- upgrade.sh/rollback.sh: backup→pull→rolling restart→healthcheck→auto-rollback - backup.sh/restore.sh: mysqldump+redis BGSAVE+config tar, SHA256 manifest, restore with checksum verification - healthcheck.sh: Docker/container/MySQL/Redis/HTTP/disk checks, JSON output to .deploy-state/ - doctor.sh: sanitized diagnostics archive, vendor API TCP connectivity, cert expiry - export-offline-bundle.sh: docker pull+save for all profile images, load-images.sh, SHA256 - configure.sh: interactive/non-interactive mode, MySQL/Redis mode selection, domain prompts - enable-service.sh: domain validation, docker pull + compose up, healthcheck - disable-service.sh: compose stop+rm, profile removal, render-config - renew-cert.sh: acme.sh/certbot, --dry-run, backup old cert, nginx reload on success - alert-webhook.sh: WeCom/DingTalk/Feishu webhook, message sanitization - bench.sh: ab/wrk/curl benchmark, JSON report with docker stats - rotate-secrets.sh: JWT and internal token rotation - vendor credential templates: push.env and store-submit.env with full credential comments - render-config.sh: auto-sync SDK URL env vars (SDK_FILE_SERVICE_URL, SDK_IM_API_URL, SDK_IM_WS_URL) - All scripts pass bash -n syntax check Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
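#!/usr/bin/env bash
# Rotate secrets: generate new passwords, update secrets.env, restart services.
#
# This script does NOT automatically rotate external MySQL/Redis passwords.
# It only regenerates JWT and internal tokens. For MySQL/Redis, manual rotation is required.
#
# Environment:
#   ROTATE_JWT             "true" to regenerate XUQM_JWT_SECRET            (default: false)
#   ROTATE_INTERNAL_TOKEN  "true" to regenerate SDK_INTERNAL_TOKEN and
#                          LICENSE_INTERNAL_TOKEN with one shared value   (default: false)
#
# Helpers used here (load_env, audit, progress, ensure_secret_file,
# random_secret, set_env_value) are provided by scripts/lib.sh.
set -euo pipefail

# Nothing this script creates (secrets.env itself, or any temporary file the
# lib.sh helpers may write next to it) should ever be readable by other users,
# not even for the moment between creation and the final chmod below.
umask 077

ROOT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
. "$ROOT_DIR/scripts/lib.sh"
load_env

SECRETS_ENV_FILE="$ROOT_DIR/config/secrets.env"
ROTATE_JWT="${ROTATE_JWT:-false}"
ROTATE_INTERNAL_TOKEN="${ROTATE_INTERNAL_TOKEN:-false}"

#######################################
# Abort the run with a message on stderr.
# Arguments: $* - message
# Returns:   never; exits 1
#######################################
fail() {
  printf 'rotate-secrets: %s\n' "$*" >&2
  exit 1
}

#######################################
# Generate a new JWT signing secret and store it in secrets.env.
# Globals:   SECRETS_ENV_FILE (read)
# Outputs:   one status line on stdout
# Returns:   0 on success; exits via fail() if no secret could be generated
#######################################
rotate_jwt() {
  local new_jwt
  # Two random_secret values concatenated: the JWT key is kept twice as long
  # as the internal tokens (same construction as before).
  new_jwt="$(random_secret)$(random_secret)"
  # Never persist an empty key if random_secret produced no output.
  [[ -n "$new_jwt" ]] || fail "random_secret returned an empty value; JWT secret not changed"
  set_env_value "$SECRETS_ENV_FILE" "XUQM_JWT_SECRET" "$new_jwt"
  audit "rotate-secrets" "JWT_ROTATED" "new key generated"
  printf 'JWT secret rotated. All existing tokens will be invalidated on service restart.\n'
}

#######################################
# Generate one new internal token and store it under both internal-token keys.
# Globals:   SECRETS_ENV_FILE (read)
# Outputs:   one status line on stdout
# Returns:   0 on success; exits via fail() if no token could be generated
#######################################
rotate_internal_token() {
  local new_token
  new_token="$(random_secret)"
  [[ -n "$new_token" ]] || fail "random_secret returned an empty value; internal tokens not changed"
  # Both keys receive the same value — presumably the SDK and license
  # services authenticate to each other with it; confirm before changing.
  set_env_value "$SECRETS_ENV_FILE" "SDK_INTERNAL_TOKEN" "$new_token"
  set_env_value "$SECRETS_ENV_FILE" "LICENSE_INTERNAL_TOKEN" "$new_token"
  audit "rotate-secrets" "INTERNAL_TOKEN_ROTATED" ""
  printf 'Internal tokens rotated.\n'
}

#######################################
# Print the operator follow-up steps (service restart, manual DB rotation).
# Outputs:   instructions on stdout
#######################################
print_followup() {
  printf '\nIMPORTANT: restart services for new secrets to take effect:\n'
  printf ' docker compose --env-file .env -f docker-compose.yml -f docker-compose.infra.yml restart\n\n'
  printf 'MySQL/Redis password rotation must be performed manually:\n'
  printf ' 1. Set new password in the database\n'
  printf ' 2. Update MYSQL_PASSWORD / REDIS_PASSWORD in config/secrets.env\n'
  printf ' 3. Restart affected services\n'
}

main() {
  audit "rotate-secrets" "STARTED" "jwt=$ROTATE_JWT internal_token=$ROTATE_INTERNAL_TOKEN"
  progress "rotate-secrets" "STARTED" ""

  # A run with neither flag set still tightens permissions and prints the
  # follow-up steps, but the operator should know nothing was rotated.
  if [[ "$ROTATE_JWT" != "true" && "$ROTATE_INTERNAL_TOKEN" != "true" ]]; then
    printf 'rotate-secrets: nothing selected (set ROTATE_JWT=true and/or ROTATE_INTERNAL_TOKEN=true)\n' >&2
  fi

  ensure_secret_file
  # Tighten a pre-existing secrets.env BEFORE new values are written into it,
  # so a loosely-permissioned file never holds the fresh secrets.
  chmod 600 "$SECRETS_ENV_FILE"

  if [[ "$ROTATE_JWT" == "true" ]]; then
    rotate_jwt
  fi

  if [[ "$ROTATE_INTERNAL_TOKEN" == "true" ]]; then
    rotate_internal_token
  fi

  # Enforce permissions on secrets.env (again, in case a helper replaced the file)
  chmod 600 "$SECRETS_ENV_FILE"

  print_followup

  audit "rotate-secrets" "DONE" ""
  progress "rotate-secrets" "DONE" ""
}

main "$@"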