54 lines
1.3 KiB
Bash
Executable File
54 lines
1.3 KiB
Bash
Executable File
#!/bin/sh
|
|
set -e
|
|
|
|
# --- Source .env if present ---
|
|
if [ -f /app/.env ]; then
|
|
printf '[entrypoint] Loading .env\n'
|
|
set -a
|
|
. /app/.env
|
|
set +a
|
|
fi
|
|
|
|
# --- Helper: generate a random hex secret ---
|
|
generate_secret() {
|
|
if command -v openssl >/dev/null 2>&1; then
|
|
openssl rand -hex 32
|
|
else
|
|
head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n'
|
|
fi
|
|
}
|
|
|
|
SECRETS_FILE="/app/.data/.generated-secrets"
|
|
|
|
# Ensure secrets file has restrictive permissions if it exists
|
|
if [ -f "$SECRETS_FILE" ]; then
|
|
chmod 600 "$SECRETS_FILE"
|
|
fi
|
|
|
|
# Load previously generated secrets if they exist
|
|
if [ -f "$SECRETS_FILE" ]; then
|
|
printf '[entrypoint] Loading persisted secrets from .data\n'
|
|
set -a
|
|
. "$SECRETS_FILE"
|
|
set +a
|
|
fi
|
|
|
|
# --- AUTH_SECRET ---
|
|
if [ -z "$AUTH_SECRET" ] || [ "$AUTH_SECRET" = "random-secret-for-legacy-cookies" ]; then
|
|
AUTH_SECRET=$(generate_secret)
|
|
printf '[entrypoint] Generated new AUTH_SECRET\n'
|
|
printf 'AUTH_SECRET=%s\n' "$AUTH_SECRET" >> "$SECRETS_FILE"
|
|
export AUTH_SECRET
|
|
fi
|
|
|
|
# --- API_KEY ---
|
|
if [ -z "$API_KEY" ] || [ "$API_KEY" = "generate-a-random-key" ]; then
|
|
API_KEY=$(generate_secret)
|
|
printf '[entrypoint] Generated new API_KEY\n'
|
|
printf 'API_KEY=%s\n' "$API_KEY" >> "$SECRETS_FILE"
|
|
export API_KEY
|
|
fi
|
|
|
|
printf '[entrypoint] Starting server\n'
|
|
exec node server.js
|