Improve Secrets Handling #32

Closed
opened 2022-07-13 23:24:09 -07:00 by Jafner · 21 comments
Jafner commented 2022-07-13 23:24:09 -07:00 (Migrated from gitlab.jafner.net)

# References

- https://docs.docker.com/engine/swarm/secrets/
- https://docs.docker.com/compose/compose-file/compose-file-v3/#secrets
Jafner commented 2022-07-14 23:22:33 -07:00 (Migrated from gitlab.jafner.net)
assigned to @Jafner
Jafner commented 2022-07-14 23:25:57 -07:00 (Migrated from gitlab.jafner.net)
marked this issue as related to #34
Jafner commented 2022-10-31 22:08:50 -07:00 (Migrated from gitlab.jafner.net)
mentioned in issue #36
Jafner commented 2022-11-01 10:53:58 -07:00 (Migrated from gitlab.jafner.net)
Docker secrets might not be the right solution here. I use a cosmopolitan array of images, which means I cannot reasonably control whether the images themselves support secret-style file-based values for sensitive information.

https://stackoverflow.com/questions/52492359/docker-secrets-passing-as-environment-variable

So instead we'll add a gitignore entry for files matching `*_secrets.env` and [manually remove](https://stackoverflow.com/questions/1274057/how-do-i-make-git-forget-about-a-file-that-was-tracked-but-is-now-in-gitignore) already-tracked secrets.
Jafner commented 2022-11-01 10:58:02 -07:00 (Migrated from gitlab.jafner.net)
mentioned in commit 380402443537ea8159f3ab582cb30603842d7dac
Jafner commented 2022-11-01 11:10:54 -07:00 (Migrated from gitlab.jafner.net)
mentioned in commit ef7da5ce08fc216ba629ef3605349e9ad34309bb
Jafner commented 2022-11-01 11:15:44 -07:00 (Migrated from gitlab.jafner.net)
While this task *is* complete, we will also need to do one of the following:

1. Create a new repository for #34. Current secrets are still present in the Git history.
2. Replace all secrets. Make the exposure of current secrets irrelevant by replacing them with new ones.

I prefer the latter, as it preserves the valuable Git history. It also provides procedure experience for secret replacement.
Jafner commented 2022-11-23 08:41:01 -08:00 (Migrated from gitlab.jafner.net)
Let's take inventory of the secrets used:

- [Matrix - Postgres](/server/config/matrix) `POSTGRES_PASSWORD`
- [DDNS - Cloudflare](/server/config/ddns) `API_KEY`
- [Fireshare - Fireshare](/server/config/fireshare) `ADMIN_PASSWORD`, `SECRET_KEY`
- [Keycloak - Keycloak](/server/config/keycloak) `KEYCLOAK_ADMIN_PASSWORD`
- [Keycloak - Forwardauth](/server/config/keycloak) `CLIENT_SECRET`, `SECRET`, `ENCRYPTION_KEY`
- [Librespeed - Librespeed](/server/config/librespeed) `IPINFO_APIKEY`, `PASSWORD`
- [Monitoring - Exporter-NZBd](/server/config/monitoring) `SABNZBD_APIKEYS`
- [Plex - Plex](/server/config/plex) `PLEX_CLAIM`
- [Wireguard](/server/config/wireguard) `PASSWORD`
Jafner commented 2023-01-24 23:39:36 -08:00 (Migrated from gitlab.jafner.net)

- Matrix - bc451b8d
- Cloudflare - Rolled to new token
- Fireshare - Generated new password and key
- Keycloak - Generated new password
- Forwardauth - TODO
- Librespeed - IPINFO API key [does not appear to be rotatable](https://ipinfo.io/faq/article/127-how-to-use-the-token-security-feature), which is insane. Password rotated.
- SABNZBd - TODO, requires rotating key for all connected services
- Plex - `PLEX_CLAIM` token expires after like 15 minutes. Only used for setup.
- Wireguard - Rotated password.
Jafner commented 2023-01-24 23:46:12 -08:00 (Migrated from gitlab.jafner.net)
**Forwardauth**

- [x] `SECRET` is a simple encryption secret. Should be able to rotate without issue.
- [x] `ENCRYPTION_KEY` used to be called `SESSION_KEY`

  > Used to sign cookies authentication, should be a random (e.g. `openssl rand -hex 16`)

  Should be able to rotate without issue.
- [x] `CLIENT_SECRET` comes from the Keycloak client. Rotate it in Keycloak and copy it to the forwardauth secrets file.
Jafner commented 2023-01-24 23:55:44 -08:00 (Migrated from gitlab.jafner.net)
**SABNZBd**

List of applications that *might* be using the SABNZBd API token:

- [monitoring_exporter-sabnzbd](https://gitlab.jafner.net/Jafner/homelab/-/blob/main/server/config/monitoring/docker-compose.yml)
- [Radarr](https://radarr.jafner.net/settings/downloadclients)
- [Sonarr](https://sonarr.jafner.net/settings/downloadclients)
- [Lidarr](https://lidarr.jafner.net/settings/downloadclients)
- [NZBHydra](https://nzbhydra.jafner.net/config/downloading)
Jafner commented 2023-01-25 08:23:39 -08:00 (Migrated from gitlab.jafner.net)
API key has been rolled and each of the listed services has been updated.
Jafner commented 2023-02-10 12:14:29 -08:00 (Migrated from gitlab.jafner.net)
[ddclient.conf](https://gitlab.jafner.net/Jafner/homelab/-/blob/main/server/config/ddns/ddclient/ddclient.conf) contains secret credentials. Re-opening issue to determine how we can handle these credentials.
Jafner commented 2023-02-10 12:33:16 -08:00 (Migrated from gitlab.jafner.net)
changed title from **Imp{-lement Docker Secrets for sensitive information-}** to **Imp{+rove Secrets Handling+}**
Jafner commented 2023-02-10 12:33:27 -08:00 (Migrated from gitlab.jafner.net)
https://github.com/linuxserver/docker-ddclient/issues/44
Jafner commented 2023-02-10 12:37:47 -08:00 (Migrated from gitlab.jafner.net)
Rotate these secrets:

- [x] Login and password for jafner.dev in google domains. Exposed in ddclient.conf
- [ ] Login and password for meganmcdonough.art in google domains. Exposed in ddclient.conf
Jafner commented 2023-02-10 12:45:38 -08:00 (Migrated from gitlab.jafner.net)
And for handling secrets in ddclient.conf, we can use [`envsubst`](https://www.baeldung.com/linux/envsubst-command) with a `ddclient_secrets.env` file.
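A worked version of the `envsubst` approach above, added here as an example and not code from the homelab repo: a template `ddclient.conf` is rendered from a git-ignored `ddclient_secrets.env` without the secrets leaking into the calling shell. The template file name and the `DDNS_LOGIN` / `DDNS_PASSWORD` variable names are assumptions, and the values are constructed.

```shell
#!/bin/sh
# Added example (not from the homelab repo): render ddclient.conf from a
# template plus a git-ignored ddclient_secrets.env. Template name and the
# DDNS_LOGIN / DDNS_PASSWORD variable names are assumptions.
set -eu

WORK="$(mktemp -d)"

# Constructed template: ${NAME} placeholders stand in for the real values.
cat > "$WORK/ddclient.conf.template" <<'EOF'
protocol=googledomains
login=${DDNS_LOGIN}
password=${DDNS_PASSWORD}
jafner.dev
EOF

# Constructed secrets file; its name matches the *_secrets.env gitignore rule.
cat > "$WORK/ddclient_secrets.env" <<'EOF'
DDNS_LOGIN='ddns-user'
DDNS_PASSWORD='s3cr3t-pass'
EOF
chmod 600 "$WORK/ddclient_secrets.env"

# substitute_vars: envsubst when gettext is installed, awk fallback otherwise.
# Only the named ${NAME} placeholders are replaced, read from the environment.
substitute_vars() {
    if command -v envsubst >/dev/null 2>&1; then
        envsubst '${DDNS_LOGIN} ${DDNS_PASSWORD}'
    else
        awk '{ while (match($0, /\$[{][A-Za-z_][A-Za-z0-9_]*[}]/)) {
                   name = substr($0, RSTART + 2, RLENGTH - 3)
                   $0 = substr($0, 1, RSTART - 1) ENVIRON[name] substr($0, RSTART + RLENGTH) }
               print }'
    fi
}

# render_ddclient_conf TEMPLATE SECRETS_ENV OUT
# Sources the env file inside a subshell so the secrets never reach the
# caller's environment, and gives the rendered file owner-only permissions.
render_ddclient_conf() {
    ( set -a; . "$2"; set +a; substitute_vars < "$1" > "$3" )
    chmod 600 "$3"
}

# check_rendered FILE: fails if any placeholder survived substitution.
check_rendered() {
    ! grep -q '\${' "$1"
}

render_ddclient_conf "$WORK/ddclient.conf.template" \
    "$WORK/ddclient_secrets.env" "$WORK/ddclient.conf"
check_rendered "$WORK/ddclient.conf"
```

Only the rendered `ddclient.conf` is handed to the container; both it and the env file stay out of version control.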
Jafner commented 2023-02-10 13:33:10 -08:00 (Migrated from gitlab.jafner.net)
mentioned in commit dac3146ac0770d37409f3712435bc9c555c3a3b6
Jafner commented 2023-02-10 13:34:47 -08:00 (Migrated from gitlab.jafner.net)
mentioned in commit 57a5d95394932ba632e507919a98f9b99c244061
Jafner commented 2023-09-18 12:41:02 -07:00 (Migrated from gitlab.jafner.net)
mentioned in issue #99

All described secrets have been rotated and removed from version control.
Reference: Jafner/homelab#32