feat: self-provisioning deploy.sh — auto-installs sops+age, generates key

On first deploy to a new server, deploy.sh: 1. Installs age and sops binaries if missing 2. Generates an age keypair if missing 3. Prints the public key and exits with instructions All checks are idempotent — subsequent deploys skip to decryption. Removed duplicate sops/age setup from setup_server.sh (deploy.sh handles it). Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-23 18:13:06 +01:00
parent dcc1c15d05
commit e4bd9378f5
2 changed files with 50 additions and 48 deletions
--- a/deploy.sh
+++ b/deploy.sh
@@ -1,8 +1,53 @@
 #!/usr/bin/env bash
 set -euo pipefail

+# ── Ensure sops + age are installed ───────────────────────
+ARCH=$(uname -m)
+case "$ARCH" in
+    x86_64)  ARCH_SOPS="amd64"; ARCH_AGE="amd64" ;;
+    aarch64) ARCH_SOPS="arm64"; ARCH_AGE="arm64" ;;
+    *) echo "Unsupported architecture: $ARCH"; exit 1 ;;
+esac
+
+if ! command -v age &>/dev/null; then
+    echo "==> Installing age..."
+    AGE_VERSION="v1.3.1"
+    curl -fsSL "https://dl.filippo.io/age/${AGE_VERSION}?for=linux/${ARCH_AGE}" -o /tmp/age.tar.gz
+    tar -xzf /tmp/age.tar.gz -C /usr/local/bin --strip-components=1 age/age age/age-keygen
+    chmod +x /usr/local/bin/age /usr/local/bin/age-keygen
+    rm /tmp/age.tar.gz
+fi
+
+if ! command -v sops &>/dev/null; then
+    echo "==> Installing sops..."
+    SOPS_VERSION="v3.12.1"
+    curl -fsSL "https://github.com/getsops/sops/releases/download/${SOPS_VERSION}/sops-${SOPS_VERSION}.linux.${ARCH_SOPS}" -o /usr/local/bin/sops
+    chmod +x /usr/local/bin/sops
+fi
+
+# ── Ensure age keypair exists ─────────────────────────────
+AGE_KEY_FILE="${SOPS_AGE_KEY_FILE:-/opt/padelnomics/age-key.txt}"
+export SOPS_AGE_KEY_FILE="$AGE_KEY_FILE"
+
+if [ ! -f "$AGE_KEY_FILE" ]; then
+    echo "==> Generating age keypair..."
+    age-keygen -o "$AGE_KEY_FILE" 2>&1
+    chmod 600 "$AGE_KEY_FILE"
+    AGE_PUB=$(grep "public key:" "$AGE_KEY_FILE" | awk '{print $NF}')
+    echo ""
+    echo "!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"
+    echo "!! NEW SERVER — add this public key to .sops.yaml:    !!"
+    echo "!!                                                     !!"
+    echo "!! $AGE_PUB !!"
+    echo "!!                                                     !!"
+    echo "!! Then run: sops updatekeys .env.prod.sops            !!"
+    echo "!! Commit, push, and re-deploy.                        !!"
+    echo "!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"
+    echo ""
+    exit 1
+fi
+
 # ── Decrypt secrets ───────────────────────────────────────
-export SOPS_AGE_KEY_FILE="${SOPS_AGE_KEY_FILE:-/opt/padelnomics/age-key.txt}"
 sops --input-type dotenv --output-type dotenv -d .env.prod.sops > .env
 chmod 600 .env