#2 Replace Docker secrets with encrypted secrets.env file

Add encrypt and decrypt scripts
Add pubkeys file with desktop and fighter pubkeys

.age-decrypt.sh

@@ -0,0 +1,11 @@
+#!/bin/bash
+# Takes one file path as input
+# Outputs to a new file with `.enc` stripped from the end
+
+input_file=$1
+file_extension=${input_file##*.}
+file_name=${input_file%%.*}
+output_file="$file_name.enc.$file_extension"
+
+sops --decrypt --age ${SOPS_AGE_RECIPIENTS} $input_file 
+

.age-encrypt.sh

@@ -0,0 +1,10 @@
+#!/bin/bash
+# Takes one file path as input
+# Outputs to a new file named `$1.enc`
+
+input_file=$1
+file_extension=${input_file##*.}
+file_name=${input_file%%.*}
+output_file="$file_name.enc.$file_extension"
+
+sops --encrypt --age ${SOPS_AGE_RECIPIENTS} $input_file > $output_file

.age-pubkeys

@@ -0,0 +1,2 @@
+age1zswcq6t5wl8spr3g2wpxhxukjklngcav0vw8py0jnfkqd2jm2ypq53ga00
+age13prhyye2jy3ysa6ltnjgkrqtxrxgs0035d86jyn4ltgk3wxtqgrqgav855

.sops.md

@@ -0,0 +1,8 @@
+# Set up SOPS and age to encrypt and decrypt secrets in this repo
+
+1. Install [sops](https://github.com/getsops/sops/releases)
+2. Install [age](https://github.com/FiloSottile/age)
+3. Generate a keypair with age. `mkdir ~/.age; age-keygen -o ~/.age/key`
+4. Append the publickey to [.age-pubkeys](.age-pubkeys).
+5. Add the encrypt and decrypt scripts to shell profile. 
+

homelab/fighter/config/keycloak/docker-compose.yml

@@ -14,10 +14,6 @@ services:
     depends_on:
       - postgres
     command: start --hostname=keycloak.jafner.net
-    secrets:
-      - keycloak_KC_DB_PASSWORD
-      - keycloak_DB_PASS
-      - keycloak_KEYCLOAK_ADMIN_PASSWORD
     environment:
       KC_DB: postgres
       KC_DB_URL: jdbc:postgresql://postgres/keycloak
@@ -27,9 +23,9 @@ services:
       KC_HEALTH_ENABLED: true
       KC_METRICS_ENABLED: true
       KEYCLOAK_ADMIN: Jafner
-      KC_DB_PASSWORD: /run/secrets/keycloak_KC_DB_PASSWORD
-      DB_PASS: /run/secrets/keycloak_DB_PASS
-      KEYCLOAK_ADMIN_PASSWORD: /run/secrets/keycloak_KEYCLOAK_ADMIN_PASSWORD
+      KC_DB_PASSWORD: ${keycloak_KC_DB_PASSWORD}
+      DB_PASS: ${keycloak_DB_PASS}
+      KEYCLOAK_ADMIN_PASSWORD: ${keycloak_KEYCLOAK_ADMIN_PASSWORD}
     labels:
       traefik.http.routers.keycloak.rule: Host(`keycloak.jafner.net`)
       traefik.http.routers.keycloak.tls.certresolver: lets-encrypt
@@ -49,17 +45,13 @@ services:
     command: "./traefik-forward-auth"
     depends_on:
       - keycloak
-    secrets:
-      - forwardauth_CLIENT_SECRET
-      - forwardauth_SECRET
-      - forwardauth_ENCRYPTION_KEY
     environment:
       PROVIDER_URI: "https://keycloak.jafner.net/realms/Jafner.net"
       CLIENT_ID: "traefik-forward-auth"
       LOG_LEVEL: "debug"
-      CLIENT_SECRET: /run/secrets/forwardauth_CLIENT_SECRET
-      SECRET: /run/secrets/forwardauth_SECRET
-      ENCRYPTION_KEY: /run/secrets/forwardauth_ENCRYPTION_KEY
+      CLIENT_SECRET: ${forwardauth_CLIENT_SECRET}
+      SECRET: ${forwardauth_SECRET}
+      ENCRYPTION_KEY: ${forwardauth_ENCRYPTION_KEY}
     labels:
       - "traefik.enable=false"
       - "traefik.http.routers.forwardauth.rule=Path(`/_oauth`)"
@@ -76,17 +68,13 @@ services:
     command: "./traefik-forward-auth --whitelist=jafner425@gmail.com"
     depends_on:
       - keycloak
-    secrets:
-      - forwardauth_privileged_CLIENT_SECRET
-      - forwardauth_privileged_SECRET
-      - forwardauth_privileged_ENCRYPTION_KEY
     environment:
       PROVIDER_URI: "https://keycloak.jafner.net/realms/Jafner.net"
       CLIENT_ID: "traefik-forward-auth-privileged"
       LOG_LEVEL: "debug"
-      CLIENT_SECRET: /run/secrets/forwardauth_privileged_CLIENT_SECRET
-      SECRET: /run/secrets/forwardauth_privileged_SECRET
-      ENCRYPTION_KEY: /run/secrets/forwardauth_privileged_ENCRYPTION_KEY
+      CLIENT_SECRET: ${forwardauth_privileged_CLIENT_SECRET}
+      SECRET: ${forwardauth_privileged_SECRET}
+      ENCRYPTION_KEY: ${forwardauth_privileged_ENCRYPTION_KEY}
     labels:
       - "traefik.enable=false"
       - "traefik.http.routers.forwardauth-privileged.rule=Path(`/_oauth`)"
@@ -97,12 +85,10 @@ services:
     container_name: keycloak_postgres
     networks:
       - keycloak
-    secrets:
-      - postgres_POSTGRES_PASSWORD
     environment:
       POSTGRES_DB: keycloak
       POSTGRES_USER: keycloak
-      POSTGRES_PASSWORD_FILE: /run/secrets/postgres_POSTGRES_PASSWORD
+      POSTGRES_PASSWORD_FILE: ${postgres_POSTGRES_PASSWORD}
     volumes:
       - postgres_data:/var/lib/postgresql/data
 
@@ -112,26 +98,4 @@ networks:
   keycloak:
 
 volumes:
-  postgres_data:
-
-secrets:
-  forwardauth_privileged_CLIENT_SECRET:
-    file: ./secrets/forwardauth-privileged_CLIENT_SECRET.txt
-  forwardauth_privileged_SECRET: 
-    file: ./secrets/forwardauth-privileged_SECRET.txt
-  forwardauth_privileged_ENCRYPTION_KEY: 
-    file: ./secrets/forwardauth-privileged_ENCRYPTION_KEY.txt
-  forwardauth_CLIENT_SECRET:
-    file: ./secrets/forwardauth_CLIENT_SECRET.txt
-  forwardauth_SECRET:
-    file: ./secrets/forwardauth_SECRET.txt
-  forwardauth_ENCRYPTION_KEY:
-    file: ./secrets/forwardauth_ENCRYPTION_KEY.txt
-  keycloak_KC_DB_PASSWORD: 
-    file: ./secrets/keycloak_KC_DB_PASSWORD.txt
-  keycloak_DB_PASS: 
-    file: ./secrets/keycloak_DB_PASS.txt
-  keycloak_KEYCLOAK_ADMIN_PASSWORD: 
-    file: ./secrets/keycloak_KEYCLOAK_ADMIN_PASSWORD.txt
-  postgres_POSTGRES_PASSWORD: 
-    file: ./secrets/postgres_POSTGRES_PASSWORD.txt
+  postgres_data:

homelab/fighter/config/keycloak/secrets.enc.env

@@ -0,0 +1,16 @@
+keycloak_KC_DB_PASSWORD=ENC[AES256_GCM,data:P70pkDsO5Ak17sfzn6wKkD/QYP/RrKm2aXaSWg0z0B9hBg==,iv:oU2Qjeo7x1Z27RknsshKnOJ6j8JlxlJHio9S/puKHxs=,tag:sxmnpGGf6ccY0xVDAjNyug==,type:str]
+keycloak_DB_PASS=ENC[AES256_GCM,data:ABuRFT0cGtnWc6p3klArNUSTktkDEuqQD3W9MCZ1AlLeBg==,iv:jh88fAy5xpVVGfchUarfHbGSLJpaQUqKPDUSWDFHIiY=,tag:UEdXH38xxwCaVTVBxFZKxA==,type:str]
+keycloak_KEYCLOAK_ADMIN_PASSWORD=ENC[AES256_GCM,data:XVRU9x2o4T5NjfgZpGXDZ17HAsQbxTCFn6o3KOU4rTu3D+pH5SUHaq3NAL5YCkeveyUI/Xw3sJm5TutLzn4C+O4+,iv:Bou4sbeXVax92cVz4NJymV01cH1DdaYiplfwGSIEHkg=,tag:Xsr/A2GWanJE78qsrVo8PQ==,type:str]
+forwardauth_CLIENT_SECRET=ENC[AES256_GCM,data:1Q9AX1DBzvWRMD+lILGkdUJZflnKIlVYmA9ue4pK1ve2XA==,iv:LVps+PzRNm0t7anDt84Gb1w2+Nvr9OrlbjttDucRSUg=,tag:I8btbBts5Ku4w7nDjggbxw==,type:str]
+forwardauth_SECRET=ENC[AES256_GCM,data:9qEX8lWRvFafNzpC+4S3snjadC9zxLbh+Xl6tY4HQ4KuI6kk629+1x2pFr9waCJO+gCzE0HJJsnidDIoGXVHWnXA,iv:cwDdn0n1loI8+HQjABEGRlgh4842LoH7pvG71Ghf7dc=,tag:bOmthdV33T0QY66d/UlGGQ==,type:str]
+forwardauth_ENCRYPTION_KEY=ENC[AES256_GCM,data:n01nxFqPK5+2qEVNyFo+zBSp6KV+Qeww/FazUUyN5+YXhw==,iv:GgIwzZOH20Me5f5xF9BfTUeTDmpDbH8SZbRjRSttHhQ=,tag:Gb8BcABBGjnJQpL1nr+k/A==,type:str]
+forwardauthprivileged_CLIENT_SECRET=ENC[AES256_GCM,data:dAMvL6VHi+FRZ/yLf0k+w3ctYxWAz6aTRP6CwIHGCWt9aQ==,iv:0S70DtS04ayXHEoTPzvmKyNMNFwZr0DnBVLe6gGr77g=,tag:Tvq2o9DhepmGjpLzYWnxSQ==,type:str]
+forwardauthprivileged_SECRET=ENC[AES256_GCM,data:YEBRYfEzH3Seqb+tS7AaRJtXyVOSIrHErBaL11JSRywtemVbZuBRnL2CEgxZAiP/3zI=,iv:sVd6PfC/aJWMk/+1NojW5hCOAYAPCEqLTBBmWYyLKG0=,tag:qCasD+ngKjdxo6zTLngSRw==,type:str]
+forwardauthprivileged_ENCRYPTION_KEY=ENC[AES256_GCM,data:eARXrKKaoE+me1PchYuUPMPL/M63OBEgLO67kDYslyA3Pw==,iv:Dw+3wn+i+afIPlQxuh5wswAcTMhzroBXaHBnF0j2mDw=,tag:OeFSu50RsPvRlRu5YS3etA==,type:str]
+postgres_POSTGRES_PASSWORD=ENC[AES256_GCM,data:aWfkhXHRslusFrelk4IMGsElEZKqiFnhGjhZJA3l/t/RpA==,iv:TZcDiACS4d3WttS6pmICCpgxLpyTg6o45P4rqoR6i2c=,tag:JBCv4hefBOU/kU/CXAhe4g==,type:str]
+sops_age__list_0__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRSmVTS0ZnRVk1UURUZlJY\nSWJVZHY1RlJuQW5VMGRTZ29nR0hPYWZ0VVFVCkZndy81UXArOVNpWjJrekE5UVFU\ndHBQOWNoSzNpSjR0Y282Rno4OUZLUG8KLS0tIHMwS2pUT0NSUkRUcHpwbGIrMk81\ndWltUUtJRVI4SEJrN045cjkxMUdOTHcKN49PAzlu6yfWItZy5UdkmJzkVwCID6Tl\nL/os2MZF4ZjxuAcbltt8Jc7/rHmZwPKivyVeJ71e13ar+hYdU9h/dg==\n-----END AGE ENCRYPTED FILE-----\n
+sops_age__list_0__map_recipient=age1zswcq6t5wl8spr3g2wpxhxukjklngcav0vw8py0jnfkqd2jm2ypq53ga00
+sops_lastmodified=2024-08-14T06:28:48Z
+sops_mac=ENC[AES256_GCM,data:mPzTbLH3nEo0D3w1RJ1Ik/VzRim8hs82ApAklzNPkUxMhDOXR2m9XuKITyDxORcRSeiMyiTWSvL6ePNDrrVkbMCM6wcsyrA+unrSWYTDaFkXJ+1sXxlOH8yYoUJrWRytuRhLmwM7Kf+CUdrQKgAitekfc9K0HbIYczsotM4ZQBo=,iv:DL1ym0PQiHbwOPV7WJzUhYC4kWq68KET/8WzbcsALcM=,tag:Vhcq3BbfN4m/82jwqjvzNw==,type:str]
+sops_unencrypted_suffix=_unencrypted
+sops_version=3.9.0