KI-AGENT: Selfhosting für Secrets, Compose und Migrationen vorbereiten

2026-05-18 18:06:03 +02:00
parent 571c24f250
commit 8824b1c9c8
6 changed files with 322 additions and 15 deletions
--- a/backend/Dockerfile
+++ b/backend/Dockerfile
@@ -24,5 +24,5 @@ RUN npm run build
 # Port freigeben
 EXPOSE 3100

-# Start der App
-CMD ["node", "dist/src/index.js"]
+# Migrationen ausführen und App starten
+CMD ["sh", "./docker-entrypoint.sh"]
--- a/backend/docker-entrypoint.sh
+++ b/backend/docker-entrypoint.sh
@@ -0,0 +1,7 @@
+set -e
+
+if [ "${FEDEO_RUN_MIGRATIONS:-true}" = "true" ]; then
+  npm run migrate
+fi
+
+exec node dist/src/index.js
--- a/backend/src/utils/secrets.ts
+++ b/backend/src/utils/secrets.ts
@@ -44,7 +44,75 @@ export let secrets = {
    MATRIX_SERVICE_USER_LOCALPART?: string
 }

+const secretKeys = [
+    "COOKIE_SECRET",
+    "JWT_SECRET",
+    "PORT",
+    "HOST",
+    "DATABASE_URL",
+    "S3_BUCKET",
+    "ENCRYPTION_KEY",
+    "MAILER_SMTP_HOST",
+    "MAILER_SMTP_PORT",
+    "MAILER_SMTP_SSL",
+    "MAILER_SMTP_USER",
+    "MAILER_SMTP_PASS",
+    "MAILER_FROM",
+    "S3_ENDPOINT",
+    "S3_REGION",
+    "S3_ACCESS_KEY",
+    "S3_SECRET_KEY",
+    "M2M_API_KEY",
+    "API_BASE_URL",
+    "GOCARDLESS_BASE_URL",
+    "GOCARDLESS_SECRET_ID",
+    "GOCARDLESS_SECRET_KEY",
+    "DOKUBOX_IMAP_HOST",
+    "DOKUBOX_IMAP_PORT",
+    "DOKUBOX_IMAP_SECURE",
+    "DOKUBOX_IMAP_USER",
+    "DOKUBOX_IMAP_PASSWORD",
+    "OPENAI_API_KEY",
+    "STIRLING_API_KEY",
+    "MATRIX_HOMESERVER_URL",
+    "MATRIX_SERVER_NAME",
+    "MATRIX_REGISTRATION_SHARED_SECRET",
+    "MATRIX_SERVICE_USER_LOCALPART",
+] as const
+
+const numberKeys = new Set(["PORT", "MAILER_SMTP_PORT", "DOKUBOX_IMAP_PORT"])
+const booleanKeys = new Set(["DOKUBOX_IMAP_SECURE"])
+
+function normalizeEnvValue(key: string, value: string) {
+    if (numberKeys.has(key)) return Number(value)
+    if (booleanKeys.has(key)) return value === "true"
+    return value
+}
+
+function loadSecretsFromEnv() {
+    let loaded = 0
+
+    secretKeys.forEach((key) => {
+        const value = process.env[key]
+        if (value === undefined || value === "") return
+
+        ;(secrets as Record<string, any>)[key] = normalizeEnvValue(key, value)
+        loaded++
+    })
+
+    if (!secrets.HOST) secrets.HOST = "0.0.0.0"
+    if (!secrets.PORT) secrets.PORT = 3100
+
+    return loaded
+}
+
 export async function loadSecrets () {
+    const envSecretCount = loadSecretsFromEnv()
+
+    if (!process.env.INFISICAL_CLIENT_ID || !process.env.INFISICAL_CLIENT_SECRET) {
+        console.log(`✅ Secrets aus Umgebungsvariablen geladen (${envSecretCount} Stück)`)
+        return
+    }

    await client.auth().universalAuth.login({
        clientId: process.env.INFISICAL_CLIENT_ID,
@@ -57,8 +125,9 @@ export async function loadSecrets () {
    });

    allSecrets.secrets.forEach(secret => {
-        secrets[secret.secretKey] = secret.secretValue
+        ;(secrets as Record<string, any>)[secret.secretKey] = normalizeEnvValue(secret.secretKey, secret.secretValue)
    })
-    console.log("✅ Secrets aus Infisical geladen");
+    loadSecretsFromEnv()
+    console.log("✅ Secrets aus Infisical und Umgebungsvariablen geladen");
    console.log(Object.keys(secrets).length + " Stück")
 }