Fix: Let's Encrypt status detection and auto-generate .env

- AdminController: Detect existing SSL certificates from /etc/letsencrypt and update database status automatically (fixes status showing "none" when cert was obtained via cloud-init) - docker-compose.prod.yml: Mount /etc/letsencrypt to backend container - cloud-init: Auto-generate .env with secure random secrets on first boot (DB_PASSWORD, JWT_SECRET, REDIS_PASSWORD, OME_API_TOKEN, NAKAMA keys) 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-06 04:49:00 -05:00 · 2026-01-06 04:49:00 -05:00 · 0fc49d0032
commit 0fc49d0032
parent 118629549e
3 changed files with 149 additions and 10 deletions
--- a/terraform/modules/app_server/cloud-init.yaml.tpl
+++ b/terraform/modules/app_server/cloud-init.yaml.tpl
@ -225,6 +225,71 @@ runcmd:
  - mkdir -p /opt/realms
  - mkdir -p /opt/realms/uploads

+  # Generate .env with secure random secrets (only if it doesn't exist)
+  - |
+    ENV_FILE="/opt/realms/.env"
+    if [ ! -f "$ENV_FILE" ]; then
+      echo "Generating .env with secure random secrets..."
+      cat > "$ENV_FILE" << 'ENVEOF'
+# =============================================================================
+# Realms Production Environment - Auto-generated on first deploy
+# =============================================================================
+
+# Database
+DB_PASSWORD=$(openssl rand -base64 32 | tr -d '/+=' | head -c 32)
+
+# JWT Secret for authentication
+JWT_SECRET=$(openssl rand -base64 48 | tr -d '/+=' | head -c 48)
+
+# Redis
+REDIS_PASSWORD=$(openssl rand -base64 32 | tr -d '/+=' | head -c 32)
+
+# OvenMediaEngine API Token
+OME_API_TOKEN=$(openssl rand -hex 32)
+
+# Nakama Game Server
+NAKAMA_SERVER_KEY=$(openssl rand -hex 16)
+NAKAMA_CONSOLE_PASSWORD=$(openssl rand -base64 16 | tr -d '/+=' | head -c 16)
+ENVEOF
+
+      # Generate actual random values by evaluating the file
+      # Read template and generate real values
+      DB_PASS=$(openssl rand -base64 32 | tr -d '/+=' | head -c 32)
+      JWT_SEC=$(openssl rand -base64 48 | tr -d '/+=' | head -c 48)
+      REDIS_PASS=$(openssl rand -base64 32 | tr -d '/+=' | head -c 32)
+      OME_TOKEN=$(openssl rand -hex 32)
+      NAKAMA_KEY=$(openssl rand -hex 16)
+      NAKAMA_PASS=$(openssl rand -base64 16 | tr -d '/+=' | head -c 16)
+
+      cat > "$ENV_FILE" << ENVEOF
+# =============================================================================
+# Realms Production Environment - Auto-generated on first deploy
+# Generated: $(date -Iseconds)
+# =============================================================================
+
+# Database
+DB_PASSWORD=$DB_PASS
+
+# JWT Secret for authentication
+JWT_SECRET=$JWT_SEC
+
+# Redis
+REDIS_PASSWORD=$REDIS_PASS
+
+# OvenMediaEngine API Token
+OME_API_TOKEN=$OME_TOKEN
+
+# Nakama Game Server
+NAKAMA_SERVER_KEY=$NAKAMA_KEY
+NAKAMA_CONSOLE_PASSWORD=$NAKAMA_PASS
+ENVEOF
+
+      chmod 600 "$ENV_FILE"
+      echo ".env generated with secure random secrets"
+    else
+      echo ".env already exists, skipping generation"
+    fi
+
  # Enable unattended upgrades
  - systemctl enable unattended-upgrades
  - systemctl start unattended-upgrades
@ -237,12 +302,35 @@ runcmd:

  # Obtain initial SSL certificate (standalone mode - no webserver running yet)
  # This runs before Docker services start, so port 80 is free
+  # Retry with delays to wait for DigitalOcean firewall propagation
  - |
-    certbot certonly --standalone \
-      --non-interactive \
-      --agree-tos \
-      --email ${letsencrypt_email} \
-      -d ${domain} \
-      || echo "Certbot failed - certificate may need to be obtained manually after DNS propagates"
+    MAX_ATTEMPTS=5
+    ATTEMPT=1
+    DELAY=30

-final_message: "Realms app server ready after $UPTIME seconds. SSL cert obtained for ${domain}. Deploy via Forgejo CI/CD."
+    while [ $ATTEMPT -le $MAX_ATTEMPTS ]; do
+      echo "Certbot attempt $ATTEMPT of $MAX_ATTEMPTS..."
+
+      if certbot certonly --standalone \
+        --non-interactive \
+        --agree-tos \
+        --email ${letsencrypt_email} \
+        -d ${domain}; then
+        echo "SSL certificate obtained successfully!"
+        break
+      else
+        echo "Certbot failed on attempt $ATTEMPT"
+        if [ $ATTEMPT -lt $MAX_ATTEMPTS ]; then
+          echo "Waiting $${DELAY}s for firewall propagation before retry..."
+          sleep $DELAY
+          DELAY=$((DELAY * 2))  # Exponential backoff
+        fi
+      fi
+      ATTEMPT=$((ATTEMPT + 1))
+    done
+
+    if [ $ATTEMPT -gt $MAX_ATTEMPTS ]; then
+      echo "Certbot failed after $MAX_ATTEMPTS attempts - obtain certificate manually"
+    fi
+
+final_message: "Realms app server ready after $UPTIME seconds. Deploy via Forgejo CI/CD."