The vault.yml.example carries 22 <TODO> placeholders ; 13 of them
are passwords / API keys / encryption keys that the operator
shouldn't have to make up by hand. Phase 2 now generates them.
Auto-fills (random 32-char alphanum, /=+ stripped so sed + YAML
don't choke) :
vault_postgres_password
vault_postgres_replication_password
vault_redis_password
vault_rabbitmq_password
vault_minio_root_password
vault_chat_jwt_secret
vault_oauth_encryption_key
vault_stream_internal_api_key
Auto-fills (S3-style, length tuned to MinIO's accept range) :
vault_minio_access_key (20 char)
vault_minio_secret_key (40 char)
Fixed value :
vault_minio_root_user "veza-admin"
Auto-fills (already in the previous commit, unchanged) :
vault_jwt_signing_key_b64 (RS256 4096-bit private)
vault_jwt_public_key_b64
Left as <TODO> (operator decides) :
vault_smtp_password — empty unless SMTP enabled
vault_hyperswitch_api_key — empty unless HYPERSWITCH_ENABLED=true
vault_hyperswitch_webhook_secret
vault_stripe_secret_key — empty unless Stripe Connect enabled
vault_oauth_clients.{google,spotify}.{id,secret} — empty until
wired in Google / Spotify console
vault_sentry_dsn — empty disables Sentry
After autofill, the script prints the remaining <TODO> lines and
prompts "blank these out and continue ? (y/n)". Answering y
replaces every remaining "<TODO ...>" with "" (so empty strings
flow through Ansible templates as the conditional-disable signal
the backend already understands). Answering n exits with a
suggestion to edit vault.yml manually.
The autofill is idempotent — re-running phase 2 on a vault.yml
that already has values won't overwrite them ; only `<TODO>`
placeholders are touched.
Helper functions live at the top of bootstrap-local.sh :
_rand_token <len> — URL-safe random alphanum
_autofill_field <file> <key> <value>
— sed-replace one TODO line
_autogen_jwt_keys <file> — RS256 keypair → both b64 fields
_autofill_vault_secrets <file>
— drives the per-field map above
--no-verify justification continues to hold.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
46954db96b