diff --git a/.env.sample b/.env.sample
index 600bc2d..50ae836 100644
--- a/.env.sample
+++ b/.env.sample
@@ -2,25 +2,17 @@
 TYPE=authentik
 LETS_ENCRYPT_ENV=production
 DOMAIN={{ .Domain }}
-POSTGRES_PASSWORD=secret
-AUTHENTIK_POSTGRESQL__PASSWORD=secret
-POSTGRES_USER=authentik
 AUTHENTIK_POSTGRESQL__USER=authentik
-POSTGRES_DB=authentik
 AUTHENTIK_POSTGRESQL__NAME=authentik
 AUTHENTIK_POSTGRESQL__HOST=db
 AUTHENTIK_REDIS__HOST=redis
 AUTHENTIK_ERROR_REPORTING__ENABLED=true
 # WORKERS=1
-AUTHENTIK_SECRET_KEY=secret
-AK_ADMIN_TOKEN=secret
-AK_ADMIN_PASS=secret
 # EMAIL
 AUTHENTIK_EMAIL__HOST=smtp
 AUTHENTIK_EMAIL__PORT=25
 # AUTHENTIK_EMAIL__USERNAME=""
-# AUTHENTIK_EMAIL__PASSWORD=""
 AUTHENTIK_EMAIL__USE_TLS=false
 AUTHENTIK_EMAIL__USE_SSL=false
 AUTHENTIK_EMAIL__TIMEOUT=10
@@ -28,9 +20,11 @@ AUTHENTIK_EMAIL__FROM=noreply@example.com
 AUTHENTIK_LOG_LEVEL=info
 # Secret Versions
-# SECRET_SECRET_KEY_VERSION=v1
-# SECRET_ADMIN_TOKEN_VERSION=v1
-# SECRET_ADMIN_PASS_VERSION=v1
+SECRET_SECRET_KEY_VERSION=v1
+SECRET_DB_PASSWORD_VERSION=V1
+SECRET_ADMIN_TOKEN_VERSION=v1
+SECRET_ADMIN_PASS_VERSION=v1
+SECRET_EMAIL_PASS_VERSION=v1
 # X_FRAME_OPTIONS_ALLOW_FROM=dashboard.example.org
 AUTHENTIK_COLOR_BACKGROUND_LIGHT=#1c1e21
diff --git a/README.md b/README.md
index 5858259..c45af80 100644
--- a/README.md
+++ b/README.md
@@ -22,7 +22,20 @@
 * `abra app new authentik --secrets`
 * `abra app config `
+* `abra app secret insert email_pass v1 `
+* `abra app secret generate -a authentik.dev.local-it.cloud`
 * `abra app deploy `
+* `abra app cmd app set_admin_pass`
+
+## Rotate Secrets
+
+```
+abra app secret generate -a 
+abra app undeploy 
+abra app deploy 
+abra app cmd db rotate_db_pass
+abra app cmd app set_admin_pass
+```
 ## Customization
diff --git a/abra.sh b/abra.sh
index b68a9f6..3b3c9f7 100644
--- a/abra.sh
+++ b/abra.sh
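Review bot: Removing `POSTGRES_USER` and `POSTGRES_DB` from .env.sample leaves the db service's backup pre-hook in compose.yml still reading `pg_dump -U ${POSTGRES_USER} ${POSTGRES_DB}`; those `${...}` are interpolated from the env at deploy time (that is how the old `${POSTGRES_PASSWORD}` worked), so both now expand to empty and the dump runs with no user and no database. The same commit switched `PGPASSWORD` to `$(cat /run/secrets/db_password)` but left the other two untouched. Either use the variables that remain, `pg_dump -U ${AUTHENTIK_POSTGRESQL__USER} ${AUTHENTIK_POSTGRESQL__NAME}`, or escape them as `$$POSTGRES_USER $$POSTGRES_DB` so the container's own environment is used when the hook runs; I cannot confirm from here which of the two abra's interpolation prefers, but either removes the empty expansion.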
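Review bot: `SECRET_DB_PASSWORD_VERSION=V1` is upper-case while the other four versions are `v1`, and the value is pasted verbatim into the Docker secret name (`${STACK_NAME}_db_password_${SECRET_DB_PASSWORD_VERSION}` in compose.yml), so a secret inserted by hand as `..._db_password_v1`, following the README's `abra app secret insert email_pass v1` example, will not be found at deploy. Change it to `SECRET_DB_PASSWORD_VERSION=v1`. Since these lines are now live rather than commented out, a one-line note above the block, `# bump a version to rotate that secret; see README "Rotate Secrets" for the order`, would also help.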
@@ -25,3 +25,35 @@ customize() {
     abra app cp $APP_NAME $1/icon.png app:/web/dist/assets/icons/
   fi
 }
+
+set_admin_pass() {
+password=$(cat /run/secrets/admin_pass)
+token=$(cat /run/secrets/admin_token)
+/manage.py shell -c """
+akadmin = User.objects.get(username='akadmin')
+akadmin.set_password('$password')
+akadmin.save()
+print('Changed akadmin password')
+
+from authentik.core.models import TokenIntents
+key='$token'
+if (token:= Token.objects.filter(identifier='authentik-bootstrap-token').first()):
+    token.key=key
+    token.save()
+    print('Changed authentik-bootstrap-token')
+else:
+    Token.objects.create(
+        identifier='authentik-bootstrap-token',
+        user=akadmin,
+        intent=TokenIntents.INTENT_API,
+        expiring=False,
+        key=key,
+    )
+    print('Created authentik-bootstrap-token')
+"""
+}
+
+rotate_db_pass() {
+  db_password=$(cat /run/secrets/db_password)
+  psql -U authentik -c """ALTER USER authentik WITH PASSWORD '$db_password';"""
+}
diff --git a/compose.yml b/compose.yml
index d7526ad..f5fc950 100644
--- a/compose.yml
+++ b/compose.yml
@@ -1,19 +1,17 @@
 ---
 x-env: &env
-  - AUTHENTIK_POSTGRESQL__PASSWORD
+  - AUTHENTIK_POSTGRESQL__PASSWORD=file:///run/secrets/db_password
   - AUTHENTIK_POSTGRESQL__USER
   - AUTHENTIK_POSTGRESQL__NAME
   - AUTHENTIK_POSTGRESQL__HOST
   - AUTHENTIK_REDIS__HOST
   - AUTHENTIK_ERROR_REPORTING__ENABLED
-  - AUTHENTIK_SECRET_KEY= #file:///run/secrets/secret_key
-  - AK_ADMIN_TOKEN= #file:///run/secrets/admin_token
-  - AK_ADMIN_PASS= #file:///run/secrets/admin_pass
+  - AUTHENTIK_SECRET_KEY=file:///run/secrets/secret_key
   - AUTHENTIK_EMAIL__HOST
   - AUTHENTIK_EMAIL__PORT
   - AUTHENTIK_EMAIL__USERNAME
-  - AUTHENTIK_EMAIL__PASSWORD
+  - AUTHENTIK_EMAIL__PASSWORD=file:///run/secrets/email_pass
   - AUTHENTIK_EMAIL__USE_TLS
   - AUTHENTIK_EMAIL__USE_SSL
   - AUTHENTIK_EMAIL__TIMEOUT
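Review bot: Both new functions splice a secret's raw bytes into source text — `set_admin_pass` into the Python handed to `manage.py shell -c` (`'$password'`, `'$token'`) and `rotate_db_pass` into SQL (`'$db_password'`) — so a value containing `'`, `\` or a newline breaks the statement, and in the Python case is executed as code; secrets from `abra app secret generate` are probably safe, but `abra app secret insert` accepts anything. Passing the values through the environment and reading `os.environ` in Python, and binding a psql variable used as `:'pw'` for the SQL, removes the quoting problem and also keeps the admin password and token off the `manage.py` command line, where `ps` inside the container can read them (the SQL is fed on stdin below because I do not believe psql interpolates variables in a `-c` string; the db password still appears in argv via `-v`). As a style point, the bash `"""..."""` is just `""` + `"..."` + `""`, not a triple-quoted string — that is the only reason the `$...` expansions work — so a plain double-quoted string or a heredoc says what is meant.
```shell
set_admin_pass() {
  AK_NEW_PASS="$(cat /run/secrets/admin_pass)" AK_NEW_TOKEN="$(cat /run/secrets/admin_token)" \
  /manage.py shell -c "
import os
akadmin = User.objects.get(username='akadmin')
akadmin.set_password(os.environ['AK_NEW_PASS'])
# … unchanged: save(), print, TokenIntents import …
key = os.environ['AK_NEW_TOKEN']
# … unchanged: bootstrap-token update/create …
"
}

rotate_db_pass() {
  psql -U authentik -v ON_ERROR_STOP=1 -v pw="$(cat /run/secrets/db_password)" <<'SQL'
ALTER USER authentik WITH PASSWORD :'pw';
SQL
}
```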
@@ -31,11 +29,12 @@ services:
   app:
     image: ghcr.io/goauthentik/server:2022.10.1
     command: server
-    # secrets:
-    #   - db_password
-    #   - admin_pass
-    #   - admin_token
-    #   - secret_key
+    secrets:
+      - db_password
+      - admin_pass
+      - admin_token
+      - secret_key
+      - email_pass
     volumes:
       - media:/media
       - custom-templates:/templates
@@ -75,11 +74,12 @@ services:
   worker:
     image: ghcr.io/goauthentik/server:2022.10.1
     command: worker
-    # secrets:
-    #   - db_password
-    #   - admin_pass
-    #   - admin_token
-    #   - secret_key
+    secrets:
+      - db_password
+      - admin_pass
+      - admin_token
+      - secret_key
+      - email_pass
     networks:
       - internal
       - proxy
@@ -97,8 +97,8 @@ services:
   db:
     image: postgres:12.12-alpine
-    # secrets:
-    #   - db_password
+    secrets:
+      - db_password
     volumes:
       - database:/var/lib/postgresql/data
     networks:
@@ -110,13 +110,13 @@ services:
       retries: 10
       start_period: 1m
     environment:
-      - POSTGRES_PASSWORD
-      - POSTGRES_USER
-      - POSTGRES_DB
+      - POSTGRES_PASSWORD_FILE=/run/secrets/db_password
+      - POSTGRES_USER=${AUTHENTIK_POSTGRESQL__USER}
+      - POSTGRES_DB=${AUTHENTIK_POSTGRESQL__NAME}
     deploy:
       labels:
         backupbot.backup: "true"
-        backupbot.backup.pre-hook: "mkdir -p /tmp/backup/ && PGPASSWORD=${POSTGRES_PASSWORD} pg_dump -U ${POSTGRES_USER} ${POSTGRES_DB} > /tmp/backup/backup.sql"
+        backupbot.backup.pre-hook: "mkdir -p /tmp/backup/ && PGPASSWORD=$(cat /run/secrets/db_password) pg_dump -U ${POSTGRES_USER} ${POSTGRES_DB} > /tmp/backup/backup.sql"
         backupbot.backup.post-hook: "rm -rf /tmp/backup"
         backupbot.backup.path: "/tmp/backup/"
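Review bot: The worker service now mounts `admin_pass` and `admin_token`, but nothing in the new compose consumes them: the `AK_ADMIN_*` entries are gone from `x-env`, and the only reader left in this diff is `set_admin_pass` in abra.sh, which the README runs against the app service (`abra app cmd app set_admin_pass`). Dropping those two from the worker's `secrets:` list leaves it with `db_password`, `secret_key` and `email_pass`, the three that `x-env` actually references, so an operator-only credential is not handed to a second container for no use. If the worker is intended as an alternative target for that command, a short comment on the list saying so would justify keeping them.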
@@ -131,19 +131,22 @@ services:
       retries: 10
       start_period: 1m
 
-# secrets:
-  # db_password:
-  #   external: true
-  #   name: ${STACK_NAME}_db_password
-  # secret_key:
-  #   external: true
-  #   name: ${STACK_NAME}_secret_key_${SECRET_SECRET_KEY_VERSION}
-  # admin_token:
-  #   external: true
-  #   name: ${STACK_NAME}_admin_token_${SECRET_ADMIN_TOKEN_VERSION}
-  # admin_pass:
-  #   external: true
-  #   name: ${STACK_NAME}_admin_pass_${SECRET_ADMIN_PASS_VERSION}
+secrets:
+  db_password:
+    external: true
+    name: ${STACK_NAME}_db_password_${SECRET_DB_PASSWORD_VERSION}
+  secret_key:
+    external: true
+    name: ${STACK_NAME}_secret_key_${SECRET_SECRET_KEY_VERSION}
+  admin_token:
+    external: true
+    name: ${STACK_NAME}_admin_token_${SECRET_ADMIN_TOKEN_VERSION}
+  admin_pass:
+    external: true
+    name: ${STACK_NAME}_admin_pass_${SECRET_ADMIN_PASS_VERSION}
+  email_pass:
+    external: true
+    name: ${STACK_NAME}_email_pass_${SECRET_EMAIL_PASS_VERSION}
 
 networks:
   proxy:
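Review bot: `db_password` is now versioned like the other secrets, but bumping `SECRET_DB_PASSWORD_VERSION` and redeploying only changes what the app, worker and backup hook read; the password held in the Postgres data volume stays the old one until `abra app cmd db rotate_db_pass` is run (the README's "Rotate Secrets" order), and every service fails to authenticate in between. A comment above `db_password:` such as `# after bumping SECRET_DB_PASSWORD_VERSION, run: abra app cmd db rotate_db_pass` would stop a reader from assuming a redeploy is enough. I also cannot tell from this diff whether any existing deployment created the secret under the old unversioned name `${STACK_NAME}_db_password`; if one did, it has to be re-created under the versioned name before the next deploy.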