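#!/usr/bin/env bash
# bootstrap_dashboard_ro.sh — create/refresh the dashboard_ro read-only role.
# ─────────────────────────────────────────────────────────────────────────────
# Run ON THE HOST. Generates a strong password into ~/.dashboard_ro.pw (0600) on
# first run (reused thereafter), then applies scripts/dashboard_ro_role.sql to the
# prod DB as the postgres superuser. The password is NEVER printed and never
# leaves the host — the staging deploy script reads the same ~/.dashboard_ro.pw.
#
# The password reaches psql on stdin (a leading \set line), not as a -v
# argument: command-line arguments stay readable to other local users through
# ps and /proc for as long as the process runs. For the same reason, do not run
# this script under `bash -x`; the trace would print the password.
#
# Usage: bootstrap_dashboard_ro.sh [SQL_FILE]
#   SQL_FILE              role DDL to apply (default: ~/dashboard_ro_role.sql);
#                         it runs with the psql variable ro_pw already set
#   DASHBOARD_RO_PW_FILE  environment override for the password file path
#
# Deploy:
#   scp scripts/dashboard_ro_role.sql scripts/bootstrap_dashboard_ro.sh \
#       kianiadee@twala.rahamafresh.com:~/
#   ssh kianiadee@twala.rahamafresh.com 'bash ~/bootstrap_dashboard_ro.sh'
#
# Idempotent: re-running rotates nothing unless ~/.dashboard_ro.pw is deleted
# first (then it generates + sets a fresh password and you must redeploy the API).
# ─────────────────────────────────────────────────────────────────────────────
set -euo pipefail

PW_FILE="${DASHBOARD_RO_PW_FILE:-$HOME/.dashboard_ro.pw}"
SQL_FILE="${1:-$HOME/dashboard_ro_role.sql}"

# Report a fatal error on stderr (not stdout) and stop.
die() {
  printf '%s\n' "ERROR: $*" >&2
  exit 1
}

[ -f "$SQL_FILE" ] || die "role SQL not found at $SQL_FILE (scp scripts/dashboard_ro_role.sql to ~ first)"

if [ ! -s "$PW_FILE" ]; then
  # The subshell keeps umask 077 local, so the file is created owner-only.
  ( umask 077; openssl rand -hex 24 > "$PW_FILE" )
  # Also covers a pre-existing empty file, whose mode the umask cannot change.
  chmod 600 "$PW_FILE"
  echo "Generated new dashboard_ro password -> $PW_FILE (0600)"
else
  # NOTE(review): the mode of a reused file is not checked here; confirm it is
  # still 0600 if the file was created by anything other than this script.
  echo "Reusing existing dashboard_ro password from $PW_FILE"
fi
PW=$(<"$PW_FILE")

# -s only proves the file is non-empty; a file of bare newlines would otherwise
# set an empty password on the role.
[ -n "$PW" ] || die "password file $PW_FILE holds no password"
# The password is sent as a single \set line, so it cannot span lines.
case "$PW" in
  *$'\n'*) die "password in $PW_FILE spans several lines" ;;
esac

# NOTE(review): --filter name= is a substring match and head -1 keeps whichever
# match docker lists first. Confirm only one container on this host has
# timescale_db in its name before superuser DDL is applied to it.
DB=$(docker ps --filter name=timescale_db --format "{{.Names}}" | head -1)
[ -n "$DB" ] || die "timescale_db container not found"

echo "Applying dashboard_ro role DDL to $DB as postgres ..."

# Escape the password for a single-quoted psql meta-command argument:
# backslash -> \\ and ' -> ''. The generated hex password needs neither, but a
# hand-written password file might.
bs='\'
sq="'"
pw_escaped=${PW//"$bs"/"$bs$bs"}
pw_escaped=${pw_escaped//"$sq"/"$sq$sq"}

# printf is a shell builtin, so the password never appears in any process's
# argument list; psql receives it on stdin ahead of the role SQL.
{
  printf '%s\n' "\\set ro_pw '${pw_escaped}'"
  cat -- "$SQL_FILE"
} | docker exec -i "$DB" psql -U postgres -d tracksolid_db -v ON_ERROR_STOP=1

unset PW pw_escaped
echo "dashboard_ro ready (password not printed). Now (re)run deploy_dashboard_api_staging.sh."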