parent
3462f137ad
commit
ca3b7d83a2
15
docs/Secrets.md
Normal file
15
docs/Secrets.md
Normal file
@ -0,0 +1,15 @@
|
||||
# Secrets
|
||||
Our repository contains as many configuration details as reasonable. But we must secure our secrets: passwords, API keys, encryption seeds, etc..
|
||||
|
||||
## Docker Env Vars
|
||||
1. We store our Docker env vars in a file named after the service. For example `keycloak.env`.
|
||||
2. We separate our secrets from non-secret env vars by placing them in a file with a similar name, but with `_secrets` appended to the service name. For example `keycloak_secrets.env`. These files exist only on the host for which they are necessary, and must be created manually on the host.
|
||||
3. Our repository `.gitignore` excludes all files matching `*.secret`, and `*_secrets.env`.
|
||||
|
||||
Note: This makes secrets very fragile. Accidental deletion or other data loss can destroy the secret permanently.
|
||||
|
||||
## Generating Secrets
|
||||
We use the password manager's generator to create secrets with the desired parameters, preferring the following parameters:
|
||||
- 64 characters
|
||||
- Capital letters, lowercase letters, numbers, and standard symbols (`^*@#!&$%`)
|
||||
If necessary, we will reduce characterset by cutting out symbols before reducing string length.
|
||||
@ -6,7 +6,7 @@ Our credentials are stored in `ddclient_secrets.env`, which is git-ignored. Addi
|
||||
So we generate the config file when it must be updated. To update the file, we can run the following command:
|
||||
|
||||
```bash
|
||||
cd ~/homelab/jafner-net/config/ddns/ && \
|
||||
cd ~/homelab/fighter/config/ddns/ && \
|
||||
export $(cat ddclient_secrets.env | xargs) && \
|
||||
envsubst < ./ddclient/ddclient.template > ./ddclient/ddclient.conf && \
|
||||
unset $(grep -v '^#' ddclient_secrets.env | sed -E 's/(.*)=.*/\1/' | xargs) && \
|
||||
|
||||
Loading…
Reference in New Issue
Block a user