# frozen_string_literal: true
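namespace :secrets do
  # Capistrano tasks that create and maintain shared/config/secrets.yml on the :app hosts.
  #
  # Deploy variables read here: :shared_path, :app_name, :app_domain, :app_name_uri,
  # :app_full_url, :secrets_key_base, :password (sudo password of the deploy user) and
  # :app_group_owner. `remote_file_exists?` is a project helper defined elsewhere.
  #
  # The file is always edited in Ruby and re-uploaded over SFTP instead of being rewritten
  # with `sed` on the host: SSHKit logs every command it runs, so the old approach wrote
  # the secret key into the deploy log, and a value containing a shell or sed
  # metacharacter could corrupt the file or be interpreted by the remote shell.

  # Fixed prompt passed to `sudo -p` so the interaction handler can recognise it regardless
  # of the host's locale. The password is answered over the channel's stdin and therefore
  # never appears in the command string, the SSHKit log or the remote process list
  # (the previous `echo <password> | sudo -S` exposed it in all three).
  sudo_prompt = 'cap-sudo-password:'

  desc 'Create secrets.yml in shared path'
  task :configure do
    set :secrets_file_path, "#{fetch(:shared_path)}/config/secrets.yml"
    invoke 'secrets:set_permissions_pre_update'
    invoke 'secrets:set_secrets_file'
    invoke 'secrets:replace_token'
    invoke 'secrets:set_permissions_post_update'
  end

  desc 'Update Application secret in file secrets.yml'
  task :update_app_secret do
    set :secrets_file_path, "#{fetch(:shared_path)}/config/secrets.yml"
    invoke 'secrets:set_permissions_pre_update'
    invoke 'secrets:replace_token'
    invoke 'secrets:set_permissions_post_update'
  end

  # desc 'Set (create or replace) secrets.yml in the shared path'
  # Fills the <<APP_*>> placeholders. Starts from the bundled example on the first run,
  # otherwise from the file already deployed. The target must be writable by the deploy
  # user, which set_permissions_pre_update guarantees.
  task :set_secrets_file do
    on roles(:app), in: :sequence do
      debug '#' * 50
      debug 'Create and configure secrets.yml file'
      secrets_file_path = fetch(:secrets_file_path).to_s
      set :secrets_original_file_path, File.expand_path('../recipes/config/secrets_example.yml', __dir__)

      content = if remote_file_exists?(secrets_file_path)
                  capture(:cat, secrets_file_path, strip: false)
                else
                  File.read(fetch(:secrets_original_file_path).to_s)
                end

      placeholders = {
        '<<APP_NAME>>' => fetch(:app_name),
        '<<APP_DOMAIN>>' => fetch(:app_domain),
        '<<APP_NAME_URI>>' => fetch(:app_name_uri),
        '<<APP_FULL_URL>>' => fetch(:app_full_url)
      }
      # Block form of gsub so a "\1"-style sequence in a value is inserted literally
      # rather than interpreted as a backreference.
      filled = placeholders.reduce(content) { |text, (tag, value)| text.gsub(tag) { value.to_s } }
      upload! StringIO.new(filled), secrets_file_path
      debug '#' * 50
    end
  end

  # desc 'Replace the secure secret key in your secrets.yml'
  # Rewrites every `secret_key_base:` line with the value of :secrets_key_base. Fails the
  # run when the file is missing or contains no such line.
  task :replace_token do
    on roles(:app), in: :sequence do
      debug '#' * 50
      # Unanchored, like the original sed pattern: text before the key (YAML indentation)
      # is preserved, everything from the key to the end of the line is replaced.
      pattern = /secret_key_base:.*/
      secrets_file_path = fetch(:secrets_file_path).to_s

      unless remote_file_exists?(secrets_file_path)
        error "file #{secrets_file_path} not found"
        exit 1
      end

      content = capture(:cat, secrets_file_path, strip: false)
      if content.scan(pattern).empty?
        error "no secret token found in #{secrets_file_path}"
        exit 1
      end

      # YAML single-quoted scalar: the only escape required is doubling an embedded quote.
      new_secret = "secret_key_base: '#{fetch(:secrets_key_base).to_s.gsub("'", "''")}'"
      # The new value is deliberately not logged and never placed on a command line.
      upload! StringIO.new(content.gsub(pattern) { new_secret }), secrets_file_path
      debug 'Secret token successfully replaced'
      debug '#' * 50
    end
  end

  # desc 'Make secrets.yml writable by the deploy user before changing the file'
  task :set_permissions_pre_update do
    on roles(:app) do
      secrets_file_path = fetch(:secrets_file_path)
      sudo_handler = { /#{Regexp.escape(sudo_prompt)}/ => "#{fetch(:password)}\n" }
      debug '#' * 50
      # Hand the file to the deploy user for the duration of the update instead of
      # `chmod 777`: the secrets file must never be world-readable or world-writable,
      # even briefly. `$(id -un)` is expanded by the remote login shell before sudo runs,
      # so it names the deploy user, not root. `-f` / `|| true` keep the first run (no
      # file yet) from failing.
      [
        "chown -f \"$(id -un)\" #{secrets_file_path} || true",
        "chmod -f 640 #{secrets_file_path} || true"
      ].each do |command|
        debug command
        execute "sudo -S -p '#{sudo_prompt}' #{command}", interaction_handler: sudo_handler
      end
      debug '#' * 50
    end
  end

  # desc 'Restore secrets.yml ownership and permissions after changing the file'
  task :set_permissions_post_update do
    on roles(:app) do
      secrets_file_path = fetch(:secrets_file_path)
      sudo_handler = { /#{Regexp.escape(sudo_prompt)}/ => "#{fetch(:password)}\n" }
      debug '#' * 50
      # Restore secrets.yml user and group owners. `user:group` is the portable chown
      # form; the `user.group` spelling is a deprecated GNU extension.
      chown_command = "chown nobody:#{fetch(:app_group_owner)} #{secrets_file_path}"
      debug chown_command
      execute "sudo -S -p '#{sudo_prompt}' #{chown_command}", interaction_handler: sudo_handler
      # Read-only for owner and group, nothing for others.
      chmod_command = "chmod 440 #{secrets_file_path}"
      debug chmod_command
      execute "sudo -S -p '#{sudo_prompt}' #{chmod_command}", interaction_handler: sudo_handler
      debug '#' * 50
    end
  end
end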