From 53bba76612de38e9f796e35c70756a41ed672f7e Mon Sep 17 00:00:00 2001 From: MaksTinyWorkshop Date: Thu, 26 Mar 2026 16:22:27 +0100 Subject: [PATCH] =?UTF-8?q?feat(scripts):=20int=C3=A9grer=20Auto=5Fscripts?= =?UTF-8?q?=20dans=20le=20repo=20pour=20d=C3=A9ploiement=20multi-machine?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- scripts/aliases.sh | 4 +- scripts/env_paths.sh | 16 +++++ scripts/load-global-secrets.sh | 89 ++++++++++++++++++++++++++ scripts/sync-service-secrets.sh | 110 ++++++++++++++++++++++++++++++++ 4 files changed, 217 insertions(+), 2 deletions(-) create mode 100755 scripts/env_paths.sh create mode 100755 scripts/load-global-secrets.sh create mode 100755 scripts/sync-service-secrets.sh diff --git a/scripts/aliases.sh b/scripts/aliases.sh index 28e4ba2..dc45697 100755 --- a/scripts/aliases.sh +++ b/scripts/aliases.sh @@ -30,7 +30,7 @@ alias bmad-init='"$LEADTECH/scripts/bmad-init-project.sh"' alias projects='cd /Volumes/TeraSSD/Projets_Dev 2>/dev/null || cd /srv/projects' # Load global secrets (KeePass → env) -alias loadg='source ~/AI_RULES/Auto_scripts/load-global-secrets.sh || source /srv/shared/scripts/load-global-secrets.sh' +alias loadg='source "$LEADTECH/scripts/load-global-secrets.sh"' # Sync service secrets (KeePass → service.env) -alias sync-service='source ~/AI_RULES/Auto_scripts/sync-service-secrets.sh || source /srv/shared/scripts/sync-service-secrets.sh' +alias sync-service='source "$LEADTECH/scripts/sync-service-secrets.sh"' diff --git a/scripts/env_paths.sh b/scripts/env_paths.sh new file mode 100755 index 0000000..37afa6f --- /dev/null +++ b/scripts/env_paths.sh 
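Review bot: The new `loadg` and `sync-service` aliases expand `$LEADTECH` with no guard, so in a shell where it is unset they run `source "/scripts/load-global-secrets.sh"` and fail with a misleading "No such file" instead of naming the missing variable, and the `|| source /srv/shared/scripts/...` fallback the old aliases had is dropped at the same time. The `bmad-init` alias in the hunk context has the same shape, so this follows an existing convention, but these two aliases are the first thing run on a freshly provisioned machine. A `:?` expansion gives a clear failure: `alias loadg='source "${LEADTECH:?LEADTECH non défini}/scripts/load-global-secrets.sh"'` and the same for `sync-service`.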
@@ -0,0 +1,16 @@
+#!/usr/bin/env bash
+
+case "$(uname -s)" in
+ Darwin)
+ export SECRETS_KDBX="/Volumes/TeraSSD/Max_Perso/Pièces Importantes/MDPs/env_and_co.kdbx"
+ export AUTO_SCRIPTS_DIR="$HOME/AI_RULES/Auto_scripts"
+ ;;
+ Linux)
+ export SECRETS_KDBX="/srv/shared/env/env_and_co.kdbx"
+ export AUTO_SCRIPTS_DIR="/srv/shared/scripts"
+ ;;
+ *)
+ echo "OS non supporté" >&2
+ return 1
+ ;;
+esac
diff --git a/scripts/load-global-secrets.sh b/scripts/load-global-secrets.sh
new file mode 100755
index 0000000..96f4503
--- /dev/null
+++ b/scripts/load-global-secrets.sh
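Review bot: The `return 1` in the `*)` arm only behaves as intended when this file is sourced; run directly (it carries a shebang and mode 100755) bash reports that `return` is only valid in a function or sourced script and the unsupported-OS branch does not abort cleanly. A header comment would make the contract explicit, e.g. `# Meant to be sourced, not executed: sets SECRETS_KDBX and AUTO_SCRIPTS_DIR for the current OS`. Note also that `AUTO_SCRIPTS_DIR` is exported here but neither load-global-secrets.sh nor sync-service-secrets.sh in this commit reads it; both hard-code the same two legacy paths instead, so either the variable is dead or the callers should consume it.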
@@ -0,0 +1,89 @@
+#!/usr/bin/env bash
+
+_load_global_secrets() {
+ local _env_paths
+ if [ -f "$HOME/AI_RULES/Auto_scripts/env_paths.sh" ]; then
+ _env_paths="$HOME/AI_RULES/Auto_scripts/env_paths.sh"
+ elif [ -f "/srv/shared/scripts/env_paths.sh" ]; then
+ _env_paths="/srv/shared/scripts/env_paths.sh"
+ else
+ echo "env_paths.sh introuvable" >&2
+ return 1
+ fi
+ source "$_env_paths" || return 1
+
+ if [ ! -f "$SECRETS_KDBX" ]; then
+ echo "Coffre introuvable : $SECRETS_KDBX" >&2
+ return 1
+ fi
+
+ if ! command -v keepassxc-cli >/dev/null 2>&1; then
+ echo "keepassxc-cli introuvable" >&2
+ return 1
+ fi
+
+ if ! command -v expect >/dev/null 2>&1; then
+ echo "expect introuvable" >&2
+ return 1
+ fi
+
+ if [ -z "${KDBX_PASSWORD:-}" ]; then
+ printf "Mot de passe KeePassXC : " >&2
+ stty -echo
+ IFS= read -r KDBX_PASSWORD
+ stty echo
+ printf '\n' >&2
+ fi
+
+ echo "Chargement des secrets globaux..." >&2
+
+ # Export CSV complet — une seule ouverture du coffre
+ local csv
+ csv=$(KDBX_PASSWORD="$KDBX_PASSWORD" SECRETS_KDBX="$SECRETS_KDBX" expect <<'EOF'
+ log_user 0
+ set timeout 30
+ spawn keepassxc-cli export --format csv $env(SECRETS_KDBX)
+ expect "Saisir le mot de passe pour déverrouiller*"
+ send -- "$env(KDBX_PASSWORD)\r"
+ expect eof
+ catch wait result
+ puts -nonewline $expect_out(buffer)
+ exit [lindex $result 3]
+EOF
+ ) || {
+ echo "Impossible d'exporter le coffre." >&2
+ return 1
+ }
+
+ local loaded=0
+
+ while IFS=',' read -r group title username password rest; do
+ group="${group//\"/}"
+ title="${title//\"/}"
+ password="${password//\"/}"
+
+ [[ "$group" != "Racine/global" && "$group" != "Racine/global/"* ]] && continue
+
+ local var_name="$title"
+ if ! printf '%s' "$var_name" | grep -Eq '^[A-Z_][A-Z0-9_]*$'; then
+ echo "Nom invalide ignoré : $var_name" >&2
+ continue
+ fi
+
+ [ -z "$password" ] && { echo "Valeur vide ignorée : $var_name" >&2; continue; }
+
+ export "$var_name=$password"
+ loaded=$((loaded + 1))
+
+ done <<< "$csv"
+
+ if [ "$loaded" -eq 0 ]; then
+ echo "Aucun secret global chargé." >&2
+ return 1
+ fi
+
+ echo "Secrets chargés : $loaded"
+}
+
+_load_global_secrets
+unset -f _load_global_secrets
diff --git a/scripts/sync-service-secrets.sh b/scripts/sync-service-secrets.sh
new file mode 100755
index 0000000..7319f85
--- /dev/null
+++ b/scripts/sync-service-secrets.sh
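Review bot: The `env_paths.sh` lookup at the top of `_load_global_secrets` still probes only `$HOME/AI_RULES/Auto_scripts` and `/srv/shared/scripts`, the two legacy locations this commit is moving away from, and never looks beside the script itself, so a machine that has only the repo checkout (`$LEADTECH/scripts`, as the new aliases assume) fails with `env_paths.sh introuvable`; `_sync_service_secrets` carries the identical block. Because the file is sourced, `$0` is the interactive shell, but `${BASH_SOURCE[0]}` still names this file, so `local here; here="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)" || return 1` followed by `source "$here/env_paths.sh" || return 1` can replace the whole if/elif chain. In the password prompt, `stty -echo` is not restored if the `read` is interrupted; bash's `IFS= read -rs KDBX_PASSWORD` disables echo itself and restores the terminal, and since the script is sourced, `KDBX_PASSWORD` stays set as a plain variable in the caller's session after the function returns even though the function is `unset -f`, so an `unset KDBX_PASSWORD` before returning is worth considering unless callers deliberately pre-seed it. The `IFS=','` split and `${password//\"/}` also treat the export as unquoted CSV: a password containing a comma is truncated at the comma and one containing `"` loses it silently, and the name gate `^[A-Z_][A-Z0-9_]*$` still lets a vault entry titled `PATH` or `IFS` overwrite the shell's own variable.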
@@ -0,0 +1,110 @@
+#!/usr/bin/env bash
+
+_sync_service_secrets() {
+ local _env_paths
+ if [ -f "$HOME/AI_RULES/Auto_scripts/env_paths.sh" ]; then
+ _env_paths="$HOME/AI_RULES/Auto_scripts/env_paths.sh"
+ elif [ -f "/srv/shared/scripts/env_paths.sh" ]; then
+ _env_paths="/srv/shared/scripts/env_paths.sh"
+ else
+ echo "env_paths.sh introuvable" >&2
+ return 1
+ fi
+ source "$_env_paths" || return 1
+
+ if [ ! -f "$SECRETS_KDBX" ]; then
+ echo "Coffre introuvable : $SECRETS_KDBX" >&2
+ return 1
+ fi
+
+ if ! command -v keepassxc-cli >/dev/null 2>&1; then
+ echo "keepassxc-cli introuvable" >&2
+ return 1
+ fi
+
+ if ! command -v expect >/dev/null 2>&1; then
+ echo "expect introuvable" >&2
+ return 1
+ fi
+
+ local target_file
+ case "$(uname -s)" in
+ Darwin) target_file="$HOME/.config/auto-secrets/service.env" ;;
+ Linux) target_file="/srv/shared/env/service.env" ;;
+ *) echo "OS non supporté" >&2; return 1 ;;
+ esac
+
+ mkdir -p "$(dirname "$target_file")"
+ touch "$target_file"
+ chmod 600 "$target_file"
+
+ if [ -z "${KDBX_PASSWORD:-}" ]; then
+ printf "Mot de passe KeePassXC : " >&2
+ stty -echo
+ IFS= read -r KDBX_PASSWORD
+ stty echo
+ printf '\n' >&2
+ fi
+
+ echo "Sync des secrets de service..." >&2
+
+ # Export CSV complet — une seule ouverture du coffre
+ local csv
+ csv=$(KDBX_PASSWORD="$KDBX_PASSWORD" SECRETS_KDBX="$SECRETS_KDBX" expect <<'EOF'
+ log_user 0
+ set timeout 30
+ spawn keepassxc-cli export --format csv $env(SECRETS_KDBX)
+ expect "Saisir le mot de passe pour déverrouiller*"
+ send -- "$env(KDBX_PASSWORD)\r"
+ expect eof
+ catch wait result
+ puts -nonewline $expect_out(buffer)
+ exit [lindex $result 3]
+EOF
+ ) || {
+ echo "Impossible d'exporter le coffre." >&2
+ return 1
+ }
+
+ # Parse CSV : colonnes "Group","Title","Username","Password",...
+ # On garde les entrées dont le Group commence par "services/"
+ # ou dont le Group est exactement "services" (selon la structure KeePass)
+ local rendered_lines=""
+ local loaded=0
+
+ while IFS=',' read -r group title username password rest; do
+ # Retirer les guillemets CSV
+ group="${group//\"/}"
+ title="${title//\"/}"
+ password="${password//\"/}"
+
+ # Filtrer le groupe services
+ [[ "$group" != "Racine/services" && "$group" != "Racine/services/"* ]] && continue
+
+ # Le nom de variable = titre de l'entrée
+ local var_name="$title"
+ if ! printf '%s' "$var_name" | grep -Eq '^[A-Z_][A-Z0-9_]*$'; then
+ echo "Nom invalide ignoré : $var_name" >&2
+ continue
+ fi
+
+ [ -z "$password" ] && { echo "Valeur vide ignorée : $var_name" >&2; continue; }
+
+ rendered_lines+="$var_name=$password"$'\n'
+ loaded=$((loaded + 1))
+ done <<< "$csv"
+
+ if [ "$loaded" -eq 0 ]; then
+ echo "Aucun secret de service chargé." >&2
+ return 1
+ fi
+
+ printf '%s' "$rendered_lines" > "$target_file"
+ chmod 600 "$target_file"
+
+ echo "Secrets de service écrits dans : $target_file"
+ echo "Secrets de service chargés : $loaded"
+}
+
+_sync_service_secrets
+unset -f _sync_service_secrets
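Review bot: `touch "$target_file"` followed by `chmod 600` creates the file under the caller's umask first and tightens it afterwards, and the later `printf '%s' "$rendered_lines" > "$target_file"` truncates and rewrites the live file in place, so a failure part-way leaves an empty or half-written `service.env` that a consumer may still read. Writing to a temporary file in the same directory (`tmp=$(mktemp "$(dirname "$target_file")/.service.env.XXXXXX")` created under a restrictive umask, e.g. in a `( umask 077; ... )` subshell since this file is sourced into the user's shell), then `chmod 600 "$tmp" && mv -f "$tmp" "$target_file"`, closes both windows. The rendered `VAR=value` lines are written unquoted; whether that round-trips depends on the consumer (`docker --env-file` takes the value literally, a `source`-style reader would re-parse spaces, `#` and `$`), which is worth stating in the comment block above the loop. The env_paths.sh lookup, password prompt and CSV handling duplicate `_load_global_secrets` line for line, so the points raised on that hunk apply here as well, and a shared helper (for example an export function sourced from env_paths.sh) would keep the two scripts from drifting apart.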