feat: add secure env generation script and make target (#33)

2026-04-25 17:15:02 +02:00 · 2026-03-02 22:26:49 -03:00
parent add44821e8
commit 4de819e288
2 changed files with 60 additions and 0 deletions
--- a/3
+++ b/3
@@ -1,6 +1,9 @@
 .PHONY: dev stop api etl frontend lint type-check test test-api test-etl test-frontend test-integration-api test-integration-etl test-integration check seed clean download-cnpj download-tse download-transparencia download-sanctions download-all etl-cnpj etl-cnpj-stream etl-tse etl-transparencia etl-sanctions etl-all link-persons bootstrap-demo bootstrap-full bootstrap-all bootstrap-all-noninteractive bootstrap-all-report check-public-claims check-source-urls check-pipeline-contracts check-pipeline-inputs generate-pipeline-status generate-source-summary generate-reference-metrics

 # ── Development ─────────────────────────────────────────
+setup-env:
+	bash scripts/init_env.sh
+
 dev:
 	docker compose up -d

--- a/scripts/init_env.sh
+++ b/scripts/init_env.sh
@@ -0,0 +1,57 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+# Directories relative to the script location
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+# Go up one level from scripts/ to get the root
+ROOT_DIR="$(dirname "$SCRIPT_DIR")"
+ENV_EXAMPLE="$ROOT_DIR/.env.example"
+ENV_FILE="$ROOT_DIR/.env"
+
+# Check for required dependencies
+if ! command -v openssl &> /dev/null; then
+    echo "Error: 'openssl' is required but not installed."
+    exit 1
+fi
+
+if [ -f "$ENV_FILE" ]; then
+    echo "⚠️  $ENV_FILE already exists."
+    # Use /dev/tty to ensure input comes from user even inside make
+    read -p "Do you want to overwrite it? (y/N) " -n 1 -r < /dev/tty
+    echo
+    if [[ ! $REPLY =~ ^[Yy]$ ]]; then
+        echo "Aborted."
+        exit 1
+    fi
+fi
+
+echo "Generating secure secrets..."
+# Generate secure hex secrets
+# JWT: 32 bytes (64 hex chars) - Meets the >= 32 chars requirement
+JWT_SECRET=$(openssl rand -hex 32)
+# Neo4j: 32 bytes (64 hex chars) - Strong database password
+NEO4J_PASS=$(openssl rand -hex 32)
+
+echo "Creating .env from .env.example..."
+
+# Use sed to replace placeholders
+# We use | as a delimiter to avoid conflicts
+# We need to escape the values just in case, though hex shouldn't have special chars
+# Since we are generating hex, basic sed substitution is safe
+
+# Create temp file first to avoid partial writes
+TEMP_ENV=$(mktemp)
+
+# Read .env.example and perform replacements
+sed -e "s|JWT_SECRET_KEY=change-me-generate-with-openssl-rand-hex-32|JWT_SECRET_KEY=${JWT_SECRET}|g" \
+    -e "s|NEO4J_PASSWORD=changeme|NEO4J_PASSWORD=${NEO4J_PASS}|g" \
+    "$ENV_EXAMPLE" > "$TEMP_ENV"
+
+mv "$TEMP_ENV" "$ENV_FILE"
+
+# Restrict permissions (read/write for owner only)
+chmod 600 "$ENV_FILE"
+
+echo "✅ .env created successfully with secure secrets."
+echo "   JWT_SECRET_KEY:  [GENERATED] (64 chars)"
+echo "   NEO4J_PASSWORD:  [GENERATED] (64 chars)"