fix: deploy locking, safe eval replacement, first-boot error handling, script hardening
- S4: Add Bitcoin readiness gate and container tracking with final summary
- S5: Replace eval "$DB_PASSWORDS" with safe case-based variable parsing
- S6: Add deploy locking with stale lock detection (30min timeout)
- S7: Deploy rollback already implemented — verified existing mechanism
- S8: Switch trust-archipelago-cert.sh to SSH key auth, sshpass as fallback
- S9: Pipe MariaDB SQL via stdin to avoid password in ps output
- S17: Add disk space pre-flight check (abort if >85% full)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@@ -18,13 +18,20 @@ SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
|
||||
PROJECT_DIR="$(dirname "$SCRIPT_DIR")"
|
||||
|
||||
# Try to fetch cert from server via SSH (most reliable)
|
||||
if [ -f "$SCRIPT_DIR/deploy-config.sh" ]; then
|
||||
SSH_KEY="${ARCHIPELAGO_SSH_KEY:-$HOME/.ssh/archipelago-deploy}"
|
||||
echo "Fetching certificate from server..."
|
||||
if [ -f "$SSH_KEY" ]; then
|
||||
ssh -o StrictHostKeyChecking=no -i "$SSH_KEY" archipelago@${HOST} \
|
||||
'sudo -n cat /etc/archipelago/ssl/archipelago.crt' > "$CERT_FILE" 2>/dev/null || true
|
||||
elif [ -f "$SCRIPT_DIR/deploy-config.sh" ]; then
|
||||
# Last-resort fallback: password auth (leaks credentials to process list)
|
||||
. "$SCRIPT_DIR/deploy-config.sh"
|
||||
SSH_OPTS="-o StrictHostKeyChecking=no -o PreferredAuthentications=password -o PubkeyAuthentication=no"
|
||||
echo "WARNING: SSH key not found at $SSH_KEY — falling back to password auth"
|
||||
if command -v sshpass >/dev/null 2>&1; then
|
||||
echo "Fetching certificate from server..."
|
||||
sshpass -p "$ARCHIPELAGO_PASSWORD" ssh $SSH_OPTS archipelago@${HOST} \
|
||||
sshpass -p "$ARCHIPELAGO_PASSWORD" ssh -o StrictHostKeyChecking=no archipelago@${HOST} \
|
||||
'sudo -n cat /etc/archipelago/ssl/archipelago.crt' > "$CERT_FILE" 2>/dev/null || true
|
||||
else
|
||||
echo "WARNING: No SSH key and sshpass not installed — skipping SSH fetch"
|
||||
fi
|
||||
fi
|
||||
|
||||
|
||||
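Review bot: The new key-auth path keeps `-o StrictHostKeyChecking=no` on the `ssh` call that fetches `archipelago.crt`, so the certificate this script is about to trust is pulled over a channel whose server identity is never checked, and the same applies to the `$SSH_OPTS` string used on the sshpass fallback; since the host is a fixed deploy target, `StrictHostKeyChecking=accept-new` (first-use pinning) or a pinned `UserKnownHostsFile` is the minimum, and `"archipelago@${HOST}"` should be quoted. Separately, `> "$CERT_FILE" 2>/dev/null || true` truncates the destination before ssh runs, so a failed or partial fetch leaves an empty or truncated file that later steps presumably go on to install — write to a temp path and move it only on success, e.g. `ssh -o StrictHostKeyChecking=accept-new -i "$SSH_KEY" "archipelago@${HOST}" 'sudo -n cat /etc/archipelago/ssl/archipelago.crt' > "${CERT_FILE}.tmp" 2>/dev/null && mv -f -- "${CERT_FILE}.tmp" "$CERT_FILE" || rm -f -- "${CERT_FILE}.tmp"`. Passing `$SSH_OPTS` unquoted relies on word-splitting; a bash array (`ssh_opts=(-o ... )`, `"${ssh_opts[@]}"`) is the idiomatic form. The surrounding script, including whatever consumes `$CERT_FILE`, continues outside the hunk.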