feat(scripts): intégrer Auto_scripts dans le repo pour déploiement multi-machine

2026-04-06 21:41:42 +02:00 · 2026-03-26 16:22:27 +01:00
parent 163b3835b6
commit 53bba76612
4 changed files with 217 additions and 2 deletions
--- a/scripts/load-global-secrets.sh
+++ b/scripts/load-global-secrets.sh
@@ -0,0 +1,89 @@
+#!/usr/bin/env bash
+
+_load_global_secrets() {
+  local _env_paths
+  if [ -f "$HOME/AI_RULES/Auto_scripts/env_paths.sh" ]; then
+    _env_paths="$HOME/AI_RULES/Auto_scripts/env_paths.sh"
+  elif [ -f "/srv/shared/scripts/env_paths.sh" ]; then
+    _env_paths="/srv/shared/scripts/env_paths.sh"
+  else
+    echo "env_paths.sh introuvable" >&2
+    return 1
+  fi
+  source "$_env_paths" || return 1
+
+  if [ ! -f "$SECRETS_KDBX" ]; then
+    echo "Coffre introuvable : $SECRETS_KDBX" >&2
+    return 1
+  fi
+
+  if ! command -v keepassxc-cli >/dev/null 2>&1; then
+    echo "keepassxc-cli introuvable" >&2
+    return 1
+  fi
+
+  if ! command -v expect >/dev/null 2>&1; then
+    echo "expect introuvable" >&2
+    return 1
+  fi
+
+  if [ -z "${KDBX_PASSWORD:-}" ]; then
+    printf "Mot de passe KeePassXC : " >&2
+    stty -echo
+    IFS= read -r KDBX_PASSWORD
+    stty echo
+    printf '\n' >&2
+  fi
+
+  echo "Chargement des secrets globaux..." >&2
+
+  # Export CSV complet — une seule ouverture du coffre
+  local csv
+  csv=$(KDBX_PASSWORD="$KDBX_PASSWORD" SECRETS_KDBX="$SECRETS_KDBX" expect <<'EOF'
+    log_user 0
+    set timeout 30
+    spawn keepassxc-cli export --format csv $env(SECRETS_KDBX)
+    expect "Saisir le mot de passe pour déverrouiller*"
+    send -- "$env(KDBX_PASSWORD)\r"
+    expect eof
+    catch wait result
+    puts -nonewline $expect_out(buffer)
+    exit [lindex $result 3]
+EOF
+  ) || {
+    echo "Impossible d'exporter le coffre." >&2
+    return 1
+  }
+
+  local loaded=0
+
+  while IFS=',' read -r group title username password rest; do
+    group="${group//\"/}"
+    title="${title//\"/}"
+    password="${password//\"/}"
+
+    [[ "$group" != "Racine/global" && "$group" != "Racine/global/"* ]] && continue
+
+    local var_name="$title"
+    if ! printf '%s' "$var_name" | grep -Eq '^[A-Z_][A-Z0-9_]*$'; then
+      echo "Nom invalide ignoré : $var_name" >&2
+      continue
+    fi
+
+    [ -z "$password" ] && { echo "Valeur vide ignorée : $var_name" >&2; continue; }
+
+    export "$var_name=$password"
+    loaded=$((loaded + 1))
+
+  done <<< "$csv"
+
+  if [ "$loaded" -eq 0 ]; then
+    echo "Aucun secret global chargé." >&2
+    return 1
+  fi
+
+  echo "Secrets chargés : $loaded"
+}
+
+_load_global_secrets
+unset -f _load_global_secrets