|
1 | 1 | #!/bin/sh |
2 | 2 | set -e |
3 | 3 |
|
4 | | -# Ensure required directories exist (in case volumes are mounted empty) |
5 | | -mkdir -p /opt/cryptic/data/ca |
6 | | -mkdir -p /opt/cryptic/logs |
7 | | -mkdir -p /opt/cryptic/certs |
8 | | - |
9 | | -# Fix ownership of mounted volumes (they may be created as root) |
10 | | -chown -R cryptic:cryptic /opt/cryptic/data |
11 | | -chown -R cryptic:cryptic /opt/cryptic/logs |
12 | | - |
13 | | -# Note: Certificate files at /opt/cryptic/certs/ are bind-mounted as read-only |
14 | | -# Ensure they have correct permissions on the HOST before mounting: |
15 | | -# chmod 644 priv/ssl/*.{crt,key} |
| 4 | +# Set default CRYPTIC_SERVER_DIR to /opt/cryptic/server_data if not already set |
| 5 | +# This will contain all server data: priv/, logs/, and data/ |
| 6 | +# Note: /opt/cryptic contains the Erlang release (bin/, lib/, etc.) |
| 7 | +if [ -z "${CRYPTIC_SERVER_DIR}" ]; then |
| 8 | + CRYPTIC_SERVER_DIR="/opt/cryptic/server_data" |
| 9 | + export CRYPTIC_SERVER_DIR |
| 10 | +fi |
16 | 11 |
|
17 | | -# Ensure priv/ssl directory exists for CA cert/key mounts |
18 | | -# The release path includes version, but we'll create under all lib versions |
19 | | -for libdir in /opt/cryptic/lib/cryptic-*/; do |
20 | | - if [ -d "$libdir" ]; then |
21 | | - mkdir -p "${libdir}priv/ssl" |
22 | | - # Only chown the directory, not the read-only mounted files inside |
23 | | - chown cryptic:cryptic "${libdir}priv/ssl" 2>/dev/null || true |
24 | | - chown cryptic:cryptic "${libdir}priv" 2>/dev/null || true |
25 | | - fi |
26 | | -done |
| 12 | +# Ensure all required directories exist under CRYPTIC_SERVER_DIR |
| 13 | +mkdir -p "${CRYPTIC_SERVER_DIR}/data/ca" |
| 14 | +mkdir -p "${CRYPTIC_SERVER_DIR}/logs" |
| 15 | +mkdir -p "${CRYPTIC_SERVER_DIR}/priv/ssl" |
| 16 | +mkdir -p "${CRYPTIC_SERVER_DIR}/priv/ca/bootstrap" |
27 | 17 |
|
28 | | -# Also create priv/ssl in the working directory since config uses relative paths |
29 | | -mkdir -p /opt/cryptic/priv/ssl |
| 18 | +echo "INFO: CRYPTIC_SERVER_DIR is set to ${CRYPTIC_SERVER_DIR}" |
| 19 | +echo "INFO: Expected structure:" |
| 20 | +echo " ${CRYPTIC_SERVER_DIR}/priv/ssl/ca.crt - CA certificate" |
| 21 | +echo " ${CRYPTIC_SERVER_DIR}/priv/ssl/ca.key - CA private key" |
| 22 | +echo " ${CRYPTIC_SERVER_DIR}/priv/ssl/server.crt - Server certificate" |
| 23 | +echo " ${CRYPTIC_SERVER_DIR}/priv/ssl/server.key - Server private key" |
| 24 | +echo " ${CRYPTIC_SERVER_DIR}/priv/ca/bootstrap/*.gpg - Bootstrap GPG keys" |
| 25 | +echo " ${CRYPTIC_SERVER_DIR}/data/ - Database files" |
| 26 | +echo " ${CRYPTIC_SERVER_DIR}/logs/ - Log files" |
30 | 27 |
|
31 | | -# Copy CA cert/key files from mounted certs directory to priv/ssl |
32 | | -# The application config uses relative path "priv/ssl/ca.crt" |
33 | | -if [ -f "/opt/cryptic/certs/ca.crt" ] && [ -f "/opt/cryptic/certs/ca.key" ]; then |
34 | | - echo "DEBUG: Copying CA files from /opt/cryptic/certs/ to priv/ssl/" |
35 | | - cp /opt/cryptic/certs/ca.crt /opt/cryptic/priv/ssl/ |
36 | | - cp /opt/cryptic/certs/ca.key /opt/cryptic/priv/ssl/ |
37 | | - chown cryptic:cryptic /opt/cryptic/priv/ssl/* |
| 28 | +# Check if CA certificates exist, generate if missing |
| 29 | +if [ ! -f "${CRYPTIC_SERVER_DIR}/priv/ssl/ca.crt" ] || [ ! -f "${CRYPTIC_SERVER_DIR}/priv/ssl/ca.key" ]; then |
| 30 | + echo "INFO: CA certificates not found, generating..." |
| 31 | + DIR="${CRYPTIC_SERVER_DIR}/priv/ssl" /usr/local/bin/generate-mtls-certs.sh |
38 | 32 | else |
39 | | - echo "WARNING: CA certificate files not found in /opt/cryptic/certs/" |
40 | | - echo " Expected: /opt/cryptic/certs/ca.crt and /opt/cryptic/certs/ca.key" |
41 | | - echo " Run certificate generation first or mount the files." |
| 33 | + echo "INFO: CA certificates found" |
42 | 34 | fi |
43 | 35 |
|
44 | | -# Debug: Show directory permissions |
45 | | -echo "DEBUG: /opt/cryptic/data permissions:" |
46 | | -ls -ld /opt/cryptic/data |
47 | | -echo "DEBUG: /opt/cryptic/data/ca permissions:" |
48 | | -ls -ld /opt/cryptic/data/ca |
49 | | -echo "DEBUG: /opt/cryptic/data/ca contents:" |
50 | | -ls -la /opt/cryptic/data/ca/ || echo "Directory empty or not readable" |
51 | | -echo "DEBUG: Environment CRYPTIC_CA_DB_FILE=${CRYPTIC_CA_DB_FILE}" |
52 | | -echo "DEBUG: Environment CRYPTIC_DEBUG=${CRYPTIC_DEBUG}" |
53 | | -echo "DEBUG: Test file creation:" |
54 | | -su-exec cryptic touch /opt/cryptic/data/ca/test.txt && echo "SUCCESS" || echo "FAILED" |
| 36 | +# Fix ownership of mounted volumes (they may be created as root) |
| 37 | +chown -R cryptic:cryptic "${CRYPTIC_SERVER_DIR}/data" 2>/dev/null || true |
| 38 | +chown -R cryptic:cryptic "${CRYPTIC_SERVER_DIR}/logs" 2>/dev/null || true |
| 39 | + |
| 40 | +# Debug: Show directory structure and permissions |
| 41 | +if [ "${CRYPTIC_DEBUG}" = "true" ]; then |
| 42 | + echo "DEBUG: ${CRYPTIC_SERVER_DIR}/data permissions:" |
| 43 | + ls -ld "${CRYPTIC_SERVER_DIR}/data" |
| 44 | + echo "DEBUG: ${CRYPTIC_SERVER_DIR}/data/ca permissions:" |
| 45 | + ls -ld "${CRYPTIC_SERVER_DIR}/data/ca" |
| 46 | + echo "DEBUG: ${CRYPTIC_SERVER_DIR}/data/ca contents:" |
| 47 | + ls -la "${CRYPTIC_SERVER_DIR}/data/ca/" || echo "Directory empty or not readable" |
| 48 | + |
| 49 | + echo "DEBUG: ${CRYPTIC_SERVER_DIR}/priv contents:" |
| 50 | + ls -laR "${CRYPTIC_SERVER_DIR}/priv" 2>/dev/null || echo "Directory not readable" |
| 51 | + |
| 52 | + echo "DEBUG: Environment variables:" |
| 53 | + echo " CRYPTIC_SERVER_DIR=${CRYPTIC_SERVER_DIR}" |
| 54 | + echo " CRYPTIC_CA_DB_FILE=${CRYPTIC_CA_DB_FILE}" |
| 55 | + echo " CRYPTIC_DEBUG=${CRYPTIC_DEBUG}" |
| 56 | +fi |
55 | 57 |
|
56 | 58 | # Switch to cryptic user and execute the main command |
57 | 59 | # Explicitly preserve environment variables that the application needs |
58 | 60 | exec su-exec cryptic env \ |
59 | 61 | CRYPTIC_SERVER_HOST="${CRYPTIC_SERVER_HOST}" \ |
60 | 62 | CRYPTIC_SERVER_PORT="${CRYPTIC_SERVER_PORT}" \ |
61 | | - CRYPTIC_SERVER_CERT="${CRYPTIC_SERVER_CERT}" \ |
62 | | - CRYPTIC_SERVER_KEY="${CRYPTIC_SERVER_KEY}" \ |
63 | | - CRYPTIC_CA_CERT="${CRYPTIC_CA_CERT}" \ |
| 63 | + CRYPTIC_SERVER_DIR="${CRYPTIC_SERVER_DIR}" \ |
64 | 64 | CRYPTIC_CA_DB_FILE="${CRYPTIC_CA_DB_FILE}" \ |
65 | 65 | CRYPTIC_EVENT_HANDLERS="${CRYPTIC_EVENT_HANDLERS}" \ |
66 | 66 | CRYPTIC_DEBUG="${CRYPTIC_DEBUG}" \ |
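Review bot: The CA/server key material generated at new line 31 is produced while the entrypoint still runs as root, and the ownership fix at new lines 37–38 covers only data/ and logs/, so priv/ssl/ keeps whatever owner and mode generate-mtls-certs.sh leaves — if that is root-owned 0600, the process started via `su-exec cryptic` at line 60 cannot read ca.key/server.key (the removed code chowned priv/ssl explicitly). After the if/fi block I would add `chown -R cryptic:cryptic "${CRYPTIC_SERVER_DIR}/priv/ssl" 2>/dev/null || true` and `chmod 600 "${CRYPTIC_SERVER_DIR}"/priv/ssl/*.key 2>/dev/null || true`, keeping the same best-effort pattern so a read-only bind mount does not trip `set -e` while private keys stay unreadable to other users. The generator's output ownership and modes are not visible here, so confirm against generate-mtls-certs.sh before relying on this. Separately, the existence check at new line 29 only tests ca.crt/ca.key; if server.crt/server.key are expected from the same generator (as the structure printed at lines 22–23 suggests), a missing server pair is not regenerated, which should at least be stated in a comment on line 28. The `exec su-exec cryptic env \` command at line 60 continues past the end of the hunk.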
|