fickit: Handle secrets more seriously
parent
c3e6cadb70
commit
dc5350c20f
3 changed files with 81 additions and 7 deletions
@ -143,6 +143,16 @@ onboot:
- /etc/iptables/rules.v6:/etc/iptables/rules.v6:ro
net: /run/netns/fic-admin
- name: create-secrets
image: alpine:3.19
command: ["/bin/init_secrets.sh"]
binds:
- /bin/init_secrets.sh:/bin/init_secrets.sh:ro
- /var/lib/fic/secrets:/var/lib/fic/secrets
runtime:
mkdir:
- /var/lib/fic/secrets
services:
# - name: getty
# image: linuxkit/getty:5d86a2ce2d890c14ab66b13638dcadf74f29218b
@ -165,12 +175,13 @@ services:
env:
- MYSQL_DATABASE=fic
- MYSQL_USER=fic
- MYSQL_PASSWORD=fic
- MYSQL_PASSWORD_FILE=/run/secrets/mysql_password
- MYSQL_RANDOM_ROOT_PASSWORD=yes
binds:
- /etc/hosts:/etc/hosts:ro
- /etc/mysql/conf.d:/etc/mysql/conf.d:ro
- /var/lib/fic/mysql:/var/lib/mysql
- /var/lib/fic/secrets/mysql_password:/run/secrets/mysql_password:ro
net: /run/netns/db
pid: new
ipc: new
@ -185,11 +196,12 @@ services:
- MYSQL_HOST=db
- MYSQL_DATABASE=fic
- MYSQL_USER=fic
- MYSQL_PASSWORD=fic
- MYSQL_PASSWORD_FILE=/run/secrets/mysql_password
binds:
- /etc/hosts:/etc/hosts:ro
- /root/mysql_backup.sh:/root/mysql_backup.sh:ro
- /var/lib/fic/backups/:/var/lib/fic/backups/
- /var/lib/fic/secrets/mysql_password:/run/secrets/mysql_password:ro
net: /run/netns/db
runtime:
mkdir:
@ -200,11 +212,15 @@ services:
env:
- PATH=/usr/sbin:/usr/bin:/sbin:/bin
- MYSQL_HOST=db
- FICCA_PASS=jee8AhloAith1aesCeQu5ahgIegaeM4K
- MYSQL_PASSWORD_FILE=/run/secrets/mysql_password
- FICCA_PASS_FILE=/run/secrets/fic_ca_pass
- FICOIDC_ISSUER=live.fic.srs.epita.fr
- FICOIDC_SECRET=N4n7AXzK9kpXt3TmSn8wAgtxqxhGORgcubLaE2g
- FICOIDC_SECRET_FILE=/run/secrets/fic_oidc_secret
binds:
- /etc/hosts:/etc/hosts:ro
- /var/lib/fic/secrets/fic_ca_pass:/run/secrets/fic_ca_pass:ro
- /var/lib/fic/secrets/fic_oidc_secret:/run/secrets/fic_oidc_secret:ro
- /var/lib/fic/secrets/mysql_password:/run/secrets/mysql_password:ro
- /var/lib/fic/raw_files:/mnt/fic
- /var/lib/fic/dashboard:/srv/DASHBOARD
- /var/lib/fic/files:/srv/FILES
@ -248,11 +264,12 @@ services:
image: nemunaire/fic-checker:latest
env:
- MYSQL_HOST=db
- MYSQL_PASSWORD=fic
- MYSQL_PASSWORD_FILE=/run/secrets/mysql_password
binds:
- /etc/hosts:/etc/hosts:ro
- /var/lib/fic/generator:/srv/GENERATOR:ro
- /var/lib/fic/teams:/srv/TEAMS:ro
- /var/lib/fic/secrets/mysql_password:/run/secrets/mysql_password:ro
- /var/lib/fic/settingsdist:/srv/SETTINGSDIST:ro
- /var/lib/fic/submissions:/srv/submissions
net: /run/netns/fic-checker
@ -288,11 +305,12 @@ services:
command: ["/srv/generator", "-bind=/srv/GENERATOR/generator.socket"]
env:
- MYSQL_HOST=db
- MYSQL_PASSWORD=fic
- MYSQL_PASSWORD_FILE=/run/secrets/mysql_password
binds:
- /etc/hosts:/etc/hosts:ro
- /var/lib/fic/generator:/srv/GENERATOR
- /var/lib/fic/teams:/srv/TEAMS
- /var/lib/fic/secrets/mysql_password:/run/secrets/mysql_password:ro
- /var/lib/fic/settingsdist:/srv/SETTINGSDIST:ro
net: /run/netns/fic-generator
pid: new
@ -308,10 +326,11 @@ services:
command: ["/srv/qa", "--bind=:8083", "-baseurl=/qa"]
env:
- MYSQL_HOST=db
- MYSQL_PASSWORD=fic
- MYSQL_PASSWORD_FILE=/run/secrets/mysql_password
binds:
- /etc/hosts:/etc/hosts:ro
- /var/lib/fic/teams:/srv/TEAMS:ro
- /var/lib/fic/secrets/mysql_password:/run/secrets/mysql_password:ro
- /var/lib/fic/settingsdist:/srv/SETTINGSDIST:ro
net: /run/netns/fic-qa
pid: new
@ -383,6 +402,18 @@ files:
/bin/hostname deimos
mode: "0555"
- path: bin/init_secrets.sh
contents: |
#!/bin/sh
SECRETS_DIR="/var/lib/fic/secrets"
[ -f "${SECRETS_DIR}/mysql_password" ] || tr -d -c "a-zA-Z0-9" < /dev/urandom | fold -w31 | head -n 1 > "${SECRETS_DIR}/mysql_password"
[ -f "${SECRETS_DIR}/fic_ca_pass" ] || tr -d -c "a-zA-Z0-9" < /dev/urandom | fold -w31 | head -n 1 > "${SECRETS_DIR}/fic_ca_pass"
[ -f "${SECRETS_DIR}/fic_oidc_secret" ] || tr -d -c "a-zA-Z0-9" < /dev/urandom | fold -w31 | head -n 1 > "${SECRETS_DIR}/fic_oidc_secret"
mode: "0755"
- path: etc/profile.d/color_prompt.sh
contents: |
PS1='\[\e[1;33m\]'$PS1'\[\e[0m\]'
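Review bot: The secret files written by the new init_secrets.sh in the `@ -383,6 +402,18 @@` hunk are created with the default umask, so `/var/lib/fic/secrets/mysql_password`, `fic_ca_pass` and `fic_oidc_secret` will typically end up world-readable on the host, and the `[ -f ... ]` guards accept an empty file, which is exactly what an interrupted `tr | fold | head > file` pipeline leaves behind and what every later boot will then keep. Setting `umask 077` at the top of the script, testing with `-s` instead of `-f`, and generating into a temporary file that is only moved into place when non-empty closes both gaps; a small helper keeps the three call sites identical. Separately, the hard-coded `FICCA_PASS` and `FICOIDC_SECRET` values removed in the `@ -200,11 +212,15 @@` hunk remain in history, so the generated replacements only help once the old values are also revoked wherever they were configured. If the mysql image honours `MYSQL_PASSWORD_FILE` only when initialising an empty data directory, an existing `/var/lib/fic/mysql` would keep the old `fic` password while the containers present the new random one; worth confirming before redeploying.
```yaml
  - path: bin/init_secrets.sh
    contents: |
      # … unchanged: shebang and SECRETS_DIR assignment …
      umask 077

      # Create a 31-char alphanumeric secret in $1 unless a non-empty one
      # already exists.  Write via a temp file so a failed or interrupted
      # pipeline never leaves an empty secret that passes the check later.
      gen_secret() {
        [ -s "$1" ] && return 0
        tr -d -c "a-zA-Z0-9" < /dev/urandom | fold -w31 | head -n 1 > "$1.tmp"
        [ -s "$1.tmp" ] && mv -f "$1.tmp" "$1"
      }

      gen_secret "${SECRETS_DIR}/mysql_password"
      gen_secret "${SECRETS_DIR}/fic_ca_pass"
      gen_secret "${SECRETS_DIR}/fic_oidc_secret"
```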