Files
alembic/entrypoint.sh
andrew b135f11557 Security hardening and first-run/portability improvements
Security (P0):
- Remove committed session-secret default; auto-generate and persist a
  random secret to the config volume when SESSION_SECRET is unset
  (prevents forgeable session cookies / auth bypass).
- Validate playlist names to a safe charset and render sldl configs via
  literal Python substitution instead of sed (closes a command-injection
  and path-traversal path through playlist names).
- shlex-quote credential values written to shell-sourced env files, and
  strip newlines from values patched into .conf files.
- Render playlist .conf files 0600; warn at startup if the master key is
  co-located with the config volume; document keeping it separate.

Portability:
- Configurable timezone via TZ (default UTC) instead of hardcoded Edmonton.
- Remove personal defaults (navidrome user "andrew", ephemeral.club URLs).
- Ship generic example seeds; move the cross-album dedup keep-list and the
  legacy playlist import to editable config files; drop the personal
  _upgrade.csv.
- Generic VPN reference in docker-compose.snippet.yml.

First-run experience:
- Redirect to /setup instead of 500 when OIDC is unconfigured; surface a
  missing master key inline; entrypoint exits with an actionable message
  when the config folder is not writable.
- Add unauthenticated /health (JSON) and /setup (checklist) diagnostics.

Docs:
- Write docs/ARCHITECTURE.md and docs/MIGRATION.md (previously referenced
  but missing); expand README with ownership, backups, advanced settings,
  and migration guidance.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-07-09 14:25:55 -06:00

41 lines
1.9 KiB
Bash

#!/bin/bash
# entrypoint.sh — seed first-run instance state into the config volume, then
# start the app. The image itself is code-only and stateless/rebuildable;
# everything mutable lives under $ALEMBIC_CONFIG_DIR (see docs/ARCHITECTURE.md).
set -euo pipefail
ALEMBIC_CONFIG_DIR="${ALEMBIC_CONFIG_DIR:-/config}"
PIPELINE_DIR="${PIPELINE_DIR:-/app/pipeline}"
# The container runs as uid 1000. If the mounted config folder is owned by
# root on the host (the usual result of `mkdir` as your normal user), the
# first write fails and the container would otherwise exit with a bare
# "Permission denied". Catch that here and say exactly how to fix it.
if ! mkdir -p \
"$ALEMBIC_CONFIG_DIR/beets/data" \
"$ALEMBIC_CONFIG_DIR/pipeline" \
"$ALEMBIC_CONFIG_DIR/logs" 2>/dev/null; then
echo "[entrypoint] ERROR: cannot write to $ALEMBIC_CONFIG_DIR" >&2
echo "[entrypoint] The container runs as uid 1000 but that folder is not writable by it." >&2
echo "[entrypoint] On the host, run: chown -R 1000:1000 <the folder mounted at /config>" >&2
exit 1
fi
seed_if_absent() {
local src="$1" dst="$2"
if [[ ! -f "$dst" ]]; then
cp "$src" "$dst"
echo "[entrypoint] seeded $dst from $(basename "$src")"
fi
}
seed_if_absent "$PIPELINE_DIR/beets/config.yaml.example" "$ALEMBIC_CONFIG_DIR/beets/config.yaml"
seed_if_absent "$PIPELINE_DIR/configs/artist-canonical.list.example" "$ALEMBIC_CONFIG_DIR/pipeline/artist-canonical.list"
seed_if_absent "$PIPELINE_DIR/configs/djmix-albums.txt.example" "$ALEMBIC_CONFIG_DIR/pipeline/djmix-albums.txt"
seed_if_absent "$PIPELINE_DIR/configs/genres-whitelist.txt.example" "$ALEMBIC_CONFIG_DIR/pipeline/genres-whitelist.txt"
seed_if_absent "$PIPELINE_DIR/configs/cross-album-keep.list.example" "$ALEMBIC_CONFIG_DIR/pipeline/cross-album-keep.list"
export BEETSDIR="$ALEMBIC_CONFIG_DIR/beets"
exec uvicorn app.main:app --host 0.0.0.0 --port "${ALEMBIC_PORT:-8420}"