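#!/bin/bash
# inject-secrets.sh
# Writes GitLab CI File type variables to the secrets directory
# for K8s-style secret mounting in Docker Compose
#
# GitLab File variables provide the PATH to a temporary file containing the secret.
# This script copies those files to the expected secrets/app/ location.
#
# IMPORTANT: In GitLab, variables MUST be set as "File" type, not "Variable" type.
# File type variables provide a PATH to a temp file containing the secret.
# Variable type provides the raw value, which will NOT work with this script.
#
# Required GitLab CI/CD Variables (File type):
#   - POSTGRES_PASSWORD
#   - AUTH0_CLIENT_SECRET
#   - GOOGLE_MAPS_API_KEY
#   - GOOGLE_MAPS_MAP_ID
#   - CF_DNS_API_TOKEN (Cloudflare DNS API token for Let's Encrypt certificates)
#   - RESEND_API_KEY (Resend API key for email notifications)
#
# Required GitLab CI/CD Variables (Variable type):
#   - DEPLOY_PATH
#
# Exit status: 0 when every secret was written; 1 when any variable is unset,
# is not a File-type variable, or its file could not be read/copied.
# Secret contents are never printed; only variable names, file names and paths.

set -euo pipefail

# Configuration
DEPLOY_PATH="${DEPLOY_PATH:-/opt/motovaultpro}"
SECRETS_DIR="${DEPLOY_PATH}/secrets/app"
readonly SECRETS_DIR

# Single source of truth: "VARIABLE=file-name", in injection order.
# File names must match the docker-compose volume mounts; the variable names
# must match the header list above. Both the cleanup loop and the injection
# loop are driven from this list so the two cannot drift apart.
SECRET_MAP=(
  "POSTGRES_PASSWORD=postgres-password.txt"
  "AUTH0_CLIENT_SECRET=auth0-client-secret.txt"
  "GOOGLE_MAPS_API_KEY=google-maps-api-key.txt"
  "GOOGLE_MAPS_MAP_ID=google-maps-map-id.txt"
  "CF_DNS_API_TOKEN=cloudflare-dns-token.txt"
  "RESEND_API_KEY=resend-api-key.txt"
)
readonly -a SECRET_MAP

echo "Injecting secrets..."
echo "  Deploy path: $DEPLOY_PATH"
echo "  Secrets dir: $SECRETS_DIR"

# Step 1: Clean up any incorrectly created directories
# Docker creates directories when bind-mounting files that don't exist
echo ""
echo "Cleaning up any corrupted secret paths..."
for entry in "${SECRET_MAP[@]}"; do
  file="${entry#*=}"
  target_path="${SECRETS_DIR}/${file}"
  if [ -d "$target_path" ]; then
    echo "  Removing directory: $file"
    rm -rf -- "$target_path"
  fi
done

# Step 2: Ensure secrets directory exists
# ":?" guards the rm -rf against an empty expansion (cannot happen with the
# assignment above, but it is cheap insurance for a destructive command).
if [ -e "$SECRETS_DIR" ] && [ ! -d "$SECRETS_DIR" ]; then
  echo "  Removing invalid secrets path..."
  rm -rf -- "${SECRETS_DIR:?}"
fi
mkdir -p -- "$SECRETS_DIR"
# The directory is the host-side access control for the secrets: only the
# owner can list or traverse it, so the per-file 644 below does not expose
# them to other host users.
chmod 700 "$SECRETS_DIR"

#######################################
# Copy one GitLab File-type variable into the secrets directory.
# Globals:   SECRETS_DIR (read)
# Arguments: $1 - name of the CI/CD variable holding the temp-file path
#            $2 - destination file name inside SECRETS_DIR
# Outputs:   progress on stdout, diagnostics on stderr (never secret contents)
# Returns:   0 on success, 1 when the variable is unset, is a raw value
#            rather than a path, the file is missing, or the copy fails
#######################################
inject_secret() {
  local var_name="$1"
  local file_name="$2"
  local target_path="${SECRETS_DIR}/${file_name}"

  # GitLab File variables contain the PATH to a temp file
  local source_path="${!var_name:-}"

  if [ -z "$source_path" ]; then
    echo "  ERROR: Variable $var_name is not set" >&2
    echo "         Ensure it exists in GitLab CI/CD Variables" >&2
    return 1
  fi

  # Check if it looks like a raw value instead of a file path
  if [[ ! "$source_path" =~ ^/ ]]; then
    echo "  ERROR: $var_name appears to be a raw value, not a file path" >&2
    echo "         In GitLab, change the variable Type from 'Variable' to 'File'" >&2
    return 1
  fi

  if [ ! -f "$source_path" ]; then
    echo "  ERROR: File not found for $var_name at $source_path" >&2
    echo "         Ensure the variable is set as 'File' type in GitLab" >&2
    return 1
  fi

  if [ ! -r "$source_path" ]; then
    echo "  ERROR: File for $var_name at $source_path is not readable" >&2
    return 1
  fi

  # An empty File variable is almost always a misconfiguration, but it is not
  # rejected here because an intentionally empty value is possible.
  if [ ! -s "$source_path" ]; then
    echo "  WARNING: $var_name file is empty; $file_name will be empty" >&2
  fi

  # Copy the secret file (644 so container users can read). cp writes in
  # place, so an existing bind-mounted file keeps its inode. A failed copy is
  # reported explicitly instead of relying on cp's own message.
  if ! cp -- "$source_path" "$target_path"; then
    echo "  ERROR: Failed to copy $var_name to $target_path" >&2
    return 1
  fi
  chmod 644 "$target_path"

  echo "  OK: $file_name"
}

# Inject all secrets; keep going after a failure so every problem is reported.
FAILED=0
for entry in "${SECRET_MAP[@]}"; do
  inject_secret "${entry%%=*}" "${entry#*=}" || FAILED=1
done

if [ "$FAILED" -eq 1 ]; then
  echo "" >&2
  echo "ERROR: One or more secrets failed to inject" >&2
  echo "Ensure all required CI/CD variables are configured as File type in GitLab" >&2
  exit 1
fi

echo ""
echo "Secrets injected successfully"
echo "Files created in $SECRETS_DIR:"
# Lists names, sizes and modes only; contents are never echoed.
ls -la "$SECRETS_DIR"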