amr/infrastructure
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

tangle-deploy: substitute CROWDSEC_LAPI_KEY from .env + verify after deploy

Browse Source
This commit is contained in:
root
2026-06-06 12:27:11 -04:00
parent 6ecfa3e0e9
commit 7556ed75f5
1 changed files with 24 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

30
tangle-deploy.sh
View File

@@ -1,6 +1,5 @@
#!/usr/bin/env bash #!/usr/bin/env bash
# tangle-deploy — Tangle infrastructure.org and restart affected services GITEA_URL='ssh://git@git.gharbeia.net:2222/amr/infrastructure.git'
GITEA_URL='http://amr:tangle-deploy-2026@10.10.10.201:3001/amr/infrastructure.git'
REPO_DIR="${1:-/docker/compose/infrastructure}" REPO_DIR="${1:-/docker/compose/infrastructure}"
ORG_FILE="${REPO_DIR}/infrastructure.org" ORG_FILE="${REPO_DIR}/infrastructure.org"
if [ -z "${1:-}" ]; then if [ -z "${1:-}" ]; then
@@ -18,14 +17,33 @@ echo "=== Tangling $ORG_FILE ==="
emacs --batch -Q --load /usr/share/emacs/28.2/lisp/org/org-loaddefs.el \ emacs --batch -Q --load /usr/share/emacs/28.2/lisp/org/org-loaddefs.el \
--eval "(require 'org)" \ --eval "(require 'org)" \
--eval "(org-babel-tangle-file \"$ORG_FILE\")" 2>&1 --eval "(org-babel-tangle-file \"$ORG_FILE\")" 2>&1
# Substitute env vars in tangled files
# Read key from .env directly (avoid sourcing due to quoting issues in other vars)
CROWDSEC_LAPI_KEY=$(grep ^CROWDSEC_LAPI_KEY /docker/compose/.env | cut -d= -f2-)
if [ -z "$CROWDSEC_LAPI_KEY" ] || [ "$CROWDSEC_LAPI_KEY" = "__CROWDSEC_LAPI_KEY__" ]; then
echo "ERROR: CROWDSEC_LAPI_KEY not set or still a placeholder in .env!"
exit 1
fi
sed -i "s|__CROWDSEC_LAPI_KEY__|${CROWDSEC_LAPI_KEY}|g" /docker/appdata/traefik/dynamic.yaml
echo "=== Restarting services ===" echo "=== Restarting services ==="
cd /docker/compose cd /docker/compose
if [ -f /docker/compose/traefik-static.yaml ] || \ if [ -f /docker/appdata/traefik/traefik.yaml ] || \
[ -f /docker/compose/traefik-internal.yaml ] || \ [ -f /docker/appdata/traefik/internal.yaml ] || \
[ -f /docker/compose/traefik-internal-noauth.yaml ] || \ [ -f /docker/appdata/traefik/internal-noauth.yaml ] || \
[ -f /docker/compose/traefik-dynamic.yaml ]; then [ -f /docker/appdata/traefik/dynamic.yaml ]; then
echo 'Traefik config changed -- restarting...' echo 'Traefik config changed -- restarting...'
docker compose up -d traefik docker compose up -d traefik
# Verify CrowdSec bouncer is working after restart
sleep 2
STATUS=$(docker exec traefik wget -q -O /dev/null -S http://traefik:8081/application/o/authorize/ --header="Host: auth.gharbeia.net" 2>&1 | head -1 | awk '{print $2}')
if [ "$STATUS" = "403" ]; then
echo "WARNING: auth.gharbeia.net still returns 403 after deploy!"
echo " CrowdSec bouncer may have a bad API key."
echo " Run: docker exec crowdsec cscli bouncers add traefik-bouncer"
echo " Then update CROWDSEC_LAPI_KEY in /docker/compose/.env and re-deploy."
else
echo "OK: auth.gharbeia.net returns $STATUS (expected: 400)"
fi
fi fi
if [ -f /docker/compose/docker-compose.yaml ]; then if [ -f /docker/compose/docker-compose.yaml ]; then
echo 'Docker compose changed -- restarting all services' echo 'Docker compose changed -- restarting all services'