XuqmGroup-PrivateDeploy/scripts/rotate-secrets.sh

#!/usr/bin/env bash
# Rotate secrets: generate new passwords, update secrets.env, restart services.
# This script does NOT automatically rotate external MySQL/Redis passwords.
# It only regenerates JWT and internal tokens. For MySQL/Redis, manual rotation is required.
set -euo pipefail

ROOT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
. "$ROOT_DIR/scripts/lib.sh"
load_env

ROTATE_JWT="${ROTATE_JWT:-false}"
ROTATE_INTERNAL_TOKEN="${ROTATE_INTERNAL_TOKEN:-false}"

audit "rotate-secrets" "STARTED" "jwt=$ROTATE_JWT internal_token=$ROTATE_INTERNAL_TOKEN"
progress "rotate-secrets" "STARTED" ""

ensure_secret_file

if [ "$ROTATE_JWT" = "true" ]; then
  NEW_JWT="$(random_secret)$(random_secret)"
  set_env_value "$ROOT_DIR/config/secrets.env" "XUQM_JWT_SECRET" "$NEW_JWT"
  audit "rotate-secrets" "JWT_ROTATED" "new key generated"
  printf 'JWT secret rotated. All existing tokens will be invalidated on service restart.\n'
fi

if [ "$ROTATE_INTERNAL_TOKEN" = "true" ]; then
  NEW_TOKEN="$(random_secret)"
  set_env_value "$ROOT_DIR/config/secrets.env" "SDK_INTERNAL_TOKEN" "$NEW_TOKEN"
  set_env_value "$ROOT_DIR/config/secrets.env" "LICENSE_INTERNAL_TOKEN" "$NEW_TOKEN"
  audit "rotate-secrets" "INTERNAL_TOKEN_ROTATED" ""
  printf 'Internal tokens rotated.\n'
fi

# Enforce permissions on secrets.env
chmod 600 "$ROOT_DIR/config/secrets.env"

printf '\nIMPORTANT: restart services for new secrets to take effect:\n'
printf '  docker compose --env-file .env -f docker-compose.yml -f docker-compose.infra.yml restart\n\n'
printf 'MySQL/Redis password rotation must be performed manually:\n'
printf '  1. Set new password in the database\n'
printf '  2. Update MYSQL_PASSWORD / REDIS_PASSWORD in config/secrets.env\n'
printf '  3. Restart affected services\n'

audit "rotate-secrets" "DONE" ""
progress "rotate-secrets" "DONE" ""
feat: implement complete private deployment scripts (P1-P4) - upgrade.sh/rollback.sh: backup→pull→rolling restart→healthcheck→auto-rollback - backup.sh/restore.sh: mysqldump+redis BGSAVE+config tar, SHA256 manifest, restore with checksum verification - healthcheck.sh: Docker/container/MySQL/Redis/HTTP/disk checks, JSON output to .deploy-state/ - doctor.sh: sanitized diagnostics archive, vendor API TCP connectivity, cert expiry - export-offline-bundle.sh: docker pull+save for all profile images, load-images.sh, SHA256 - configure.sh: interactive/non-interactive mode, MySQL/Redis mode selection, domain prompts - enable-service.sh: domain validation, docker pull + compose up, healthcheck - disable-service.sh: compose stop+rm, profile removal, render-config - renew-cert.sh: acme.sh/certbot, --dry-run, backup old cert, nginx reload on success - alert-webhook.sh: WeCom/DingTalk/Feishu webhook, message sanitization - bench.sh: ab/wrk/curl benchmark, JSON report with docker stats - rotate-secrets.sh: JWT and internal token rotation - vendor credential templates: push.env and store-submit.env with full credential comments - render-config.sh: auto-sync SDK URL env vars (SDK_FILE_SERVICE_URL, SDK_IM_API_URL, SDK_IM_WS_URL) - All scripts pass bash -n syntax check Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> 2026-05-18 20:49:25 +08:00			`#!/usr/bin/env bash`
			`# Rotate secrets: generate new passwords, update secrets.env, restart services.`
			`# This script does NOT automatically rotate external MySQL/Redis passwords.`
			`# It only regenerates JWT and internal tokens. For MySQL/Redis, manual rotation is required.`
			`set -euo pipefail`

			`ROOT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"`
			`. "$ROOT_DIR/scripts/lib.sh"`
			`load_env`

			`ROTATE_JWT="${ROTATE_JWT:-false}"`
			`ROTATE_INTERNAL_TOKEN="${ROTATE_INTERNAL_TOKEN:-false}"`

			`audit "rotate-secrets" "STARTED" "jwt=$ROTATE_JWT internal_token=$ROTATE_INTERNAL_TOKEN"`
			`progress "rotate-secrets" "STARTED" ""`

			`ensure_secret_file`

			`if [ "$ROTATE_JWT" = "true" ]; then`
			`NEW_JWT="$(random_secret)$(random_secret)"`
			`set_env_value "$ROOT_DIR/config/secrets.env" "XUQM_JWT_SECRET" "$NEW_JWT"`
			`audit "rotate-secrets" "JWT_ROTATED" "new key generated"`
			`printf 'JWT secret rotated. All existing tokens will be invalidated on service restart.\n'`
			`fi`

			`if [ "$ROTATE_INTERNAL_TOKEN" = "true" ]; then`
			`NEW_TOKEN="$(random_secret)"`
			`set_env_value "$ROOT_DIR/config/secrets.env" "SDK_INTERNAL_TOKEN" "$NEW_TOKEN"`
			`set_env_value "$ROOT_DIR/config/secrets.env" "LICENSE_INTERNAL_TOKEN" "$NEW_TOKEN"`
			`audit "rotate-secrets" "INTERNAL_TOKEN_ROTATED" ""`
			`printf 'Internal tokens rotated.\n'`
			`fi`

			`# Enforce permissions on secrets.env`
			`chmod 600 "$ROOT_DIR/config/secrets.env"`

			`printf '\nIMPORTANT: restart services for new secrets to take effect:\n'`
			`printf ' docker compose --env-file .env -f docker-compose.yml -f docker-compose.infra.yml restart\n\n'`
			`printf 'MySQL/Redis password rotation must be performed manually:\n'`
			`printf ' 1. Set new password in the database\n'`
			`printf ' 2. Update MYSQL_PASSWORD / REDIS_PASSWORD in config/secrets.env\n'`
			`printf ' 3. Restart affected services\n'`

			`audit "rotate-secrets" "DONE" ""`
			`progress "rotate-secrets" "DONE" ""`