Merge pull request 'feat: maintainers' (#13) from new-maintainers into main

Reviewed-on: #13

.drone.yml

@@ -0,0 +1,44 @@
+---
+kind: pipeline
+name: deploy to swarm-test.autonomic.zone
+steps:
+  - name: deployment
+    image: git.coopcloud.tech/coop-cloud/stack-ssh-deploy:latest
+    settings:
+      host: swarm-test.autonomic.zone
+      stack: rauthy
+      generate_secrets: true
+      purge: true
+      deploy_key:
+        from_secret: drone_ssh_swarm_test
+      networks:
+        - proxy
+    environment:
+      DOMAIN: rauthy.swarm-test.autonomic.zone
+      STACK_NAME: rauthy
+      LETS_ENCRYPT_ENV: staging
+      CONFIG_TOML_VERSION: v2
+      SECRET_ENC_KEYS_A_VERSION: a1
+      SECRET_ENC_KEYS_B_VERSION: b1
+      SECRET_HQL_RAFT_VERSION: v1
+      SECRET_HQL_API_VERSION: v1
+
+trigger:
+  branch:
+    - main
+---
+kind: pipeline
+name: generate recipe catalogue
+steps:
+  - name: release a new version
+    image: plugins/downstream
+    settings:
+      server: https://build.coopcloud.tech
+      token:
+        from_secret: drone_abra-bot_token
+      fork: true
+      repositories:
+        - toolshed/auto-recipes-catalogue-json
+
+trigger:
+  event: tag

.env.sample

@@ -9,8 +9,9 @@ ADMIN_FORCE_MFA=true
 
 LOG_LEVEL=info
 
-SECRET_ENC_KEYS_VERSION=v1
-ENC_KEY_ACTIVE=""
+SECRET_ENC_KEYS_A_VERSION=a1  # generate=false
+SECRET_ENC_KEYS_B_VERSION=b1  # generate=false
+ENC_KEY_ACTIVE="a1"
 
 SECRET_HQL_RAFT_VERSION=v1
 SECRET_HQL_API_VERSION=v1

.gitea/PULL_REQUEST_TEMPLATE.md

@@ -0,0 +1,16 @@
+---
+name: "Rauthy pull request template"
+about: "Rauthy pull request template"
+---
+
+<!-- 
+Thank you for doing recipe maintenance work!
+Please mark all checklist items which are relevant for your changes.
+Please remove the checklist items which are not relevant for your changes.
+Feel free to remove this comment.
+-->
+
+* [ ] I have deployed and tested my changes
+* [ ] I have [updated relevant versions in `abra.sh`](https://docs.coopcloud.tech/maintainers/upgrade/#updating-versions-in-the-abrash)
+* [ ] I have made my environment variable changes [backwards compatible](https://docs.coopcloud.tech/maintainers/upgrade/#backwards-compatible-environment-variable-changes)
+* [ ] I have added a [release note entry](https://docs.coopcloud.tech/maintainers/upgrade/#creating-new-release-notes)

MAINTENANCE.md

@@ -0,0 +1,32 @@
+# Rauthy Recipe Maintenance
+
+All contributions should be made via a pull request. This is to ensure a
+certain quality and consistency, that others can rely on.
+
+## Maintainer Responsibilities
+
+A recipe maintainer has the following responsibilities:
+
+- Respond to pull requests / issues within a week
+- Make image security updates within a day
+- Make image patch / minor updates within a week
+- Make image major updates within a month
+
+In order to fullfill these responsibilities a recipe maintainer:
+
+- Has to watch the repository (to get notifications)
+- Needs to make sure renovate is configured properly
+
+## Pull Requests
+
+A pull request can be merged if it is approved by at least one maintainer. For
+pull requests opened by a maintainer they need to be approved by another
+maintainer. Even though it is okay to merge a pull request with one approval, it
+is always better if all maintainers looked at the pull request and approved it.
+
+## Become a maintainer
+
+Everyone can apply to be a recipe maintainer:
+1. Watch the repository to always get updates
+2. Simply add your self to the list in the [README.md](./README.md) and open a new pull request with the change.
+3. Once the pull request gets merged you will be added to the [rauthy maintainers team](https://git.coopcloud.tech/org/coop-cloud/teams/rauthy-maintainers).

README.md

@@ -4,6 +4,7 @@
 
 <!-- metadata -->
 
+* **Maintainer**: [@3wc](https://git.coopcloud.tech/3wordchant), [@decentral1se](https://git.coopcloud.tech/decentral1se)
 * **Category**: Apps
 * **Status**: 0
 * **Image**: [`rauthy`](https://ghcr.io/sebadob/rauthy), 4, upstream
@@ -17,20 +18,16 @@
 
 ## Quick start
 
-* `abra app new rauthy`
+1. `abra app new rauthy`
+2. `abra app cmd --local <app> generate_enc_keys`
+3. `abra app secret generate <app> --all`
+4. `abra app deploy <app>`
+5. `abra app logs <app>`
+    - You'll see the automatically generated admin password in the initial logs.
+      Ensure that you reset this password after you log in. The `ADMIN_EMAIL` env
+      var controls the value of the admin login username.
 
-### Generate encryption keys
-
-* `echo "$(openssl rand -hex 4)/$(openssl rand -base64 32)"`
-* `abra app secret insert <app> enc_keys v1 <enc-key>`
-* `abra app config <app>`
-  * **N.B** you need to match the `ENC_KEY_ACTIVE` env var with the start of
-    the generated `enc_keys` value (everything before the `/`. See [the
-    docs](https://sebadob.github.io/rauthy/config/encryption.html) for more)
-
-### Generate secrets
-
-* `abra app secret generate <app> -a`
+For more, see [`docs.coopcloud.tech`](https://docs.coopcloud.tech).
 
 ### Host mode networking
 
@@ -41,12 +38,13 @@ mistakenly rate limited  based on internal ipv4 addresses (e.g. `10.0.0.6`).
 COMPOSE_FILE="$COMPOSE_FILE:compose.host.yml"
 ```
 
-### Deploy
+### Encryption key rotation
 
-* `abra app deploy <app>`
-* `abra app logs <app>`
-  * You'll see the automatically generated admin password in the initial logs.
-    Ensure that you reset this password after you log in. The `ADMIN_EMAIL` env
-    var controls the value of the admin login username.
+This recipe supports encryption key rotation as described in [the docs](https://sebadob.github.io/rauthy/config/encryption.html). To rotate keys the first time:
 
-For more, see [`docs.coopcloud.tech`](https://docs.coopcloud.tech).
+1. Increment the version of `SECRET_ENC_KEYS_B_VERSION=b1` to `b2`
+2. `abra app secret insert <app> enc_keys_b b2 "$(openssl rand -base64 32)"`
+2. Change `ENC_KEY_ACTIVE="a1"` to `b2` (this tells rauthy to encrypt new secrets with the new key while still having access to `a1`)
+3. `abra app deploy <app>`
+
+To rotate keys any future time, follow the same pattern of incrementing the non-active secret version and changing the active secret to that newly generated secret.

abra.sh

@@ -1 +1,13 @@
-export CONFIG_TOML_VERSION=v2
+set -e
+
+export CONFIG_TOML_VERSION=v3
+
+generate_enc_keys() {
+  KEY_A="$(openssl rand -base64 32)"
+  KEY_B="$(openssl rand -base64 32)"
+  abra app secret insert "$APP_NAME" enc_keys_a a1 "$KEY_A" --chaos
+  abra app secret insert "$APP_NAME" enc_keys_b b1 "$KEY_B" --chaos
+  echo "WARNING: secrets are NOT shown again, please save them NOW"
+  echo "    enc_keys_a    $KEY_A"
+  echo "    enc_keys_b    $KEY_B"
+}

compose.smtp.yml

@@ -1,6 +1,3 @@
----
-version: "3.13"
-
 services:
   app:
     environment:
@@ -8,6 +5,7 @@ services:
       - SMTP_ENABLED
       - SMTP_FROM
       - SMTP_URL
+      - SMTP_PORT
       - SMTP_USERNAME
     secrets:
       - smtp_password

compose.yml

@@ -1,9 +1,6 @@
----
-version: "3.13"
-
 services:
   app:
-    image: ghcr.io/sebadob/rauthy:0.32.2
+    image: ghcr.io/sebadob/rauthy:0.33.1
     environment:
       - ADMIN_EMAIL
       - ADMIN_FORCE_MFA
@@ -14,7 +11,8 @@ services:
       - source: config_toml
         target: /app/config.toml
     secrets:
-      - enc_keys
+      - enc_keys_a
+      - enc_keys_b
       - hql_api
       - hql_raft
     volumes:
@@ -30,7 +28,10 @@ services:
         - "traefik.http.routers.${STACK_NAME}.rule=Host(`${DOMAIN}`)"
         - "traefik.http.routers.${STACK_NAME}.entrypoints=web-secure"
         - "traefik.http.routers.${STACK_NAME}.tls.certresolver=${LETS_ENCRYPT_ENV}"
-        - "coop-cloud.${STACK_NAME}.version=0.4.0+0.32.2"
+        - "traefik.http.routers.${STACK_NAME}.middlewares=${STACK_NAME}-redirect"
+        - "traefik.http.middlewares.${STACK_NAME}-redirect.redirectscheme.scheme=https"
+        - "traefik.http.middlewares.${STACK_NAME}-redirect.redirectscheme.permanent=true"
+        - "coop-cloud.${STACK_NAME}.version=1.1.0+0.33.1"
 
 networks:
   proxy:
@@ -43,8 +44,11 @@ configs:
     template_driver: golang
 
 secrets:
-  enc_keys:
-    name: ${STACK_NAME}_enc_keys_${SECRET_ENC_KEYS_VERSION}
+  enc_keys_a:
+    name: ${STACK_NAME}_enc_keys_a_${SECRET_ENC_KEYS_A_VERSION}
+    external: true
+  enc_keys_b:
+    name: ${STACK_NAME}_enc_keys_b_${SECRET_ENC_KEYS_B_VERSION}
     external: true
   hql_raft:
     name: ${STACK_NAME}_hql_raft_${SECRET_HQL_RAFT_VERSION}

config.toml.tmpl

@@ -24,7 +24,8 @@ level = '{{ env "LOG_LEVEL" }}'
 
 [encryption]
 keys = [
-  '{{ secret "enc_keys" }}'
+  '{{ env "SECRET_ENC_KEYS_A_VERSION" }}/{{ secret "enc_keys_a" }}',
+  '{{ env "SECRET_ENC_KEYS_B_VERSION" }}/{{ secret "enc_keys_b" }}'
 ]
 key_active = '{{ env "ENC_KEY_ACTIVE" }}'
 

release/1.0.0+0.32.3

@@ -0,0 +1,22 @@
+WARNING! ⚠️
+This release supports encryption key rotation, which unfortunately requires some migration steps:
+
+1. Obtain your old encryption key (enc_keys) if you backed it up. If not, you can extract your current encryption key from the config file. This is pretty advanced and can only be done from the server itself:
+
+   docker secret list  # to obtain the secret's full name
+   docker service create --name temp-reader --secret <secret-name> --mode replicated-job alpine:latest sh -c "cat /run/secrets/<secret-name>" && docker service logs --raw temp-reader && echo && docker service rm temp-reader
+
+NOTE: the enc_keys secret has the format `<key_id>/<key_value>`; we'll refer to those two parts as $KEY_ID and $KEY_VALUE from here on.
+
+2. Add these lines to your config, overwriting the existing SECRET_ENC_KEYS_VERSION and ENC_KEY_ACTIVE values:
+
+    SECRET_ENC_KEYS_A_VERSION=$KEY_ID # generated=false
+    SECRET_ENC_KEYS_B_VERSION=b1 # generated=false
+    ENC_KEY_ACTIVE="$KEY_ID"
+
+3. Set key_a and generate key_b:
+
+    abra app secret insert $STACK_NAME enc_keys_a $KEY_ID "<your-existing-secret>" -C
+    abra app secret insert $STACK_NAME enc_keys_b b1 "$(openssl rand -base64 32)" -C
+
+Then you can deploy :)

renovate.json

@@ -0,0 +1,6 @@
+{
+  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+  "extends": [
+    "config:recommended"
+  ]
+}