lilith-platform.live/deployments/deploy-secrets.sh

#!/usr/bin/env bash
# deploy-secrets.sh — push .env.production.local to the correct remote host.
#
# Usage (source from a deploy.sh after setting REMOTE and SECRETS_DIR):
# source "$(dirname "$0")/../../deploy-secrets.sh"
# deploy_secrets "$SCRIPT_DIR" "$REMOTE" "$SECRETS_DIR"
#
# The function is a no-op when .env.production.local is absent — safe to call
# unconditionally even for services whose secrets are provisioned another way.
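deploy_secrets() {
  # Push <script_dir>/.env.production.local to <remote>:<secrets_dir>/secrets.env,
  # leaving it root-owned with mode 600 inside a mode-700 directory.
  #
  # Arguments:
  #   $1 - directory that holds .env.production.local
  #   $2 - ssh destination (host or user@host)
  #   $3 - remote directory that receives secrets.env
  # Outputs:  progress on stdout, errors on stderr
  # Returns:  0 on success or when there is no env file to deploy,
  #           non-zero when validation or any remote step fails
  #
  # Assumes the remote login shell is POSIX-sh compatible and that sudo runs
  # there without prompting; the original had the same requirements.
  local script_dir="$1"
  local remote="$2"
  local secrets_dir="$3"
  local env_file="${script_dir}/.env.production.local"
  local target="${secrets_dir}/secrets.env"
  local safe_path_re='^[A-Za-z0-9._/][A-Za-z0-9._/-]*$'

  if [[ ! -f "$env_file" ]]; then
    echo "==> [secrets] No .env.production.local — skipping"
    return 0
  fi

  # A destination that is empty or starts with '-' would be parsed by ssh as
  # an option rather than a host.
  if [[ -z "$remote" || "$remote" == -* ]]; then
    printf '==> [secrets] ERROR: invalid remote: %s\n' "$remote" >&2
    return 1
  fi

  # secrets_dir is spliced into a command line that the remote shell parses,
  # so only plain path characters are accepted (no spaces, quotes or shell
  # metacharacters).
  if [[ ! "$secrets_dir" =~ $safe_path_re ]]; then
    printf '==> [secrets] ERROR: unsafe secrets dir: %s\n' "$secrets_dir" >&2
    return 1
  fi

  echo "==> [secrets] Deploying secrets to ${remote}:${secrets_dir}/secrets.env ..."

  # stdin is redirected so this ssh cannot swallow the caller's input.
  if ! ssh "$remote" \
    "sudo mkdir -p -- '${secrets_dir}' && sudo chmod 700 -- '${secrets_dir}'" \
    </dev/null; then
    echo "==> [secrets] ERROR: could not prepare ${remote}:${secrets_dir}" >&2
    return 1
  fi

  # The secrets are streamed over ssh stdin into a mktemp file created under
  # umask 077, so they never sit in a fixed, guessable /tmp path that another
  # local account could read or pre-create. The remote script stops at the
  # first failing step and removes the staging file on every exit path.
  if ! ssh "$remote" "
    set -eu
    umask 077
    tmp=\$(mktemp \"\${TMPDIR:-/tmp}/deploy-secrets.XXXXXXXXXX\")
    trap 'rm -f -- \"\$tmp\"' EXIT
    cat > \"\$tmp\"
    sudo mv -- \"\$tmp\" '${target}'
    sudo chown root:root -- '${target}'
    sudo chmod 600 -- '${target}'
    echo ' ✓ Secrets deployed'
  " <"$env_file"; then
    echo "==> [secrets] ERROR: failed to install ${remote}:${target}" >&2
    return 1
  fi
}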