gitadmin/ArchiTools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
main
ArchiTools/docker-entrypoint.sh
T
Claude VM 54b78c2dcf feat(deploy): Faza A Infisical runtime migration 
Stripped 35-var environment block from docker-compose.yml to 5 bootstrap
vars (INFISICAL_CLIENT_ID/SECRET, NODE_ENV, PORT, HOSTNAME). All app
secrets now fetched from Infisical /architools at container boot via
docker-entrypoint.sh (modeled on gis-api's pattern, INFISICAL_APP_PATH
=/architools).

- docker-entrypoint.sh: universal-auth login, fetch /architools + /
  root, expand ${/VAR} refs, export, exec CMD. Fails loud on Infisical
  unreachable (exit 2/3).
- Dockerfile runner: added curl+jq, COPY entrypoint + chmod +x,
  ENTRYPOINT ["/app/docker-entrypoint.sh"]
- compose: build args (NEXT_PUBLIC_*) preserved — build-time inlining
  into JS bundle. martin/tile-cache/tippecanoe service env blocks
  untouched (legacy, removed in Faza E).

Rotation workflow now: Infisical UI -> ssh satra "cd /opt/architools && docker compose up -d --force-recreate architools". Never docker compose restart (does not refetch).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-18 00:41:22 +03:00

69 lines
2.9 KiB
Bash
Executable File
Raw Permalink Blame History

#!/bin/sh
set -e
# Infisical runtime bootstrap. Required:
# INFISICAL_CLIENT_ID - universal-auth clientId for `architools-prod`
# INFISICAL_CLIENT_SECRET - universal-auth clientSecret (bootstrap only)
# Optional:
# INFISICAL_URL default https://infisical.beletage.ro
# INFISICAL_WORKSPACE_ID default 078c998d-43a9-420c-aec4-712011108410
# INFISICAL_ENV default prod
# INFISICAL_APP_PATH default /architools
if [ -n "$INFISICAL_CLIENT_ID" ] && [ -n "$INFISICAL_CLIENT_SECRET" ]; then
INFISICAL_URL="${INFISICAL_URL:-https://infisical.beletage.ro}"
INFISICAL_WORKSPACE_ID="${INFISICAL_WORKSPACE_ID:-078c998d-43a9-420c-aec4-712011108410}"
INFISICAL_ENV="${INFISICAL_ENV:-prod}"
INFISICAL_APP_PATH="${INFISICAL_APP_PATH:-/architools}"
echo "[infisical] authenticating as architools-prod..."
AUTH_RESP=$(curl -sk --fail -m 10 -X POST "$INFISICAL_URL/api/v1/auth/universal-auth/login" \
-H "Content-Type: application/json" \
-d "{\"clientId\":\"$INFISICAL_CLIENT_ID\",\"clientSecret\":\"$INFISICAL_CLIENT_SECRET\"}") || {
echo "[infisical] FATAL: universal-auth login failed"; exit 2;
}
INFISICAL_TOKEN=$(printf '%s' "$AUTH_RESP" | jq -r '.accessToken')
unset AUTH_RESP
[ -n "$INFISICAL_TOKEN" ] && [ "$INFISICAL_TOKEN" != "null" ] || {
echo "[infisical] FATAL: no accessToken in login response"; exit 2;
}
fetch_path() {
curl -sk --fail -m 10 \
"$INFISICAL_URL/api/v3/secrets/raw?workspaceId=$INFISICAL_WORKSPACE_ID&environment=$INFISICAL_ENV&secretPath=$1" \
-H "Authorization: Bearer $INFISICAL_TOKEN"
}
APP_SECRETS=$(fetch_path "$INFISICAL_APP_PATH") || {
echo "[infisical] FATAL: fetch $INFISICAL_APP_PATH failed"; exit 3;
}
ROOT_SECRETS=$(fetch_path "/") || {
echo "[infisical] FATAL: fetch / failed"; exit 3;
}
APP_COUNT=$(printf '%s' "$APP_SECRETS" | jq '.secrets | length')
ROOT_COUNT=$(printf '%s' "$ROOT_SECRETS" | jq '.secrets | length')
echo "[infisical] fetched $APP_COUNT app secrets, $ROOT_COUNT root secrets"
TMP=$(mktemp); trap "rm -f $TMP" EXIT
printf '%s' "$APP_SECRETS" | jq -r --argjson rootMap "$(printf '%s' "$ROOT_SECRETS" | jq '.secrets | map({(.secretKey): .secretValue}) | add')" '
.secrets[] as $s |
($s.secretValue
| gsub("\\$\\{/(?<n>[A-Z0-9_]+)\\}"; ($rootMap[.n] // ("${/" + .n + "}")))
| gsub("\\$\\{(?<n>[A-Z0-9_]+)\\}"; ($rootMap[.n] // ("${" + .n + "}")))
) as $resolved |
"export " + $s.secretKey + "=" + ($resolved | @sh)
' > "$TMP"
unset APP_SECRETS ROOT_SECRETS INFISICAL_TOKEN
# shellcheck disable=SC1090
. "$TMP"
rm -f "$TMP"; trap - EXIT
echo "[infisical] exported env - DATABASE_URL=${DATABASE_URL:+set} AUTHENTIK_CLIENT_ID=${AUTHENTIK_CLIENT_ID:+set} MINIO_ACCESS_KEY=${MINIO_ACCESS_KEY:+set} GIS_API_URL=${GIS_API_URL:+set}"
else
echo "[infisical] INFISICAL_CLIENT_ID unset - skipping bootstrap (dev mode)"
fi
echo "[entrypoint] Starting app: $*"
exec "$@"
Reference in New Issue View Git Blame Copy Permalink