fix: no hardcoded secrets
This commit is contained in:
parent
6727434db5
commit
68d73bd4e7
|
@ -7,6 +7,10 @@ SECRET_DB_PASSWORD_VERSION=v1
|
|||
|
||||
SYNAPSE_ADMIN_EMAIL=admin@example.com
|
||||
|
||||
SECRET_REGISTRATION_SHARED_SECRET_VERSION=v1
|
||||
SECRET_MACAROON_SECRET_KEY_VERSION=v1
|
||||
SECRET_FORM_SECRET_VERSION=v1
|
||||
|
||||
#DISABLE_FEDERATION=1
|
||||
|
||||
#COMPOSE_FILE="compose.yml:compose.keycloak.yml"
|
||||
|
|
|
@ -5,7 +5,10 @@ services:
|
|||
app:
|
||||
secrets:
|
||||
- db_password
|
||||
- form_secret
|
||||
- keycloak_client_secret
|
||||
- macaroon_secret_key
|
||||
- registration_shared_secret
|
||||
environment:
|
||||
- KEYCLOAK_ENABLED
|
||||
- KEYCLOAK_NAME
|
||||
|
|
|
@ -5,6 +5,9 @@ services:
|
|||
app:
|
||||
secrets:
|
||||
- db_password
|
||||
- form_secret
|
||||
- macaroon_secret_key
|
||||
- registration_shared_secret
|
||||
- turn_shared_secret
|
||||
environment:
|
||||
- TURN_ALLOW_GUESTS
|
||||
|
|
12
compose.yml
12
compose.yml
|
@ -31,6 +31,9 @@ services:
|
|||
- "data:/data"
|
||||
secrets:
|
||||
- db_password
|
||||
- registration_shared_secret
|
||||
- macaroon_secret_key
|
||||
- form_secret
|
||||
environment:
|
||||
- DISABLE_FEDERATION
|
||||
- DOMAIN
|
||||
|
@ -100,3 +103,12 @@ secrets:
|
|||
db_password:
|
||||
external: true
|
||||
name: ${STACK_NAME}_db_password_${SECRET_DB_PASSWORD_VERSION}
|
||||
registration_shared_secret:
|
||||
external: true
|
||||
name: ${STACK_NAME}_db_password_${SECRET_REGISTRATION_SHARED_SECRET_VERSION}
|
||||
macaroon_secret_key:
|
||||
external: true
|
||||
name: ${STACK_NAME}_db_password_${SECRET_MACAROON_SECRET_KEY_VERSION}
|
||||
form_secret:
|
||||
external: true
|
||||
name: ${STACK_NAME}_db_password_${SECRET_FORM_SECRET_VERSION}
|
||||
|
|
|
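Review bot: The new external secret names for registration_shared_secret, macaroon_secret_key and form_secret all keep the `_db_password_` segment copied from the db_password entry above them, so only the version suffix differs; with every SECRET_*_VERSION set to v1 in this commit's .env hunk all four `name:` values render to the same `${STACK_NAME}_db_password_v1`, and the app would be handed the database password as its registration, macaroon and form secret (or fail to start if that name does not exist). Each name should be derived from its own key: `name: ${STACK_NAME}_registration_shared_secret_${SECRET_REGISTRATION_SHARED_SECRET_VERSION}`, `name: ${STACK_NAME}_macaroon_secret_key_${SECRET_MACAROON_SECRET_KEY_VERSION}` and `name: ${STACK_NAME}_form_secret_${SECRET_FORM_SECRET_VERSION}`. The enclosing top-level `secrets:` mapping begins above the hunk.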
@ -4,4 +4,8 @@
|
|||
# default user permissions for the synapse user
|
||||
chown 991:991 /data
|
||||
|
||||
if [[ ! -f /data/{{ env "DOMAIN" }}.signing.key ]]; then
|
||||
/start.py generate
|
||||
fi
|
||||
|
||||
/start.py
|
||||
|
|
|
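Review bot: `/start.py generate` inside the new `if` block has no failure handling, and the final `/start.py` runs as a child of the shell instead of replacing it, so a failed key generation still falls through to a normal start and a stop signal sent to the container reaches the shell rather than Synapse — unless the script sets `set -e` or a trap above the hunk, which is not visible here. Suggested: `/start.py generate || exit 1` and `exec /start.py`. The script's preamble is outside the hunk.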
@ -1210,7 +1210,7 @@ turn_allow_guests: {{ env "TURN_ALLOW_GUESTS" }}
|
|||
# If set, allows registration of standard or admin accounts by anyone who
|
||||
# has the shared secret, even if registration is otherwise disabled.
|
||||
#
|
||||
registration_shared_secret: "G:4AX-+1LBJehgt6=gi^+^T73~zhmJfW4iNP2f#3wZY8icB.;w"
|
||||
registration_shared_secret: "{{ secret "registration_shared_secret" }}"
|
||||
|
||||
# Set the number of bcrypt rounds used to generate password hash.
|
||||
# Larger numbers increase the work factor needed to generate the hash.
|
||||
|
@ -1444,13 +1444,13 @@ room_prejoin_state:
|
|||
# the registration_shared_secret is used, if one is given; otherwise,
|
||||
# a secret key is derived from the signing key.
|
||||
#
|
||||
macaroon_secret_key: "KyMrrJ:uvm4_89*CEYh;o*.WeWZJ^p0p*:w*G7^*,EC.EEin8@"
|
||||
macaroon_secret_key: "{{ secret "macaroon_secret_key" }}"
|
||||
|
||||
# a secret which is used to calculate HMACs for form values, to stop
|
||||
# falsification of values. Must be specified for the User Consent
|
||||
# forms to work.
|
||||
#
|
||||
form_secret: "I@#lMS0V3@HRB~b0nvA&Di29uK^l5K@Sm=Ima+:.CKlldwP6&s"
|
||||
form_secret: "{{ secret "form_secret" }}"
|
||||
|
||||
## Signing Keys ##
|
||||
|
||||
|
|
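Review bot: The rendered value of `registration_shared_secret: "{{ secret "registration_shared_secret" }}"` is spliced verbatim into a YAML double-quoted scalar, so a generated secret that happens to contain `"` or `\` would break the parse or be de-escaped; the same applies to macaroon_secret_key and form_secret in the next hunk. Either constrain the secret generator to an alphabet without those two characters and record that in a comment above the key, or escape the value in the template before it lands inside the quotes; whether `secret` strips a trailing newline from the secret file is also not visible here and is worth confirming. Separately, the literal values this commit removes on these three lines remain reachable in history under the parent commit, so if any deployment ever used them they should be treated as exposed and rotated rather than merely deleted.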