From 4d2d5d313202bdbda5bbb1f51b9906783a680733 Mon Sep 17 00:00:00 2001
From: Jeff Emmett
Date: Wed, 25 Feb 2026 00:12:38 -0800
Subject: [PATCH] feat: fetch SMTP password from claude-ops infisical at startup

Entrypoint now fetches RSWAG_SMTP_PASSWORD from claude-ops /mail folder if SMTP_PASSWORD is not already set. This allows the rSwag container to get its SMTP credentials without needing direct write access to the .env file.

Co-Authored-By: Claude Opus 4.6
---
 backend/entrypoint.sh | 25 +++++++++++++++++++++++++
 1 file changed, 25 insertions(+)

diff --git a/backend/entrypoint.sh b/backend/entrypoint.sh
index 92119d0..660526b 100755
--- a/backend/entrypoint.sh
+++ b/backend/entrypoint.sh
@@ -62,4 +62,29 @@ else
 echo "[infisical] Starting with existing env vars"
 fi

+# Fetch SMTP password from claude-ops /mail if not already set
+if [ -z "$SMTP_PASSWORD" ]; then
+ SMTP_PWD=$(python3 -c "
+import urllib.request, json, os, sys
+base = os.environ.get('INFISICAL_URL', 'http://infisical:8080')
+try:
+ data = json.dumps({'clientId': os.environ['INFISICAL_CLIENT_ID'], 'clientSecret': os.environ['INFISICAL_CLIENT_SECRET']}).encode()
+ req = urllib.request.Request(f'{base}/api/v1/auth/universal-auth/login', data=data, headers={'Content-Type': 'application/json'})
+ token = json.loads(urllib.request.urlopen(req).read()).get('accessToken','')
+ req = urllib.request.Request(f'{base}/api/v3/secrets/raw?workspaceSlug=claude-ops&environment=prod&secretPath=/mail')
+ req.add_header('Authorization', f'Bearer {token}')
+ secrets = json.loads(urllib.request.urlopen(req).read())
+ for s in secrets.get('secrets',[]):
+ if s['secretKey'] == 'RSWAG_SMTP_PASSWORD':
+ print(s['secretValue'])
+ break
+except Exception as e:
+ print(f'[smtp] Could not fetch password: {e}', file=sys.stderr)
+" 2>&1) || true
+ if [ -n "$SMTP_PWD" ] && echo "$SMTP_PWD" | grep -qv '^\['; then
+ export SMTP_PASSWORD="$SMTP_PWD"
+ echo "[infisical] Fetched SMTP password from claude-ops/mail"
+ fi
+fi
+
 exec "$@"
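Review bot: The `2>&1` on the `python3 -c` command substitution folds diagnostics into the value that becomes `SMTP_PASSWORD`, and the `grep -qv '^\['` test that follows only checks that at least one captured line does not start with `[`. Any stderr output other than the script's own `[smtp]` message (an interpreter warning, for example) would therefore be exported as the password, possibly alongside the real one, while a genuine password that begins with `[` is silently dropped. Let stderr go to the container log and keep stdout for the secret alone: end the substitution with `") || true` and test `if [ -n "$SMTP_PWD" ]; then`. Separately, both `urlopen` calls have no timeout, so an unresponsive Infisical can stall startup before `exec "$@"`; passing `timeout=10` (value to be chosen) bounds that. The default `INFISICAL_URL` is plain `http://`, so the client secret and the fetched password cross the network unencrypted unless that hop is otherwise protected, which is worth confirming.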