oib/aitbc
1
0
Fork 0
Code Issues Pull Requests Actions 21 Packages Projects Releases Wiki Activity
Files
f70b7e691c9bcb3256e2fa32ed7c4089abfc3cbf
aitbc/scripts/utils/load-keystore-secrets.sh
aitbc 652fe5e9fb
Some checks failed
Cross-Node Transaction Testing / transaction-test (push) Has been cancelled
Details
Deploy to Testnet / deploy-testnet (push) Has been cancelled
Details
Multi-Node Stress Testing / stress-test (push) Has been cancelled
Details
feat: add secure PostgreSQL user password generation and loading 
- Generate secure random passwords for all PostgreSQL database users
- Store passwords in /etc/aitbc/credentials/postgres_*_password files
- Update load-keystore-secrets.sh to load PostgreSQL passwords into runtime .env
- Set passwords for both new and existing users with ALTER USER
- Fixes PostgreSQL authentication failures in services
- Ensures secure password management for database access
2026-05-26 10:34:16 +02:00

46 lines
1.4 KiB
Bash
Executable File
Raw Blame History

#!/bin/bash
# Load AITBC secrets from credentials directory
# This script is called by systemd services before main process starts
set -e
CREDENTIALS_DIR="/etc/aitbc/credentials"
RUN_DIR="/run/aitbc/secrets"
# Create runtime directory (tmpfs, cleared on reboot)
mkdir -p "$RUN_DIR"
chmod 700 "$RUN_DIR"
# Create .env file from credentials
ENV_FILE="$RUN_DIR/.env"
if [ -f "$CREDENTIALS_DIR/api_hash_secret" ]; then
echo "API_KEY_HASH_SECRET=$(cat $CREDENTIALS_DIR/api_hash_secret)" >> "$ENV_FILE"
fi
if [ -f "$CREDENTIALS_DIR/proposer_id" ]; then
echo "proposer_id=$(cat $CREDENTIALS_DIR/proposer_id)" >> "$ENV_FILE"
fi
if [ -f "$CREDENTIALS_DIR/keystore_password" ]; then
echo "KEYSTORE_PASSWORD=$(cat $CREDENTIALS_DIR/keystore_password)" >> "$ENV_FILE"
fi
# Load PostgreSQL database passwords
for db_user in aitbc_user aitbc_marketplace aitbc_governance aitbc_trading aitbc_gpu aitbc_ai aitbc_mempool; do
if [ -f "$CREDENTIALS_DIR/postgres_${db_user}_password" ]; then
db_password=$(cat "$CREDENTIALS_DIR/postgres_${db_user}_password")
echo "POSTGRES_${db_user^^}_PASSWORD=$db_password" >> "$ENV_FILE"
fi
done
# Add non-sensitive config from main .env
if [ -f "/etc/aitbc/.env" ]; then
# Skip lines that are comments or contain migrated secrets
grep -v '^#' /etc/aitbc/.env | grep -v 'API_KEY_HASH_SECRET' | grep -v 'proposer_id' >> "$ENV_FILE" || true
fi
chmod 600 "$ENV_FILE"
echo "Secrets loaded to $ENV_FILE"
Reference in New Issue View Git Blame Copy Permalink