All checks were successful
CI / test-bqas (push) Successful in 32s
CI / go-lint (push) Has been skipped
CI / python-lint (push) Has been skipped
CI / nodejs-lint (push) Has been skipped
CI / test-go-consent (push) Successful in 46s
CI / test-python-voice (push) Successful in 38s
- Install Gitleaks, Trivy, Grype, Syft, Semgrep, Bandit in backend-core Dockerfile
- Add Woodpecker SQLite proxy API (fallback without API token)
- Mount woodpecker_data volume read-only to backend-core
- Add backend proxy fallback in admin-core Woodpecker route
- Add Vault file-based persistent storage (config.hcl, init-vault.sh)
- Auto-init, unseal and root-token persistence for Vault
- Add 6 pitch-deck annex slides (Assumptions, Architecture, GTM, Regulatory, Engineering, AI Pipeline)
- Dynamic margin/amortization KPIs in BusinessModelSlide
- Market sources modal with citations in MarketSlide
- Redesign nginx landing page to 3-column layout (Lehrer/Compliance/Core)
- Extend MkDocs nav with Services and SDK documentation sections
- Add SDK Protection architecture doc

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
53 lines
1.5 KiB
Bash
Executable File
#!/bin/sh
# Vault Init + Unseal Script for persistent (file) storage
set -e
# Create the key and token files owner-only from the start; relying on a later
# chmod leaves them world-readable under the default umask for a moment.
umask 077

export VAULT_ADDR="http://vault:8200"
# The init output (unseal key + root token) and the extracted root token are
# kept on the data volume. Anyone who can read that volume can unseal and
# administer Vault, so the volume's access controls are the real secret boundary.
KEYS_FILE="/vault/data/init-keys.json"

echo "=== Vault Init/Unseal ==="
echo "Waiting for Vault to be ready..."

# `vault status` exits 0 when unsealed, 2 when sealed (or not yet initialized)
# and 1 on error, so either 0 or 2 means the API is answering.
until vault status >/dev/null 2>&1 || [ $? -eq 2 ]; do
    sleep 1
done

# Read "initialized": true/false from the JSON status output
# (strip spaces, commas and quotes, then take the value after the colon).
INITIALIZED=$(vault status -format=json 2>/dev/null | grep '"initialized"' | tr -d ' ,"' | cut -d: -f2)

if [ "$INITIALIZED" = "false" ]; then
    echo "First start — initializing Vault..."
    vault operator init -key-shares=1 -key-threshold=1 -format=json > "$KEYS_FILE"
    chmod 600 "$KEYS_FILE"
    echo "Vault initialized. Keys saved."
fi

# Read "sealed": true/false the same way.
SEALED=$(vault status -format=json 2>/dev/null | grep '"sealed"' | tr -d ' ,"' | cut -d: -f2)

if [ "$SEALED" = "true" ]; then
    echo "Unsealing Vault..."
    # With a single key share, the first (only) entry of "unseal_keys_b64" is
    # the line following the array opener in the init JSON.
    UNSEAL_KEY=$(grep -A1 unseal_keys_b64 "$KEYS_FILE" | tail -1 | tr -d ' ",')
    # Do not echo the key: container stdout is collected into logs.
    vault operator unseal "$UNSEAL_KEY" > /dev/null
    echo "Vault unsealed."
fi

# Extract root token
ROOT_TOKEN=$(grep root_token "$KEYS_FILE" | tr -d ' ",' | cut -d: -f2)
export VAULT_TOKEN="$ROOT_TOKEN"
echo "$ROOT_TOKEN" > /vault/data/root-token
chmod 600 /vault/data/root-token

echo "=== Vault ready (persistent file storage) ==="

# Run PKI init
if [ -f /vault/scripts/init-pki.sh ]; then
    echo "Running PKI initialization..."
    sh /vault/scripts/init-pki.sh
fi

# Run secrets init
if [ -f /vault/scripts/init-secrets.sh ]; then
    echo "Running secrets initialization..."
    sh /vault/scripts/init-secrets.sh
fi
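The script above reads Vault's JSON output with grep/tr/cut and relies on a later chmod to protect the files it persists. The following is an added example, not code from the commit or the project: POSIX-sh helpers that extract the same fields (`initialized`, `sealed`, `root_token`, the first `unseal_keys_b64` entry) from constructed sample output shaped like `vault status -format=json` and `vault operator init -format=json`, plus a check that a persisted secret file is readable by its owner only. The function names are this example's own, and every key or token value in the sample JSON is a placeholder.

```shell
#!/bin/sh
# Added example, not part of the commit above. Function names are this
# example's own; the sample JSON is constructed to match the shape of Vault's
# output and every key/token value in it is a placeholder, not a real secret.

# vault_json_field JSON KEY
# Print the scalar value of the top-level "KEY": value pair (string, bool or
# number) without quotes or trailing comma. Prints nothing if KEY is absent.
vault_json_field() {
    printf '%s\n' "$1" | awk -v key="\"$2\":" '
        $1 == key { v = $2; gsub("[\",]", "", v); print v; exit }'
}

# vault_first_unseal_key INIT_JSON
# Print the first entry of "unseal_keys_b64" (the only one when Vault was
# initialised with -key-shares=1). Keeps only the base64 alphabet, which
# drops the surrounding quotes, comma and indentation.
vault_first_unseal_key() {
    printf '%s\n' "$1" | awk '
        $1 == "\"unseal_keys_b64\":" { in_arr = 1; next }
        in_arr { gsub("[^A-Za-z0-9+/=]", "", $0); print; exit }'
}

# check_secret_perms FILE
# Succeed only if FILE exists and is accessible by its owner alone (mode 600
# or stricter), which is what init-vault.sh intends with chmod 600.
# Uses ls -l rather than stat so it behaves the same on GNU and BSD userlands.
check_secret_perms() {
    [ -f "$1" ] || return 1
    mode=$(ls -ld "$1" | cut -c5-10)
    [ "$mode" = "------" ]
}

# Constructed sample of `vault status -format=json` for a sealed vault.
SAMPLE_STATUS='{
  "type": "shamir",
  "initialized": true,
  "sealed": true,
  "t": 1,
  "n": 1,
  "progress": 0
}'

# Constructed sample of `vault operator init -key-shares=1 -key-threshold=1
# -format=json`. Key and token are placeholders.
SAMPLE_INIT='{
  "unseal_keys_b64": [
    "EXAMPLEunsealKeyBase64+placeholder/only=="
  ],
  "unseal_keys_hex": [
    "00"
  ],
  "unseal_shares": 1,
  "unseal_threshold": 1,
  "root_token": "hvs.EXAMPLEplaceholderRootToken"
}'

# Stand-alone demonstration: mirror the decisions init-vault.sh makes, but
# never print the unseal key or the root token themselves.
if [ "$(vault_json_field "$SAMPLE_STATUS" initialized)" = "false" ]; then
    echo "would run: vault operator init"
fi
if [ "$(vault_json_field "$SAMPLE_STATUS" sealed)" = "true" ]; then
    key=$(vault_first_unseal_key "$SAMPLE_INIT")
    echo "would run: vault operator unseal <key of ${#key} chars>"
fi
token=$(vault_json_field "$SAMPLE_INIT" root_token)
echo "root token parsed: ${token%%.*}.<redacted>"
```

The helpers match on the whole first whitespace-separated field (`"key":`), so a key name that is a prefix of another (`unseal_keys_b64` vs `unseal_keys_hex`) cannot be confused, and `check_secret_perms` fails loudly when a group- or world-readable key file slips onto the volume.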