feat(deploy): Faza A Infisical runtime migration

Stripped 35-var environment block from docker-compose.yml to 5 bootstrap vars (INFISICAL_CLIENT_ID/SECRET, NODE_ENV, PORT, HOSTNAME). All app secrets now fetched from Infisical /architools at container boot via docker-entrypoint.sh (modeled on gis-api's pattern, INFISICAL_APP_PATH =/architools). - docker-entrypoint.sh: universal-auth login, fetch /architools + / root, expand ${/VAR} refs, export, exec CMD. Fails loud on Infisical unreachable (exit 2/3). - Dockerfile runner: added curl+jq, COPY entrypoint + chmod +x, ENTRYPOINT ["/app/docker-entrypoint.sh"] - compose: build args (NEXT_PUBLIC_*) preserved — build-time inlining into JS bundle. martin/tile-cache/tippecanoe service env blocks untouched (legacy, removed in Faza E). Rotation workflow now: Infisical UI -> ssh satra "cd /opt/architools && docker compose up -d --force-recreate architools". Never docker compose restart (does not refetch). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-18 00:41:22 +03:00
parent 6b3d56e1e8
commit 54b78c2dcf
3 changed files with 79 additions and 63 deletions
@@ -0,0 +1,68 @@
+#!/bin/sh
+set -e
+
+# Infisical runtime bootstrap. Required:
+#   INFISICAL_CLIENT_ID      - universal-auth clientId for `architools-prod`
+#   INFISICAL_CLIENT_SECRET  - universal-auth clientSecret (bootstrap only)
+# Optional:
+#   INFISICAL_URL            default https://infisical.beletage.ro
+#   INFISICAL_WORKSPACE_ID   default 078c998d-43a9-420c-aec4-712011108410
+#   INFISICAL_ENV            default prod
+#   INFISICAL_APP_PATH       default /architools
+
+if [ -n "$INFISICAL_CLIENT_ID" ] && [ -n "$INFISICAL_CLIENT_SECRET" ]; then
+  INFISICAL_URL="${INFISICAL_URL:-https://infisical.beletage.ro}"
+  INFISICAL_WORKSPACE_ID="${INFISICAL_WORKSPACE_ID:-078c998d-43a9-420c-aec4-712011108410}"
+  INFISICAL_ENV="${INFISICAL_ENV:-prod}"
+  INFISICAL_APP_PATH="${INFISICAL_APP_PATH:-/architools}"
+
+  echo "[infisical] authenticating as architools-prod..."
+  AUTH_RESP=$(curl -sk --fail -m 10 -X POST "$INFISICAL_URL/api/v1/auth/universal-auth/login" \
+    -H "Content-Type: application/json" \
+    -d "{\"clientId\":\"$INFISICAL_CLIENT_ID\",\"clientSecret\":\"$INFISICAL_CLIENT_SECRET\"}") || {
+    echo "[infisical] FATAL: universal-auth login failed"; exit 2;
+  }
+  INFISICAL_TOKEN=$(printf '%s' "$AUTH_RESP" | jq -r '.accessToken')
+  unset AUTH_RESP
+  [ -n "$INFISICAL_TOKEN" ] && [ "$INFISICAL_TOKEN" != "null" ] || {
+    echo "[infisical] FATAL: no accessToken in login response"; exit 2;
+  }
+
+  fetch_path() {
+    curl -sk --fail -m 10 \
+      "$INFISICAL_URL/api/v3/secrets/raw?workspaceId=$INFISICAL_WORKSPACE_ID&environment=$INFISICAL_ENV&secretPath=$1" \
+      -H "Authorization: Bearer $INFISICAL_TOKEN"
+  }
+
+  APP_SECRETS=$(fetch_path "$INFISICAL_APP_PATH") || {
+    echo "[infisical] FATAL: fetch $INFISICAL_APP_PATH failed"; exit 3;
+  }
+  ROOT_SECRETS=$(fetch_path "/") || {
+    echo "[infisical] FATAL: fetch / failed"; exit 3;
+  }
+
+  APP_COUNT=$(printf '%s' "$APP_SECRETS" | jq '.secrets | length')
+  ROOT_COUNT=$(printf '%s' "$ROOT_SECRETS" | jq '.secrets | length')
+  echo "[infisical] fetched $APP_COUNT app secrets, $ROOT_COUNT root secrets"
+
+  TMP=$(mktemp); trap "rm -f $TMP" EXIT
+  printf '%s' "$APP_SECRETS" | jq -r --argjson rootMap "$(printf '%s' "$ROOT_SECRETS" | jq '.secrets | map({(.secretKey): .secretValue}) | add')" '
+    .secrets[] as $s |
+    ($s.secretValue
+      | gsub("\\$\\{/(?<n>[A-Z0-9_]+)\\}"; ($rootMap[.n] // ("${/" + .n + "}")))
+      | gsub("\\$\\{(?<n>[A-Z0-9_]+)\\}";  ($rootMap[.n] // ("${" + .n + "}")))
+    ) as $resolved |
+    "export " + $s.secretKey + "=" + ($resolved | @sh)
+  ' > "$TMP"
+
+  unset APP_SECRETS ROOT_SECRETS INFISICAL_TOKEN
+  # shellcheck disable=SC1090
+  . "$TMP"
+  rm -f "$TMP"; trap - EXIT
+  echo "[infisical] exported env - DATABASE_URL=${DATABASE_URL:+set} AUTHENTIK_CLIENT_ID=${AUTHENTIK_CLIENT_ID:+set} MINIO_ACCESS_KEY=${MINIO_ACCESS_KEY:+set} GIS_API_URL=${GIS_API_URL:+set}"
+else
+  echo "[infisical] INFISICAL_CLIENT_ID unset - skipping bootstrap (dev mode)"
+fi
+
+echo "[entrypoint] Starting app: $*"
+exec "$@"