38 lines
1.7 KiB
Bash
38 lines
1.7 KiB
Bash
#!/usr/bin/env bash
|
|
# entrypoint.sh - resolve the socket-level egress/auth posture before supervisord.
|
|
#
|
|
# This is the authoritative socket-level guard (gunicorn binds the socket, not
|
|
# Python). It must agree with the in-process _resolve_auth() check in server.py.
|
|
set -euo pipefail
|
|
|
|
# --- Redis password: prefer a mounted secret, else an existing env var. ------
|
|
if [[ -z "${REDIS_PASSWORD:-}" && -f /run/secrets/redis_password ]]; then
|
|
REDIS_PASSWORD="$(cat /run/secrets/redis_password)"
|
|
fi
|
|
if [[ -z "${REDIS_PASSWORD:-}" ]]; then
|
|
# Generate an ephemeral in-container password so redis is never open even
|
|
# if the operator forgot to mount one. (Loopback + requirepass.)
|
|
REDIS_PASSWORD="$(python3 -c 'import secrets; print(secrets.token_hex(32))')"
|
|
echo "entrypoint: no REDIS_PASSWORD provided; generated an ephemeral one." >&2
|
|
fi
|
|
export REDIS_PASSWORD
|
|
|
|
# --- API token: prefer a mounted secret, else an existing env var. -----------
|
|
if [[ -z "${CRAWL4AI_API_TOKEN:-}" && -f /run/secrets/api_token ]]; then
|
|
export CRAWL4AI_API_TOKEN="$(cat /run/secrets/api_token)"
|
|
fi
|
|
|
|
# --- Bind resolution: loopback unless a credential is present. ---------------
|
|
PORT="${CRAWL4AI_PORT:-11235}"
|
|
if [[ -n "${CRAWL4AI_API_TOKEN:-}" || "${CRAWL4AI_JWT_ENABLED:-false}" == "true" ]]; then
|
|
# A credential is configured -> the operator may expose all interfaces.
|
|
GUNICORN_BIND="${GUNICORN_BIND:-[::]:${PORT}}"
|
|
else
|
|
# No credential -> refuse to expose; serve loopback only.
|
|
GUNICORN_BIND="127.0.0.1:${PORT}"
|
|
echo "entrypoint: no CRAWL4AI_API_TOKEN set; binding loopback only (${GUNICORN_BIND})." >&2
|
|
fi
|
|
export GUNICORN_BIND
|
|
|
|
exec supervisord -c supervisord.conf --pidfile /tmp/supervisord.pid
|