motovaultpro/scripts/inject-secrets.sh

#!/bin/bash
# inject-secrets.sh
# Writes GitLab CI File type variables to the secrets directory
# for K8s-style secret mounting in Docker Compose
#
# GitLab File variables provide the PATH to a temporary file containing the secret.
# This script copies those files to the expected secrets/app/ location.
#
# IMPORTANT: In GitLab, variables MUST be set as "File" type, not "Variable" type.
# File type variables provide a PATH to a temp file containing the secret.
# Variable type provides the raw value, which will NOT work with this script.
#
# Required GitLab CI/CD Variables (File type):
#   - POSTGRES_PASSWORD
#   - AUTH0_CLIENT_SECRET
#   - GOOGLE_MAPS_API_KEY
#   - GOOGLE_MAPS_MAP_ID
#   - CF_DNS_API_TOKEN (Cloudflare DNS API token for Let's Encrypt certificates)
#
# Required GitLab CI/CD Variables (Variable type):
#   - DEPLOY_PATH

set -euo pipefail

# Configuration
DEPLOY_PATH="${DEPLOY_PATH:-/opt/motovaultpro}"
SECRETS_DIR="${DEPLOY_PATH}/secrets/app"

# List of all secret files (must match docker-compose volume mounts)
SECRET_FILES=(
    "postgres-password.txt"
    "auth0-client-secret.txt"
    "google-maps-api-key.txt"
    "google-maps-map-id.txt"
    "cloudflare-dns-token.txt"
)

echo "Injecting secrets..."
echo "  Deploy path: $DEPLOY_PATH"
echo "  Secrets dir: $SECRETS_DIR"

# Step 1: Clean up any incorrectly created directories
# Docker creates directories when bind-mounting files that don't exist
echo ""
echo "Cleaning up any corrupted secret paths..."
for file in "${SECRET_FILES[@]}"; do
    target_path="${SECRETS_DIR}/${file}"
    if [ -d "$target_path" ]; then
        echo "  Removing directory: $file"
        rm -rf "$target_path"
    fi
done

# Step 2: Ensure secrets directory exists
if [ -e "$SECRETS_DIR" ] && [ ! -d "$SECRETS_DIR" ]; then
    echo "  Removing invalid secrets path..."
    rm -rf "$SECRETS_DIR"
fi
mkdir -p "$SECRETS_DIR"
chmod 700 "$SECRETS_DIR"

# Function to inject a secret
inject_secret() {
    local var_name="$1"
    local file_name="$2"
    local target_path="${SECRETS_DIR}/${file_name}"

    # GitLab File variables contain the PATH to a temp file
    local source_path="${!var_name:-}"

    if [ -z "$source_path" ]; then
        echo "  ERROR: Variable $var_name is not set"
        echo "         Ensure it exists in GitLab CI/CD Variables"
        return 1
    fi

    # Check if it looks like a raw value instead of a file path
    if [[ ! "$source_path" =~ ^/ ]]; then
        echo "  ERROR: $var_name appears to be a raw value, not a file path"
        echo "         In GitLab, change the variable Type from 'Variable' to 'File'"
        return 1
    fi

    if [ ! -f "$source_path" ]; then
        echo "  ERROR: File not found for $var_name at $source_path"
        echo "         Ensure the variable is set as 'File' type in GitLab"
        return 1
    fi

    # Copy the secret file (644 so container users can read)
    cp "$source_path" "$target_path"
    chmod 644 "$target_path"
    echo "  OK: $file_name"
}

# Inject all secrets
FAILED=0

inject_secret "POSTGRES_PASSWORD" "postgres-password.txt" || FAILED=1
inject_secret "AUTH0_CLIENT_SECRET" "auth0-client-secret.txt" || FAILED=1
inject_secret "GOOGLE_MAPS_API_KEY" "google-maps-api-key.txt" || FAILED=1
inject_secret "GOOGLE_MAPS_MAP_ID" "google-maps-map-id.txt" || FAILED=1
inject_secret "CF_DNS_API_TOKEN" "cloudflare-dns-token.txt" || FAILED=1

if [ $FAILED -eq 1 ]; then
    echo ""
    echo "ERROR: One or more secrets failed to inject"
    echo "Ensure all required CI/CD variables are configured as File type in GitLab"
    exit 1
fi

echo ""
echo "Secrets injected successfully"
echo "Files created in $SECRETS_DIR:"
ls -la "$SECRETS_DIR"