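#!/usr/bin/env bash
#
# Generates NATS operator + account keys and writes nats.conf, backend.creds,
# and .env for the shared local-dev NATS instance.
#
# Uses the nats-box Docker image so it works on any OS (Mac, Ubuntu, etc.)
# without requiring local nsc/nk installation.
#
# Run once before `make deps-up`.
#
# Outputs (all under docker-local/ unless noted):
#   nats.conf                    server config: operator JWT + preloaded account JWTs
#   backend.creds                creds for the "backend" user (0644, see comment below)
#   .env                         AUTH_SCOPED_SIGNING_KEY seed + NATS settings (0600)
#   ../chat-frontend/.env.local  VITE_PORTAL_URL; created only if missing
#
# Requires: docker on PATH. Everything else runs inside the nats-box container.
#
set -euo pipefail

SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
REPO_ROOT="$(cd "$SCRIPT_DIR/.." && pwd)"
ENV_FILE="$SCRIPT_DIR/.env"
NATS_CONF="$SCRIPT_DIR/nats.conf"
BACKEND_CREDS="$SCRIPT_DIR/backend.creds"
FRONTEND_ENV_FILE="$REPO_ROOT/chat-frontend/.env.local"
NATS_BOX_IMAGE="natsio/nats-box:latest"
readonly SCRIPT_DIR REPO_ROOT ENV_FILE NATS_CONF BACKEND_CREDS FRONTEND_ENV_FILE NATS_BOX_IMAGE

# Shape of an account (or account signing) public key as scraped from nsc:
# the same "A" + 55 base32 chars the container-side grep below relies on.
# Used to fail fast before an empty/garbled key is written into nats.conf.
readonly NKEY_ACCOUNT_RE='^A[A-Z0-9]{55}$'

# Print an error to stderr and exit non-zero.
die() { printf 'ERROR: %s\n' "$*" >&2; exit 1; }

echo "=== docker-local — Shared NATS Setup ==="
echo ""

command -v docker >/dev/null 2>&1 || die "docker not found. Install Docker first."

echo "Generating NATS operator + account keys via nats-box..."
echo ""

# Scratch dir shared with the container. Called WORK_DIR rather than TMPDIR so
# we do not silently redirect every later tool that honours $TMPDIR into it.
# mktemp -d creates it 0700, which matters: the signing-key seed lands here.
WORK_DIR=$(mktemp -d) || die "mktemp failed"
readonly WORK_DIR
trap 'rm -rf -- "${WORK_DIR:?}"' EXIT

docker run --rm \
  -v "$WORK_DIR:/output" \
  "$NATS_BOX_IMAGE" \
  sh -c '
set -e

# Run one nsc command with its output indented for readability. The output is
# logged first and indented afterwards so the nsc exit status still reaches
# set -e; a direct "nsc ... | sed" would only report the status of sed and a
# failed nsc step would go unnoticed.
step() {
  "$@" > /output/step.log 2>&1 || { cat /output/step.log; exit 1; }
  sed "s/^/ /" /output/step.log
}

# Public key of an account, taken from the "Account ID" row of nsc describe.
account_pub() {
  nsc describe account "$1" 2>/dev/null | grep "Account ID" | awk -F"|" "{gsub(/[ \t]/, \"\", \$3); print \$3}"
}

step nsc add operator --name localdev --sys
nsc env -o localdev >/dev/null 2>&1
step nsc add account --name chatapp
step nsc edit account chatapp --js-mem-storage 512M --js-disk-storage 5G --js-streams 10

# Scoped signing key that auth-service uses to sign user JWTs. The role
# template mirrors the grants auth-service used to inline per JWT, keyed
# off the account:<account> tag every user JWT now carries.
nsc edit signing-key --account chatapp --sk generate --role scoped_user \
  --allow-sub "chat.user.{{tag(account)}}.>" \
  --allow-sub "chat.room.>" \
  --allow-sub "_INBOX.>" \
  --allow-sub "chat.user.presence.state.*" \
  --allow-pub "chat.user.{{tag(account)}}.>" \
  --allow-pub "_INBOX.>" \
  --allow-pub "chat.user.presence.*.query.batch" \
  --allow-pub-response \
  > /output/sk_edit.log 2>&1

AUTH_SK_PUB=$(grep -Eo "A[A-Z0-9]{55}" /output/sk_edit.log | head -1)
if [ -z "$AUTH_SK_PUB" ]; then
  echo "ERROR: failed to extract auth-service signing key pubkey" >&2
  cat /output/sk_edit.log
  exit 1
fi

nsc describe operator --raw > /output/operator.jwt
nsc describe account chatapp --raw > /output/account.jwt
nsc describe account SYS --raw > /output/sys.jwt
account_pub chatapp > /output/account_pub.txt
account_pub SYS > /output/sys_pub.txt

# The seed for the generated signing key lives in the nsc key store; the
# store location differs between nats-box versions, so try both.
AUTH_SK_SEED_FILE=$(find /root/.local/share/nats/nsc/keys -name "${AUTH_SK_PUB}.nk" 2>/dev/null | head -1)
if [ -z "$AUTH_SK_SEED_FILE" ]; then
  AUTH_SK_SEED_FILE=$(find /nsc -name "${AUTH_SK_PUB}.nk" 2>/dev/null | head -1)
fi
if [ -z "$AUTH_SK_SEED_FILE" ]; then
  echo "ERROR: Could not find seed for signing key ${AUTH_SK_PUB}" >&2
  exit 1
fi
cat "$AUTH_SK_SEED_FILE" > /output/auth_sk_seed.txt

nsc add user --account chatapp --name backend
nsc edit user --account chatapp --name backend --allow-sub ">" --allow-pub ">"
nsc generate creds --account chatapp --name backend > /output/backend.creds
'

cp -- "$WORK_DIR/backend.creds" "$BACKEND_CREDS"
# 0644, not 0600: service containers run as non-root (uid 10001) and
# bind-mount this file read-only at /etc/nats/backend.creds, so the
# in-container user must be able to read it. Acceptable only because
# this is a throwaway local-dev credential generated by this script.
chmod 644 "$BACKEND_CREDS"

OPERATOR_JWT=$(<"$WORK_DIR/operator.jwt")
ACCOUNT_JWT=$(<"$WORK_DIR/account.jwt")
SYS_JWT=$(<"$WORK_DIR/sys.jwt")
ACCOUNT_PUB_KEY=$(<"$WORK_DIR/account_pub.txt")
SYS_PUB_KEY=$(<"$WORK_DIR/sys_pub.txt")
AUTH_SK_SEED=$(<"$WORK_DIR/auth_sk_seed.txt")

# Validate everything scraped from nsc before writing any config: an empty
# key would otherwise become a dangling resolver_preload entry in nats.conf
# and an empty seed an unusable .env. The seed value itself is never echoed.
[[ "$ACCOUNT_PUB_KEY" =~ $NKEY_ACCOUNT_RE ]] || die "unexpected chatapp account public key: '$ACCOUNT_PUB_KEY'"
[[ "$SYS_PUB_KEY" =~ $NKEY_ACCOUNT_RE ]] || die "unexpected SYS account public key: '$SYS_PUB_KEY'"
[[ -n "$OPERATOR_JWT" && -n "$ACCOUNT_JWT" && -n "$SYS_JWT" ]] || die "empty JWT in nsc output"
[[ -n "$AUTH_SK_SEED" ]] || die "empty signing-key seed in nsc output"

echo ""
echo " Operator JWT: ${OPERATOR_JWT:0:50}..."
echo " Account Public Key: $ACCOUNT_PUB_KEY"
echo " Auth SK Seed: <hidden — written to $ENV_FILE>"
echo " SYS Public Key: $SYS_PUB_KEY"
echo " Backend creds: $BACKEND_CREDS"
echo ""

# Recreate .env under umask 077 so the seed is never on disk with permissive
# bits — a plain "cat > file; chmod 600" leaves a window (and inherits the
# mode of a pre-existing file) during which the seed is world-readable.
rm -f -- "$ENV_FILE"
(
  umask 077
  cat > "$ENV_FILE" <<EOF
# Generated by docker-local/setup.sh — do not commit this file.
# Regenerate with: ./docker-local/setup.sh

# Auth-service signs user JWTs with the chatapp account's scoped signing key.
# The scope template supplies per-user permissions; auth-service stamps the
# account tag on each JWT so {{tag(account)}} resolves to the right subjects.
# All other microservices authenticate with backend.creds via NATS_CREDS_FILE.
AUTH_SCOPED_SIGNING_KEY=${AUTH_SK_SEED}

# Shared NATS endpoint inside the chat-local docker network.
NATS_URL=nats://nats:4222
NATS_CREDS_FILE=/etc/nats/backend.creds

# Bypass OIDC in auth-service; flip to false to test the OIDC flow.
DEV_MODE=true
EOF
)

# chat-frontend/.env.local feeds `npm run dev` (Vite). Created on first run,
# left editable afterwards (e.g. point at staging) — new vars are appended.
if [[ ! -f "$FRONTEND_ENV_FILE" ]]; then
  cat > "$FRONTEND_ENV_FILE" <<EOF
VITE_PORTAL_URL=http://localhost:8081
EOF
elif ! grep -q '^VITE_PORTAL_URL=' "$FRONTEND_ENV_FILE"; then
  printf '\nVITE_PORTAL_URL=http://localhost:8081\n' >> "$FRONTEND_ENV_FILE"
fi

# Server config. JWTs are signed public documents, so default file mode is
# fine here; the secret material is only in .env (0600) and the key store.
cat > "$NATS_CONF" <<EOF
# Generated by docker-local/setup.sh — do not commit this file.
# Regenerate with: ./docker-local/setup.sh

port: 4222
http_port: 8222

operator: ${OPERATOR_JWT}

resolver: MEMORY
resolver_preload {
  ${ACCOUNT_PUB_KEY}: ${ACCOUNT_JWT}
  ${SYS_PUB_KEY}: ${SYS_JWT}
}

jetstream {
  store_dir: /data/jetstream
  max_mem: 1G
  max_file: 10G
}

websocket {
  port: 9222
  no_tls: true
}
EOF

echo "Wrote $NATS_CONF"
echo "Wrote $BACKEND_CREDS"
echo "Wrote $ENV_FILE"
echo "Wrote $FRONTEND_ENV_FILE (preserved if it already existed)"
echo ""
echo "=== Ready! ==="
echo ""
echo " # Start all third-party deps (NATS, Mongo, Cassandra, ES, Keycloak)"
echo " make deps-up"
echo ""
echo " # Start every microservice (foreground, streams logs)"
echo " make up"
echo ""
echo " ──────────────────────────────────────"
echo " NATS: nats://localhost:4222"
echo " NATS Monitoring: http://localhost:8222"
echo " NATS WebSocket: ws://localhost:9222"
echo " ──────────────────────────────────────"
echo ""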