「🏗️」 wip: started secrets management

.gitignore

@@ -2,3 +2,4 @@
 .env
 
 .direnv
+secrets/

srcs/cmd/getFileEnv/getFileEnv.go

@@ -0,0 +1,22 @@
+package main
+
+import (
+	"fmt"
+	"os"
+
+	"git.keyzox.me/42_adjoly/inception/internal/env"
+)
+
+func main() {
+	args := os.Args
+
+	if len(args) < 2 {
+		os.Exit(0)
+	}
+
+	env := env.FileEnv(args[1], "")
+	if env == "" {
+		os.Exit(1)
+	}
+	fmt.Print(env)
+}

srcs/configs/nginx/templates/testing.conf.template

@@ -1,26 +0,0 @@
-server {
-    listen				8443 ssl;
-
-    server_name			_;
-	
-    root				/var/www/wordpress;
-    index				index.php;
-
-    ssl_certificate     $NGINX_SSL_CERT_FILE;
-    ssl_certificate_key $NGINX_SSL_KEY_FILE;
-    ssl_protocols       TLSv1.2 TLSv1.3;
-    ssl_session_timeout 10m;
-
-    keepalive_timeout	60;
-
-    location / {
-		try_files $${q}uri $${q}uri/ =404;
-	}
-
-    location ~ \.php$ {
-		fastcgi_pass			$NGINX_PHP_HOST:9000;
-		fastcgi_index			index.php;
-		fastcgi_split_path_info	^(.+\.php)(/.+)$;
-		include					fastcgi.conf;
-    }
-}

srcs/configs/wordpress/entry/configure-wp.sh

@@ -1,6 +1,15 @@
 #!/bin/sh
 
 WP_DIR="/var/www/wordpress"
+#WP_VERSION="6.7.2"
+
+#if [ -f "$WP_DIR/index.php" ]; then
+#	echo "Already downloaded wordpress, skipping..."
+#else
+#	echo "Downloading Wordpress ${WP_VERSION}"
+#	wp --allow-root core download --version=${WP_VERSION} --path=${WP_DIR}
+#fi
+
 
 if [ -f "${WP_DIR}/wp-config.php" ]; then
 	echo "Wordpress already configured, skipping installation"

srcs/docker-compose.yml

@@ -2,9 +2,41 @@ name: inception
 
 volumes:
   wp-db:
+    driver: local
+    driver_opts:
+      type: none
+      device: /home/adjoly/data/wp-db
+      o: bind
   wp-site:
+    driver: local
+    driver_opts:
+      type: none
+      device: /home/adjoly/data/wp-site
+      o: bind
   nginx-certs:
+    driver: local
+    driver_opts:
+      type: none
+      device: /home/adjoly/data/certs
+      o: bind
   backup:
+    driver: local
+    driver_opts:
+      type: none
+      device: /home/adjoly/data/backup
+      o: bind
+
+secrets:
+  ftp-pass:
+    file: ../secrets/ftp/ftp_pass.txt
+  root-db-pass:
+    file: ../secrets/db/root_db_pass.txt
+  user-db-pass:
+    file: ../secrets/db/user_db_pass.txt
+  borg-passphrase:
+    file: ../secrets/borg/borg_passphrase.txt
+  wp-admin-pass:
+    file: ../secrets/wp/wp_admin_pass.txt
 
 networks:
   inception:
@@ -19,7 +51,6 @@ services:
     networks:
       - inception
     environment:
-      - TZ=Europe/Paris
       - NGINX_PHP_HOST=inception-wordp-php
       - NGINX_SSL_KEY_FILE=/etc/nginx/ssl/adjoly-wp.key
       - NGINX_SSL_CERT_FILE=/etc/nginx/ssl/adjoly-wp.crt
@@ -34,7 +65,7 @@ services:
       - ./configs/nginx/entry:/docker-entrypoint.d
       - nginx-certs:/etc/nginx/ssl
     ports:
-      - "8443:8443"
+      - "443:443"
     restart: unless-stopped
 
   wordpress-php:
@@ -50,12 +81,12 @@ services:
     environment:
       - WP_DB_NAME=knl
       - WP_DB_USER=kanel
-      - WP_DB_PASS=alpine
+      - WP_DB_PASS_FILE=/run/secrets/user-db-pass
       - WP_DB_HOST=db
       - WP_ADMIN_EMAIL=contact@kanel.ovh
       - WP_ADMIN_USER=kanel
-      - WP_ADMIN_PASS=alpine
+      - WP_ADMIN_PASS_FILE=/run/secrets/wp-admin-pass
-      - WP_URL=localhost:8443
+      - WP_URL=adjoly.42.fr
       - WP_TITLE=Kanel Supremacy
       - WP_SEARCH_ENGINE_VISIBILITY=false
       - PHP_MEMORY_LIMIT="512M"
@@ -63,10 +94,12 @@ services:
       - PHP_PORT=9000
       - REDIS_HOSTNAME=redis
       - REDIS_PORT=6379
-      - TZ=Europe/Paris
     volumes:
       - wp-site:/var/www/wordpress
       - ./configs/wordpress/entry:/docker-entrypoint.d
+    secrets:
+      - user-db-pass
+      - wp-admin-pass
     restart: unless-stopped
 
   db:
@@ -77,11 +110,10 @@ services:
     networks:
       - inception
     environment:
-      - MYSQL_ROOT_PASSWORD="alpine"
+      - MYSQL_ROOT_PASSWORD_FILE=/run/secrets/root-db-pass
-      - MYSQL_PASSWORD="alpine"
+      - MYSQL_PASSWORD_FILE=/run/secrets/user-db-pass
       - MYSQL_USER="kanel"
       - MYSQL_DATABASE="knl"
-      - TZ=Europe/Paris
     volumes:
       - wp-db:/var/lib/mysql
     restart: unless-stopped
@@ -94,7 +126,6 @@ services:
     depends_on:
       - nginx
     environment:
-      - TZ=Europe/Paris
       - NGINX_SSL_KEY_FILE=/etc/nginx/ssl/kanel-wp.key
       - NGINX_SSL_CERT_FILE=/etc/nginx/ssl/kanel-wp.crt
     restart: unless-stopped
@@ -107,10 +138,8 @@ services:
     networks:
       - inception
     environment:
-      - TZ=Europe/Paris # handled by tzdata
       - CRON_INTERVAL=0 2 * * * # handled by entrypoint
-      - BORG_PASSPHRASE=Hanky-Kangaroo-Thinning5-Statute-Mascot-Islamist
+      - BORG_PASSPHRASE_FILE=/run/secrets/borg-passphrase
-      - BORG_COMPRESS=
       - BORG_PRUNE_KEEP_DAILY=3
       - BORG_PRUNE_KEEP_WEEKLY=2
       - BORG_PRUNE_KEEP_MONTHLY=1
@@ -124,6 +153,8 @@ services:
       - wp-db:/source/db
       - wp-site:/source/wordpress
       - backup:/backup
+    secrets:
+      - borg-passphrase
     restart: unless-stopped
 
   adminer:
@@ -158,10 +189,12 @@ services:
       - inception
     environment:
       - VSFTPD_USER=kanel
-      - VSFTPD_PASS=alpine
+      - VSFTPD_PASS_FILE=/run/secrets/ftp-pass
     volumes:
       - wp-site:/var/ftp
     ports:
       - 21:21
       - 30000-30100:30000-30100
+    secrets:
+      - ftp-pass
     restart: unless-stopped

srcs/docker/bonus/adminer/Dockerfile

@@ -9,7 +9,7 @@ VOLUME			/var/www/adminer
 COPY			docker/bonus/adminer/adminer-4.17.1-mysql.php /var/www/adminer/index.php
 
 RUN				apk update \
-				&& apk add php84 php84-mysqli php84-session curl \
+				&& apk add php84 php84-mysqli php84-session curl tzdata \
 				&& addgroup -S adminer \
 				&& adduser -S -G adminer adminer \
 				&& chown -R adminer:adminer /var/www/adminer \

srcs/docker/bonus/vsftpd/Dockerfile

@@ -1,8 +1,24 @@
+FROM			scratch AS builder
+ADD				docker/alpine/alpine-minirootfs-3.21.2-x86_64.tar.gz /
+
+RUN				apk add --no-cache go
+
+WORKDIR			/build
+
+COPY			go.sum /build/go.sum
+COPY			go.mod /build/go.mod
+COPY			cmd /build/cmd
+COPY			internal /build/internal
+
+RUN				cd /build \
+				&& go build git.keyzox.me/42_adjoly/inception/cmd/getEnvFile
+
 FROM			scratch
 ADD				docker/alpine/alpine-minirootfs-3.21.2-x86_64.tar.gz /
 
-RUN				apk add vsftpd
+RUN				apk add vsftpd tzdata
 
+COPY			--from=builder /build/getEnvFile /bin/getEnvFile
 COPY			docker/bonus/vsftpd/entry.sh /docker-entrypoint
 COPY			docker/bonus/vsftpd/vsftpd.conf /etc/vsftpd/vsftpd.conf
 RUN				chmod +x /docker-entrypoint

srcs/docker/bonus/vsftpd/entry.sh

@@ -12,7 +12,7 @@ else
 	echo "[*] Creating vsftpd user"
 
 	adduser -D $VSFTPD_USER
-    echo "$VSFTPD_USER:$VSFTPD_PASS" | /usr/sbin/chpasswd > /dev/null
+	echo "$VSFTPD_USER:$(getEnvFile VSFTPD_PASSWORD)" | /usr/sbin/chpasswd > /dev/null
 
 	echo "[*] Giving vsftpd user ownership of WordPress data directory"
     chown -R "$VSFTPD_USER:$VSFTPD_USER" /var/ftp

srcs/docker/mariadb/Dockerfile

@@ -44,4 +44,4 @@ WORKDIR			/var/lib/mysql
 
 EXPOSE			3306
 CMD				[ "mariadbd", "--user=mysql" ]
-HEALTHCHECK		--interval=30s --timeout=10s --retries=3 --start-period=3s --start-interval=2s CMD /docker-healthcheck
+HEALTHCHECK		--interval=30s --timeout=10s --retries=3 --start-period=5s --start-interval=2s CMD /docker-healthcheck