matrix/deploy/lxc110-draupnir.sh

#!/bin/bash
# Auto-deploy script for LXC 110 (draupnir)
# Handles: draupnir/production.yaml — restarts draupnir after deploy
# NOTE: access token in production.yaml is redacted in git.
#       The real token lives only at /opt/draupnir/config/production.yaml on this LXC.
#       This script merges the git version (structure/settings) with the live token.
# Triggered by: Gitea webhook on push to main
set -euo pipefail

REPO_DIR="/opt/matrix-config"
LIVE_CONFIG="/opt/draupnir/config/production.yaml"
LOG="/var/log/matrix-deploy.log"
CLONE_URL="https://code.lotusguild.org/LotusGuild/matrix.git"

exec >> "$LOG" 2>&1
echo "=== $(date) === LXC110 deploy triggered ==="

# Clone or pull
if [ ! -d "$REPO_DIR/.git" ]; then
    git clone "$CLONE_URL" "$REPO_DIR"
    CHANGED="draupnir/production.yaml"
else
    cd "$REPO_DIR"
    git fetch --all
    PREV=$(git rev-parse HEAD)
    git reset --hard origin/main
    NEW=$(git rev-parse HEAD)
    CHANGED=$(git diff --name-only "$PREV" "$NEW")
    echo "Changed files: $CHANGED"
fi

if echo "$CHANGED" | grep -q '^draupnir/production.yaml'; then
    echo "Deploying draupnir config..."

    # Extract live access token (never stored in git)
    LIVE_TOKEN=$(grep '^accessToken:' "$LIVE_CONFIG" | awk '{print $2}' | tr -d '"')
    if [ -z "$LIVE_TOKEN" ]; then
        echo "ERROR: Could not extract live accessToken from $LIVE_CONFIG — aborting." >&2
        exit 1
    fi

    # Copy repo version and restore the live token
    cp "$REPO_DIR/draupnir/production.yaml" "$LIVE_CONFIG"
    sed -i "s|accessToken: \"REDACTED\"|accessToken: \"$LIVE_TOKEN\"|" "$LIVE_CONFIG"

    echo "Restarting draupnir..."
    systemctl restart draupnir
    sleep 3
    systemctl is-active draupnir && echo "✓ draupnir restarted successfully" || echo "✗ draupnir failed to start"
fi

echo "=== $(date) === LXC110 deploy complete ==="