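#!/bin/bash
# One-time server setup: create data directories, install age, generate age keypair.
# Run as root on a fresh Hetzner server before running bootstrap_supervisor.sh.
#
# Usage:
#   bash infra/setup_server.sh
#
# Optional environment:
#   AGE_VERSION  age release to install when age-keygen is missing (default below).
#   AGE_SHA256   expected SHA-256 of the downloaded age tarball. When set, the
#                download is verified before anything is extracted; when unset
#                the script warns and installs an unverified binary as root.
#                Pin the digest published for the chosen release in practice.

set -euo pipefail

readonly REPO_DIR="/opt/materia"
# Private key used to decrypt the sops-managed secrets. It lives inside the
# checkout, so age-key.txt must stay out of version control.
readonly AGE_KEY_FILE="$REPO_DIR/age-key.txt"
readonly DATA_DIR="/data/materia"
readonly AGE_VERSION="${AGE_VERSION:-v1.3.1}"
readonly AGE_SHA256="${AGE_SHA256:-}"

#######################################
# Print a message to stderr and abort with status 1.
# Arguments: message words
#######################################
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

# Scratch directory for the download; removed on every exit path.
tmpdir=""
cleanup() {
  if [ -n "$tmpdir" ]; then
    rm -rf -- "$tmpdir"
  fi
}
trap cleanup EXIT

[ "$EUID" -eq 0 ] || die "ERROR: This script must be run as root"

# ── Create data directories ────────────────────────────────
echo "--- Creating data directories ---"
mkdir -p "$DATA_DIR/landing"
mkdir -p "$REPO_DIR"
echo "Data dir: $DATA_DIR"

# ── Install age ────────────────────────────────────────────
echo "--- Installing age ---"
ARCH=$(uname -m)
case "$ARCH" in
  x86_64)  ARCH_AGE="amd64" ;;
  aarch64) ARCH_AGE="arm64" ;;
  *)       die "Unsupported architecture: $ARCH" ;;
esac

if ! command -v age-keygen >/dev/null 2>&1; then
  tmpdir=$(mktemp -d) || die "mktemp failed"
  tarball="$tmpdir/age.tar.gz"
  # --proto '=https' refuses any redirect that would downgrade to plain HTTP.
  curl --proto '=https' --tlsv1.2 -fsSL --retry 3 \
    "https://dl.filippo.io/age/${AGE_VERSION}?for=linux/${ARCH_AGE}" \
    -o "$tarball" \
    || die "Failed to download age ${AGE_VERSION} for linux/${ARCH_AGE}"
  if [ -n "$AGE_SHA256" ]; then
    # sha256sum -c expects "<digest>  <path>" (two spaces) on stdin.
    printf '%s  %s\n' "$AGE_SHA256" "$tarball" | sha256sum -c --quiet - \
      || die "age tarball checksum mismatch — refusing to install"
  else
    printf 'WARNING: AGE_SHA256 not set; installing unverified age binary\n' >&2
  fi
  # Unpack into the scratch dir, then install only the two expected files with a
  # fixed owner/mode rather than extracting the archive straight into /usr/local/bin.
  tar -xzf "$tarball" -C "$tmpdir" --strip-components=1 age/age age/age-keygen
  install -o root -g root -m 0755 "$tmpdir/age" "$tmpdir/age-keygen" /usr/local/bin/
  echo "age installed to /usr/local/bin"
fi

# ── Generate age keypair ───────────────────────────────────
echo "--- Setting up age keypair ---"
if [ -f "$AGE_KEY_FILE" ]; then
  echo "Keypair already exists at $AGE_KEY_FILE — skipping generation"
else
  # umask 077 makes the key file private from the moment it is created, so there
  # is no window before the chmod below. age-keygen writes the public key to
  # stderr; capture it so a genuine failure is reported instead of silently lost.
  keygen_err=$( (umask 077 && age-keygen -o "$AGE_KEY_FILE") 2>&1 ) \
    || die "age-keygen failed: $keygen_err"
  chmod 600 "$AGE_KEY_FILE"
  echo "Generated: $AGE_KEY_FILE"
fi

# The key file carries a "# public key: age1..." comment line; take its last field.
AGE_PUB=$(grep "public key:" "$AGE_KEY_FILE" | awk '{print $NF}') \
  || die "Could not read public key from $AGE_KEY_FILE"
[ -n "$AGE_PUB" ] || die "Could not read public key from $AGE_KEY_FILE"

cat <<EOF

==================================================================
  Server age public key:

    $AGE_PUB

  Add this key to .sops.yaml on your workstation:

    creation_rules:
      - path_regex: \.env\.(dev|prod)\.sops\$
        age: >-
          <existing keys>,
          + $AGE_PUB

  Then re-encrypt the prod secrets file:
    sops updatekeys .env.prod.sops
    git add .sops.yaml .env.prod.sops && git commit -m 'chore: add server age key'
    git push

  Then run infra/bootstrap_supervisor.sh to complete setup.
==================================================================
EOF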