146 lines
5.6 KiB
Bash
146 lines
5.6 KiB
Bash
#!/bin/bash
|
|
|
|
# ACC Server Manager - Secret Generation Script (Unix/Linux)
|
|
# This script generates cryptographically secure secrets for the ACC Server Manager
|
|
|
|
echo -e "\033[32mACC Server Manager - Secret Generation Script\033[0m"
|
|
echo -e "\033[32m=============================================\033[0m"
|
|
echo ""
|
|
|
|
# Check if openssl is available
|
|
if ! command -v openssl &> /dev/null; then
|
|
echo -e "\033[31mError: openssl is required but not installed.\033[0m"
|
|
echo "Please install openssl and try again."
|
|
echo ""
|
|
echo "Ubuntu/Debian: sudo apt-get install openssl"
|
|
echo "CentOS/RHEL: sudo yum install openssl"
|
|
echo "macOS: brew install openssl"
|
|
exit 1
|
|
fi
|
|
|
|
# Generate secrets using openssl
|
|
echo -e "\033[33mGenerating cryptographically secure secrets...\033[0m"
|
|
echo ""
|
|
|
|
JWT_SECRET=$(openssl rand -base64 64)
|
|
APP_SECRET=$(openssl rand -hex 32)
|
|
APP_SECRET_CODE=$(openssl rand -hex 32)
|
|
ENCRYPTION_KEY=$(openssl rand -hex 16)
|
|
|
|
# Display generated secrets
|
|
echo -e "\033[36mGenerated Secrets:\033[0m"
|
|
echo -e "\033[36m==================\033[0m"
|
|
echo ""
|
|
echo -e "\033[37mJWT_SECRET=\033[0m\033[33m$JWT_SECRET\033[0m"
|
|
echo ""
|
|
echo -e "\033[37mAPP_SECRET=\033[0m\033[33m$APP_SECRET\033[0m"
|
|
echo ""
|
|
echo -e "\033[37mAPP_SECRET_CODE=\033[0m\033[33m$APP_SECRET_CODE\033[0m"
|
|
echo ""
|
|
echo -e "\033[37mENCRYPTION_KEY=\033[0m\033[33m$ENCRYPTION_KEY\033[0m"
|
|
echo ""
|
|
|
|
# Check if .env file exists
|
|
ENV_FILE=".env"
|
|
if [ -f "$ENV_FILE" ]; then
|
|
echo -e "\033[31mWarning: .env file already exists!\033[0m"
|
|
read -p "Do you want to update it with new secrets? (y/N): " overwrite
|
|
if [[ $overwrite =~ ^[Yy]$ ]]; then
|
|
UPDATE_FILE=true
|
|
else
|
|
UPDATE_FILE=false
|
|
echo -e "\033[33mSecrets generated but not written to file.\033[0m"
|
|
fi
|
|
else
|
|
read -p "Create .env file with these secrets? (Y/n): " create_file
|
|
if [[ $create_file =~ ^[Nn]$ ]]; then
|
|
UPDATE_FILE=false
|
|
echo -e "\033[33mSecrets generated but not written to file.\033[0m"
|
|
else
|
|
UPDATE_FILE=true
|
|
fi
|
|
fi
|
|
|
|
if [ "$UPDATE_FILE" = true ]; then
|
|
if [ -f "$ENV_FILE" ]; then
|
|
# Backup existing file
|
|
BACKUP_FILE=".env.backup.$(date +%Y%m%d-%H%M%S)"
|
|
cp "$ENV_FILE" "$BACKUP_FILE"
|
|
echo -e "\033[32mBacked up existing .env to $BACKUP_FILE\033[0m"
|
|
|
|
# Update existing file
|
|
if command -v sed &> /dev/null; then
|
|
# Use sed to update secrets in place
|
|
sed -i.tmp "s/^JWT_SECRET=.*/JWT_SECRET=$JWT_SECRET/" "$ENV_FILE"
|
|
sed -i.tmp "s/^APP_SECRET=.*/APP_SECRET=$APP_SECRET/" "$ENV_FILE"
|
|
sed -i.tmp "s/^APP_SECRET_CODE=.*/APP_SECRET_CODE=$APP_SECRET_CODE/" "$ENV_FILE"
|
|
sed -i.tmp "s/^ENCRYPTION_KEY=.*/ENCRYPTION_KEY=$ENCRYPTION_KEY/" "$ENV_FILE"
|
|
rm -f "$ENV_FILE.tmp"
|
|
echo -e "\033[32mUpdated .env file with new secrets\033[0m"
|
|
else
|
|
echo -e "\033[31mError: sed command not found. Please update the .env file manually.\033[0m"
|
|
fi
|
|
else
|
|
# Create new .env file
|
|
if [ -f ".env.example" ]; then
|
|
# Create from template
|
|
cp ".env.example" "$ENV_FILE"
|
|
if command -v sed &> /dev/null; then
|
|
sed -i.tmp "s/^JWT_SECRET=.*/JWT_SECRET=$JWT_SECRET/" "$ENV_FILE"
|
|
sed -i.tmp "s/^APP_SECRET=.*/APP_SECRET=$APP_SECRET/" "$ENV_FILE"
|
|
sed -i.tmp "s/^APP_SECRET_CODE=.*/APP_SECRET_CODE=$APP_SECRET_CODE/" "$ENV_FILE"
|
|
sed -i.tmp "s/^ENCRYPTION_KEY=.*/ENCRYPTION_KEY=$ENCRYPTION_KEY/" "$ENV_FILE"
|
|
rm -f "$ENV_FILE.tmp"
|
|
echo -e "\033[32mCreated .env file from template with generated secrets\033[0m"
|
|
else
|
|
echo -e "\033[31mError: sed command not found. Please update the .env file manually.\033[0m"
|
|
fi
|
|
else
|
|
# Create minimal .env file
|
|
cat > "$ENV_FILE" << EOF
|
|
# ACC Server Manager Environment Configuration
|
|
# Generated on $(date '+%Y-%m-%d %H:%M:%S')
|
|
|
|
# CRITICAL SECURITY SETTINGS (REQUIRED)
|
|
JWT_SECRET=$JWT_SECRET
|
|
APP_SECRET=$APP_SECRET
|
|
APP_SECRET_CODE=$APP_SECRET_CODE
|
|
ENCRYPTION_KEY=$ENCRYPTION_KEY
|
|
|
|
# CORE APPLICATION SETTINGS
|
|
DB_NAME=acc.db
|
|
PORT=3000
|
|
CORS_ALLOWED_ORIGIN=http://localhost:5173
|
|
PASSWORD=change-this-default-admin-password
|
|
EOF
|
|
echo -e "\033[32mCreated minimal .env file with generated secrets\033[0m"
|
|
fi
|
|
fi
|
|
fi
|
|
|
|
echo ""
|
|
echo -e "\033[31mSecurity Notes:\033[0m"
|
|
echo -e "\033[31m===============\033[0m"
|
|
echo -e "\033[33m1. Keep these secrets secure and never commit them to version control\033[0m"
|
|
echo -e "\033[33m2. Use different secrets for each environment (dev, staging, production)\033[0m"
|
|
echo -e "\033[33m3. Rotate secrets regularly in production environments\033[0m"
|
|
echo -e "\033[33m4. The ENCRYPTION_KEY is exactly 32 bytes as required for AES-256\033[0m"
|
|
echo -e "\033[33m5. Change the default PASSWORD immediately after first login\033[0m"
|
|
echo ""
|
|
|
|
# Verify encryption key length (32 characters = 32 bytes when converted to []byte in Go)
|
|
if [ ${#ENCRYPTION_KEY} -eq 32 ]; then
|
|
echo -e "\033[32m✓ Encryption key length verified (32 characters = 32 bytes for AES-256)\033[0m"
|
|
else
|
|
echo -e "\033[31m✗ Warning: Encryption key length is incorrect!\033[0m"
|
|
fi
|
|
|
|
echo ""
|
|
echo -e "\033[36mNext steps:\033[0m"
|
|
echo -e "\033[37m1. Review and customize the .env file if needed\033[0m"
|
|
echo -e "\033[37m2. Install Go 1.23.0 or later if not already installed\033[0m"
|
|
echo -e "\033[37m3. Build and run the application: go run cmd/api/main.go\033[0m"
|
|
echo -e "\033[37m4. Change the default admin password on first login\033[0m"
|
|
echo ""
|
|
echo -e "\033[32mHappy racing! 🏁\033[0m"
|