#!/usr/bin/env bash
# =============================================================================
# setup_vault.sh
# -----------------------------------------------------------------------------
# One-time vault environment setup for macOS.
# vault.py is NOT copied or moved - it stays in VAULT_DIR.
#
# What it does:
#   0. Silently removes any existing vault env vars (ID, ID_ENC, VPATH, VAULT_DIR)
#   1. Detects VAULT_DIR from script location (parent of scripts/ folder)
#   2. Sets VAULT_DIR as persistent shell env var
#   3. Sets VPATH    as persistent shell env var
#   4. Generates VAULT_KEY (Fernet key) - you add this to each project .env;
#      it is the secret that unlocks ID_ENC, so keep it out of the shell rc
#      file and out of version control
#   5. Encrypts the master password -> ID_ENC shell env var
#
# Shell env vars set (in ~/.zshrc or ~/.bash_profile):
#   VAULT_DIR = folder containing vault.py
#   VPATH     = full path to vault.enc
#   ID_ENC    = master password, Fernet-encrypted under VAULT_KEY
#               (anyone holding both ID_ENC and VAULT_KEY can recover it)
#
# Each project .env file must contain:
#   VAULT_KEY = <printed by this script - copy it in>
#   VPATH     = <same as above>
#   VAULT_DIR = <same as above>
#
# Usage:
#   chmod +x setup_vault.sh   # first time only
#   ./setup_vault.sh
#
# Requirements:
#   - Python 3 with cryptography package
#   - macOS 10.14+, no sudo required
# =============================================================================

set -euo pipefail

echo ""
echo "============================================"
echo "  Vault - Environment Setup (macOS)"
echo "============================================"
echo ""

# -- Detect shell config file -------------------------------------------------
# The login shell ($SHELL) decides where the persistent exports go:
#   bash          -> ~/.bash_profile
#   anything else -> ~/.zshrc   (zsh is the macOS default)
# NOTE(review): a third shell (fish, sh, ...) silently lands in ~/.zshrc.
SHELL_NAME="$(basename "${SHELL:-/bin/zsh}")"
case "$SHELL_NAME" in
    bash) CONFIG_FILE="$HOME/.bash_profile" ;;
    *)    CONFIG_FILE="$HOME/.zshrc" ;;
esac
echo "Shell config : $CONFIG_FILE"
# Guarantee the file exists so the grep/sed/append steps below have a target.
touch "$CONFIG_FILE"

# -- Step 0: Clean up all existing vault env vars (silent, no error if missing)
# Removes every "export <VAR>=..." line previously written to $CONFIG_FILE and
# unsets the same names in this process so stale values cannot leak into the
# steps below. The invoking shell is NOT affected: it only sees the new values
# once $CONFIG_FILE is sourced again.
# NOTE(review): matching is by name only, so a hand-written, unrelated
# "export ID=..." line would be removed as well.
echo "[ 0/4 ] Cleaning up existing vault environment variables ..."
VARS_TO_CLEAN=("ID" "ID_ENC" "VPATH" "VAULT_DIR")

# BSD sed (macOS) requires an explicit empty backup suffix for -i; GNU sed
# takes -i alone. Decide once instead of per variable.
if [ "$(uname)" = "Darwin" ]; then
    SED_INPLACE=(sed -i '')
else
    SED_INPLACE=(sed -i)
fi

for var in "${VARS_TO_CLEAN[@]}"; do
    if grep -q "^export ${var}=" "$CONFIG_FILE" 2>/dev/null; then
        "${SED_INPLACE[@]}" "/^export ${var}=/d" "$CONFIG_FILE"
        echo "        Removed: $var"
    fi
    # Best effort: unset fails only for readonly names, which is not an error here.
    unset "$var" 2>/dev/null || true
done
echo "        Cleanup done."
echo ""

# -- Locate vault.py ----------------------------------------------------------
# Expected layout: <VAULT_DIR>/scripts/setup_vault.sh next to <VAULT_DIR>/vault.py.
# Resolve from the script's own location (not $PWD) so invocation directory
# does not matter.
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
VAULT_DIR="$(dirname "$SCRIPT_DIR")"
VAULT_PY="$VAULT_DIR/vault.py"

[ -f "$VAULT_PY" ] || {
    echo "ERROR: vault.py not found at $VAULT_PY"
    echo "       This script must be in a 'scripts' subfolder of the vault directory."
    exit 1
}

echo "vault.py  : $VAULT_PY"
echo ""

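# -- Step 1: Set VAULT_DIR ----------------------------------------------------
# Values are written with printf '%q' so they are shell-quoted on the way into
# $CONFIG_FILE. The previous "%s" inside double quotes let a path containing
# '"', '$' or a backtick be re-interpreted (or break the rc file) every time
# the shell sourced it.
echo "[ 1/4 ] Setting VAULT_DIR ..."
printf 'export VAULT_DIR=%q\n' "$VAULT_DIR" >> "$CONFIG_FILE"
export VAULT_DIR="$VAULT_DIR"
echo "        VAULT_DIR = $VAULT_DIR"

# -- Step 2: Set VPATH --------------------------------------------------------
# The path is baked verbatim into the rc file, so it must be absolute: `read`
# does not expand '~', and a relative path would resolve against the cwd of
# every future shell. vault.enc itself may not exist yet on a first run, so a
# missing file is only a warning.
echo "[ 2/4 ] Setting VPATH ..."
printf "        Enter full path to vault.enc (e.g. /Users/you/code/vault/vault.enc): "
IFS= read -r VAULT_ENC   # IFS= keeps leading/trailing whitespace in the path intact
if [ -z "$VAULT_ENC" ]; then
    echo "ERROR: VPATH cannot be empty."
    exit 1
fi
case "$VAULT_ENC" in
    /*) ;;
    *)
        echo "ERROR: VPATH must be an absolute path starting with '/' ('~' is not expanded here)."
        exit 1
        ;;
esac
if [ ! -e "$VAULT_ENC" ]; then
    echo "        WARNING: $VAULT_ENC does not exist yet - double-check the path."
fi
printf 'export VPATH=%q\n' "$VAULT_ENC" >> "$CONFIG_FILE"
export VPATH="$VAULT_ENC"
echo "        VPATH = $VAULT_ENC"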

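# -- Step 3: Generate VAULT_KEY -----------------------------------------------
# vault.py generate-key is expected to print a "VAULT_KEY=<key>" line. The key
# is the secret that protects ID_ENC; it is shown once so the user can copy it
# into each project's .env (be aware it also lands in terminal scrollback).
echo "[ 3/4 ] Generating VAULT_KEY ..."

# Capture stdout+stderr and guard both substitutions with `|| true`: under
# `set -e` + `pipefail` the original one-liner aborted the script silently
# whenever python3 failed or grep found no match, so the error message below
# was unreachable and the real cause (discarded via 2>/dev/null) was lost.
GEN_OUTPUT="$(python3 "$VAULT_PY" generate-key 2>&1)" || true
VAULT_KEY="$(printf '%s\n' "$GEN_OUTPUT" | grep 'VAULT_KEY=' | head -n 1 | sed 's/.*VAULT_KEY=//' | tr -d ' ')" || true
if [ -z "$VAULT_KEY" ]; then
    echo "ERROR: Failed to generate VAULT_KEY."
    echo "       Ensure cryptography is installed: pip3 install cryptography"
    if [ -n "$GEN_OUTPUT" ]; then
        echo "       Output from 'vault.py generate-key':"
        printf '%s\n' "$GEN_OUTPUT" | sed 's/^/         /'
    fi
    exit 1
fi

echo ""
echo "  ****************************************************"
echo "  ADD THESE LINES TO EACH PROJECT .env FILE:"
echo "  ****************************************************"
echo "  VAULT_KEY=$VAULT_KEY"
echo "  VPATH=$VAULT_ENC"
echo "  VAULT_DIR=$VAULT_DIR"
echo "  ****************************************************"
echo ""
printf "  Press Enter when you have copied the above into your .env file(s): "
read -r _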

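# -- Step 4: Encrypt master password -> ID_ENC --------------------------------
# ID_ENC is the master password Fernet-encrypted under VAULT_KEY. Anyone who
# holds both ID_ENC (shell rc) and VAULT_KEY (project .env) can recover the
# password, so the two must never be stored side by side.
echo "[ 4/4 ] Encrypting master password -> ID_ENC ..."
printf "        Vault master password (min 12 chars): "
# IFS= so leading/trailing spaces are part of the password (a plain `read`
# trims them, silently changing what gets encrypted); -s suppresses echo.
IFS= read -rs PLAIN_PASSWORD
echo ""

if [ "${#PLAIN_PASSWORD}" -lt 12 ]; then
    echo "ERROR: Password must be at least 12 characters."
    exit 1
fi

# Lock the rc file down BEFORE the ciphertext is appended. The original chmod
# ran afterwards, leaving a window in which a default-umask file held ID_ENC.
chmod 600 "$CONFIG_FILE"

# Key and password are handed to python3 on stdin, never on argv: argv is
# visible to every user via `ps` for the lifetime of the process, which is
# exactly what the previous sys.argv[] form exposed (despite its comment).
# printf is a bash builtin, so no intermediate process sees the secrets either.
# The script text carries no secret, so passing it with -c is fine, and no
# temp file is needed. `|| true` keeps `set -e` from aborting silently so the
# error message below is reachable.
ID_ENC="$(
    printf '%s\n%s\n' "$VAULT_KEY" "$PLAIN_PASSWORD" | python3 -c '
import sys
from cryptography.fernet import Fernet
key = sys.stdin.readline().rstrip("\n").encode()
pw  = sys.stdin.readline().rstrip("\n").encode()
print(Fernet(key).encrypt(pw).decode())
'
)" || true
# Best effort only: bash gives no guarantee the old value is wiped from memory.
PLAIN_PASSWORD=""
unset PLAIN_PASSWORD

if [ -z "$ID_ENC" ]; then
    echo "ERROR: Encryption failed."
    exit 1
fi

# A Fernet token is URL-safe base64 ([A-Za-z0-9_=-]), so plain quoting is safe here.
printf 'export ID_ENC="%s"\n' "$ID_ENC" >> "$CONFIG_FILE"
export ID_ENC="$ID_ENC"
echo "        ID_ENC set successfully."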

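# -- Summary ------------------------------------------------------------------
echo ""
echo "============================================"
echo "  Setup complete."
echo "============================================"
echo ""
echo "  Shell env vars set in $CONFIG_FILE:"
echo "    VAULT_DIR = $VAULT_DIR"
echo "    VPATH     = $VAULT_ENC"
echo "    ID_ENC    = (set, not shown)"
echo ""
# VAULT_KEY is deliberately repeated so it can still be copied from here; it
# remains in terminal scrollback until the terminal is cleared or closed.
echo "  Each project .env must contain:"
echo "    VAULT_KEY = $VAULT_KEY"
echo "    VPATH     = $VAULT_ENC"
echo "    VAULT_DIR = $VAULT_DIR"
echo ""
echo "Run: source $CONFIG_FILE  (or open a new terminal)"
echo ""
echo "To verify:"
echo "  echo \$VAULT_DIR"
echo "  echo \$VPATH"
echo "  echo \$ID_ENC"
echo ""
# Point the removal hint at the file that was actually written. The original
# picked ~/.zshrc only for SHELL=zsh and ~/.bash_profile for everything else,
# which contradicted the detection at the top (bash -> .bash_profile, anything
# else -> .zshrc) for any third shell, and always printed the BSD `sed -i ''`.
echo "To remove all vault env vars:"
echo "  for v in ID ID_ENC VPATH VAULT_DIR; do"
if [ "$(uname)" = "Darwin" ]; then
    echo "    sed -i '' \"/^export \${v}=/d\" \"$CONFIG_FILE\" && unset \$v"
else
    echo "    sed -i \"/^export \${v}=/d\" \"$CONFIG_FILE\" && unset \$v"
fi
echo "  done"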
