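#!/bin/bash
# Generate strong secrets for the production environment.
#
# Replaces every CHANGE_ME_* placeholder in the production env file with a
# freshly generated random value, keeps a backup of the file as it was before
# the rewrite, restricts both files to the owner, and prints the credentials an
# operator needs at first login.
#
# Usage: run from the repository root so the relative env-file path resolves.
# Env:   ENV_FILE - env file to rewrite (default: infra/compose/.env.production)
# Requires openssl and perl; perl is used for in-place editing because
# `sed -i` behaves differently on GNU and macOS.
# NOTE: this script's stdout and $ENV_FILE contain secrets - do not redirect
# the output into logs or CI job output.
set -euo pipefail

# Files this script creates (the backup, perl's rewrite) must not be readable
# by other users; the explicit chmod below also covers the pre-existing file.
umask 077

ENV_FILE="${ENV_FILE:-infra/compose/.env.production}"

# Placeholder text in the env file -> name of the variable holding its
# replacement. Each placeholder is matched literally and replaced on every
# occurrence.
REPLACEMENTS=(
  "CHANGE_ME_STRONG_PASSWORD_1 POSTGRES_PASSWORD"
  "CHANGE_ME_STRONG_PASSWORD_2 NEO4J_PASSWORD"
  "CHANGE_ME_STRONG_PASSWORD_3 AUTHENTIK_DB_PASSWORD"
  "CHANGE_ME_STRONG_PASSWORD_4 MINIO_ROOT_PASSWORD"
  "CHANGE_ME_STRONG_PASSWORD_5 MINIO_SECRET_KEY"
  "CHANGE_ME_VAULT_ROOT_TOKEN VAULT_ROOT_TOKEN"
  "CHANGE_ME_AUTHENTIK_SECRET_KEY AUTHENTIK_SECRET_KEY"
  "CHANGE_ME_AUTHENTIK_OUTPOST_TOKEN AUTHENTIK_OUTPOST_TOKEN"
  "CHANGE_ME_ADMIN_PASSWORD ADMIN_PASSWORD"
  "CHANGE_ME_GRAFANA_PASSWORD GRAFANA_PASSWORD"
  "CHANGE_ME_GRAFANA_OAUTH_SECRET GRAFANA_OAUTH_SECRET"
  "CHANGE_ME_API_CLIENT_SECRET API_CLIENT_SECRET"
  "CHANGE_ME_UI_REVIEW_CLIENT_SECRET UI_REVIEW_CLIENT_SECRET"
  "CHANGE_ME_GRAFANA_CLIENT_SECRET GRAFANA_CLIENT_SECRET"
  "CHANGE_ME_MINIO_CLIENT_SECRET MINIO_CLIENT_SECRET"
  "CHANGE_ME_VAULT_CLIENT_SECRET VAULT_CLIENT_SECRET"
  "CHANGE_ME_NEXTAUTH_SECRET NEXTAUTH_SECRET"
)

#######################################
# Print an error to stderr and exit with status 1.
# Arguments: $* - message
#######################################
die() {
  printf '❌ Error: %s\n' "$*" >&2
  exit 1
}

#######################################
# Generate a 32-character alphanumeric password.
# The base64 output is filtered to [A-Za-z0-9] so the value needs no escaping
# in .env files, URLs or the perl replacement below. 48 random bytes give 64
# base64 characters, leaving ample margin after '=', '+' and '/' are removed;
# the length is still verified because the filtered length is probabilistic.
# Outputs: the password on stdout
# Returns: exits non-zero (via die) if openssl fails or output is too short
#######################################
generate_password() {
  local candidate
  # pipefail (set above) makes an openssl failure fail this assignment.
  candidate=$(openssl rand -base64 48 | tr -d '=+/\n' | cut -c1-32)
  [ "${#candidate}" -eq 32 ] || die "openssl produced too little output for a password"
  printf '%s\n' "$candidate"
}

#######################################
# Generate a 64-character hex token (256 bits of randomness).
# Outputs: the token on stdout
#######################################
generate_hex_token() {
  openssl rand -hex 32
}

#######################################
# Replace every occurrence of a placeholder in $ENV_FILE with a secret.
# The values are handed to perl through the environment rather than argv so
# the secret is not visible in `ps` output, and the placeholder is \Q-quoted
# so it is matched literally rather than as a regex.
# Globals:   ENV_FILE (read; file rewritten in place)
# Arguments: $1 - placeholder text, $2 - replacement value
#######################################
replace_placeholder() {
  PLACEHOLDER="$1" SECRET="$2" \
    perl -i -pe 's/\Q$ENV{PLACEHOLDER}\E/$ENV{SECRET}/g' -- "$ENV_FILE"
}

#######################################
# Entry point: validate preconditions, generate secrets, rewrite the env file,
# tighten permissions and print the first-login credentials.
#######################################
main() {
  local pair placeholder var
  local POSTGRES_PASSWORD NEO4J_PASSWORD AUTHENTIK_DB_PASSWORD
  local MINIO_ROOT_PASSWORD MINIO_SECRET_KEY VAULT_ROOT_TOKEN
  local AUTHENTIK_SECRET_KEY AUTHENTIK_OUTPOST_TOKEN ADMIN_PASSWORD
  local GRAFANA_PASSWORD GRAFANA_OAUTH_SECRET API_CLIENT_SECRET
  local UI_REVIEW_CLIENT_SECRET GRAFANA_CLIENT_SECRET MINIO_CLIENT_SECRET
  local VAULT_CLIENT_SECRET NEXTAUTH_SECRET

  [ -f "$ENV_FILE" ] || die "$ENV_FILE not found"
  command -v openssl >/dev/null || die "openssl is required but not installed"
  command -v perl >/dev/null || die "perl is required but not installed"
  # A file without placeholders has already been provisioned: rewriting it
  # would print credentials that were never written and overwrite the backup
  # with a copy that already contains live secrets.
  grep -q 'CHANGE_ME_' "$ENV_FILE" \
    || die "no CHANGE_ME_ placeholders in $ENV_FILE; secrets were already generated"

  printf '%s\n' "🔐 Generating strong secrets for production..."

  # Generate every secret before touching the file so a generation failure
  # (set -e on the assignment) aborts with the env file untouched.
  POSTGRES_PASSWORD=$(generate_password)
  NEO4J_PASSWORD=$(generate_password)
  AUTHENTIK_DB_PASSWORD=$(generate_password)
  MINIO_ROOT_PASSWORD=$(generate_password)
  MINIO_SECRET_KEY=$(generate_password)
  VAULT_ROOT_TOKEN=$(generate_hex_token)
  AUTHENTIK_SECRET_KEY=$(generate_password)
  AUTHENTIK_OUTPOST_TOKEN=$(generate_hex_token)
  ADMIN_PASSWORD=$(generate_password)
  GRAFANA_PASSWORD=$(generate_password)
  GRAFANA_OAUTH_SECRET=$(generate_password)
  API_CLIENT_SECRET=$(generate_password)
  UI_REVIEW_CLIENT_SECRET=$(generate_password)
  GRAFANA_CLIENT_SECRET=$(generate_password)
  MINIO_CLIENT_SECRET=$(generate_password)
  VAULT_CLIENT_SECRET=$(generate_password)
  NEXTAUTH_SECRET=$(generate_password)

  # Backup of the pre-rewrite file. It still holds only placeholders, and the
  # re-run guard above keeps it from ever being overwritten with real secrets.
  cp -- "$ENV_FILE" "$ENV_FILE.backup"

  for pair in "${REPLACEMENTS[@]}"; do
    placeholder=${pair%% *}
    var=${pair##* }
    replace_placeholder "$placeholder" "${!var}"
  done

  # perl -i keeps the original file mode, so restrict both files explicitly.
  chmod 600 "$ENV_FILE" "$ENV_FILE.backup"

  # A placeholder missing from REPLACEMENTS would otherwise ship as a literal
  # default credential; fail loudly instead of reporting success.
  if grep -q 'CHANGE_ME_' "$ENV_FILE"; then
    printf '❌ Error: unreplaced placeholders remain in %s:\n' "$ENV_FILE" >&2
    grep -o 'CHANGE_ME_[A-Za-z0-9_]*' "$ENV_FILE" | sort -u >&2
    exit 1
  fi

  cat <<EOF
✅ Secrets generated successfully!

📝 Important credentials (save these securely!):
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Admin Email: admin@harkon.co.uk
Admin Password: $ADMIN_PASSWORD
Vault Root Token: $VAULT_ROOT_TOKEN
Grafana Password: $GRAFANA_PASSWORD
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

⚠️ IMPORTANT:
1. Save these credentials in a password manager
2. The .env.production file contains all secrets
3. Never commit .env.production to git
4. A backup was created at $ENV_FILE.backup

🔒 To view all secrets: cat $ENV_FILE
EOF
}

main "$@"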