letsbe
/
monacousa-portal
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Fix setup.sh: use awk instead of sed for robustness
Build and Push Docker Image / build (push) Successful in 1m53s Details 

- Use openssl rand -hex for secrets (no special chars)
- Use awk instead of sed for .env updates (handles any chars)
- Use awk for kong.yml generation (handles JWT tokens)
- Suppress source errors for malformed .env

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
This commit is contained in:
Matt 2026-01-26 11:25:47 +01:00
parent 4f4d0dd42e
commit 35f9beabc6
1 changed files with 47 additions and 23 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

70
deploy/setup.sh
View File

@ -17,10 +17,10 @@ GREEN='\033[0;32m'
YELLOW='\033[1;33m' YELLOW='\033[1;33m'
NC='\033[0m' # No Color NC='\033[0m' # No Color
# Function to generate random string # Function to generate random string (alphanumeric only to avoid sed issues)
generate_secret() { generate_secret() {
local length=${1:-32} local length=${1:-32}
openssl rand -base64 $length | tr -d '\n' openssl rand -hex $length | head -c $length
} }
# Function to generate JWT token # Function to generate JWT token
@ -30,19 +30,39 @@ generate_jwt() {
# JWT Header (base64url encoded) # JWT Header (base64url encoded)
local header='{"alg":"HS256","typ":"JWT"}' local header='{"alg":"HS256","typ":"JWT"}'
local header_b64=$(echo -n "$header" | base64 | tr '+/' '-_' | tr -d '=') local header_b64=$(echo -n "$header" | base64 | tr '+/' '-_' | tr -d '=' | tr -d '\n')
# JWT Payload - 100 years expiry # JWT Payload - 100 years expiry
local exp=$(($(date +%s) + 3153600000)) local exp=$(($(date +%s) + 3153600000))
local payload="{\"role\":\"$role\",\"iss\":\"supabase\",\"iat\":$(date +%s),\"exp\":$exp}" local payload="{\"role\":\"$role\",\"iss\":\"supabase\",\"iat\":$(date +%s),\"exp\":$exp}"
local payload_b64=$(echo -n "$payload" | base64 | tr '+/' '-_' | tr -d '=') local payload_b64=$(echo -n "$payload" | base64 | tr '+/' '-_' | tr -d '=' | tr -d '\n')
# Create signature # Create signature
local signature=$(echo -n "${header_b64}.${payload_b64}" | openssl dgst -sha256 -hmac "$secret" -binary | base64 | tr '+/' '-_' | tr -d '=') local signature=$(echo -n "${header_b64}.${payload_b64}" | openssl dgst -sha256 -hmac "$secret" -binary | base64 | tr '+/' '-_' | tr -d '=' | tr -d '\n')
echo "${header_b64}.${payload_b64}.${signature}" echo "${header_b64}.${payload_b64}.${signature}"
} }
# Function to update a variable in .env file using awk (more robust than sed)
update_env_var() {
local var_name=$1
local var_value=$2
local env_file=".env"
# Create temp file
local tmp_file=$(mktemp)
# Use awk to replace the line
awk -v name="$var_name" -v value="$var_value" '
BEGIN { FS="="; OFS="=" }
$1 == name { print name, value; next }
{ print }
' "$env_file" > "$tmp_file"
# Move temp file to .env
mv "$tmp_file" "$env_file"
}
# Check if .env exists # Check if .env exists
if [ ! -f .env ]; then if [ ! -f .env ]; then
if [ -f .env.example ]; then if [ -f .env.example ]; then
@ -56,10 +76,12 @@ if [ ! -f .env ]; then
fi fi
fi fi
# Load environment # Load environment (handle errors gracefully)
set +e
set -a set -a
source .env source .env 2>/dev/null
set +a set +a
set -e
echo "" echo ""
echo "Checking and generating secrets..." echo "Checking and generating secrets..."
@ -71,7 +93,7 @@ CHANGES_MADE=false
# Generate POSTGRES_PASSWORD if not set or is placeholder # Generate POSTGRES_PASSWORD if not set or is placeholder
if [ -z "$POSTGRES_PASSWORD" ] || [[ "$POSTGRES_PASSWORD" == *"CHANGE_ME"* ]] || [[ "$POSTGRES_PASSWORD" == *"change-this"* ]]; then if [ -z "$POSTGRES_PASSWORD" ] || [[ "$POSTGRES_PASSWORD" == *"CHANGE_ME"* ]] || [[ "$POSTGRES_PASSWORD" == *"change-this"* ]]; then
NEW_POSTGRES_PASSWORD=$(generate_secret 32) NEW_POSTGRES_PASSWORD=$(generate_secret 32)
sed -i.bak "s|^POSTGRES_PASSWORD=.*|POSTGRES_PASSWORD=$NEW_POSTGRES_PASSWORD|" .env update_env_var "POSTGRES_PASSWORD" "$NEW_POSTGRES_PASSWORD"
POSTGRES_PASSWORD=$NEW_POSTGRES_PASSWORD POSTGRES_PASSWORD=$NEW_POSTGRES_PASSWORD
echo -e "${GREEN}[Generated]${NC} POSTGRES_PASSWORD" echo -e "${GREEN}[Generated]${NC} POSTGRES_PASSWORD"
CHANGES_MADE=true CHANGES_MADE=true
@ -82,7 +104,7 @@ fi
# Generate JWT_SECRET if not set or is placeholder # Generate JWT_SECRET if not set or is placeholder
if [ -z "$JWT_SECRET" ] || [[ "$JWT_SECRET" == *"CHANGE_ME"* ]] || [[ "$JWT_SECRET" == *"generate"* ]]; then if [ -z "$JWT_SECRET" ] || [[ "$JWT_SECRET" == *"CHANGE_ME"* ]] || [[ "$JWT_SECRET" == *"generate"* ]]; then
NEW_JWT_SECRET=$(generate_secret 32) NEW_JWT_SECRET=$(generate_secret 32)
sed -i.bak "s|^JWT_SECRET=.*|JWT_SECRET=$NEW_JWT_SECRET|" .env update_env_var "JWT_SECRET" "$NEW_JWT_SECRET"
JWT_SECRET=$NEW_JWT_SECRET JWT_SECRET=$NEW_JWT_SECRET
echo -e "${GREEN}[Generated]${NC} JWT_SECRET" echo -e "${GREEN}[Generated]${NC} JWT_SECRET"
CHANGES_MADE=true CHANGES_MADE=true
@ -93,7 +115,7 @@ fi
# Generate SECRET_KEY_BASE if not set or is placeholder # Generate SECRET_KEY_BASE if not set or is placeholder
if [ -z "$SECRET_KEY_BASE" ] || [[ "$SECRET_KEY_BASE" == *"CHANGE_ME"* ]] || [[ "$SECRET_KEY_BASE" == *"generate"* ]]; then if [ -z "$SECRET_KEY_BASE" ] || [[ "$SECRET_KEY_BASE" == *"CHANGE_ME"* ]] || [[ "$SECRET_KEY_BASE" == *"generate"* ]]; then
NEW_SECRET_KEY_BASE=$(generate_secret 64) NEW_SECRET_KEY_BASE=$(generate_secret 64)
sed -i.bak "s|^SECRET_KEY_BASE=.*|SECRET_KEY_BASE=$NEW_SECRET_KEY_BASE|" .env update_env_var "SECRET_KEY_BASE" "$NEW_SECRET_KEY_BASE"
SECRET_KEY_BASE=$NEW_SECRET_KEY_BASE SECRET_KEY_BASE=$NEW_SECRET_KEY_BASE
echo -e "${GREEN}[Generated]${NC} SECRET_KEY_BASE" echo -e "${GREEN}[Generated]${NC} SECRET_KEY_BASE"
CHANGES_MADE=true CHANGES_MADE=true
@ -104,7 +126,7 @@ fi
# Generate ANON_KEY if not set or is placeholder # Generate ANON_KEY if not set or is placeholder
if [ -z "$ANON_KEY" ] || [[ "$ANON_KEY" == *"CHANGE_ME"* ]] || [[ "$ANON_KEY" == *"your-"* ]]; then if [ -z "$ANON_KEY" ] || [[ "$ANON_KEY" == *"CHANGE_ME"* ]] || [[ "$ANON_KEY" == *"your-"* ]]; then
NEW_ANON_KEY=$(generate_jwt "anon" "$JWT_SECRET") NEW_ANON_KEY=$(generate_jwt "anon" "$JWT_SECRET")
sed -i.bak "s|^ANON_KEY=.*|ANON_KEY=$NEW_ANON_KEY|" .env update_env_var "ANON_KEY" "$NEW_ANON_KEY"
ANON_KEY=$NEW_ANON_KEY ANON_KEY=$NEW_ANON_KEY
echo -e "${GREEN}[Generated]${NC} ANON_KEY (JWT with role=anon)" echo -e "${GREEN}[Generated]${NC} ANON_KEY (JWT with role=anon)"
CHANGES_MADE=true CHANGES_MADE=true
@ -115,7 +137,7 @@ fi
# Generate SERVICE_ROLE_KEY if not set or is placeholder # Generate SERVICE_ROLE_KEY if not set or is placeholder
if [ -z "$SERVICE_ROLE_KEY" ] || [[ "$SERVICE_ROLE_KEY" == *"CHANGE_ME"* ]] || [[ "$SERVICE_ROLE_KEY" == *"your-"* ]]; then if [ -z "$SERVICE_ROLE_KEY" ] || [[ "$SERVICE_ROLE_KEY" == *"CHANGE_ME"* ]] || [[ "$SERVICE_ROLE_KEY" == *"your-"* ]]; then
NEW_SERVICE_ROLE_KEY=$(generate_jwt "service_role" "$JWT_SECRET") NEW_SERVICE_ROLE_KEY=$(generate_jwt "service_role" "$JWT_SECRET")
sed -i.bak "s|^SERVICE_ROLE_KEY=.*|SERVICE_ROLE_KEY=$NEW_SERVICE_ROLE_KEY|" .env update_env_var "SERVICE_ROLE_KEY" "$NEW_SERVICE_ROLE_KEY"
SERVICE_ROLE_KEY=$NEW_SERVICE_ROLE_KEY SERVICE_ROLE_KEY=$NEW_SERVICE_ROLE_KEY
echo -e "${GREEN}[Generated]${NC} SERVICE_ROLE_KEY (JWT with role=service_role)" echo -e "${GREEN}[Generated]${NC} SERVICE_ROLE_KEY (JWT with role=service_role)"
CHANGES_MADE=true CHANGES_MADE=true
@ -125,21 +147,20 @@ fi
# Also update PUBLIC_SUPABASE_ANON_KEY and SUPABASE_SERVICE_ROLE_KEY if they exist # Also update PUBLIC_SUPABASE_ANON_KEY and SUPABASE_SERVICE_ROLE_KEY if they exist
if grep -q "^PUBLIC_SUPABASE_ANON_KEY=" .env; then if grep -q "^PUBLIC_SUPABASE_ANON_KEY=" .env; then
sed -i.bak "s|^PUBLIC_SUPABASE_ANON_KEY=.*|PUBLIC_SUPABASE_ANON_KEY=$ANON_KEY|" .env update_env_var "PUBLIC_SUPABASE_ANON_KEY" "\${ANON_KEY}"
fi fi
if grep -q "^SUPABASE_SERVICE_ROLE_KEY=" .env; then if grep -q "^SUPABASE_SERVICE_ROLE_KEY=" .env; then
sed -i.bak "s|^SUPABASE_SERVICE_ROLE_KEY=.*|SUPABASE_SERVICE_ROLE_KEY=$SERVICE_ROLE_KEY|" .env update_env_var "SUPABASE_SERVICE_ROLE_KEY" "\${SERVICE_ROLE_KEY}"
fi fi
# Clean up backup files
rm -f .env.bak
echo "" echo ""
# Reload environment after changes # Reload environment after changes
set +e
set -a set -a
source .env source .env 2>/dev/null
set +a set +a
set -e
# Validate required variables # Validate required variables
echo "Validating required variables..." echo "Validating required variables..."
@ -177,7 +198,6 @@ echo ""
# Check for optional but recommended variables # Check for optional but recommended variables
OPTIONAL_VARS=( OPTIONAL_VARS=(
"ACME_EMAIL"
"SMTP_HOST" "SMTP_HOST"
"SMTP_USER" "SMTP_USER"
) )
@ -201,10 +221,14 @@ if [ ! -f kong.yml.template ]; then
exit 1 exit 1
fi fi
# Use sed to replace placeholders # Use awk to replace placeholders (more robust than sed for complex strings)
sed -e "s|__ANON_KEY__|$ANON_KEY|g" \ awk -v anon_key="$ANON_KEY" -v service_key="$SERVICE_ROLE_KEY" '
-e "s|__SERVICE_ROLE_KEY__|$SERVICE_ROLE_KEY|g" \ {
kong.yml.template > kong.yml gsub(/__ANON_KEY__/, anon_key)
gsub(/__SERVICE_ROLE_KEY__/, service_key)
print
}
' kong.yml.template > kong.yml
echo -e "${GREEN}Generated kong.yml with API keys.${NC}" echo -e "${GREEN}Generated kong.yml with API keys.${NC}"
echo "" echo ""