first pass

2026-06-06 02:20:42 +00:00 · 2026-04-05 23:30:22 -04:00
commit 46f1bded39
9 changed files with 596 additions and 0 deletions
@@ -0,0 +1,35 @@
+#!/usr/bin/env bash
+# =============================================================
+#  check-image-updates.sh
+#  Checks all running containers for newer images and caches
+#  results to /tmp/.docker-updates for the MOTD to display.
+#
+#  Usage:
+#    bash scripts/check-image-updates.sh
+#
+#  Add to cron for automatic checks (e.g. daily at 3am):
+#    0 3 * * * bash /opt/stacks/matrix/scripts/check-image-updates.sh
+# =============================================================
+
+set -euo pipefail
+
+CACHE="/tmp/.docker-updates"
+TMP=$(mktemp)
+
+echo "# generated $(date -u +"%Y-%m-%dT%H:%M:%SZ")" > "$TMP"
+
+while IFS='|' read -r name image; do
+  OUTPUT=$(docker pull "$image" 2>&1 || true)
+  if echo "$OUTPUT" | grep -q "Downloaded newer image"; then
+    echo "$name  →  $image" >> "$TMP"
+  fi
+done < <(docker ps --format '{{.Names}}|{{.Image}}' | sort)
+
+mv "$TMP" "$CACHE"
+
+UPDATES=$(grep -v '^#' "$CACHE" | grep -c . || true)
+if [ "$UPDATES" -gt 0 ]; then
+  echo "✅  $UPDATES image(s) updated — cache written to $CACHE"
+else
+  echo "✅  All images current — cache written to $CACHE"
+fi
@@ -0,0 +1,78 @@
+#!/usr/bin/env bash
+# =============================================================
+#  rotate-secrets.sh
+#  Regenerates TURN and LiveKit secrets in .env and restarts
+#  only the affected containers.
+#
+#  Usage:
+#    bash scripts/rotate-secrets.sh             # rotate all
+#    bash scripts/rotate-secrets.sh --turn      # rotate TURN secret only
+#    bash scripts/rotate-secrets.sh --livekit   # rotate LiveKit keys only
+#
+#  ⚠️  Active calls and sessions WILL be dropped on rotation.
+#  Run during a maintenance window or when the server is idle.
+# =============================================================
+
+set -euo pipefail
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+ENV_FILE="$SCRIPT_DIR/../.env"
+
+if [ ! -f "$ENV_FILE" ]; then
+    echo "❌  .env not found at $ENV_FILE"
+    exit 1
+fi
+
+rotate_turn() {
+    echo "🔄  Rotating TURN secret..."
+    NEW_SECRET=$(openssl rand -hex 32)
+    sed -i "s|^STATIC_AUTH_SECRET=.*|STATIC_AUTH_SECRET=$NEW_SECRET|" "$ENV_FILE"
+    echo "✅  STATIC_AUTH_SECRET updated"
+
+    echo "🔁  Restarting coturn and tuwunel..."
+    docker compose --env-file "$ENV_FILE" -f "$SCRIPT_DIR/../docker-compose.yml" \
+        up -d --force-recreate coturn tuwunel
+    echo "✅  coturn and tuwunel restarted"
+}
+
+rotate_livekit() {
+    echo "🔄  Rotating LiveKit API credentials..."
+    NEW_KEY=$(openssl rand -hex 16)
+    NEW_SECRET=$(openssl rand -hex 32)
+    sed -i "s|^API_KEY=.*|API_KEY=$NEW_KEY|" "$ENV_FILE"
+    sed -i "s|^API_SECRET=.*|API_SECRET=$NEW_SECRET|" "$ENV_FILE"
+    echo "✅  API_KEY and API_SECRET updated"
+
+    echo "🔁  Restarting livekit and lk-jwt-service..."
+    docker compose --env-file "$ENV_FILE" -f "$SCRIPT_DIR/../docker-compose.yml" \
+        up -d --force-recreate livekit lk-jwt-service
+    echo "✅  livekit and lk-jwt-service restarted"
+}
+
+log_rotation() {
+    echo "📝  Logging rotation event..."
+    echo "[$(date -u +"%Y-%m-%dT%H:%M:%SZ")] $1" >> "$SCRIPT_DIR/../scripts/rotation.log"
+}
+
+case "${1:-all}" in
+    --turn)
+        rotate_turn
+        log_rotation "TURN secret rotated"
+        ;;
+    --livekit)
+        rotate_livekit
+        log_rotation "LiveKit credentials rotated"
+        ;;
+    all|--all)
+        rotate_turn
+        rotate_livekit
+        log_rotation "All secrets rotated"
+        ;;
+    *)
+        echo "Usage: $0 [--turn | --livekit | --all]"
+        exit 1
+        ;;
+esac
+
+echo ""
+echo "🎉  Rotation complete. Previous secrets are gone — update any external clients if needed."