
fix: no hardcoded secrets

pull/27/head
cellarspoon 8 months ago
68d73bd4e7
No known key found for this signature in database
GPG Key ID: 3789458B3D0C410
  1. 4
      .env.sample
  2. 3
      compose.keycloak.yml
  3. 3
      compose.turn.yml
  4. 12
      compose.yml
  5. 4
      entrypoint.sh.tmpl
  6. 6
      homeserver.yaml.tmpl

4
.env.sample

@ -7,6 +7,10 @@ SECRET_DB_PASSWORD_VERSION=v1
SYNAPSE_ADMIN_EMAIL=admin@example.com
SECRET_REGISTRATION_SHARED_SECRET_VERSION=v1
SECRET_MACAROON_SECRET_KEY_VERSION=v1
SECRET_FORM_SECRET_VERSION=v1
#DISABLE_FEDERATION=1
#COMPOSE_FILE="compose.yml:compose.keycloak.yml"

3
compose.keycloak.yml

@ -5,7 +5,10 @@ services:
app:
secrets:
- db_password
- form_secret
- keycloak_client_secret
- macaroon_secret_key
- registration_shared_secret
environment:
- KEYCLOAK_ENABLED
- KEYCLOAK_NAME

3
compose.turn.yml

@ -5,6 +5,9 @@ services:
app:
secrets:
- db_password
- form_secret
- macaroon_secret_key
- registration_shared_secret
- turn_shared_secret
environment:
- TURN_ALLOW_GUESTS

12
compose.yml

@ -31,6 +31,9 @@ services:
- "data:/data"
secrets:
- db_password
- registration_shared_secret
- macaroon_secret_key
- form_secret
environment:
- DISABLE_FEDERATION
- DOMAIN
@ -100,3 +103,12 @@ secrets:
db_password:
external: true
name: ${STACK_NAME}_db_password_${SECRET_DB_PASSWORD_VERSION}
registration_shared_secret:
external: true
name: ${STACK_NAME}_db_password_${SECRET_REGISTRATION_SHARED_SECRET_VERSION}
macaroon_secret_key:
external: true
name: ${STACK_NAME}_db_password_${SECRET_MACAROON_SECRET_KEY_VERSION}
form_secret:
external: true
name: ${STACK_NAME}_db_password_${SECRET_FORM_SECRET_VERSION}
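Review bot: The `name:` values of the three secrets added at the end of the second hunk (`registration_shared_secret`, `macaroon_secret_key`, `form_secret`) all keep the `_db_password_` segment copied from the `db_password` entry, so with matching version suffixes each of them resolves to the same external secret as the database password: the DB credential would be mounted into the container as the registration, macaroon and form secret, and a secret created under the expected per-key name would never be picked up. The names should follow each key: `name: ${STACK_NAME}_registration_shared_secret_${SECRET_REGISTRATION_SHARED_SECRET_VERSION}`, `name: ${STACK_NAME}_macaroon_secret_key_${SECRET_MACAROON_SECRET_KEY_VERSION}` and `name: ${STACK_NAME}_form_secret_${SECRET_FORM_SECRET_VERSION}`. The same three secrets are referenced from the `secrets:` lists added in compose.keycloak.yml and compose.turn.yml, so those overlays inherit the mix-up until it is corrected here.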

4
entrypoint.sh.tmpl

@ -4,4 +4,8 @@
# default user permissions for the synapse user
chown 991:991 /data
if [[ ! -f /data/{{ env "DOMAIN" }}.signing.key ]]; then
/start.py generate
fi
/start.py
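Review bot: A failure of `/start.py generate` inside the `if` block does not stop the script; execution falls through to the unconditional `/start.py` on the last line and starts the server against a partially generated configuration, unless the preamble on lines 1–3 (outside this hunk) already sets `set -e`. Making the call fail loudly, `/start.py generate || exit 1`, keeps the container from coming up in an inconsistent state. The `[[ ... ]]` test also requires bash rather than POSIX sh, so the shebang above the hunk should be checked to match.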

6
homeserver.yaml.tmpl

@ -1210,7 +1210,7 @@ turn_allow_guests: {{ env "TURN_ALLOW_GUESTS" }}
# If set, allows registration of standard or admin accounts by anyone who
# has the shared secret, even if registration is otherwise disabled.
#
registration_shared_secret: "G:4AX-+1LBJehgt6=gi^+^T73~zhmJfW4iNP2f#3wZY8icB.;w"
registration_shared_secret: "{{ secret "registration_shared_secret" }}"
# Set the number of bcrypt rounds used to generate password hash.
# Larger numbers increase the work factor needed to generate the hash.
@ -1444,13 +1444,13 @@ room_prejoin_state:
# the registration_shared_secret is used, if one is given; otherwise,
# a secret key is derived from the signing key.
#
macaroon_secret_key: "KyMrrJ:uvm4_89*CEYh;o*.WeWZJ^p0p*:w*G7^*,EC.EEin8@"
macaroon_secret_key: "{{ secret "macaroon_secret_key" }}"
# a secret which is used to calculate HMACs for form values, to stop
# falsification of values. Must be specified for the User Consent
# forms to work.
#
form_secret: "I@#lMS0V3@HRB~b0nvA&Di29uK^l5K@Sm=Ima+:.CKlldwP6&s"
form_secret: "{{ secret "form_secret" }}"
## Signing Keys ##
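Review bot: The literal values removed from the `registration_shared_secret`, `macaroon_secret_key` and `form_secret` lines in both hunks remain in the repository history, so swapping them for `{{ secret "..." }}` lookups does not revoke them; any deployment that ever ran with these defaults should treat the three values as exposed and be re-deployed with freshly generated secrets under the new names. The substituted values land inside double quotes, where a generated secret containing `"` or `\` would yield invalid YAML (the removed literals show the generator has used a wide punctuation alphabet); either restrict the alphabet of the new secrets or escape the value in the template. I cannot see from this page how the new secrets are generated, so the second point is conditional on that.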
