From 9771fc620ed41362867ea7047dc267359c3b4d3f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Thomas=20Gra=CC=88fenstein?= <mail@thomas-graefenstein.de>
Date: Sun, 22 Mar 2026 12:15:11 +0100
Subject: [PATCH] fix source command

---
 review.md         |  2 +-
 scripts/deploy.sh | 15 ++++++++++++---
 2 files changed, 13 insertions(+), 4 deletions(-)

diff --git a/review.md b/review.md
index 735b1d3..7085d99 100644
--- a/review.md
+++ b/review.md
@@ -7,7 +7,7 @@
 | 3  | Critical | `scripts/restore.sh`            | Same broken `SCRIPT_DIR` path issue                                                                                                                                                                                                | DONE   |
 | 4  | High     | `scripts/backup.sh:20`          | `pg_dumpall -U nextcloud` hardcodes DB username instead of reading from env                                                                                                                                                        | DONE   |
 | 5  | High     | `scripts/restore.sh:68`         | `psql -U nextcloud` hardcodes DB username instead of reading from env                                                                                                                                                              | DONE   |
-| 6  | High     | `scripts/deploy.sh:13`          | `source .env` in a root-privileged script can execute arbitrary commands. Consider safer parsing or variable validation                                                                                                            | TODO   |
+| 6  | High     | `scripts/deploy.sh:13`          | `source .env` in a root-privileged script can execute arbitrary commands. Consider safer parsing or variable validation                                                                                                            | DONE   |
 | 7  | Medium   | `monitoring/docker-compose.yml` | Docker socket + `/proc` + `/sys` + `/` mounted into Alloy container. Consider using a Docker socket proxy to limit API access                                                                                                      | TODO   |
 | 8  | Medium   | `caddy/Caddyfile`               | No rate limiting configured at the reverse proxy layer                                                                                                                                                                             | TODO   |
 | 9  | Low      | `gitea/docker-compose.yml`      | `gitea/gitea:latest-rootless` unpinned — pin to specific version like Nextcloud does                                                                                                                                               | TODO   |
diff --git a/scripts/deploy.sh b/scripts/deploy.sh
index 10b5797..3a95526 100755
--- a/scripts/deploy.sh
+++ b/scripts/deploy.sh
@@ -4,14 +4,23 @@ set -euo pipefail
 REPO_ROOT="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
 
 # ------------------------------------------------------------------
-# Load config
+# Load config (safe parser — only loads KEY=VALUE lines)
 # ------------------------------------------------------------------
 if [ ! -f "$REPO_ROOT/.env" ]; then
   echo "ERROR: $REPO_ROOT/.env not found. Copy .env.example and fill in values."
   exit 1
 fi
-source "$REPO_ROOT/.env"
-DATA_ROOT="${DATA_ROOT:-/opt/docker-data}"
+set -a
+eval "$(grep -v '^#' "$REPO_ROOT/.env" | grep -v '^$' | grep '^[A-Za-z_][A-Za-z_0-9]*=' )"
+set +a
+
+# Validate required variables
+for var in DOMAIN DATA_ROOT; do
+  if [ -z "${!var:-}" ]; then
+    echo "ERROR: $var is not set in .env"
+    exit 1
+  fi
+done
 
 echo "==> VPS info:"
 cat /etc/os-release