From caa8b83cf0f70cc50227466aa965c6738c268b19 Mon Sep 17 00:00:00 2001
From: mwiegand
Date: Fri, 8 May 2026 20:39:02 +0200
Subject: [PATCH] chore(deploy): rewrite web.env every deploy with machine-id-derived SECRET_KEY
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Drops the 'only on first creation' guard so newly added env vars reach existing boxes (today's SESSION_COOKIE_SECURE=false rake).
SECRET_KEY is now sha256(/etc/machine-id) — stable per host, no session invalidation across redeploys, no state persisted in /etc that the deploy has to tiptoe around.
Single-operator test deployment; the secret being machine-id-derivable is acceptable per deploy/README.md.
Co-Authored-By: Claude Opus 4.7 (1M context)
---
deploy/deploy-test-server.sh | 23 ++++++++++++-----------
1 file changed, 12 insertions(+), 11 deletions(-)
diff --git a/deploy/deploy-test-server.sh b/deploy/deploy-test-server.sh
index 8cebe84..50b8edc 100755
--- a/deploy/deploy-test-server.sh
+++ b/deploy/deploy-test-server.sh
@@ -154,17 +154,18 @@ $sudo_cmd install -m 0644 -o root -g root \
 /opt/left4me/deploy/files/etc/left4me/sandbox-resolv.conf \
 /etc/left4me/sandbox-resolv.conf
-if [ ! -f /etc/left4me/web.env ]; then
- secret_key=$(python3 -c 'import secrets; print(secrets.token_hex(32))')
- tmp_web_env="$remote_tmp/web.env"
- {
- printf 'DATABASE_URL=sqlite:////var/lib/left4me/left4me.db\n'
- printf 'SECRET_KEY=%s\n' "$secret_key"
- printf 'JOB_WORKER_THREADS=4\n'
- printf 'SESSION_COOKIE_SECURE=false\n'
- } > "$tmp_web_env"
- $sudo_cmd install -m 0640 -o root -g left4me "$tmp_web_env" /etc/left4me/web.env
-fi
+# Stomp the file every deploy so newly added vars reach existing boxes.
+# SECRET_KEY is derived from /etc/machine-id so it stays stable across
+# redeploys (no session invalidation) without persisting state in /etc.
+secret_key=$(sha256sum < /etc/machine-id | awk '{print $1}')
+tmp_web_env="$remote_tmp/web.env"
+{
+ printf 'DATABASE_URL=sqlite:////var/lib/left4me/left4me.db\n'
+ printf 'SECRET_KEY=%s\n' "$secret_key"
+ printf 'JOB_WORKER_THREADS=4\n'
+ printf 'SESSION_COOKIE_SECURE=false\n'
+ } > "$tmp_web_env"
+ $sudo_cmd install -m 0640 -o root -g left4me "$tmp_web_env" /etc/left4me/web.env
 if [ ! -x /opt/left4me/.venv/bin/python ]; then
 run_as_left4me python3 -m venv /opt/left4me/.venv
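Review bot: The new `secret_key=$(sha256sum < /etc/machine-id | awk '{print $1}')` line turns a value that is world-readable by design (/etc/machine-id is 0444 and is frequently identical across cloned VMs and images) into the session-signing key with no salt, so any local user or process that can read that file — including the sandboxed workloads the surrounding sandbox-resolv.conf context suggests, if they see the host's /etc — can recompute SECRET_KEY and mint sessions. It also has no guard for an empty or missing machine-id (common on freshly provisioned images before first boot), which would silently yield the fixed digest of the empty string on every such host. The stated goals — new vars reaching existing boxes and no session invalidation — are met without a derivable secret by reusing the SECRET_KEY already in /etc/left4me/web.env when present and only minting a random one on first install; the rest of the rewrite-every-deploy change stays as is. If the README's acceptance is relied on instead, at least add `[ -s /etc/machine-id ] || { echo 'machine-id missing' >&2; exit 1; }` before the derivation, and note that the `}` and `$sudo_cmd install` lines appear to keep their old indentation from inside the removed `if`, which no longer encloses them.
```shell
# Keep the existing SECRET_KEY so sessions survive redeploys; mint a random
# one only when no web.env exists yet. Everything else in the file is still
# rewritten every deploy so newly added vars reach existing boxes.
secret_key=$($sudo_cmd sed -n 's/^SECRET_KEY=//p' /etc/left4me/web.env 2>/dev/null || true)
if [ -z "$secret_key" ]; then
  secret_key=$(python3 -c 'import secrets; print(secrets.token_hex(32))')
fi
tmp_web_env="$remote_tmp/web.env"
# … unchanged: printf block and install into /etc/left4me/web.env …
```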