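#!/usr/bin/env bash
# Create the "AI Prod" 1Password vault and all required items with placeholder values.
# Run this once on a fresh setup, then edit each item in 1Password with real values.
#
# Usage:
#   bin/op-setup             # Create vault and all items
#   bin/op-setup --dry-run   # Print what would be created without doing it
#
# Requirements:
#   - the 1Password CLI (`op`) on PATH, with an active session (`op signin`)
#   - every secret-bearing field is created with a REPLACE_* placeholder only;
#     this script never writes a real secret.

set -euo pipefail

readonly VAULT="AI Prod"
DRY_RUN=false

# Colors (ANSI escapes, expanded via printf '%b')
readonly RED='\033[0;31m'
readonly GREEN='\033[0;32m'
readonly YELLOW='\033[1;33m'
readonly BLUE='\033[0;34m'
readonly NC='\033[0m'

# ---------------------------------------------------------------------------
# Helpers
# ---------------------------------------------------------------------------

#######################################
# Print one line to stdout, interpreting the embedded color escapes.
# Arguments: the message text (color variables already embedded)
#######################################
say() {
  printf '%b\n' "$*"
}

#######################################
# Print usage to stderr and exit with status 2.
#######################################
usage() {
  printf 'Usage: %s [--dry-run]\n' "${0##*/}" >&2
  exit 2
}

#######################################
# Execute a command, or only print it when DRY_RUN is true.
# Globals:   DRY_RUN (read)
# Arguments: the command and its arguments
# Returns:   the command's exit status (0 in dry-run mode)
#######################################
run() {
  if [[ "$DRY_RUN" == true ]]; then
    # The full argument list is printed, field values included. This is only
    # acceptable because every value passed by this script is a placeholder.
    say "  ${BLUE}[dry-run]${NC} $*"
  else
    "$@"
  fi
}

#######################################
# Test whether an item with the given title exists in $VAULT.
# Globals:   VAULT (read)
# Arguments: $1 - item title
# Returns:   0 if `op item get` succeeds, non-zero otherwise. Note that a
#            lookup failure for any reason (missing vault, no session, or a
#            title that matches several items) is reported as "not found".
#######################################
item_exists() {
  local title="$1"
  op item get "$title" --vault "$VAULT" >/dev/null 2>&1
}

#######################################
# Create a Login item in $VAULT unless one with that title already exists.
# Globals:   VAULT (read)
# Arguments: $1   - item title
#            $@   - remaining args are `op item create` field assignments,
#                   e.g. "password[password]=REPLACE_ME"
#######################################
create_item() {
  local title="$1"
  shift
  if item_exists "$title"; then
    say "  ${YELLOW}↩${NC} $title — already exists, skipping"
    return 0
  fi
  say "  ${GREEN}+${NC} Creating: $title"
  run op item create \
    --vault "$VAULT" \
    --category "Login" \
    --title "$title" \
    "$@"
}

# ---------------------------------------------------------------------------
# Arguments and preconditions
# ---------------------------------------------------------------------------

# Only a single optional --dry-run flag is accepted; anything else is a typo
# that should not silently turn into a real run.
if (( $# > 1 )); then
  usage
fi
case "${1:-}" in
  "")
    ;;
  --dry-run)
    DRY_RUN=true
    say "${YELLOW}Dry run mode — no changes will be made${NC}"
    ;;
  *)
    usage
    ;;
esac

# Fail early with a clear message instead of on the first `op` call below
# (which would otherwise abort via `set -e` with a less obvious error).
if ! command -v op >/dev/null 2>&1; then
  say "${RED}Error:${NC} the 1Password CLI (op) is not installed or not on PATH" >&2
  exit 1
fi
if ! op whoami >/dev/null 2>&1; then
  say "${RED}Error:${NC} no active 1Password session — run 'op signin' first" >&2
  exit 1
fi

# ---------------------------------------------------------------------------
# Step 1: Ensure vault exists
# ---------------------------------------------------------------------------

say ""
say "${BLUE}=== 1Password Vault ===${NC}"
say ""

if op vault get "$VAULT" >/dev/null 2>&1; then
  say "${GREEN}✓${NC} Vault '$VAULT' already exists"
else
  say "${GREEN}+${NC} Creating vault: $VAULT"
  run op vault create "$VAULT"
fi

# ---------------------------------------------------------------------------
# Step 2: Create items
# ---------------------------------------------------------------------------

say ""
say "${BLUE}=== Creating Items in '$VAULT' ===${NC}"
say ""

# --- PostgreSQL ---
# Used by: gateway (DB connection), minio-init job (postgres metadata)
create_item "PostgreSQL" \
  "password[password]=REPLACE_WITH_STRONG_PASSWORD"

# --- MinIO ---
# Used by: minio StatefulSet, flink-secrets, gateway-secrets (iceberg S3), sandbox-secrets
# access_key = MinIO root user (equivalent to AWS_ACCESS_KEY_ID)
# secret_key = MinIO root password (equivalent to AWS_SECRET_ACCESS_KEY)
create_item "MinIO" \
  "access_key[text]=minio-admin" \
  "secret_key[password]=REPLACE_WITH_STRONG_SECRET_KEY"

# --- Gateway ---
# Used by: gateway-secrets (LLM keys + jwt_secret + search keys)
# jwt_secret: used to sign user sessions — generate with: openssl rand -base64 48
# deepinfra_api_key: Deep Infra Console → API Keys (https://deepinfra.com)
# anthropic_api_key: Anthropic Console → API Keys (https://console.anthropic.com) — kept for potential future use
# tavily_api_key: Tavily Console → API Keys (https://app.tavily.com)
create_item "Gateway" \
  "deepinfra_api_key[password]=REPLACE_ME" \
  "jwt_secret[password]=REPLACE_WITH_RANDOM_64_CHAR_SECRET" \
  "anthropic_api_key[password]=sk-ant-REPLACE_ME" \
  "tavily_api_key[password]=tvly-REPLACE_ME"

# --- Telegram ---
# Used by: gateway-secrets (optional Telegram bot integration)
# bot_token: BotFather → /newbot (https://t.me/BotFather)
# Leave as placeholder if Telegram integration is not needed.
create_item "Telegram" \
  "bot_token[password]=REPLACE_ME_OR_LEAVE_EMPTY"

# --- Ingestor ---
# Used by: ingestor-secrets (exchange API keys for CCXT market data)
# Keys with empty/placeholder values will cause the ingestor to skip that exchange.
# Binance:  https://www.binance.com/en/my/settings/api-management
# Coinbase: https://portal.cdp.coinbase.com/
# Kraken:   https://www.kraken.com/u/security/api
create_item "Ingestor" \
  "binance_api_key[text]=REPLACE_ME" \
  "binance_api_secret[password]=REPLACE_ME" \
  "coinbase_api_key[text]=REPLACE_ME" \
  "coinbase_api_secret[password]=REPLACE_ME" \
  "kraken_api_key[text]=REPLACE_ME" \
  "kraken_api_secret[password]=REPLACE_ME"

# ---------------------------------------------------------------------------
# Done
# ---------------------------------------------------------------------------

say ""
if [[ "$DRY_RUN" == true ]]; then
  say "${YELLOW}Dry run complete — no items were created.${NC}"
else
  say "${GREEN}✓ Setup complete.${NC}"
  say ""
  say "Next steps:"
  say " 1. Open 1Password and update each item in the '${VAULT}' vault with real values:"
  say " • PostgreSQL → set a strong random password"
  say " • MinIO → set a strong secret_key (access_key can stay as-is)"
  say " • Gateway → add real API keys and a random jwt_secret"
  say " • Ingestor → add real exchange API keys"
  say " • Telegram → add bot token (or leave placeholder if unused)"
  say ""
  say " 2. Verify op:// references resolve correctly:"
  # NOTE: the suggested command writes the *resolved* secrets to the terminal
  # (and scrollback). Run it only on a trusted workstation; to check resolution
  # without displaying values, direct the output to /dev/null instead.
  say " op inject -i deploy/k8s/prod/secrets/gateway-secrets.tpl.yaml | head -20"
  say ""
  say " 3. Continue with cluster setup:"
  say " bin/secret-update prod"
fi
say ""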