Separate podman init and apply script

Signed-off-by: eternal-flame-AD <yume@yumechi.jp>
2025-02-23 16:08:23 -06:00 · 2025-02-23 16:08:23 -06:00 · 9c3a62f82a
commit 9c3a62f82a
parent f4039d3671
3 changed files with 35 additions and 30 deletions
--- a/.config/podman_apply_example.sh
+++ b/.config/podman_apply_example.sh
@ -0,0 +1,32 @@
+
+#!/bin/bash
+
+set -e
+
+vault lease revoke -sync -prefix misskey-db/creds/misskey-test0-runtime
+
+CREDS_JSON=$(vault read -format json misskey-db/creds/misskey-test0-runtime)
+
+if [ "$?" -ne 0 ]; then
+    echo "Failed to get credentials"
+    exit 1
+fi
+
+export POSTGRES_USER=$(echo "$CREDS_JSON" | jq -r '.data.username')
+export POSTGRES_PASSWORD=$(echo "$CREDS_JSON" | jq -r '.data.password')
+export POSTGRES_HOST=misskey-db
+export POSTGRES_PORT=5432
+export POSTGRES_DB=misskey
+export POSTGRES_URL="postgres://${POSTGRES_USER}:${POSTGRES_PASSWORD}@${POSTGRES_HOST}:${POSTGRES_PORT}/${POSTGRES_DB}"
+
+podman run --pod misskey-web -d \
+    --replace \
+    --network misskey \
+    --env "POSTGRES_*" \
+    --volume ../var/files:/misskey/files:U \
+    --volume .config/:/misskey/.config:ro \
+    --volume ../run/misskey-podman:/run/misskey:U \
+    --name misskey-web \
+    --restart always \
+    misskey-podman
+
--- a/.gitignore
+++ b/.gitignore
@ -36,6 +36,7 @@ coverage
 !/.config/docker_example.yml
 !/.config/docker_example.env
 !/.config/cypress-devcontainer.yml
+!/.config/podman_apply_example.sh
 docker-compose.yml
 ./compose.yml
 .devcontainer/compose.yml
--- a/yume-mods/podman_init.sh
+++ b/yume-mods/podman_init.sh
@ -71,7 +71,8 @@ vault write misskey-db/roles/misskey-test0-runtime \
    db_name=test0 \
    default_ttl=30d \
    max_ttl=365d \
-    creation_statements="CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}'; GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA public TO \"{{name}}\";"
+    creation_statements="CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}'; GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA public TO \"{{name}}\";" \
+    revocation_statements="REVOKE ALL PRIVILEGES ON ALL TABLES IN SCHEMA public FROM \"{{name}}\"; REASSIGN OWNED BY \"{{name}}\" TO misskey; DROP OWNED BY \"{{name}}\"; DROP ROLE \"{{name}}\";"

 mkdir -p ../var/redis

@ -116,32 +117,3 @@ podman run --pod misskey-web -d \
    --volume ../var/nyuukyou:/store \
    --restart always \
    misskey-podman
-
-vault lease revoke -prefix misskey-db/creds/misskey-test0-runtime
-
-CREDS_JSON=$(vault read -format json misskey-db/creds/misskey-test0-runtime)
-
-if [ "$?" -ne 0 ]; then
-    echo "Failed to get credentials"
-    exit 1
-fi
-
-POSTGRES_USER=$(echo "$CREDS_JSON" | jq -r '.data.username')
-POSTGRES_PASSWORD=$(echo "$CREDS_JSON" | jq -r '.data.password')
-POSTGRES_HOST=misskey-db
-POSTGRES_PORT=5432
-POSTGRES_DB=misskey
-POSTGRES_URL="postgres://${POSTGRES_USER}:${POSTGRES_PASSWORD}@${POSTGRES_HOST}:${POSTGRES_PORT}/${POSTGRES_DB}"
-
-podman run --pod misskey-web -d \
-    --replace \
-    --security-opt no-new-privileges \
-    --network misskey \
-    --env "POSTGRES_*" \
-    --volume ../var/files:/misskey/files:rw \
-    --volume .config/:/misskey/.config:ro \
-    --volume ../run/misskey-podman:/run/misskey:rw \
-    --name misskey-web \
-    --restart always \
-    misskey-podman
-