ontoref-outreach/site/run-secure.sh
2026-07-17 01:06:37 +01:00

21 lines
867 B
Bash
Executable file

#!/usr/bin/env bash
# Standalone secure launch: decrypt the SOPS secrets in-memory and inject them
# as ENV for the server (nothing plaintext hits disk). email.ncl reads
# ${SMTP_*}/${EMAIL_FROM} from that injected env.
#
# ./run-secure.sh
#
# Secrets file + age identity are overridable:
# SECRETS=/path/to/x.sops.env SOPS_AGE_KEY_FILE=/path/to/id.kage ./run-secure.sh
set -euo pipefail
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
cd "$SCRIPT_DIR"
export HTMX_ASSETS_PATH="${HTMX_ASSETS_PATH:-$SCRIPT_DIR/htmx-assets}"
SECRETS="${SECRETS:-$SCRIPT_DIR/../../vault/ontoref-site.sops.env}"
# Default to the ontoref vault identity; in infra, SOPS_AGE_KEY_FILE points at
# the libre-wuji key (also a recipient of the blob).
export SOPS_AGE_KEY_FILE="${SOPS_AGE_KEY_FILE:-$SCRIPT_DIR/../../vault/ontoref.kage}"
exec sops exec-env "$SECRETS" ./run.sh