coop-cloud/authentik
coop-cloud
/
authentik
1
0
Fork 0
Code Issues 2 Pull Requests Projects Releases Wiki Activity

feat(secrets): use docker secrets and make them rotateable

This commit is contained in:
Moritz 2022-11-17 19:34:20 +01:00
parent 3be4b1356a
commit ed8b1371e4
4 changed files with 87 additions and 45 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
.env.sample
View File

@ -2,25 +2,17 @@ TYPE=authentik
LETS_ENCRYPT_ENV=production
DOMAIN={{ .Domain }}
POSTGRES_PASSWORD=secret
AUTHENTIK_POSTGRESQL__PASSWORD=secret
POSTGRES_USER=authentik
AUTHENTIK_POSTGRESQL__USER=authentik
POSTGRES_DB=authentik
AUTHENTIK_POSTGRESQL__NAME=authentik
AUTHENTIK_POSTGRESQL__HOST=db
AUTHENTIK_REDIS__HOST=redis
AUTHENTIK_ERROR_REPORTING__ENABLED=true
# WORKERS=1
AUTHENTIK_SECRET_KEY=secret
AK_ADMIN_TOKEN=secret
AK_ADMIN_PASS=secret
# EMAIL
AUTHENTIK_EMAIL__HOST=smtp
AUTHENTIK_EMAIL__PORT=25
# AUTHENTIK_EMAIL__USERNAME=""
# AUTHENTIK_EMAIL__PASSWORD=""
AUTHENTIK_EMAIL__USE_TLS=false
AUTHENTIK_EMAIL__USE_SSL=false
AUTHENTIK_EMAIL__TIMEOUT=10
@ -28,9 +20,11 @@ AUTHENTIK_EMAIL__FROM=noreply@example.com
AUTHENTIK_LOG_LEVEL=info
# Secret Versions
# SECRET_SECRET_KEY_VERSION=v1
# SECRET_ADMIN_TOKEN_VERSION=v1
# SECRET_ADMIN_PASS_VERSION=v1
SECRET_SECRET_KEY_VERSION=v1
SECRET_DB_PASSWORD_VERSION=V1
SECRET_ADMIN_TOKEN_VERSION=v1
SECRET_ADMIN_PASS_VERSION=v1
SECRET_EMAIL_PASS_VERSION=v1
# X_FRAME_OPTIONS_ALLOW_FROM=dashboard.example.org
AUTHENTIK_COLOR_BACKGROUND_LIGHT=#1c1e21

13
README.md
View File

@ -22,7 +22,20 @@
* `abra app new authentik --secrets`
* `abra app config <app-name>`
* `abra app secret insert <app_name> email_pass v1 <password>`
* `abra app secret generate -a authentik.dev.local-it.cloud`
* `abra app deploy <app-name>`
* `abra app cmd <app_name> app set_admin_pass`
## Rotate Secrets
```
abra app secret generate -a <app_name>
abra app undeploy <app_name>
abra app deploy <app_name>
abra app cmd <app_name> db rotate_db_pass
abra app cmd <app_name> app set_admin_pass
```
## Customization

32
abra.sh
View File

@ -25,3 +25,35 @@ customize() {
abra app cp $APP_NAME $1/icon.png app:/web/dist/assets/icons/
fi
}
set_admin_pass() {
password=$(cat /run/secrets/admin_pass)
token=$(cat /run/secrets/admin_token)
/manage.py shell -c """
akadmin = User.objects.get(username='akadmin')
akadmin.set_password('$password')
akadmin.save()
print('Changed akadmin password')
from authentik.core.models import TokenIntents
key='$token'
if (token:= Token.objects.filter(identifier='authentik-bootstrap-token').first()):
token.key=key
token.save()
print('Changed authentik-bootstrap-token')
else:
Token.objects.create(
identifier='authentik-bootstrap-token',
user=akadmin,
intent=TokenIntents.INTENT_API,
expiring=False,
key=key,
)
print('Created authentik-bootstrap-token')
"""
}
rotate_db_pass() {
db_password=$(cat /run/secrets/db_password)
psql -U authentik -c """ALTER USER authentik WITH PASSWORD '$db_password';"""
}

71
compose.yml
View File

@ -1,19 +1,17 @@
---
x-env: &env
- AUTHENTIK_POSTGRESQL__PASSWORD
- AUTHENTIK_POSTGRESQL__PASSWORD=file:///run/secrets/db_password
- AUTHENTIK_POSTGRESQL__USER
- AUTHENTIK_POSTGRESQL__NAME
- AUTHENTIK_POSTGRESQL__HOST
- AUTHENTIK_REDIS__HOST
- AUTHENTIK_ERROR_REPORTING__ENABLED
- AUTHENTIK_SECRET_KEY= #file:///run/secrets/secret_key
- AK_ADMIN_TOKEN= #file:///run/secrets/admin_token
- AK_ADMIN_PASS= #file:///run/secrets/admin_pass
- AUTHENTIK_SECRET_KEY=file:///run/secrets/secret_key
- AUTHENTIK_EMAIL__HOST
- AUTHENTIK_EMAIL__PORT
- AUTHENTIK_EMAIL__USERNAME
- AUTHENTIK_EMAIL__PASSWORD
- AUTHENTIK_EMAIL__PASSWORD=file:///run/secrets/email_pass
- AUTHENTIK_EMAIL__USE_TLS
- AUTHENTIK_EMAIL__USE_SSL
- AUTHENTIK_EMAIL__TIMEOUT
@ -31,11 +29,12 @@ services:
app:
image: ghcr.io/goauthentik/server:2022.10.1
command: server
# secrets:
# - db_password
# - admin_pass
# - admin_token
# - secret_key
secrets:
- db_password
- admin_pass
- admin_token
- secret_key
- email_pass
volumes:
- media:/media
- custom-templates:/templates
@ -75,11 +74,12 @@ services:
worker:
image: ghcr.io/goauthentik/server:2022.10.1
command: worker
# secrets:
# - db_password
# - admin_pass
# - admin_token
# - secret_key
secrets:
- db_password
- admin_pass
- admin_token
- secret_key
- email_pass
networks:
- internal
- proxy
@ -97,8 +97,8 @@ services:
db:
image: postgres:12.12-alpine
# secrets:
# - db_password
secrets:
- db_password
volumes:
- database:/var/lib/postgresql/data
networks:
@ -110,13 +110,13 @@ services:
retries: 10
start_period: 1m
environment:
- POSTGRES_PASSWORD
- POSTGRES_USER
- POSTGRES_DB
- POSTGRES_PASSWORD_FILE=/run/secrets/db_password
- POSTGRES_USER=${AUTHENTIK_POSTGRESQL__USER}
- POSTGRES_DB=${AUTHENTIK_POSTGRESQL__NAME}
deploy:
labels:
backupbot.backup: "true"
backupbot.backup.pre-hook: "mkdir -p /tmp/backup/ && PGPASSWORD=${POSTGRES_PASSWORD} pg_dump -U ${POSTGRES_USER} ${POSTGRES_DB} > /tmp/backup/backup.sql"
backupbot.backup.pre-hook: "mkdir -p /tmp/backup/ && PGPASSWORD=$(cat /run/secrets/db_password) pg_dump -U ${POSTGRES_USER} ${POSTGRES_DB} > /tmp/backup/backup.sql"
backupbot.backup.post-hook: "rm -rf /tmp/backup"
backupbot.backup.path: "/tmp/backup/"
@ -131,19 +131,22 @@ services:
retries: 10
start_period: 1m
# secrets:
# db_password:
# external: true
# name: ${STACK_NAME}_db_password
# secret_key:
# external: true
# name: ${STACK_NAME}_secret_key_${SECRET_SECRET_KEY_VERSION}
# admin_token:
# external: true
# name: ${STACK_NAME}_admin_token_${SECRET_ADMIN_TOKEN_VERSION}
# admin_pass:
# external: true
# name: ${STACK_NAME}_admin_pass_${SECRET_ADMIN_PASS_VERSION}
secrets:
db_password:
external: true
name: ${STACK_NAME}_db_password_${SECRET_DB_PASSWORD_VERSION}
secret_key:
external: true
name: ${STACK_NAME}_secret_key_${SECRET_SECRET_KEY_VERSION}
admin_token:
external: true
name: ${STACK_NAME}_admin_token_${SECRET_ADMIN_TOKEN_VERSION}
admin_pass:
external: true
name: ${STACK_NAME}_admin_pass_${SECRET_ADMIN_PASS_VERSION}
email_pass:
external: true
name: ${STACK_NAME}_email_pass_${SECRET_EMAIL_PASS_VERSION}
networks:
proxy: