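#!/bin/bash
# Generate and upload Forgejo secrets to Google Secret Manager.
# Run once per project before the first `terraform apply`.
# Idempotent: skips secrets that already exist.
#
# Usage: ./<this script> [SECRET_NAME...]
#   With no arguments the two Forgejo secrets listed in DEFAULT_SECRETS are
#   created. Requires `gcloud` (authenticated, active project set) and `openssl`.
set -euo pipefail

# Secret names created when the script is run without arguments.
readonly DEFAULT_SECRETS=(forgejo-secret-key forgejo-internal-token)

# Print an error to stderr and exit non-zero.
die() {
  printf 'ERROR: %s\n' "$*" >&2
  exit 1
}

# Create secret $1 with a fresh random value unless it already exists.
# Prints a one-line status to stdout. Under `pipefail`, a failure of openssl or
# gcloud in the create pipeline aborts the script (set -e).
ensure_secret() {
  local name=$1
  if gcloud secrets describe "$name" >/dev/null 2>&1; then
    printf '%s already exists, skipping\n' "$name"
    return 0
  fi
  # 32 random bytes, hex-encoded (64 chars). Secret Manager stores the
  # --data-file bytes verbatim, so strip openssl's trailing newline: otherwise
  # the stored version is token+"\n", which consumers may inject unchanged.
  openssl rand -hex 32 \
    | tr -d '\n' \
    | gcloud secrets create "$name" --replication-policy=automatic --data-file=-
  printf 'Created %s\n' "$name"
}

main() {
  local tool
  for tool in gcloud openssl; do
    command -v "$tool" >/dev/null 2>&1 || die "'$tool' not found in PATH"
  done

  # gcloud prints nothing on stdout when no project is configured.
  if [[ -z "$(gcloud config get-value project 2>/dev/null)" ]]; then
    die "no active gcloud project. Run 'gcloud config set project YOUR_PROJECT' first."
  fi

  local -a secrets=("${DEFAULT_SECRETS[@]}")
  if (( $# > 0 )); then
    secrets=("$@")
  fi

  local name
  for name in "${secrets[@]}"; do
    ensure_secret "$name"
  done

  echo
  echo "Tip: also save these values in your password manager for cross-project recovery."
  for name in "${secrets[@]}"; do
    printf ' gcloud secrets versions access latest --secret=%s\n' "$name"
  done
}

main "$@"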