generate and manage CRYPTO_KEY outside of abra
@ -7,7 +7,7 @@ LETS_ENCRYPT_ENV=production
|
|||||||
#==============================================================================
|
#==============================================================================
|
||||||
SECRET_SECRET_KEY_VERSION=v1
|
SECRET_SECRET_KEY_VERSION=v1
|
||||||
SECRET_DB_PASSWORD_VERSION=v1
|
SECRET_DB_PASSWORD_VERSION=v1
|
||||||
SECRET_CRYPTO_KEY_VERSION=v1
|
CRYPTO_KEY_VERSION=v1 # This secret is managed in the entrypoint, not as a docker secret
|
||||||
|
|
||||||
#==============================================================================
|
#==============================================================================
|
||||||
# ADMINISTRATION
|
# ADMINISTRATION
|
||||||
|
|||||||
9
abra.sh
9
abra.sh
@ -41,12 +41,3 @@ setup_db() {
|
|||||||
|
|
||||||
echo "Database setup complete. <3"
|
echo "Database setup complete. <3"
|
||||||
}
|
}
|
||||||
|
|
||||||
gen_key() {
|
|
||||||
file_env "DB_PASSWORD"
|
|
||||||
file_env "CRYPTO_KEY"
|
|
||||||
file_env "SECRET_KEY"
|
|
||||||
file_env "LDAP_BIND_PASSWORD"
|
|
||||||
|
|
||||||
flask cryptokey create
|
|
||||||
}
|
|
||||||
@ -59,7 +59,6 @@ services:
|
|||||||
- ROOT_USER=${ADMIN_USER}
|
- ROOT_USER=${ADMIN_USER}
|
||||||
- TMP_DIR=/tmp
|
- TMP_DIR=/tmp
|
||||||
- SECRET_KEY_FILE=/run/secrets/secret_key
|
- SECRET_KEY_FILE=/run/secrets/secret_key
|
||||||
- CRYPTO_KEY_FILE=/run/secrets/crypto_key
|
|
||||||
- SESSION_TYPE=filesystem
|
- SESSION_TYPE=filesystem
|
||||||
- LOG_LEVEL=INFO
|
- LOG_LEVEL=INFO
|
||||||
- LOG_DIR=/app/logs
|
- LOG_DIR=/app/logs
|
||||||
@ -96,6 +95,7 @@ services:
|
|||||||
- uploads:/app/uploads
|
- uploads:/app/uploads
|
||||||
- log:/app/logs
|
- log:/app/logs
|
||||||
- static:/app/liberaforms/static
|
- static:/app/liberaforms/static
|
||||||
|
- cryptokey:/cryptokey
|
||||||
secrets:
|
secrets:
|
||||||
- db_password
|
- db_password
|
||||||
- secret_key
|
- secret_key
|
||||||
@ -137,15 +137,13 @@ secrets:
|
|||||||
secret_key:
|
secret_key:
|
||||||
external: true
|
external: true
|
||||||
name: ${STACK_NAME}_secret_key_${SECRET_SECRET_KEY_VERSION}
|
name: ${STACK_NAME}_secret_key_${SECRET_SECRET_KEY_VERSION}
|
||||||
crypto_key:
|
|
||||||
external: true
|
|
||||||
name: ${STACK_NAME}_crypto_key_${SECRET_CRYPTO_KEY_VERSION}
|
|
||||||
|
|
||||||
volumes:
|
volumes:
|
||||||
uploads:
|
uploads:
|
||||||
static:
|
static:
|
||||||
log:
|
log:
|
||||||
db:
|
db:
|
||||||
|
cryptokey:
|
||||||
|
|
||||||
|
|
||||||
networks:
|
networks:
|
||||||
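Review bot: The entrypoint now reads `/cryptokey/$CRYPTO_KEY_VERSION`, but the environment hunk at `@ -59,7 +59,6` only drops `CRYPTO_KEY_FILE` and adds no `CRYPTO_KEY_VERSION` entry, so unless it is set in a part of the environment list outside this hunk the variable is visible to compose interpolation only and not inside the container, leaving the entrypoint with an empty path segment. Adding `- CRYPTO_KEY_VERSION=${CRYPTO_KEY_VERSION}` next to the `SECRET_KEY_FILE` line would close that gap. The `cryptokey:` volume introduced under `volumes:` now stores the application's encryption key in plaintext on the host with default volume permissions, which is weaker than the removed `crypto_key` Docker secret; a comment on that line such as `# holds the generated CRYPTO_KEY; treat as secret material in backups and host access` would make this explicit to operators.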
|
|||||||
@ -25,8 +25,12 @@ file_env() {
|
|||||||
}
|
}
|
||||||
|
|
||||||
file_env "DB_PASSWORD"
|
file_env "DB_PASSWORD"
|
||||||
file_env "CRYPTO_KEY"
|
|
||||||
file_env "SECRET_KEY"
|
file_env "SECRET_KEY"
|
||||||
file_env "LDAP_BIND_PASSWORD"
|
file_env "LDAP_BIND_PASSWORD"
|
||||||
|
|
||||||
|
if [ ! -f "/cryptokey/$CRYPTO_KEY_VERSION" ]; then
|
||||||
|
flask cryptokey create > /cryptokey/$CRYPTO_KEY_VERSION
|
||||||
|
fi
|
||||||
|
export CRYPTO_KEY=`cat /cryptokey/$CRYPTO_KEY_VERSION`
|
||||||
|
|
||||||
/usr/bin/supervisord -n
|
/usr/bin/supervisord -n
|
||||||
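Review bot: The redirect in `flask cryptokey create > /cryptokey/$CRYPTO_KEY_VERSION` creates the target file before the command runs, so a failed or interrupted key generation leaves an empty or partial file behind; the `-f` check then passes on every later start and the container exports an empty `CRYPTO_KEY` instead of regenerating. Write to a temporary file in the same directory, check the exit status, and move it into place only on success, under a restrictive umask since the key now persists in a plain volume rather than a Docker secret. The `$CRYPTO_KEY_VERSION` expansions are unquoted and the `cat` uses backticks; if the variable is unset the path collapses to `/cryptokey/` and the redirect fails against a directory, so a `${CRYPTO_KEY_VERSION:?}` guard is worthwhile. Whether this script runs under `set -e` is not visible in the hunk, so the explicit status check should not rely on it.
```shell
# … unchanged: file_env calls …
key_file="/cryptokey/${CRYPTO_KEY_VERSION:?CRYPTO_KEY_VERSION must be set}"
if [ ! -f "$key_file" ]; then
  tmp_file=$(mktemp "$key_file.XXXXXX") || exit 1
  # Generate under umask 077 so the key file is never world-readable; only
  # publish it under the final name once generation succeeded.
  if ! (umask 077 && flask cryptokey create > "$tmp_file"); then
    rm -f -- "$tmp_file"
    echo "failed to generate crypto key" >&2
    exit 1
  fi
  mv -- "$tmp_file" "$key_file"
fi
CRYPTO_KEY=$(cat "$key_file")
export CRYPTO_KEY
# … unchanged: supervisord start …
```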