aaronrene/knowtation — blame/sha256:6/push-secrets.sh

1 files

1 commits

0 hotspots

0 🧊 dead

0 💥 blast risk

sha256:9 feat(calendar): hosted bridge/gateway route parity and timeline noteRec… · aaronrene · Jun 19, 2026

1	#!/usr/bin/env bash
2	######################################################################
3	# push-secrets.sh
4	#
5	# Interactive prompt for each Paperclip secret. Pushes to AWS SSM
6	# Parameter Store at /knowtation/paperclip/<NAME>. The Paperclip
7	# systemd service auto-rereads from SSM every 60 seconds.
8	#
9	# Run AS the paperclip user (or root) on the AWS box:
10	# sudo -u paperclip /opt/paperclip/scripts/push-secrets.sh
11	#
12	# What this asks for:
13	# - DEEPINFRA_API_KEY (required)
14	# - GEMINI_API_KEY (required for Gemini CLI adapter)
15	# - HEYGEN_API_KEY (required for video render)
16	# - HEYGEN_AVATAR_ID (required: your Custom Digital Twin)
17	# - HEYGEN_VOICE_ID (required: ElevenLabs-paired voice in HeyGen)
18	# - ELEVENLABS_API_KEY (required for audio + voice clone)
19	# - ELEVENLABS_VOICE_ID (required: your Pro Voice Clone)
20	# - DESCRIPT_API_KEY (required for auto-edit)
21	# - DESCRIPT_BORNFREE_PROJECT_ID (required)
22	# - DESCRIPT_STOREFREE_PROJECT_ID (required)
23	# - DESCRIPT_KNOWTATION_PROJECT_ID (required)
24	# - KNOWTATION_HUB_URL (required: your hosted Hub URL)
25	# - KNOWTATION_HUB_JWT (required: short-lived; rotate every 24h)
26	# - KNOWTATION_VAULT_ID (default 'default')
27	#
28	# Idempotent: re-running this script overwrites previous values.
29	# Skipping (empty input) leaves previous value untouched.
30	######################################################################
31
32	set -euo pipefail
33
34	NAMESPACE="/knowtation/paperclip"
35	REGION=$(curl -fsSL -H "X-aws-ec2-metadata-token: $(curl -fsSL -X PUT 'http://169.254.169.254/latest/api/token' -H 'X-aws-ec2-metadata-token-ttl-seconds: 60')" 'http://169.254.169.254/latest/meta-data/placement/region' 2>/dev/null \|\| echo 'us-west-2')
36
37	echo "===================================================================="
38	echo " Paperclip secrets push to AWS SSM ($NAMESPACE) in region $REGION"
39	echo "===================================================================="
40	echo ""
41	echo " - Each prompt accepts your secret OR a blank line (skip = keep current)."
42	echo " - Values stored as SecureString (encrypted at rest with the default KMS key)."
43	echo " - Paperclip re-reads SSM every 60 seconds. No restart needed."
44	echo ""
45
46	REQUIRED=(
47	"DEEPINFRA_API_KEY\|DeepInfra API key (https://deepinfra.com/dash/api_keys)"
48	"GEMINI_API_KEY\|Google AI Studio API key for Gemini CLI adapter (https://aistudio.google.com/app/apikey)"
49	"HEYGEN_API_KEY\|HeyGen API key (Settings → API)"
50	"HEYGEN_AVATAR_ID\|HeyGen Avatar ID (your Custom Digital Twin)"
51	"HEYGEN_VOICE_ID\|HeyGen Voice ID (your ElevenLabs-paired voice)"
52	"ELEVENLABS_API_KEY\|ElevenLabs API key (Profile → API Keys)"
53	"ELEVENLABS_VOICE_ID\|ElevenLabs Voice ID (your Pro Voice Clone)"
54	"DESCRIPT_API_KEY\|Descript API key (Account → API & Integrations)"
55	"DESCRIPT_BORNFREE_PROJECT_ID\|Descript bornfree-factory Project ID"
56	"DESCRIPT_STOREFREE_PROJECT_ID\|Descript storefree-factory Project ID"
57	"DESCRIPT_KNOWTATION_PROJECT_ID\|Descript knowtation-factory Project ID"
58	"KNOWTATION_HUB_URL\|Knowtation Hub URL (https://hub.knowtation.dev or custom)"
59	"KNOWTATION_HUB_JWT\|Knowtation Hub JWT (Settings → Integrations → Hub API; rotates every 24h)"
60	"KNOWTATION_VAULT_ID\|Vault ID (default: 'default')"
61	)
62
63	for entry in "${REQUIRED[@]}"; do
64	NAME="${entry%%\|*}"
65	PROMPT="${entry#*\|}"
66
67	read -rsp " $NAME ($PROMPT): " VALUE
68	echo ""
69
70	if [[ -z "$VALUE" ]]; then
71	echo " skipped (kept current SSM value if any)"
72	continue
73	fi
74
75	TYPE="SecureString"
76	# KNOWTATION_VAULT_ID and KNOWTATION_HUB_URL are not secret; mark as String for visibility.
77	if [[ "$NAME" == "KNOWTATION_VAULT_ID" \|\| "$NAME" == "KNOWTATION_HUB_URL" ]]; then
78	TYPE="String"
79	fi
80
81	aws ssm put-parameter \
82	--region "$REGION" \
83	--name "$NAMESPACE/$NAME" \
84	--value "$VALUE" \
85	--type "$TYPE" \
86	--overwrite \
87	--output text > /dev/null
88
89	echo " pushed to $NAMESPACE/$NAME"
90	done
91
92	echo ""
93	echo "===================================================================="
94	echo " All secrets pushed. Triggering immediate sync to /etc/paperclip/env"
95	echo "===================================================================="
96
97	if systemctl is-active --quiet paperclip-secrets-sync.service 2>/dev/null; then
98	sudo systemctl start paperclip-secrets-sync.service
99	fi
100
101	echo " Done. Verify with:"
102	echo " sudo cat /etc/paperclip/env \| grep -v '_KEY\\\|_JWT' \| head"
103	echo " sudo systemctl status paperclip.service"

push-secrets.sh file-level

`push-secrets.sh` file-level