#!/usr/bin/env bash
# deploy-secrets.sh — push .env.production.local to the correct remote host.
#
# Usage (source from a deploy.sh after setting REMOTE and SECRETS_DIR):
#   source "$(dirname "$0")/../../deploy-secrets.sh"
#   deploy_secrets "$SCRIPT_DIR" "$REMOTE" "$SECRETS_DIR"
#
# The function is a no-op when .env.production.local is absent — safe to call
# unconditionally even for services whose secrets are provisioned another way.

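#######################################
# Copy <script_dir>/.env.production.local to <remote>:<secrets_dir>/secrets.env,
# owned by root:root with mode 600, inside a root-only (700) directory.
#
# The file is staged on the remote in a mktemp-created file (mode 0600, random
# name) rather than a fixed, predictable path in /tmp, so other local users on
# the remote cannot pre-create or read the staging file. Ownership and mode are
# set on the staged file before it is moved into place.
#
# Arguments:
#   $1 - directory that holds .env.production.local
#   $2 - ssh destination (host or user@host)
#   $3 - remote directory that receives secrets.env
# Outputs:
#   progress on stdout, errors on stderr
# Returns:
#   0 when the env file is absent (no-op) or the deploy succeeded,
#   1 on invalid arguments or when any remote step fails.
#
# NOTE(review): the ssh calls allocate no TTY, so sudo on the remote presumably
# has to work without a password prompt — confirm against the host setup.
#######################################
deploy_secrets() {
  local script_dir="${1:-}"
  local remote="${2:-}"
  local secrets_dir="${3:-}"
  local env_file="${script_dir}/.env.production.local"
  local q_dir q_dest remote_tmp

  if [[ ! -f "$env_file" ]]; then
    echo "==> [secrets] No .env.production.local — skipping"
    return 0
  fi

  # A leading '-' would be parsed as an option by ssh/scp/mkdir; an empty
  # secrets_dir would make the destination "/secrets.env".
  if [[ -z "$remote" || "$remote" == -* ]]; then
    printf '==> [secrets] ERROR: invalid remote: %q\n' "$remote" >&2
    return 1
  fi
  if [[ -z "$secrets_dir" || "$secrets_dir" == -* \
    || "$secrets_dir" == *[[:cntrl:]]* ]]; then
    printf '==> [secrets] ERROR: invalid secrets dir: %q\n' "$secrets_dir" >&2
    return 1
  fi

  # The command string is re-parsed by the remote shell, so the path must be
  # shell-quoted here. Control characters are rejected above, which keeps %q
  # to plain backslash escaping that any POSIX sh understands.
  printf -v q_dir '%q' "$secrets_dir"
  printf -v q_dest '%q' "${secrets_dir}/secrets.env"

  echo "==> [secrets] Deploying secrets to ${remote}:${secrets_dir}/secrets.env ..."

  remote_tmp=$(
    ssh "$remote" "sudo mkdir -p -- ${q_dir} && sudo chmod 700 -- ${q_dir} && mktemp /tmp/_deploy_secrets.XXXXXXXXXX"
  ) || {
    echo "==> [secrets] ERROR: could not prepare ${remote}" >&2
    return 1
  }

  # Accept only the exact shape mktemp produces; anything else (login banner
  # noise, empty output) must not be spliced into later remote commands.
  if [[ ! "$remote_tmp" =~ ^/tmp/_deploy_secrets\.[A-Za-z0-9]+$ ]]; then
    echo "==> [secrets] ERROR: unexpected staging path from ${remote}" >&2
    return 1
  fi

  if ! scp -- "$env_file" "${remote}:${remote_tmp}"; then
    echo "==> [secrets] ERROR: upload to ${remote} failed" >&2
    # Best-effort cleanup; the upload failure is what gets reported.
    ssh "$remote" "rm -f -- ${remote_tmp}" || true
    return 1
  fi

  # chown/chmod before mv: the file never sits at its final path with the
  # uploader's ownership. On any failure the staged copy is removed.
  ssh "$remote" "
    if sudo chown root:root ${remote_tmp} &&
       sudo chmod 600 ${remote_tmp} &&
       sudo mv -- ${remote_tmp} ${q_dest}; then
      echo ' ✓ Secrets deployed'
    else
      sudo rm -f -- ${remote_tmp}
      exit 1
    fi
  " || {
    echo "==> [secrets] ERROR: installing secrets on ${remote} failed" >&2
    return 1
  }
}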