#!/usr/bin/env bash # bootstrap_dashboard_ro.sh — create/refresh the dashboard_ro read-only role. # ───────────────────────────────────────────────────────────────────────────── # Run ON THE HOST. Generates a strong password into ~/.dashboard_ro.pw (0600) on # first run (reused thereafter), then applies scripts/dashboard_ro_role.sql to the # prod DB as the postgres superuser. The password is NEVER printed and never # leaves the host — the staging deploy script reads the same ~/.dashboard_ro.pw. # # Deploy: # scp scripts/dashboard_ro_role.sql scripts/bootstrap_dashboard_ro.sh \ # kianiadee@twala.rahamafresh.com:~/ # ssh kianiadee@twala.rahamafresh.com 'bash ~/bootstrap_dashboard_ro.sh' # # Idempotent: re-running rotates nothing unless ~/.dashboard_ro.pw is deleted # first (then it generates + sets a fresh password and you must redeploy the API). # ───────────────────────────────────────────────────────────────────────────── set -euo pipefail PW_FILE="${DASHBOARD_RO_PW_FILE:-$HOME/.dashboard_ro.pw}" SQL_FILE="${1:-$HOME/dashboard_ro_role.sql}" test -f "$SQL_FILE" || { echo "ERROR: role SQL not found at $SQL_FILE (scp scripts/dashboard_ro_role.sql to ~ first)"; exit 1; } if [ ! -s "$PW_FILE" ]; then ( umask 077; openssl rand -hex 24 > "$PW_FILE" ) chmod 600 "$PW_FILE" echo "Generated new dashboard_ro password -> $PW_FILE (0600)" else echo "Reusing existing dashboard_ro password from $PW_FILE" fi PW=$(cat "$PW_FILE") DB=$(docker ps --filter name=timescale_db --format "{{.Names}}" | head -1) [ -n "$DB" ] || { echo "ERROR: timescale_db container not found"; exit 1; } echo "Applying dashboard_ro role DDL to $DB as postgres ..." docker exec -i "$DB" psql -U postgres -d tracksolid_db -v ON_ERROR_STOP=1 -v ro_pw="$PW" < "$SQL_FILE" echo "dashboard_ro ready (password not printed). Now (re)run deploy_dashboard_api_staging.sh."