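#!/bin/bash
# Generate secure secrets for AI Tax Agent deployment.
#
# Usage: generate-secrets.sh [ENV_FILE]
#   ENV_FILE defaults to infra/environments/local/.env, relative to the
#   current working directory; the directory is created if missing.
#
# Behaviour:
#   * Passwords, tokens and keys are generated fresh on EVERY run, so
#     re-running this script rotates them (services already initialised with
#     the previous values will need to be re-initialised or updated).
#   * Non-secret settings (domain, ports, feature flags, ...) honour values
#     already present in the caller's environment and fall back to defaults.
#   * The Authentik bootstrap password/token honour caller-supplied values and
#     are otherwise generated randomly (they are no longer fixed strings).
#   * The resulting file, and any backup of a previous file, is written with
#     mode 0600 so other local users cannot read it.
#   * Credentials are echoed to the terminal at the end; be aware of terminal
#     logging / scroll-back when running this on shared hosts.
#
# Requires: openssl, and one of python3 / uuidgen / /proc/sys/kernel/random/uuid.
set -euo pipefail

# Colors for output
RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
BLUE='\033[0;34m'
NC='\033[0m' # No Color

# Default output location; overridable via the first positional argument.
readonly DEFAULT_ENV_FILE="infra/environments/local/.env"
# Well-known default for the local image registry. It is deliberately NOT
# randomised here because the registry's own credential store (outside this
# script) must match it; the summary at the end warns when it is still in use.
readonly DEFAULT_REGISTRY_PASSWORD="admin123"

# Print an error to stderr and abort.
die() {
  printf '%b❌ %s%b\n' "$RED" "$*" "$NC" >&2
  exit 1
}

# Function to generate random string.
# Arguments: $1 - number of characters to emit (default 32), positive integer.
# Outputs:   LENGTH characters drawn from [A-Za-z0-9] via openssl's CSPRNG.
# Twice LENGTH bytes are requested so that stripping base64 padding and the
# '+' and '/' characters can never leave fewer than LENGTH characters; the
# original requested exactly LENGTH bytes and relied on that being enough.
# NOTE(review): consumers that need a specific key encoding (e.g. 32 raw bytes
# as hex/base64 for ENCRYPTION_KEY) should verify this alphabet suits them.
generate_secret() {
  local length=${1:-32}
  [[ "$length" =~ ^[1-9][0-9]*$ ]] || die "generate_secret: length must be a positive integer, got '$length'"
  openssl rand -base64 "$(( length * 2 ))" | tr -d "=+/\n" | cut -c1-"$length"
}

# Function to generate UUID.
# Prefers python3 (as the original did); falls back to uuidgen, then to the
# kernel's random UUID device, and fails loudly if none is available.
generate_uuid() {
  if command -v python3 >/dev/null 2>&1; then
    python3 - <<'PY'
import uuid
print(uuid.uuid4())
PY
  elif command -v uuidgen >/dev/null 2>&1; then
    uuidgen
  elif [[ -r /proc/sys/kernel/random/uuid ]]; then
    cat /proc/sys/kernel/random/uuid
  else
    die "generate_uuid: need python3, uuidgen or /proc/sys/kernel/random/uuid"
  fi
}

# Write the environment file.
# Arguments: $1 - destination path.
# Globals:   reads every variable interpolated in the heredoc below.
# The file is assembled in a sibling temp file under umask 077, so the secrets
# are never world-readable even for an instant (the original created the file
# with the default umask and only chmod'ed it afterwards), then moved into place
# atomically. An existing file is backed up first; the backup still holds the
# OLD secrets, so it gets the same restrictive mode and should be deleted once
# the old credentials are rotated out.
write_env() {
  local file=$1
  local tmp="$file.tmp"
  local ts
  ts="$(date +%Y%m%d_%H%M%S)"
  local prev_umask
  prev_umask=$(umask)
  umask 077

  mkdir -p -- "$(dirname -- "$file")"

  if [ -f "$file" ]; then
    cp -- "$file" "${file}.backup.${ts}"
    chmod 600 "${file}.backup.${ts}"
    echo -e "${YELLOW}📋 Backed up existing env to ${file}.backup.${ts}${NC}"
  fi

  # Do not leave a half-written file full of secrets behind if we abort.
  trap "rm -f -- $(printf '%q' "$tmp")" EXIT

  cat > "$tmp" << EOF
# AI Tax Agent Environment Configuration
# Generated on $(date)
# IMPORTANT: Keep these secrets secure and never commit to version control

# Domain Configuration
DOMAIN=${DOMAIN:-local.lan}
EMAIL=${EMAIL:-admin@local.lan}
ACME_EMAIL=${ACME_EMAIL:-${EMAIL:-admin@local.lan}}
TRAEFIK_CERT_RESOLVER=${TRAEFIK_CERT_RESOLVER:-}

# Database Passwords
POSTGRES_PASSWORD=$POSTGRES_PASSWORD
NEO4J_PASSWORD=$NEO4J_PASSWORD
AUTHENTIK_DB_PASSWORD=$AUTHENTIK_DB_PASSWORD

# Object Storage
MINIO_ROOT_USER=${MINIO_ROOT_USER:-minio}
MINIO_ROOT_PASSWORD=$MINIO_ROOT_PASSWORD
MINIO_ACCESS_KEY=${MINIO_ACCESS_KEY:-$MINIO_ROOT_USER}
MINIO_SECRET_KEY=${MINIO_SECRET_KEY:-$MINIO_ROOT_PASSWORD}

# Vector Database
QDRANT__SERVICE__GRPC_PORT=${QDRANT__SERVICE__GRPC_PORT:-6334}

# Secrets Management
VAULT_DEV_ROOT_TOKEN_ID=$VAULT_DEV_ROOT_TOKEN_ID

# Identity & SSO
AUTHENTIK_SECRET_KEY=$AUTHENTIK_SECRET_KEY
AUTHENTIK_OUTPOST_TOKEN=$AUTHENTIK_OUTPOST_TOKEN
AUTHENTIK_BOOTSTRAP_EMAIL=${AUTHENTIK_BOOTSTRAP_EMAIL:-admin@${DOMAIN:-local.lan}}
AUTHENTIK_BOOTSTRAP_PASSWORD=$AUTHENTIK_BOOTSTRAP_PASSWORD
AUTHENTIK_BOOTSTRAP_TOKEN=$AUTHENTIK_BOOTSTRAP_TOKEN
AUTHENTIK_API_CLIENT_SECRET=$AUTHENTIK_API_CLIENT_SECRET
AUTHENTIK_UI_REVIEW_CLIENT_SECRET=$AUTHENTIK_UI_REVIEW_CLIENT_SECRET
AUTHENTIK_GRAFANA_CLIENT_SECRET=$AUTHENTIK_GRAFANA_CLIENT_SECRET
AUTHENTIK_MINIO_CLIENT_SECRET=$AUTHENTIK_MINIO_CLIENT_SECRET
AUTHENTIK_VAULT_CLIENT_SECRET=$AUTHENTIK_VAULT_CLIENT_SECRET

# OAuth Client Secrets
GRAFANA_OAUTH_CLIENT_ID=${GRAFANA_OAUTH_CLIENT_ID:-grafana}
GRAFANA_OAUTH_CLIENT_SECRET=$GRAFANA_OAUTH_CLIENT_SECRET

# Monitoring
GRAFANA_PASSWORD=$GRAFANA_PASSWORD

# Feature Flags
UNLEASH_ADMIN_TOKEN=$UNLEASH_ADMIN_TOKEN

# Application Configuration
NEXTAUTH_SECRET=$NEXTAUTH_SECRET
JWT_SECRET=$JWT_SECRET
ENCRYPTION_KEY=$ENCRYPTION_KEY

# Event Bus / NATS
EVENT_BUS_TYPE=${EVENT_BUS_TYPE:-nats}
NATS_SERVERS=${NATS_SERVERS:-nats://apa-nats:4222}
NATS_STREAM_NAME=${NATS_STREAM_NAME:-TAX_AGENT_EVENTS}
NATS_CONSUMER_GROUP=${NATS_CONSUMER_GROUP:-tax-agent}
NATS_LOG_LEVEL=${NATS_LOG_LEVEL:-info}

# Redis Configuration
REDIS_PASSWORD=$REDIS_PASSWORD

# RAG & ML Models
RAG_EMBEDDING_MODEL=${RAG_EMBEDDING_MODEL:-bge-small-en-v1.5}
RAG_RERANKER_MODEL=${RAG_RERANKER_MODEL:-cross-encoder/ms-marco-MiniLM-L-6-v2}
RAG_ALPHA_BETA_GAMMA=${RAG_ALPHA_BETA_GAMMA:-0.5,0.3,0.2}

# HMRC Integration
HMRC_MTD_ITSA_MODE=${HMRC_MTD_ITSA_MODE:-sandbox}

# Rate Limits
RATE_LIMITS_HMRC_API_RPS=${RATE_LIMITS_HMRC_API_RPS:-3}
RATE_LIMITS_HMRC_API_BURST=${RATE_LIMITS_HMRC_API_BURST:-6}
RATE_LIMITS_LLM_API_RPS=${RATE_LIMITS_LLM_API_RPS:-10}
RATE_LIMITS_LLM_API_BURST=${RATE_LIMITS_LLM_API_BURST:-20}

# Confidence Thresholds
CONFIDENCE_AUTO_SUBMIT=${CONFIDENCE_AUTO_SUBMIT:-0.95}
CONFIDENCE_HUMAN_REVIEW=${CONFIDENCE_HUMAN_REVIEW:-0.85}
CONFIDENCE_REJECT=${CONFIDENCE_REJECT:-0.50}

# Logging
LOG_LEVEL=${LOG_LEVEL:-INFO}
LOG_FORMAT=${LOG_FORMAT:-json}

# Development Settings
DEBUG=${DEBUG:-false}
DEVELOPMENT_MODE=${DEVELOPMENT_MODE:-true}

# Security
ENCRYPTION_KEY_ID=${ENCRYPTION_KEY_ID:-default}
AUDIT_LOG_RETENTION_DAYS=${AUDIT_LOG_RETENTION_DAYS:-90}
PII_LOG_RETENTION_DAYS=${PII_LOG_RETENTION_DAYS:-30}

# Backup & DR
BACKUP_ENABLED=${BACKUP_ENABLED:-true}
BACKUP_SCHEDULE="${BACKUP_SCHEDULE:-0 2 * * *}"
BACKUP_RETENTION_DAYS=${BACKUP_RETENTION_DAYS:-30}

# Performance Tuning
MAX_WORKERS=${MAX_WORKERS:-4}
BATCH_SIZE=${BATCH_SIZE:-100}
CACHE_TTL_SECONDS=${CACHE_TTL_SECONDS:-3600}
CONNECTION_POOL_SIZE=${CONNECTION_POOL_SIZE:-20}

# Registry / build
REGISTRY=${REGISTRY:-localhost:5000}
REGISTRY_USER=${REGISTRY_USER:-admin}
REGISTRY_PASSWORD=${REGISTRY_PASSWORD:-$DEFAULT_REGISTRY_PASSWORD}
IMAGE_TAG=${IMAGE_TAG:-latest}
OWNER=${OWNER:-local}

# Feature Flags
FEATURE_RAG_ENABLED=${FEATURE_RAG_ENABLED:-true}
FEATURE_FIRM_CONNECTORS_ENABLED=${FEATURE_FIRM_CONNECTORS_ENABLED:-false}
FEATURE_HMRC_SUBMISSION_ENABLED=${FEATURE_HMRC_SUBMISSION_ENABLED:-false}
FEATURE_ADVANCED_CALCULATIONS_ENABLED=${FEATURE_ADVANCED_CALCULATIONS_ENABLED:-true}

# API Keys (placeholders for local testing)
OPENAI_API_KEY=${OPENAI_API_KEY:-sk-local-placeholder}
ANTHROPIC_API_KEY=${ANTHROPIC_API_KEY:-sk-ant-local-placeholder}
EOF

  chmod 600 "$tmp"
  mv -- "$tmp" "$file"
  trap - EXIT
  umask "$prev_umask"
  echo -e "${GREEN}✅ Wrote secrets to $file${NC}"
}

# Entry point.
# Arguments: $1 - optional destination path (see DEFAULT_ENV_FILE).
# The variables assigned here are intentionally global: write_env reads them
# when expanding the heredoc.
main() {
  local env_file=${1:-$DEFAULT_ENV_FILE}

  command -v openssl >/dev/null 2>&1 || die "openssl is required to generate secrets"

  echo -e "${BLUE}🔐 Generating secure secrets for AI Tax Agent...${NC}"
  echo

  # Defaults for commonly overridden values, resolved first so that later
  # defaults (bootstrap e-mail, ACME e-mail) can build on them.
  DOMAIN=${DOMAIN:-local.lan}
  EMAIL=${EMAIL:-admin@${DOMAIN}}
  ACME_EMAIL=${ACME_EMAIL:-$EMAIL}
  MINIO_ROOT_USER=${MINIO_ROOT_USER:-minio}
  AUTHENTIK_BOOTSTRAP_EMAIL=${AUTHENTIK_BOOTSTRAP_EMAIL:-admin@${DOMAIN}}

  # Generate secrets (random where appropriate). These always override any
  # value present in the environment, exactly as before.
  AUTHENTIK_SECRET_KEY=$(generate_secret 50)
  AUTHENTIK_OUTPOST_TOKEN=$(generate_secret 64)
  AUTHENTIK_API_CLIENT_SECRET=$(generate_secret 32)
  AUTHENTIK_UI_REVIEW_CLIENT_SECRET=$(generate_secret 32)
  AUTHENTIK_GRAFANA_CLIENT_SECRET=$(generate_secret 32)
  AUTHENTIK_MINIO_CLIENT_SECRET=$(generate_secret 32)
  AUTHENTIK_VAULT_CLIENT_SECRET=$(generate_secret 32)
  GRAFANA_OAUTH_CLIENT_SECRET=$(generate_secret 32)
  NEXTAUTH_SECRET=$(generate_secret 48)
  JWT_SECRET=$(generate_secret 48)
  ENCRYPTION_KEY=$(generate_secret 32)
  VAULT_DEV_ROOT_TOKEN_ID=$(generate_uuid)
  POSTGRES_PASSWORD=$(generate_secret 16)
  NEO4J_PASSWORD=$(generate_secret 16)
  AUTHENTIK_DB_PASSWORD=$(generate_secret 16)
  MINIO_ROOT_PASSWORD=$(generate_secret 16)
  # NOTE(review): MINIO_ACCESS_KEY/MINIO_SECRET_KEY are generated independently
  # of the root credentials, so whatever consumes them must have a matching
  # MinIO service account provisioned elsewhere — confirm against the compose
  # setup.
  MINIO_ACCESS_KEY=$(generate_secret 16)
  MINIO_SECRET_KEY=$(generate_secret 24)
  GRAFANA_PASSWORD=$(generate_secret 16)
  # NOTE(review): the "admin:" prefix is kept from the original; verify it
  # matches the token format the deployed Unleash version expects.
  UNLEASH_ADMIN_TOKEN="admin:$(generate_secret 24)"
  REDIS_PASSWORD=$(generate_secret 16)

  # Bootstrap credentials for the initial Authentik admin. Caller-supplied
  # values are honoured; otherwise they are random instead of the former fixed
  # defaults ('admin123' / 'ak-bootstrap-token'), which were guessable by
  # anyone who had read this script.
  AUTHENTIK_BOOTSTRAP_PASSWORD=${AUTHENTIK_BOOTSTRAP_PASSWORD:-$(generate_secret 24)}
  AUTHENTIK_BOOTSTRAP_TOKEN=${AUTHENTIK_BOOTSTRAP_TOKEN:-$(generate_secret 48)}

  # Write env file
  write_env "$env_file"

  echo
  echo -e "${YELLOW}📝 Important credentials:${NC}"
  echo -e "  ${BLUE}Grafana Admin:${NC} admin / $GRAFANA_PASSWORD"
  echo -e "  ${BLUE}MinIO Admin:${NC} ${MINIO_ROOT_USER} / $MINIO_ROOT_PASSWORD"
  echo -e "  ${BLUE}Vault Root Token:${NC} $VAULT_DEV_ROOT_TOKEN_ID"
  echo -e "  ${BLUE}Authentik Bootstrap:${NC} ${AUTHENTIK_BOOTSTRAP_EMAIL} / ${AUTHENTIK_BOOTSTRAP_PASSWORD}"
  echo
  echo -e "${RED}⚠️  SECURITY WARNING:${NC}"
  echo -e "  • Keep the generated env files secure and out of version control"
  echo -e "  • Backup copies (.env.backup.*) still contain the previous secrets; delete them once rotated"
  echo -e "  • Rotate secrets regularly for non-local environments"
  if [[ "${REGISTRY_PASSWORD:-$DEFAULT_REGISTRY_PASSWORD}" == "$DEFAULT_REGISTRY_PASSWORD" ]]; then
    echo -e "  • REGISTRY_PASSWORD is the well-known default '${DEFAULT_REGISTRY_PASSWORD}'; export REGISTRY_PASSWORD before running this for anything but a throwaway local registry"
  fi
}

main "$@"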