feat(secrets): use docker secrets and make them rotateable
This commit is contained in:
parent
3be4b1356a
commit
ed8b1371e4
16
.env.sample
16
.env.sample
|
@ -2,25 +2,17 @@ TYPE=authentik
|
||||||
LETS_ENCRYPT_ENV=production
|
LETS_ENCRYPT_ENV=production
|
||||||
|
|
||||||
DOMAIN={{ .Domain }}
|
DOMAIN={{ .Domain }}
|
||||||
POSTGRES_PASSWORD=secret
|
|
||||||
AUTHENTIK_POSTGRESQL__PASSWORD=secret
|
|
||||||
POSTGRES_USER=authentik
|
|
||||||
AUTHENTIK_POSTGRESQL__USER=authentik
|
AUTHENTIK_POSTGRESQL__USER=authentik
|
||||||
POSTGRES_DB=authentik
|
|
||||||
AUTHENTIK_POSTGRESQL__NAME=authentik
|
AUTHENTIK_POSTGRESQL__NAME=authentik
|
||||||
AUTHENTIK_POSTGRESQL__HOST=db
|
AUTHENTIK_POSTGRESQL__HOST=db
|
||||||
AUTHENTIK_REDIS__HOST=redis
|
AUTHENTIK_REDIS__HOST=redis
|
||||||
AUTHENTIK_ERROR_REPORTING__ENABLED=true
|
AUTHENTIK_ERROR_REPORTING__ENABLED=true
|
||||||
# WORKERS=1
|
# WORKERS=1
|
||||||
AUTHENTIK_SECRET_KEY=secret
|
|
||||||
AK_ADMIN_TOKEN=secret
|
|
||||||
AK_ADMIN_PASS=secret
|
|
||||||
|
|
||||||
# EMAIL
|
# EMAIL
|
||||||
AUTHENTIK_EMAIL__HOST=smtp
|
AUTHENTIK_EMAIL__HOST=smtp
|
||||||
AUTHENTIK_EMAIL__PORT=25
|
AUTHENTIK_EMAIL__PORT=25
|
||||||
# AUTHENTIK_EMAIL__USERNAME=""
|
# AUTHENTIK_EMAIL__USERNAME=""
|
||||||
# AUTHENTIK_EMAIL__PASSWORD=""
|
|
||||||
AUTHENTIK_EMAIL__USE_TLS=false
|
AUTHENTIK_EMAIL__USE_TLS=false
|
||||||
AUTHENTIK_EMAIL__USE_SSL=false
|
AUTHENTIK_EMAIL__USE_SSL=false
|
||||||
AUTHENTIK_EMAIL__TIMEOUT=10
|
AUTHENTIK_EMAIL__TIMEOUT=10
|
||||||
|
@ -28,9 +20,11 @@ AUTHENTIK_EMAIL__FROM=noreply@example.com
|
||||||
AUTHENTIK_LOG_LEVEL=info
|
AUTHENTIK_LOG_LEVEL=info
|
||||||
|
|
||||||
# Secret Versions
|
# Secret Versions
|
||||||
# SECRET_SECRET_KEY_VERSION=v1
|
SECRET_SECRET_KEY_VERSION=v1
|
||||||
# SECRET_ADMIN_TOKEN_VERSION=v1
|
SECRET_DB_PASSWORD_VERSION=V1
|
||||||
# SECRET_ADMIN_PASS_VERSION=v1
|
SECRET_ADMIN_TOKEN_VERSION=v1
|
||||||
|
SECRET_ADMIN_PASS_VERSION=v1
|
||||||
|
SECRET_EMAIL_PASS_VERSION=v1
|
||||||
|
|
||||||
# X_FRAME_OPTIONS_ALLOW_FROM=dashboard.example.org
|
# X_FRAME_OPTIONS_ALLOW_FROM=dashboard.example.org
|
||||||
AUTHENTIK_COLOR_BACKGROUND_LIGHT=#1c1e21
|
AUTHENTIK_COLOR_BACKGROUND_LIGHT=#1c1e21
|
||||||
|
|
13
README.md
13
README.md
|
@ -22,7 +22,20 @@
|
||||||
|
|
||||||
* `abra app new authentik --secrets`
|
* `abra app new authentik --secrets`
|
||||||
* `abra app config <app-name>`
|
* `abra app config <app-name>`
|
||||||
|
* `abra app secret insert <app_name> email_pass v1 <password>`
|
||||||
|
* `abra app secret generate -a authentik.dev.local-it.cloud`
|
||||||
* `abra app deploy <app-name>`
|
* `abra app deploy <app-name>`
|
||||||
|
* `abra app cmd <app_name> app set_admin_pass`
|
||||||
|
|
||||||
|
## Rotate Secrets
|
||||||
|
|
||||||
|
```
|
||||||
|
abra app secret generate -a <app_name>
|
||||||
|
abra app undeploy <app_name>
|
||||||
|
abra app deploy <app_name>
|
||||||
|
abra app cmd <app_name> db rotate_db_pass
|
||||||
|
abra app cmd <app_name> app set_admin_pass
|
||||||
|
```
|
||||||
|
|
||||||
## Customization
|
## Customization
|
||||||
|
|
||||||
|
|
32
abra.sh
32
abra.sh
|
@ -25,3 +25,35 @@ customize() {
|
||||||
abra app cp $APP_NAME $1/icon.png app:/web/dist/assets/icons/
|
abra app cp $APP_NAME $1/icon.png app:/web/dist/assets/icons/
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
|
set_admin_pass() {
|
||||||
|
password=$(cat /run/secrets/admin_pass)
|
||||||
|
token=$(cat /run/secrets/admin_token)
|
||||||
|
/manage.py shell -c """
|
||||||
|
akadmin = User.objects.get(username='akadmin')
|
||||||
|
akadmin.set_password('$password')
|
||||||
|
akadmin.save()
|
||||||
|
print('Changed akadmin password')
|
||||||
|
|
||||||
|
from authentik.core.models import TokenIntents
|
||||||
|
key='$token'
|
||||||
|
if (token:= Token.objects.filter(identifier='authentik-bootstrap-token').first()):
|
||||||
|
token.key=key
|
||||||
|
token.save()
|
||||||
|
print('Changed authentik-bootstrap-token')
|
||||||
|
else:
|
||||||
|
Token.objects.create(
|
||||||
|
identifier='authentik-bootstrap-token',
|
||||||
|
user=akadmin,
|
||||||
|
intent=TokenIntents.INTENT_API,
|
||||||
|
expiring=False,
|
||||||
|
key=key,
|
||||||
|
)
|
||||||
|
print('Created authentik-bootstrap-token')
|
||||||
|
"""
|
||||||
|
}
|
||||||
|
|
||||||
|
rotate_db_pass() {
|
||||||
|
db_password=$(cat /run/secrets/db_password)
|
||||||
|
psql -U authentik -c """ALTER USER authentik WITH PASSWORD '$db_password';"""
|
||||||
|
}
|
||||||
|
|
71
compose.yml
71
compose.yml
|
@ -1,19 +1,17 @@
|
||||||
---
|
---
|
||||||
|
|
||||||
x-env: &env
|
x-env: &env
|
||||||
- AUTHENTIK_POSTGRESQL__PASSWORD
|
- AUTHENTIK_POSTGRESQL__PASSWORD=file:///run/secrets/db_password
|
||||||
- AUTHENTIK_POSTGRESQL__USER
|
- AUTHENTIK_POSTGRESQL__USER
|
||||||
- AUTHENTIK_POSTGRESQL__NAME
|
- AUTHENTIK_POSTGRESQL__NAME
|
||||||
- AUTHENTIK_POSTGRESQL__HOST
|
- AUTHENTIK_POSTGRESQL__HOST
|
||||||
- AUTHENTIK_REDIS__HOST
|
- AUTHENTIK_REDIS__HOST
|
||||||
- AUTHENTIK_ERROR_REPORTING__ENABLED
|
- AUTHENTIK_ERROR_REPORTING__ENABLED
|
||||||
- AUTHENTIK_SECRET_KEY= #file:///run/secrets/secret_key
|
- AUTHENTIK_SECRET_KEY=file:///run/secrets/secret_key
|
||||||
- AK_ADMIN_TOKEN= #file:///run/secrets/admin_token
|
|
||||||
- AK_ADMIN_PASS= #file:///run/secrets/admin_pass
|
|
||||||
- AUTHENTIK_EMAIL__HOST
|
- AUTHENTIK_EMAIL__HOST
|
||||||
- AUTHENTIK_EMAIL__PORT
|
- AUTHENTIK_EMAIL__PORT
|
||||||
- AUTHENTIK_EMAIL__USERNAME
|
- AUTHENTIK_EMAIL__USERNAME
|
||||||
- AUTHENTIK_EMAIL__PASSWORD
|
- AUTHENTIK_EMAIL__PASSWORD=file:///run/secrets/email_pass
|
||||||
- AUTHENTIK_EMAIL__USE_TLS
|
- AUTHENTIK_EMAIL__USE_TLS
|
||||||
- AUTHENTIK_EMAIL__USE_SSL
|
- AUTHENTIK_EMAIL__USE_SSL
|
||||||
- AUTHENTIK_EMAIL__TIMEOUT
|
- AUTHENTIK_EMAIL__TIMEOUT
|
||||||
|
@ -31,11 +29,12 @@ services:
|
||||||
app:
|
app:
|
||||||
image: ghcr.io/goauthentik/server:2022.10.1
|
image: ghcr.io/goauthentik/server:2022.10.1
|
||||||
command: server
|
command: server
|
||||||
# secrets:
|
secrets:
|
||||||
# - db_password
|
- db_password
|
||||||
# - admin_pass
|
- admin_pass
|
||||||
# - admin_token
|
- admin_token
|
||||||
# - secret_key
|
- secret_key
|
||||||
|
- email_pass
|
||||||
volumes:
|
volumes:
|
||||||
- media:/media
|
- media:/media
|
||||||
- custom-templates:/templates
|
- custom-templates:/templates
|
||||||
|
@ -75,11 +74,12 @@ services:
|
||||||
worker:
|
worker:
|
||||||
image: ghcr.io/goauthentik/server:2022.10.1
|
image: ghcr.io/goauthentik/server:2022.10.1
|
||||||
command: worker
|
command: worker
|
||||||
# secrets:
|
secrets:
|
||||||
# - db_password
|
- db_password
|
||||||
# - admin_pass
|
- admin_pass
|
||||||
# - admin_token
|
- admin_token
|
||||||
# - secret_key
|
- secret_key
|
||||||
|
- email_pass
|
||||||
networks:
|
networks:
|
||||||
- internal
|
- internal
|
||||||
- proxy
|
- proxy
|
||||||
|
@ -97,8 +97,8 @@ services:
|
||||||
|
|
||||||
db:
|
db:
|
||||||
image: postgres:12.12-alpine
|
image: postgres:12.12-alpine
|
||||||
# secrets:
|
secrets:
|
||||||
# - db_password
|
- db_password
|
||||||
volumes:
|
volumes:
|
||||||
- database:/var/lib/postgresql/data
|
- database:/var/lib/postgresql/data
|
||||||
networks:
|
networks:
|
||||||
|
@ -110,13 +110,13 @@ services:
|
||||||
retries: 10
|
retries: 10
|
||||||
start_period: 1m
|
start_period: 1m
|
||||||
environment:
|
environment:
|
||||||
- POSTGRES_PASSWORD
|
- POSTGRES_PASSWORD_FILE=/run/secrets/db_password
|
||||||
- POSTGRES_USER
|
- POSTGRES_USER=${AUTHENTIK_POSTGRESQL__USER}
|
||||||
- POSTGRES_DB
|
- POSTGRES_DB=${AUTHENTIK_POSTGRESQL__NAME}
|
||||||
deploy:
|
deploy:
|
||||||
labels:
|
labels:
|
||||||
backupbot.backup: "true"
|
backupbot.backup: "true"
|
||||||
backupbot.backup.pre-hook: "mkdir -p /tmp/backup/ && PGPASSWORD=${POSTGRES_PASSWORD} pg_dump -U ${POSTGRES_USER} ${POSTGRES_DB} > /tmp/backup/backup.sql"
|
backupbot.backup.pre-hook: "mkdir -p /tmp/backup/ && PGPASSWORD=$(cat /run/secrets/db_password) pg_dump -U ${POSTGRES_USER} ${POSTGRES_DB} > /tmp/backup/backup.sql"
|
||||||
backupbot.backup.post-hook: "rm -rf /tmp/backup"
|
backupbot.backup.post-hook: "rm -rf /tmp/backup"
|
||||||
backupbot.backup.path: "/tmp/backup/"
|
backupbot.backup.path: "/tmp/backup/"
|
||||||
|
|
||||||
|
@ -131,19 +131,22 @@ services:
|
||||||
retries: 10
|
retries: 10
|
||||||
start_period: 1m
|
start_period: 1m
|
||||||
|
|
||||||
# secrets:
|
secrets:
|
||||||
# db_password:
|
db_password:
|
||||||
# external: true
|
external: true
|
||||||
# name: ${STACK_NAME}_db_password
|
name: ${STACK_NAME}_db_password_${SECRET_DB_PASSWORD_VERSION}
|
||||||
# secret_key:
|
secret_key:
|
||||||
# external: true
|
external: true
|
||||||
# name: ${STACK_NAME}_secret_key_${SECRET_SECRET_KEY_VERSION}
|
name: ${STACK_NAME}_secret_key_${SECRET_SECRET_KEY_VERSION}
|
||||||
# admin_token:
|
admin_token:
|
||||||
# external: true
|
external: true
|
||||||
# name: ${STACK_NAME}_admin_token_${SECRET_ADMIN_TOKEN_VERSION}
|
name: ${STACK_NAME}_admin_token_${SECRET_ADMIN_TOKEN_VERSION}
|
||||||
# admin_pass:
|
admin_pass:
|
||||||
# external: true
|
external: true
|
||||||
# name: ${STACK_NAME}_admin_pass_${SECRET_ADMIN_PASS_VERSION}
|
name: ${STACK_NAME}_admin_pass_${SECRET_ADMIN_PASS_VERSION}
|
||||||
|
email_pass:
|
||||||
|
external: true
|
||||||
|
name: ${STACK_NAME}_email_pass_${SECRET_EMAIL_PASS_VERSION}
|
||||||
|
|
||||||
networks:
|
networks:
|
||||||
proxy:
|
proxy:
|
||||||
|
|
Loading…
Reference in New Issue