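#!/usr/bin/env bash
# bootstrap_analytics_ro.sh — create/refresh the analytics_ro read-only role.
# ─────────────────────────────────────────────────────────────────────────────
# Run ON THE HOST. Generates a strong password into ~/.analytics_ro.pw (0600) on
# first run (reused thereafter), then applies scripts/analytics_ro_role.sql to the
# prod DB as the postgres superuser. The password is NEVER printed, is never put
# on a command line (argv is readable by every local user via ps / /proc) and
# never leaves the host — the MCP deploy script (deploy_analytics_mcp.sh) reads
# the same ~/.analytics_ro.pw.
#
# Usage: bootstrap_analytics_ro.sh [ROLE_SQL_FILE]
#   ROLE_SQL_FILE         path to the role DDL; default ~/analytics_ro_role.sql.
#                         The DDL reads the password from the psql variable ro_pw.
#   ANALYTICS_RO_PW_FILE  env override for the password file path;
#                         default ~/.analytics_ro.pw.
#
# Deploy:
#   scp scripts/analytics_ro_role.sql scripts/bootstrap_analytics_ro.sh \
#       kianiadee@twala.rahamafresh.com:~/
#   ssh kianiadee@twala.rahamafresh.com 'bash ~/bootstrap_analytics_ro.sh'
#
# Idempotent: re-running rotates nothing unless ~/.analytics_ro.pw is deleted
# first (then it generates + sets a fresh password and you must redeploy the MCP).
# ─────────────────────────────────────────────────────────────────────────────
set -euo pipefail

readonly PW_FILE="${ANALYTICS_RO_PW_FILE:-$HOME/.analytics_ro.pw}"
readonly SQL_FILE="${1:-$HOME/analytics_ro_role.sql}"

#######################################
# Print an error to stderr and exit 1.
# Arguments: $* - message
#######################################
die() {
  printf 'ERROR: %s\n' "$*" >&2
  exit 1
}

#######################################
# Create the password file if it is missing or empty; otherwise keep it.
# Arguments: $1 - password file path
# Outputs:   status line to stdout (never the password)
#######################################
ensure_password_file() {
  local pw_file=$1
  if [ ! -s "$pw_file" ]; then
    command -v openssl >/dev/null || die "openssl not found in PATH; cannot generate password"
    # umask 077 in a subshell so the file is 0600 from the moment it exists.
    # On failure remove the (possibly empty) file so the next run starts clean.
    ( umask 077; openssl rand -hex 24 > "$pw_file" ) \
      || { rm -f -- "$pw_file"; die "openssl rand failed; $pw_file not created"; }
    # Also repairs a pre-existing empty file that had loose permissions.
    chmod 600 "$pw_file"
    echo "Generated new analytics_ro password -> $pw_file (0600)"
  else
    echo "Reusing existing analytics_ro password from $pw_file"
  fi
}

#######################################
# Find the running timescale_db container.
# Outputs:   first matching container name on stdout, empty if none
#######################################
find_db_container() {
  local names
  # `--filter name=` is a pattern match, not an exact one; the first match is
  # taken. Trim to the first line in-shell instead of piping to head so a
  # multi-line result cannot trip pipefail via SIGPIPE.
  names=$(docker ps --filter name=timescale_db --format "{{.Names}}")
  printf '%s\n' "${names%%$'\n'*}"
}

#######################################
# Apply the role DDL to the container's tracksolid_db as postgres.
# Arguments: $1 - container name
#            $2 - role SQL file
#            $3 - password file
# Returns:   psql's exit status (ON_ERROR_STOP makes any failed statement fatal)
#######################################
apply_role_sql() {
  local container=$1 sql_file=$2 pw_file=$3
  local pw
  pw=$(cat -- "$pw_file")
  # `-s` only proves the file is non-empty; a file holding just a newline
  # would otherwise set an empty password.
  [ -n "$pw" ] || die "password file $pw_file contains no password"
  echo "Applying analytics_ro role DDL to $container as postgres ..."
  # Hand the password to psql as a \set line on stdin ahead of the DDL rather
  # than as `-v ro_pw=...`: the stdin pipe is private to this process tree,
  # whereas argv shows up in ps, /proc and process-accounting logs on both the
  # host and inside the container. \set sets the same psql variable that -v
  # would, so the SQL file needs no change.
  { printf '\\set ro_pw %s\n' "$pw"; cat -- "$sql_file"; } \
    | docker exec -i "$container" psql -U postgres -d tracksolid_db -v ON_ERROR_STOP=1
}

main() {
  local db
  command -v docker >/dev/null || die "docker not found in PATH"
  [ -f "$SQL_FILE" ] || die "role SQL not found at $SQL_FILE (scp scripts/analytics_ro_role.sql to ~ first)"
  ensure_password_file "$PW_FILE"
  db=$(find_db_container)
  [ -n "$db" ] || die "timescale_db container not found"
  apply_role_sql "$db" "$SQL_FILE" "$PW_FILE"
  echo "analytics_ro ready (password not printed). Now deploy the MCP server (Coolify app, or deploy.sh on this host)."
}

main "$@"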