21 lines
867 B
Bash
Executable file
21 lines
867 B
Bash
Executable file
#!/usr/bin/env bash
|
|
# Standalone secure launch: decrypt the SOPS secrets in-memory and inject them
|
|
# as ENV for the server (nothing plaintext hits disk). email.ncl reads
|
|
# ${SMTP_*}/${EMAIL_FROM} from that injected env.
|
|
#
|
|
# ./run-secure.sh
|
|
#
|
|
# Secrets file + age identity are overridable:
|
|
# SECRETS=/path/to/x.sops.env SOPS_AGE_KEY_FILE=/path/to/id.kage ./run-secure.sh
|
|
set -euo pipefail
|
|
|
|
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
|
|
cd "$SCRIPT_DIR"
|
|
export HTMX_ASSETS_PATH="${HTMX_ASSETS_PATH:-$SCRIPT_DIR/htmx-assets}"
|
|
|
|
SECRETS="${SECRETS:-$SCRIPT_DIR/../../vault/ontoref-site.sops.env}"
|
|
# Default to the ontoref vault identity; in infra, SOPS_AGE_KEY_FILE points at
|
|
# the libre-wuji key (also a recipient of the blob).
|
|
export SOPS_AGE_KEY_FILE="${SOPS_AGE_KEY_FILE:-$SCRIPT_DIR/../../vault/ontoref.kage}"
|
|
|
|
exec sops exec-env "$SECRETS" ./run.sh
|