From 8bab7bf77addcc90c34c6b6e111e7cbc4da3f7aa Mon Sep 17 00:00:00 2001
From: Trammell Hudson
Date: Wed, 4 May 2022 21:38:56 +0000
Subject: [PATCH] move env.secrets into data/ subdir
---
 grafana/docker-compose.yaml | 2 +-
 grafana/setup | 6 ++++--
 hedgedoc/docker-compose.yaml | 2 +-
 hedgedoc/setup | 7 +++++--
 keycloak/client-create | 2 +-
 keycloak/client-delete | 2 +-
 keycloak/docker-compose.yaml | 2 +-
 keycloak/setup | 7 +++++--
 mastodon/docker-compose.yaml | 6 +++---
 mastodon/setup | 11 +++++++----
 nextcloud/docker-compose.yaml | 2 +-
 nextcloud/setup | 6 ++++--
 12 files changed, 34 insertions(+), 21 deletions(-)
diff --git a/grafana/docker-compose.yaml b/grafana/docker-compose.yaml
index 9ef7d8b..aef68ec 100644
--- a/grafana/docker-compose.yaml
+++ b/grafana/docker-compose.yaml
@@ -23,4 +23,4 @@ services:
 env_file:
 - ../env.production
 - env.production
- - env.secrets
+ - ../data/grafana/env.secrets
diff --git a/grafana/setup b/grafana/setup
index 70789cb..b806956 100755
--- a/grafana/setup
+++ b/grafana/setup
@@ -7,8 +7,9 @@ source ../env.production || die "no top level env?"
 source env.production || die "no local env?"
 BASE="https://$KEYCLOAK_HOSTNAME/realms/$REALM/protocol/openid-connect"
+SECRETS="../data/grafana/env.secrets"
-if [ -r "env.secrets" ]; then
+if [ -r "$SECRETS" ]; then
 docker-compose up -d || die "grafana: unable to start container"
 exit 0
 fi
@@ -19,7 +20,8 @@ GRAFANA_CLIENT_SECRET="$(openssl rand -hex 32)"
 GRAFANA_ADMIN_PASSWORD="$(openssl rand -hex 4)"
 echo "Generating secrets: admin password $GRAFANA_ADMIN_PASSWORD"
-cat < env.secrets
+mkdir -p "$(dirname "$SECRETS")"
+cat < "$SECRETS"
 # Do not check in!
 GF_SECURITY_ADMIN_PASSWORD=$GRAFANA_ADMIN_PASSWORD
 GF_SERVER_ROOT_URL=https://$GRAFANA_HOSTNAME/
diff --git a/hedgedoc/docker-compose.yaml b/hedgedoc/docker-compose.yaml
index 11601e6..c95012f 100644
--- a/hedgedoc/docker-compose.yaml
+++ b/hedgedoc/docker-compose.yaml
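Review bot: The new `mkdir -p "$(dirname "$SECRETS")"` / `cat … > "$SECRETS"` pair in the second grafana/setup hunk writes a freshly generated admin password and client secret with whatever mode the caller's umask permits, which with the usual 022 umask is a group- and world-readable file under ../data/; the same pattern is introduced in hedgedoc/setup, keycloak/setup, mastodon/setup and nextcloud/setup. Creating the file with a restrictive mode before the redirect keeps both the heredoc write and mastodon's later `>> "$SECRETS"` append from loosening it: add `install -m 600 /dev/null "$SECRETS"` between the mkdir and the heredoc (or scope a `umask 077` to these lines). The heredoc header appears here as `cat < "$SECRETS"`, which looks like a rendering artefact of `cat <<EOF > "$SECRETS"` rather than something the commit changed. The `# Do not check in!` markers now depend on ../data/ being excluded from version control, which is not visible in this patch; worth confirming the ignore rules cover the new location.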
@@ -15,7 +15,7 @@ services:
 env_file:
 - ../env.production
 - env.production
- - env.secrets
+ - ../data/hedgedoc/env.secrets
 environment:
 - CMD_DB_URL=postgres://hedgedoc:password@database:5432/hedgedoc
 - CMD_PROTOCOL_USESSL=true
diff --git a/hedgedoc/setup b/hedgedoc/setup
index 23ec97d..b7e4d86 100755
--- a/hedgedoc/setup
+++ b/hedgedoc/setup
@@ -6,7 +6,9 @@ cd "$DIRNAME"
 source ../env.production || die "no top levle env?"
 source env.production || die "no local env?"
-if [ -r "./env.secrets" ]; then
+SECRETS="../data/hedgedoc/env.secrets"
+
+if [ -r "$SECRETS" ]; then
 docker-compose up -d || die "hedgedoc: unable to start"
 exit 0
 fi
@@ -17,7 +19,8 @@ docker-compose down 2>/dev/null
 CLIENT_SECRET="$(openssl rand -hex 20)"
 SESSION_SECRET="$(openssl rand -hex 20)"
-cat < env.secrets
+mkdir -p "$(dirname "$SECRETS")"
+cat < "$SECRETS"
 # DO NOT CHECK IN
 CMD_OAUTH2_CLIENT_SECRET=$CLIENT_SECRET
 CMD_SESSION_SECRET=$SESSION_SECRET
diff --git a/keycloak/client-create b/keycloak/client-create
index 271d0f8..eee36e7 100755
--- a/keycloak/client-create
+++ b/keycloak/client-create
@@ -6,7 +6,7 @@ cd "$DIRNAME"
 source ../env.production || die "no top levle env?"
 source env.production || die "no local env?"
-source env.secrets || die "no local secrets?"
+source "../data/keycloak/env.secrets" || die "no local secrets?"
 sudo docker-compose exec -T keycloak \
 /opt/keycloak/bin/kcadm.sh \
diff --git a/keycloak/client-delete b/keycloak/client-delete
index 1b2604f..0af8a3f 100755
--- a/keycloak/client-delete
+++ b/keycloak/client-delete
@@ -6,7 +6,7 @@ cd "$DIRNAME"
 source ../env.production || die "no top levle env?"
 source env.production || die "no local env?"
-source env.secrets || die "no local secrets?"
+source "../data/keycloak/env.secrets" || die "no local secrets?"
 # try to get the clients by name
 CLIENT_NAME="$1"
diff --git a/keycloak/docker-compose.yaml b/keycloak/docker-compose.yaml
index 04d98db..21c229c 100644
--- a/keycloak/docker-compose.yaml
+++ b/keycloak/docker-compose.yaml
@@ -22,7 +22,7 @@ services:
 env_file:
 - ../env.production
 - env.production
- - env.secrets
+ - ../data/keycloak/env.secrets
 environment:
 DB_VENDOR: MYSQL
 DB_ADDR: mysql
diff --git a/keycloak/setup b/keycloak/setup
index 97f9f0d..9aecfcc 100755
--- a/keycloak/setup
+++ b/keycloak/setup
@@ -7,7 +7,9 @@ cd "$DIRNAME"
 source ../env.production
 source ./env.production
-if [ -r "./env.secrets" ]; then
+SECRETS="../data/keycloak/env.secrets"
+
+if [ -r "$SECRETS" ]; then
 docker-compose up -d || die "keycloak: unable to start container"
 exit 0
 fi
@@ -17,7 +19,8 @@ docker-compose down 2>/dev/null
 KEYCLOAK_ADMIN_PASSWORD="$(openssl rand -hex 8)"
 echo "Keycloak admin password $KEYCLOAK_ADMIN_PASSWORD"
-cat < env.secrets
+mkdir -p "$(dirname "$SECRETS")"
+cat < "$SECRETS"
 # DO NOT CHECK IN
 KEYCLOAK_ADMIN_PASSWORD=$KEYCLOAK_ADMIN_PASSWORD
 EOF
diff --git a/mastodon/docker-compose.yaml b/mastodon/docker-compose.yaml
index 9e100de..36b165e 100644
--- a/mastodon/docker-compose.yaml
+++ b/mastodon/docker-compose.yaml
@@ -52,7 +52,7 @@ services:
 env_file:
 - ../env.production
 - env.production
- - env.secrets
+ - ../data/mastodon/env.secrets
 command: bash -c "rm -f /mastodon/tmp/pids/server.pid; bundle exec rails s -p 6001"
 networks:
 - external_network
@@ -75,7 +75,7 @@ services:
 env_file:
 - ../env.production
 - env.production
- - env.secrets
+ - ../data/mastodon/env.secrets
 command: node ./streaming
 networks:
 - external_network
@@ -95,7 +95,7 @@ services:
 env_file:
 - ../env.production
 - env.production
- - env.secrets
+ - ../data/mastodon/env.secrets
 command: bundle exec sidekiq
 depends_on:
 - database
diff --git a/mastodon/setup b/mastodon/setup
index 2f10840..e0f05b8 100755
--- a/mastodon/setup
+++ b/mastodon/setup
@@ -10,7 +10,9 @@ source ./env.production
 mkdir -p ../data/mastodon/system
 chmod 777 ../data/mastodon/system
-if [ -r "./env.secrets" ]; then
+SECRETS="../data/mastodon/env.secrets"
+
+if [ -r "$SECRETS" ]; then
 docker-compose up -d || die "unable to restart mastodon"
 exit 0
 fi
@@ -22,7 +24,8 @@ OIDC_CLIENT_SECRET="$(openssl rand -hex 32)"
 # create the secrets file,
 # along with some parameters that should be in the environment
-cat < env.secrets
+mkdir -p "$(dirname "$SECRETS")"
+cat < "$SECRETS"
 # DO NOT CHECK IN
 LOCAL_DOMAIN=$MASTODON_HOSTNAME
 OIDC_DISPLAY_NAME=$REALM
@@ -36,7 +39,7 @@ EOF
 info "mastodon: creating push keys"
 docker-compose run --rm mastodon \
 rails mastodon:webpush:generate_vapid_key \
- >> env.secrets \
+ >> "$SECRETS" \
 || die "unable to generate vapid key"
 info "mastodon: setting up database"
@@ -44,7 +47,7 @@ docker-compose run --rm mastodon \
 rails db:setup \
 || die "unable to login"
-source ./env.secrets
+source "$SECRETS"
 info "mastodon: creating keycloak interface"
 ../keycloak/client-delete mastodon
diff --git a/nextcloud/docker-compose.yaml b/nextcloud/docker-compose.yaml
index a7bc097..c22f3a1 100644
--- a/nextcloud/docker-compose.yaml
+++ b/nextcloud/docker-compose.yaml
@@ -19,7 +19,7 @@ services:
 env_file:
 - ../env.production
 - env.production
- - env.secrets
+ - ../data/nextcloud/env.secrets
 environment:
 POSTGRES_HOST: database
 POSTGRES_DB: nextcloud
diff --git a/nextcloud/setup b/nextcloud/setup
index a533364..fda0251 100755
--- a/nextcloud/setup
+++ b/nextcloud/setup
@@ -6,7 +6,8 @@ cd "$DIRNAME"
 source ../env.production || die "no top level env?"
 source env.production || die "no local env?"
-if [ -r "./env.secrets" ]; then
+SECRETS="../data/nextcloud/env.secrets"
+if [ -r "$SECRETS" ]; then
 docker-compose up -d || die "nextcloud: unable to start"
 exit 0
 fi
@@ -17,7 +18,8 @@ NEXTCLOUD_CLIENT_SECRET="$(openssl rand -hex 32)"
 NEXTCLOUD_ADMIN_PASSWORD="$(openssl rand -hex 6)"
 echo "Generating secrets: admin password $NEXTCLOUD_ADMIN_PASSWORD"
-cat < env.secrets
+mkdir -p "$(dirname "$SECRETS")"
+cat < "$SECRETS"
 # Do not check in!
 NEXTCLOUD_ADMIN_PASSWORD=$NEXTCLOUD_ADMIN_PASSWORD
 NEXTCLOUD_TRUSTED_DOMAINS=$NEXTCLOUD_HOSTNAME