Provision systemd auth env file during install

2026-02-24 22:57:05 -05:00
parent 45d527a8a6
commit 2fec127b1c
4 changed files with 41 additions and 0 deletions
--- a/deploy/scripts/install_server.sh
+++ b/deploy/scripts/install_server.sh
@@ -4,6 +4,7 @@ set -euo pipefail
 REPO_ROOT="${1:-/home/bestmidi/chgrid}"
 SERVER_DIR="$REPO_ROOT/server"
 PYTHON_SPEC="${PYTHON_SPEC:-3.13}"
+SYS_ENV_FILE="${CHGRID_SYSTEM_ENV_FILE:-/etc/sysconfig/chat-grid}"

 if ! command -v uv >/dev/null 2>&1; then
  echo "error: uv is required but not found in PATH" >&2
@@ -61,6 +62,21 @@ PY
  echo "created $SERVER_DIR/.env with CHGRID_AUTH_SECRET"
 fi

+# Ensure a systemd-friendly env file exists for service startup.
+if [[ -z "${CHGRID_AUTH_SECRET:-}" && -f .env ]]; then
+  set -a
+  # shellcheck disable=SC1091
+  source .env
+  set +a
+fi
+if [[ -n "${CHGRID_AUTH_SECRET:-}" ]]; then
+  sudo install -d -m 755 /etc/sysconfig
+  sudo sh -c "printf 'CHGRID_AUTH_SECRET=%s\n' \"\$1\" > \"\$2\"" _ "$CHGRID_AUTH_SECRET" "$SYS_ENV_FILE"
+  sudo chmod 600 "$SYS_ENV_FILE"
+  sudo chown root:root "$SYS_ENV_FILE"
+  echo "ensured system env file for service: $SYS_ENV_FILE"
+fi
+
 # Load generated/shared auth secret for bootstrap checks.
 if [[ -f .env ]]; then
  set -a
--- a/deploy/scripts/install_service.sh
+++ b/deploy/scripts/install_service.sh
@@ -5,6 +5,10 @@ REPO_ROOT="${1:-/home/bestmidi/chgrid}"
 UNIT_NAME="${2:-chat-grid.service}"
 SRC_UNIT="$REPO_ROOT/deploy/systemd/$UNIT_NAME"
 DST_UNIT="/etc/systemd/system/$UNIT_NAME"
+SERVER_ENV_FILE="$REPO_ROOT/server/.env"
+SYS_ENV_FILE="${CHGRID_SYSTEM_ENV_FILE:-/etc/sysconfig/chat-grid}"
+DROPIN_DIR="/etc/systemd/system/$UNIT_NAME.d"
+DROPIN_FILE="$DROPIN_DIR/env.conf"

 if [[ ! -f "$SRC_UNIT" ]]; then
  echo "error: unit file not found: $SRC_UNIT" >&2
@@ -12,6 +16,21 @@ if [[ ! -f "$SRC_UNIT" ]]; then
 fi

 sudo cp "$SRC_UNIT" "$DST_UNIT"
+if [[ -f "$SERVER_ENV_FILE" ]]; then
+  SECRET_LINE="$(grep -m1 '^CHGRID_AUTH_SECRET=' "$SERVER_ENV_FILE" || true)"
+  if [[ -n "$SECRET_LINE" ]]; then
+    sudo install -d -m 755 /etc/sysconfig
+    sudo sh -c "printf '%s\n' \"\$1\" > \"\$2\"" _ "$SECRET_LINE" "$SYS_ENV_FILE"
+    sudo chmod 600 "$SYS_ENV_FILE"
+    sudo chown root:root "$SYS_ENV_FILE"
+  fi
+fi
+sudo install -d -m 755 "$DROPIN_DIR"
+sudo tee "$DROPIN_FILE" >/dev/null <<EOF
+[Service]
+EnvironmentFile=
+EnvironmentFile=-$SYS_ENV_FILE
+EOF
 sudo install -d -m 0755 -o bestmidi -g bestmidi "$REPO_ROOT/server/runtime"
 sudo touch "$REPO_ROOT/server/runtime/server.log"
 sudo chown bestmidi:bestmidi "$REPO_ROOT/server/runtime/server.log"