deemanone/beanflows
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
95f881827e7cc18b4e44dbdc5c4093fa41c2dd21
beanflows/infra/setup_server.sh
Deeman 95f881827e feat(infra): replace Pulumi ESC with SOPS in bootstrap + setup scripts 
- bootstrap_supervisor.sh: remove esc CLI + PULUMI_ACCESS_TOKEN; install
  sops+age; check age keypair exists; decrypt .env.prod.sops → .env;
  checkout latest release tag; use uv sync --all-packages
- setup_server.sh: add age keypair generation at /opt/materia/age-key.txt;
  install age binary; print public key with .sops.yaml instructions

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-26 12:03:11 +01:00

75 lines
2.5 KiB
Bash
Raw Blame History

#!/bin/bash
# One-time server setup: create data directories, generate age keypair.
# Run as root on a fresh Hetzner server before running bootstrap_supervisor.sh.
#
# Usage:
# bash infra/setup_server.sh
set -euo pipefail
REPO_DIR="/opt/materia"
AGE_KEY_FILE="$REPO_DIR/age-key.txt"
if [ "$EUID" -ne 0 ]; then
echo "ERROR: This script must be run as root"
exit 1
fi
# ── Create data directories ────────────────────────────────
echo "--- Creating data directories ---"
mkdir -p /data/materia/landing
mkdir -p "$REPO_DIR"
echo "Data dir: /data/materia"
# ── Install age ────────────────────────────────────────────
echo "--- Installing age ---"
ARCH=$(uname -m)
case "$ARCH" in
x86_64) ARCH_AGE="amd64" ;;
aarch64) ARCH_AGE="arm64" ;;
*) echo "Unsupported architecture: $ARCH"; exit 1 ;;
esac
if ! command -v age-keygen &>/dev/null; then
AGE_VERSION="v1.3.1"
curl -fsSL "https://dl.filippo.io/age/${AGE_VERSION}?for=linux/${ARCH_AGE}" -o /tmp/age.tar.gz
tar -xzf /tmp/age.tar.gz -C /usr/local/bin --strip-components=1 age/age age/age-keygen
chmod +x /usr/local/bin/age /usr/local/bin/age-keygen
rm /tmp/age.tar.gz
echo "age installed to /usr/local/bin"
fi
# ── Generate age keypair ───────────────────────────────────
echo "--- Setting up age keypair ---"
if [ -f "$AGE_KEY_FILE" ]; then
echo "Keypair already exists at $AGE_KEY_FILE — skipping generation"
else
age-keygen -o "$AGE_KEY_FILE" 2>/dev/null
chmod 600 "$AGE_KEY_FILE"
echo "Generated: $AGE_KEY_FILE"
fi
AGE_PUB=$(grep "public key:" "$AGE_KEY_FILE" | awk '{print $NF}')
echo ""
echo "=================================================================="
echo " Server age public key:"
echo ""
echo " $AGE_PUB"
echo ""
echo " Add this key to .sops.yaml on your workstation:"
echo ""
echo " creation_rules:"
echo " - path_regex: \\.env\\.(dev|prod)\\.sops\$"
echo " age: >-"
echo " <dev-key>"
echo " + $AGE_PUB"
echo ""
echo " Then re-encrypt the prod secrets file:"
echo " sops updatekeys .env.prod.sops"
echo " git add .sops.yaml .env.prod.sops && git commit -m 'chore: add server age key'"
echo " git push"
echo ""
echo " Then run infra/bootstrap_supervisor.sh to complete setup."
echo "=================================================================="
Reference in New Issue View Git Blame Copy Permalink