fix: no hardcoded secrets
This commit is contained in:
parent
6727434db5
commit
68d73bd4e7
|
@ -7,6 +7,10 @@ SECRET_DB_PASSWORD_VERSION=v1
|
||||||
|
|
||||||
SYNAPSE_ADMIN_EMAIL=admin@example.com
|
SYNAPSE_ADMIN_EMAIL=admin@example.com
|
||||||
|
|
||||||
|
SECRET_REGISTRATION_SHARED_SECRET_VERSION=v1
|
||||||
|
SECRET_MACAROON_SECRET_KEY_VERSION=v1
|
||||||
|
SECRET_FORM_SECRET_VERSION=v1
|
||||||
|
|
||||||
#DISABLE_FEDERATION=1
|
#DISABLE_FEDERATION=1
|
||||||
|
|
||||||
#COMPOSE_FILE="compose.yml:compose.keycloak.yml"
|
#COMPOSE_FILE="compose.yml:compose.keycloak.yml"
|
||||||
|
|
|
@ -5,7 +5,10 @@ services:
|
||||||
app:
|
app:
|
||||||
secrets:
|
secrets:
|
||||||
- db_password
|
- db_password
|
||||||
|
- form_secret
|
||||||
- keycloak_client_secret
|
- keycloak_client_secret
|
||||||
|
- macaroon_secret_key
|
||||||
|
- registration_shared_secret
|
||||||
environment:
|
environment:
|
||||||
- KEYCLOAK_ENABLED
|
- KEYCLOAK_ENABLED
|
||||||
- KEYCLOAK_NAME
|
- KEYCLOAK_NAME
|
||||||
|
|
|
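Review bot: The secrets added to `app.secrets` here are inserted in alphabetical order (`form_secret`, `macaroon_secret_key`, `registration_shared_secret`), while the compose.yml section adds the same three to the same list in a different order (`registration_shared_secret`, `macaroon_secret_key`, `form_secret`); the next overlay section orders them as this one does. Picking one order for all three files keeps the lists diffable against each other when the next secret is added. The `app` service definition continues outside the hunk.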
@ -5,6 +5,9 @@ services:
|
||||||
app:
|
app:
|
||||||
secrets:
|
secrets:
|
||||||
- db_password
|
- db_password
|
||||||
|
- form_secret
|
||||||
|
- macaroon_secret_key
|
||||||
|
- registration_shared_secret
|
||||||
- turn_shared_secret
|
- turn_shared_secret
|
||||||
environment:
|
environment:
|
||||||
- TURN_ALLOW_GUESTS
|
- TURN_ALLOW_GUESTS
|
||||||
|
|
12
compose.yml
12
compose.yml
|
@ -31,6 +31,9 @@ services:
|
||||||
- "data:/data"
|
- "data:/data"
|
||||||
secrets:
|
secrets:
|
||||||
- db_password
|
- db_password
|
||||||
|
- registration_shared_secret
|
||||||
|
- macaroon_secret_key
|
||||||
|
- form_secret
|
||||||
environment:
|
environment:
|
||||||
- DISABLE_FEDERATION
|
- DISABLE_FEDERATION
|
||||||
- DOMAIN
|
- DOMAIN
|
||||||
|
@ -100,3 +103,12 @@ secrets:
|
||||||
db_password:
|
db_password:
|
||||||
external: true
|
external: true
|
||||||
name: ${STACK_NAME}_db_password_${SECRET_DB_PASSWORD_VERSION}
|
name: ${STACK_NAME}_db_password_${SECRET_DB_PASSWORD_VERSION}
|
||||||
|
registration_shared_secret:
|
||||||
|
external: true
|
||||||
|
name: ${STACK_NAME}_db_password_${SECRET_REGISTRATION_SHARED_SECRET_VERSION}
|
||||||
|
macaroon_secret_key:
|
||||||
|
external: true
|
||||||
|
name: ${STACK_NAME}_db_password_${SECRET_MACAROON_SECRET_KEY_VERSION}
|
||||||
|
form_secret:
|
||||||
|
external: true
|
||||||
|
name: ${STACK_NAME}_db_password_${SECRET_FORM_SECRET_VERSION}
|
||||||
|
|
|
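Review bot: The three new top-level secret definitions all reuse `_db_password_` in their external `name`, which reads as a copy-paste from the `db_password` entry directly above: with every `SECRET_*_VERSION` at `v1` as in the env sample, `registration_shared_secret`, `macaroon_secret_key` and `form_secret` all resolve to `${STACK_NAME}_db_password_v1`, so the database password would be mounted in place of each of them (or, if the name does not exist, the stack fails to start). The names should follow each entry's own key: `name: ${STACK_NAME}_registration_shared_secret_${SECRET_REGISTRATION_SHARED_SECRET_VERSION}`, `name: ${STACK_NAME}_macaroon_secret_key_${SECRET_MACAROON_SECRET_KEY_VERSION}`, `name: ${STACK_NAME}_form_secret_${SECRET_FORM_SECRET_VERSION}`. The additions to the `app` service in the first hunk only reference the keys and are unaffected.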
@ -4,4 +4,8 @@
|
||||||
# default user permissions for the synapse user
|
# default user permissions for the synapse user
|
||||||
chown 991:991 /data
|
chown 991:991 /data
|
||||||
|
|
||||||
|
if [[ ! -f /data/{{ env "DOMAIN" }}.signing.key ]]; then
|
||||||
|
/start.py generate
|
||||||
|
fi
|
||||||
|
|
||||||
/start.py
|
/start.py
|
||||||
|
|
|
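Review bot: The new signing-key check derives its path from `{{ env "DOMAIN" }}`, so when `DOMAIN` is empty the test silently becomes `/data/.signing.key` and `/start.py generate` runs on every boot; a guard such as `[[ -n "{{ env "DOMAIN" }}" ]] || { echo "DOMAIN is not set" >&2; exit 1; }` before the `if` would surface that instead. The generation also runs after `chown 991:991 /data`, which changes only the directory itself, so files written by `generate` are owned by whichever user runs this script — presumably that is meant to be 991, confirm, or move the chown below the `fi`. If `/start.py generate` also writes a `homeserver.yaml` into `/data`, confirm it does not overwrite the templated one. The script's preamble (shebang, any `set -e`) is outside the hunk.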
@ -1210,7 +1210,7 @@ turn_allow_guests: {{ env "TURN_ALLOW_GUESTS" }}
|
||||||
# If set, allows registration of standard or admin accounts by anyone who
|
# If set, allows registration of standard or admin accounts by anyone who
|
||||||
# has the shared secret, even if registration is otherwise disabled.
|
# has the shared secret, even if registration is otherwise disabled.
|
||||||
#
|
#
|
||||||
registration_shared_secret: "G:4AX-+1LBJehgt6=gi^+^T73~zhmJfW4iNP2f#3wZY8icB.;w"
|
registration_shared_secret: "{{ secret "registration_shared_secret" }}"
|
||||||
|
|
||||||
# Set the number of bcrypt rounds used to generate password hash.
|
# Set the number of bcrypt rounds used to generate password hash.
|
||||||
# Larger numbers increase the work factor needed to generate the hash.
|
# Larger numbers increase the work factor needed to generate the hash.
|
||||||
|
@ -1444,13 +1444,13 @@ room_prejoin_state:
|
||||||
# the registration_shared_secret is used, if one is given; otherwise,
|
# the registration_shared_secret is used, if one is given; otherwise,
|
||||||
# a secret key is derived from the signing key.
|
# a secret key is derived from the signing key.
|
||||||
#
|
#
|
||||||
macaroon_secret_key: "KyMrrJ:uvm4_89*CEYh;o*.WeWZJ^p0p*:w*G7^*,EC.EEin8@"
|
macaroon_secret_key: "{{ secret "macaroon_secret_key" }}"
|
||||||
|
|
||||||
# a secret which is used to calculate HMACs for form values, to stop
|
# a secret which is used to calculate HMACs for form values, to stop
|
||||||
# falsification of values. Must be specified for the User Consent
|
# falsification of values. Must be specified for the User Consent
|
||||||
# forms to work.
|
# forms to work.
|
||||||
#
|
#
|
||||||
form_secret: "I@#lMS0V3@HRB~b0nvA&Di29uK^l5K@Sm=Ima+:.CKlldwP6&s"
|
form_secret: "{{ secret "form_secret" }}"
|
||||||
|
|
||||||
## Signing Keys ##
|
## Signing Keys ##
|
||||||
|
|
||||||
|
|
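Review bot: The three removed lines carry the literal `registration_shared_secret`, `macaroon_secret_key` and `form_secret` values, and they remain readable in this repository's history (the parent commit `6727434db5` still has them), so the change is only complete once the values provisioned into the external secrets are freshly generated rather than the same strings moved over; a new `macaroon_secret_key` likely invalidates existing access tokens, which is worth confirming and stating in the commit description. The rendered values are still placed inside YAML double quotes, e.g. `registration_shared_secret: "{{ secret "registration_shared_secret" }}"`, so a secret containing `"` or `\` would break the parse at render time; if the template engine offers an escaping or quoting helper, use it here, otherwise add a comment above each of the three lines noting that those characters are not allowed in the secret. The same applies to the `macaroon_secret_key` and `form_secret` lines in the second hunk.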