTLEMENT_ALLOW_CHAIN_MINT_EXECUTE=|SETTLEMENT_ALLOW_HYBX_PRODUCTION=|OMNL_ALLOW_CHAIN_MINT_EXECUTE=|OMNL_MINT_OPERATOR_PRIVATE_KEY=|TOKEN_AGGREGATION_URL=|SWIFT_LISTENER_URL=|HYBX_MIFOS_FINERACT_SIDECAR_URL=|INFURA_PROJECT_ID=|INFURA_PROJECT_SECRET=)' "$ENV_FILE" || true
for key in OMNL_SUPER_ADMIN_OFFICE24_KEY OMNL_SUPER_ADMIN_EXCHANGE_KEY OMNL_SUPER_ADMIN_SECURE_KEY OMNL_SUPER_ADMIN_FOREX_KEY; do
val="${!key:-}"
[[ -n "$val" ]] && echo "${key}=${val}"
done
ADMIN_ENV_KEY="$(node -e "
const fs = require('fs');
const cfg = JSON.parse(fs.readFileSync('$CONFIG', 'utf8'));
const ct = Number('$AUTH_SOURCE_CTID');
const admin = cfg.superAdmins.find(a => a.portalCtid === ct);
if (!admin) process.exit(0);
console.log(admin.envKey);
")"
if [[ -n "$ADMIN_ENV_KEY" ]]; then
API_VAL="${!ADMIN_ENV_KEY:-}"
if [[ -n "$API_VAL" ]]; then
echo "OMNL_API_KEY=${API_VAL}"
fi
elif [[ -n "${OMNL_API_KEY:-}" ]]; then
echo "OMNL_API_KEY=${OMNL_API_KEY}"
fi

View File

@@ -56,10 +56,18 @@ if [[ -f "$ENV_FILE" ]] && ! grep -q '^OMNL_SUPER_ADMIN_OFFICE24_KEY=' "$ENV_FIL
fi
if [[ -f "$ENV_FILE" ]]; then
for CTID in 5825 5826 5827 5828; do
bash "$REPO_DIR/scripts/deployment/generate-portal-nginx-auth-snippet.sh" "$CTID" "$REPO_DIR/deploy/nginx/omnl-portal-auth-${CTID}.conf.inc" || true
# omdnl.org LXCs (58205824) reuse super-admin keys from d-bis.org twins (58265828 / 5825).
declare -A PORTAL_AUTH_SOURCE=(
[5820]=5826 [5821]=5827 [5822]=5827 [5823]=5828 [5824]=5825
[5825]=5825 [5826]=5826 [5827]=5827 [5828]=5828
)
for CTID in 5820 5821 5822 5823 5824 5825 5826 5827 5828; do
AUTH_SRC="${PORTAL_AUTH_SOURCE[$CTID]}"
bash "$REPO_DIR/scripts/deployment/generate-portal-nginx-auth-snippet.sh" \
"$CTID" "$REPO_DIR/deploy/nginx/omnl-portal-auth-${CTID}.conf.inc" "$AUTH_SRC" || true
done
bash "$REPO_DIR/scripts/deployment/generate-portal-nginx-auth-snippet.sh" 5827 "$REPO_DIR/deploy/nginx/omnl-portal-auth-current.conf.inc" || true
bash "$REPO_DIR/scripts/deployment/generate-portal-nginx-auth-snippet.sh" \
5827 "$REPO_DIR/deploy/nginx/omnl-portal-auth-current.conf.inc" 5827 || true
if [[ -f "$REPO_DIR/deploy/nginx/omnl-portal-auth-current.conf.inc" ]]; then
sudo cp "$REPO_DIR/deploy/nginx/omnl-portal-auth-current.conf.inc" /etc/nginx/omnl-portal-auth-current.conf.inc 2>/dev/null || \
cp "$REPO_DIR/deploy/nginx/omnl-portal-auth-current.conf.inc" "$REPO_DIR/deploy/nginx/omnl-portal-auth-current.conf.inc" 2>/dev/null || true

View File

@@ -6,6 +6,7 @@ REPO_DIR="${OMNL_BANK_ROOT:-$HOME/smom-dbis-138}"
ENV_FILE="${OMNL_BANK_ENV:-$REPO_DIR/.env}"
CTID="${1:-5827}"
OUT="${2:-$REPO_DIR/deploy/nginx/omnl-portal-auth-${CTID}.conf.inc}"
AUTH_SOURCE_CTID="${3:-$CTID}"
CONFIG="$REPO_DIR/config/omnl-super-admins.v1.json"
@@ -24,7 +25,7 @@ set +a
ENV_KEY="$(node -e "
const fs = require('fs');
const cfg = JSON.parse(fs.readFileSync('$CONFIG', 'utf8'));
const ct = Number('$CTID');
const ct = Number('$AUTH_SOURCE_CTID');
const admin = cfg.superAdmins.find(a => a.portalCtid === ct);
if (!admin) process.exit(2);
console.log(admin.envKey);
@@ -34,13 +35,18 @@ API_KEY="${!ENV_KEY:-${OMNL_API_KEY:-}}"
INTERNAL="${OMNL_PORTAL_INTERNAL_SECRET:-}"
if [[ -z "$API_KEY" ]]; then
echo "No API key for CT $CTID ($ENV_KEY unset)" >&2
echo "No API key for CT $CTID (auth source $AUTH_SOURCE_CTID, $ENV_KEY unset)" >&2
exit 1
fi
AUTH_NOTE="CT $CTID portal upstream auth"
if [[ "$AUTH_SOURCE_CTID" != "$CTID" ]]; then
AUTH_NOTE="CT $CTID portal upstream auth (key from CT $AUTH_SOURCE_CTID)"
fi
mkdir -p "$(dirname "$OUT")"
cat >"$OUT" <<EOF
# Auto-generated — do not commit. CT $CTID portal upstream auth.
# Auto-generated — do not commit. ${AUTH_NOTE}.
proxy_set_header Authorization "Bearer ${API_KEY}";
proxy_set_header X-OMNL-Portal-Auth "${INTERNAL}";
EOF