#!/usr/bin/env bash # repair-realm-live.sh - attended repair for privacyIDEA realm bootstrap state. # # This wrapper prompts for live passwords, writes them only to a private # temporary directory, runs the idempotent realm bootstrap, and removes the # temporary files on exit. set -euo pipefail SCRIPT_DIR=$(cd -- "$(dirname -- "${BASH_SOURCE[0]}")" && pwd) SSO_MFA_K8S_DIR=$(cd -- "$SCRIPT_DIR/.." && pwd) PI_URL="${PI_URL:-https://pink.coulomb.social}" if [[ ! -t 0 ]]; then echo "ERROR: repair-realm-live.sh needs an interactive terminal for password prompts." >&2 exit 1 fi export PATH="/home/worsch/.local/bin:$PATH" umask 077 tmp="$(mktemp -d)" cleanup() { rm -rf "$tmp" unset PI_ADMIN_PASSWORD LLDAP_LDAP_USER_PASS } trap cleanup EXIT mkdir -p "$tmp/privacyidea" "$tmp/lldap" printf "privacyIDEA pi-admin password: " >&2 read -rs PI_ADMIN_PASSWORD printf "\n" >&2 printf "LLDAP bind/admin password: " >&2 read -rs LLDAP_LDAP_USER_PASS printf "\n" >&2 printf "PI_ADMIN_PASSWORD=%q\n" "$PI_ADMIN_PASSWORD" > "$tmp/privacyidea/secrets.env" printf "LLDAP_LDAP_USER_PASS=%q\n" "$LLDAP_LDAP_USER_PASS" > "$tmp/lldap/secrets.env" bash "$SCRIPT_DIR/bootstrap-realm.sh" "$tmp" "$PI_URL" if ! bash "$SSO_MFA_K8S_DIR/verify-t06.sh" "$tmp"; then cat >&2 <<'WARN' [WARN] verify-t06 still reports failures. If realm, resolver, policies, and self-service pass but KeyCape token checks fail, run the KeyCape privacyIDEA MFA token repair action after platform-root enrollment. WARN fi cat <<'OK' [OK] privacyIDEA coulomb realm repair command finished. Enroll or re-enroll platform-root TOTP in privacyIDEA next. OK