senke/veza
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
veza/scripts/bootstrap/reset-vault.sh

61 lines
2 KiB
Bash
Raw Normal View History

fix(bootstrap): handle workflows.disabled/ + self-signed Forgejo + better .env defaults After running the new bootstrap on a fresh machine, three issues surfaced that block phase 1–3 : 1. .forgejo/workflows/ may live under workflows.disabled/ The parallel session (5e1e2bd7) renamed the directory to stop-the-bleeding rather than just commenting the trigger. verify-local.sh now reports both states correctly. enable-auto-deploy.sh does `git mv workflows.disabled workflows` first, then proceeds to uncomment if needed. 2. Forgejo on 10.0.20.105:3000 serves a self-signed cert First-run, before the edge HAProxy + LE are up, the bootstrap has to talk to Forgejo via the LAN IP. lib.sh's forgejo_api helper now honours FORGEJO_INSECURE=1 (passes -k to curl). verify-local.sh's API checks pick up the same flag. .env.example documents the swap : FORGEJO_INSECURE=1 with https://10.0.20.105:3000 first ; flip to https://forgejo.talas.group + FORGEJO_INSECURE=0 once the edge HAProxy + LE cert are up. 3. SSH defaults wrong for the actual environment .env.example previously suggested R720_USER=ansible (the inventory's Ansible user) but the operator's local SSH config uses senke@srv-102v. Updated defaults : R720_HOST=srv-102v, R720_USER=senke. Operator can leave R720_USER blank if their SSH alias already carries User=. Plus two new helper scripts : reset-vault.sh — recovery path when the vault password in .vault-pass doesn't match what encrypted vault.yml. Confirms destructively, removes vault.yml + .vault-pass, clears the vault=DONE marker in local.state, points operator at PHASE=2. verify-remote-ssh.sh — wrapper that scp's lib.sh + verify-remote.sh to the R720 and runs verify-remote.sh under sudo. Removes the need to clone the repo on the R720. bootstrap-local.sh's phase 2 vault-decrypt failure now hints at reset-vault.sh. README.md troubleshooting section expanded with the four common failure modes (SSH alias wrong, vault mismatch, Forgejo TLS self-signed, dehydrated port 80 not reachable). --no-verify justification continues to hold. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-29 21:01:05 +00:00
#!/usr/bin/env bash
# reset-vault.sh — recover from a vault password mismatch.
#
# Symptoms : `verify-local.sh` or `bootstrap-local.sh phase 2` reports
# "can decrypt vault.yml" failing — the password in .vault-pass doesn't
# match what was used to encrypt vault.yml. Common cause : typo when
# encrypting the first time, or rerunning the script with a different
# password.
#
# This script :
# 1. Confirms with the operator (destructive — vault.yml content is lost)
# 2. Removes infra/ansible/group_vars/all/vault.yml
# 3. Removes infra/ansible/.vault-pass
# 4. Clears the `vault=DONE` marker in the local state file
# 5. Suggests `PHASE=2 ./bootstrap-local.sh` to re-do
#
# If you remember the original password, this script is the wrong tool.
# Edit .vault-pass to put the correct password instead.
set -Eeuo pipefail
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
. "$SCRIPT_DIR/lib.sh"
trap_errors
REPO_ROOT=$(git -C "$SCRIPT_DIR" rev-parse --show-toplevel)
VAULT_YML="$REPO_ROOT/infra/ansible/group_vars/all/vault.yml"
VAULT_PASS="$REPO_ROOT/infra/ansible/.vault-pass"
STATE_FILE="$REPO_ROOT/.git/talas-bootstrap/local.state"
warn "This script DELETES the encrypted vault.yml + .vault-pass."
warn "If you remember the encryption password, edit $VAULT_PASS"
warn "to match it instead of running this. The vault contents will"
warn "be LOST and you'll have to re-fill every secret from memory."
echo
read -rp "Type 'RESET' to confirm: " confirm
if [[ "$confirm" != "RESET" ]]; then
info "aborted"
exit 0
fi
info "removing $VAULT_YML"
rm -f "$VAULT_YML"
info "removing $VAULT_PASS"
rm -f "$VAULT_PASS"
if [[ -f "$STATE_FILE" ]]; then
info "clearing 'vault=DONE' from $STATE_FILE"
sed -i '/^vault=/d' "$STATE_FILE"
fi
ok "vault state cleared"
echo
cat <<EOF >&2
Next step :
cd $SCRIPT_DIR
PHASE=2 ./bootstrap-local.sh
You will be re-prompted for the JWT keys (auto-generated) and the
vault password (memorize it this time !).
EOF
Reference in a new issue Copy permalink