「🏗️」 wip: started secrets management

2025-03-05 14:17:13 +01:00
parent 1538afbc7b
commit 0a3dff2e67
9 changed files with 99 additions and 44 deletions
--- a/.gitignore
+++ b/.gitignore
@ -2,3 +2,4 @@
 .env

 .direnv
+secrets/
--- a/srcs/cmd/getFileEnv/getFileEnv.go
+++ b/srcs/cmd/getFileEnv/getFileEnv.go
@ -0,0 +1,22 @@
+package main
+
+import (
+	"fmt"
+	"os"
+
+	"git.keyzox.me/42_adjoly/inception/internal/env"
+)
+
+func main() {
+	args := os.Args
+
+	if len(args) < 2 {
+		os.Exit(0)
+	}
+
+	env := env.FileEnv(args[1], "")
+	if env == "" {
+		os.Exit(1)
+	}
+	fmt.Print(env)
+}
--- a/srcs/configs/nginx/templates/testing.conf.template
+++ b/srcs/configs/nginx/templates/testing.conf.template
@ -1,26 +0,0 @@
-server {
-    listen				8443 ssl;
-
-    server_name			_;
-	
-    root				/var/www/wordpress;
-    index				index.php;
-
-    ssl_certificate     $NGINX_SSL_CERT_FILE;
-    ssl_certificate_key $NGINX_SSL_KEY_FILE;
-    ssl_protocols       TLSv1.2 TLSv1.3;
-    ssl_session_timeout 10m;
-
-    keepalive_timeout	60;
-
-    location / {
-		try_files $${q}uri $${q}uri/ =404;
-	}
-
-    location ~ \.php$ {
-		fastcgi_pass			$NGINX_PHP_HOST:9000;
-		fastcgi_index			index.php;
-		fastcgi_split_path_info	^(.+\.php)(/.+)$;
-		include					fastcgi.conf;
-    }
-}
--- a/srcs/configs/wordpress/entry/configure-wp.sh
+++ b/srcs/configs/wordpress/entry/configure-wp.sh
@ -1,6 +1,15 @@
 #!/bin/sh

 WP_DIR="/var/www/wordpress"
+#WP_VERSION="6.7.2"
+
+#if [ -f "$WP_DIR/index.php" ]; then
+#	echo "Already downloaded wordpress, skipping..."
+#else
+#	echo "Downloading Wordpress ${WP_VERSION}"
+#	wp --allow-root core download --version=${WP_VERSION} --path=${WP_DIR}
+#fi
+

 if [ -f "${WP_DIR}/wp-config.php" ]; then
 	echo "Wordpress already configured, skipping installation"
--- a/srcs/docker-compose.yml
+++ b/srcs/docker-compose.yml
@ -2,9 +2,41 @@ name: inception

 volumes:
  wp-db:
+    driver: local
+    driver_opts:
+      type: none
+      device: /home/adjoly/data/wp-db
+      o: bind
  wp-site:
+    driver: local
+    driver_opts:
+      type: none
+      device: /home/adjoly/data/wp-site
+      o: bind
  nginx-certs:
+    driver: local
+    driver_opts:
+      type: none
+      device: /home/adjoly/data/certs
+      o: bind
  backup:
+    driver: local
+    driver_opts:
+      type: none
+      device: /home/adjoly/data/backup
+      o: bind
+
+secrets:
+  ftp-pass:
+    file: ../secrets/ftp/ftp_pass.txt
+  root-db-pass:
+    file: ../secrets/db/root_db_pass.txt
+  user-db-pass:
+    file: ../secrets/db/user_db_pass.txt
+  borg-passphrase:
+    file: ../secrets/borg/borg_passphrase.txt
+  wp-admin-pass:
+    file: ../secrets/wp/wp_admin_pass.txt

 networks:
  inception:
@ -19,7 +51,6 @@ services:
    networks:
      - inception
    environment:
-      - TZ=Europe/Paris
      - NGINX_PHP_HOST=inception-wordp-php
      - NGINX_SSL_KEY_FILE=/etc/nginx/ssl/adjoly-wp.key
      - NGINX_SSL_CERT_FILE=/etc/nginx/ssl/adjoly-wp.crt
@ -34,7 +65,7 @@ services:
      - ./configs/nginx/entry:/docker-entrypoint.d
      - nginx-certs:/etc/nginx/ssl
    ports:
-      - "8443:8443"
+      - "443:443"
    restart: unless-stopped

  wordpress-php:
@ -50,12 +81,12 @@ services:
    environment:
      - WP_DB_NAME=knl
      - WP_DB_USER=kanel
-      - WP_DB_PASS=alpine
+      - WP_DB_PASS_FILE=/run/secrets/user-db-pass
      - WP_DB_HOST=db
      - WP_ADMIN_EMAIL=contact@kanel.ovh
      - WP_ADMIN_USER=kanel
-      - WP_ADMIN_PASS=alpine
-      - WP_URL=localhost:8443
+      - WP_ADMIN_PASS_FILE=/run/secrets/wp-admin-pass
+      - WP_URL=adjoly.42.fr
      - WP_TITLE=Kanel Supremacy
      - WP_SEARCH_ENGINE_VISIBILITY=false
      - PHP_MEMORY_LIMIT="512M"
@ -63,10 +94,12 @@ services:
      - PHP_PORT=9000
      - REDIS_HOSTNAME=redis
      - REDIS_PORT=6379
-      - TZ=Europe/Paris
    volumes:
      - wp-site:/var/www/wordpress
      - ./configs/wordpress/entry:/docker-entrypoint.d
+    secrets:
+      - user-db-pass
+      - wp-admin-pass
    restart: unless-stopped

  db:
@ -77,11 +110,10 @@ services:
    networks:
      - inception
    environment:
-      - MYSQL_ROOT_PASSWORD="alpine"
-      - MYSQL_PASSWORD="alpine"
+      - MYSQL_ROOT_PASSWORD_FILE=/run/secrets/root-db-pass
+      - MYSQL_PASSWORD_FILE=/run/secrets/user-db-pass
      - MYSQL_USER="kanel"
      - MYSQL_DATABASE="knl"
-      - TZ=Europe/Paris
    volumes:
      - wp-db:/var/lib/mysql
    restart: unless-stopped
@ -94,7 +126,6 @@ services:
    depends_on:
      - nginx
    environment:
-      - TZ=Europe/Paris
      - NGINX_SSL_KEY_FILE=/etc/nginx/ssl/kanel-wp.key
      - NGINX_SSL_CERT_FILE=/etc/nginx/ssl/kanel-wp.crt
    restart: unless-stopped
@ -107,10 +138,8 @@ services:
    networks:
      - inception
    environment:
-      - TZ=Europe/Paris # handled by tzdata
      - CRON_INTERVAL=0 2 * * * # handled by entrypoint
-      - BORG_PASSPHRASE=Hanky-Kangaroo-Thinning5-Statute-Mascot-Islamist
-      - BORG_COMPRESS=
+      - BORG_PASSPHRASE_FILE=/run/secrets/borg-passphrase
      - BORG_PRUNE_KEEP_DAILY=3
      - BORG_PRUNE_KEEP_WEEKLY=2
      - BORG_PRUNE_KEEP_MONTHLY=1
@ -124,6 +153,8 @@ services:
      - wp-db:/source/db
      - wp-site:/source/wordpress
      - backup:/backup
+    secrets:
+      - borg-passphrase
    restart: unless-stopped

  adminer:
@ -158,10 +189,12 @@ services:
      - inception
    environment:
      - VSFTPD_USER=kanel
-      - VSFTPD_PASS=alpine
+      - VSFTPD_PASS_FILE=/run/secrets/ftp-pass
    volumes:
      - wp-site:/var/ftp
    ports:
      - 21:21
      - 30000-30100:30000-30100
+    secrets:
+      - ftp-pass
    restart: unless-stopped
--- a/srcs/docker/bonus/adminer/Dockerfile
+++ b/srcs/docker/bonus/adminer/Dockerfile
@ -9,7 +9,7 @@ VOLUME			/var/www/adminer
 COPY			docker/bonus/adminer/adminer-4.17.1-mysql.php /var/www/adminer/index.php

 RUN				apk update \
-				&& apk add php84 php84-mysqli php84-session curl \
+				&& apk add php84 php84-mysqli php84-session curl tzdata \
 				&& addgroup -S adminer \
 				&& adduser -S -G adminer adminer \
 				&& chown -R adminer:adminer /var/www/adminer \
--- a/srcs/docker/bonus/vsftpd/Dockerfile
+++ b/srcs/docker/bonus/vsftpd/Dockerfile
@ -1,8 +1,24 @@
+FROM			scratch AS builder
+ADD				docker/alpine/alpine-minirootfs-3.21.2-x86_64.tar.gz /
+
+RUN				apk add --no-cache go
+
+WORKDIR			/build
+
+COPY			go.sum /build/go.sum
+COPY			go.mod /build/go.mod
+COPY			cmd /build/cmd
+COPY			internal /build/internal
+
+RUN				cd /build \
+				&& go build git.keyzox.me/42_adjoly/inception/cmd/getEnvFile
+
 FROM			scratch
 ADD				docker/alpine/alpine-minirootfs-3.21.2-x86_64.tar.gz /

-RUN				apk add vsftpd
+RUN				apk add vsftpd tzdata

+COPY			--from=builder /build/getEnvFile /bin/getEnvFile
 COPY			docker/bonus/vsftpd/entry.sh /docker-entrypoint
 COPY			docker/bonus/vsftpd/vsftpd.conf /etc/vsftpd/vsftpd.conf
 RUN				chmod +x /docker-entrypoint
--- a/srcs/docker/bonus/vsftpd/entry.sh
+++ b/srcs/docker/bonus/vsftpd/entry.sh
@ -12,7 +12,7 @@ else
 	echo "[*] Creating vsftpd user"

 	adduser -D $VSFTPD_USER
-    echo "$VSFTPD_USER:$VSFTPD_PASS" | /usr/sbin/chpasswd > /dev/null
+	echo "$VSFTPD_USER:$(getEnvFile VSFTPD_PASSWORD)" | /usr/sbin/chpasswd > /dev/null

 	echo "[*] Giving vsftpd user ownership of WordPress data directory"
    chown -R "$VSFTPD_USER:$VSFTPD_USER" /var/ftp
--- a/srcs/docker/mariadb/Dockerfile
+++ b/srcs/docker/mariadb/Dockerfile
@ -44,4 +44,4 @@ WORKDIR			/var/lib/mysql

 EXPOSE			3306
 CMD				[ "mariadbd", "--user=mysql" ]
-HEALTHCHECK		--interval=30s --timeout=10s --retries=3 --start-period=3s --start-interval=2s CMD /docker-healthcheck
+HEALTHCHECK		--interval=30s --timeout=10s --retries=3 --start-period=5s --start-interval=2s CMD /docker-healthcheck