From 660f5a39eedf8c85e988765600dae39e2c7f0f9b Mon Sep 17 00:00:00 2001 From: Jonathan Dahan Date: Tue, 7 Nov 2023 16:00:39 -0500 Subject: [PATCH] Commit secrets generation, make some nice scripts --- .gitignore | 6 ++---- readme.md | 17 +++++++---------- scripts/down | 7 +++++++ scripts/up | 7 +++++++ services/auth.yaml | 16 ++++++++-------- services/backup.yaml | 17 ++++++++++------- services/mail.yaml | 18 ++++++++---------- services/secrets.yaml | 7 +++++++ services/secrets/check-secrets | 14 ++++++++++++++ services/secrets/generate-secrets | 13 +++++++++++++ 10 files changed, 83 insertions(+), 39 deletions(-) create mode 100755 scripts/down create mode 100755 scripts/up create mode 100755 services/secrets/check-secrets create mode 100755 services/secrets/generate-secrets diff --git a/.gitignore b/.gitignore index 99fc3de..bc2623c 100644 --- a/.gitignore +++ b/.gitignore @@ -1,5 +1,3 @@ -secrets/ -data/ -.redo -*.tmp +/secrets/ +/data/ env.production diff --git a/readme.md b/readme.md index 370d58a..82b0b32 100644 --- a/readme.md +++ b/readme.md @@ -21,16 +21,13 @@ Fill out env.template and make sure to pass it in the next command ## running -To enable additional services, add their compose file to the following command - - podman compose --env-file env.production \ - --file services/secrets.yaml \ - --file services/backup.yaml \ - --file services/smtp.yaml \ - --file services/caddy.yaml \ - --file services/authelia.yaml \ - --file services/web.yaml \ - up --build --abort-on-container-exit +We have two scripts in the `scripts/` directory - up and down + + ./scripts/up + +To stop all the containers, you can ctrl+c, or + + ./scripts/down ## port forwarding diff --git a/scripts/down b/scripts/down new file mode 100755 index 0000000..f88a9ef --- /dev/null +++ b/scripts/down 
@@ -0,0 +1,7 @@ +podman compose --env-file env.production \ + --file services/secrets.yaml \ + --file services/backup.yaml \ + --file services/proxy.yaml \ + --file services/auth.yaml \ + --file services/web.yaml \ + down --volumes diff --git a/scripts/up b/scripts/up new file mode 100755 index 0000000..aa0e61f --- /dev/null +++ b/scripts/up @@ -0,0 +1,7 @@ +podman compose --env-file env.production \ + --file services/secrets.yaml \ + --file services/backup.yaml \ + --file services/proxy.yaml \ + --file services/auth.yaml \ + --file services/web.yaml \ + up --build diff --git a/services/auth.yaml b/services/auth.yaml index 6358b59..087cc36 100644 --- a/services/auth.yaml +++ b/services/auth.yaml @@ -9,6 +9,10 @@ services: volumes: - ../data/auth:/mnt/backup/src/auth:ro + generate-secrets: + volumes: + - ../secrets/auth/zitadel/MASTER_KEY:/secrets/auth/zitadel/MASTER_KEY + zitadel: restart: 'unless-stopped' image: 'ghcr.io/zitadel/zitadel:latest' @@ -22,7 +26,7 @@ services: - MASTER_KEY command: "start-from-init --masterkeyFile /run/secrets/MASTER_KEY --tlsMode disabled" depends_on: - secrets: + generate-secrets: condition: 'service_completed_successfully' caddy: condition: 'service_healthy' @@ -31,17 +35,13 @@ services: ports: - '8321:8080' - generate-secrets: - volumes: - - ../secrets/auth/zitadel/MASTER_KEY:/secrets/auth/zitadel/MASTER_KEY - crdb: restart: unless-stopped - image: 'cockroachdb/cockroach:latest-v22.2' + image: 'cockroachdb/cockroach:latest-v23.1' depends_on: - secrets: + generate-secrets: condition: 'service_completed_successfully' - command: "start-single-node --insecure" + command: "start-single-node --insecure --store=path=/cockroach/cockroach-data,size=20%" healthcheck: test: ["CMD", "curl", "--fail", "http://localhost:8080/health?ready=1"] interval: '10s' diff --git a/services/backup.yaml b/services/backup.yaml index d1e11b8..78d785f 100644 --- a/services/backup.yaml +++ b/services/backup.yaml 
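Review bot: `down --volumes` in scripts/down removes every named and anonymous volume the five compose files declare, so the stop path the readme now recommends is also a data-destroying path; if any service keeps state in a volume rather than under the `../data` bind mounts (the crdb store at `/cockroach/cockroach-data` in auth.yaml looks like a candidate, though no volume for it is visible in this patch), a routine `./scripts/down` wipes it. Keep the everyday script at plain `down` and put the volume-removing variant in a separately named script so the destructive step is opt-in.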
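Review bot: scripts/up has no shebang and does not anchor itself to the repository root, so it depends on the caller's shell and working directory: `env.production` and the `services/*.yaml` paths resolve relative to wherever the script is invoked, and running it from another directory either fails or picks up a different env file. The same applies to scripts/down. Prefix both with `#!/usr/bin/env sh`, `set -eu` and `cd "$(dirname "$0")/.."` ahead of the `podman compose` line.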
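Review bot: The crdb image moves from `latest-v22.2` to `latest-v23.1` in the third auth.yaml hunk, inside a commit whose subject is about secrets generation; for CockroachDB a major-version bump is a one-way upgrade of the on-disk store, so it deserves its own commit and a note that the old image cannot be restarted against data touched by 23.1. Both `latest-v23.1` and the zitadel `latest` tag are floating, so `scripts/up --build` can pull a different image on every run; pin a specific release (ideally by digest) so the deployed versions are reproducible. The new `--store=path=/cockroach/cockroach-data,size=20%` flag persists to a path with no volume visible in this hunk; if none is declared elsewhere the store lives in the container layer and is lost on `scripts/down`. The crdb service definition continues outside the hunk.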
@@ -11,15 +11,12 @@ secrets: file: ../secrets/backup/duplicity/PASSPHRASE services: - generate-secrets: - volumes: - - ../secrets/backup/duplicity/BUCKET_NAME:/secrets/backup/duplicity/BUCKET_NAME - - ../secrets/backup/duplicity/PASSPHRASE:/secrets/backup/duplicity/PASSPHRASE - - duplicity: + backup: image: tecnativa/docker-duplicity:latest restart: unless-stopped - depends_on: [secrets] + depends_on: + generate-secrets: + condition: 'service_completed_successfully' secrets: [B2_APPLICATION_KEY, B2_APPLICATION_KEY_ID, BUCKET_NAME, PASSPHRASE] environment: HOSTNAME: ${DOMAIN} @@ -28,6 +25,12 @@ services: - ./backup/backup-files:/backup-files:ro entrypoint: ["/bin/sh", "/backup-files"] + generate-secrets: + volumes: + - ../secrets/backup/duplicity/BUCKET_NAME:/secrets/backup/duplicity/BUCKET_NAME + - ../secrets/backup/duplicity/PASSPHRASE:/secrets/backup/duplicity/PASSPHRASE + + # duplicity-postgres: # image: tecnativa/docker-duplicity-postgres:latest # restart: unless-stopped diff --git a/services/mail.yaml b/services/mail.yaml index 29357b6..4e01def 100644 --- a/services/mail.yaml +++ b/services/mail.yaml @@ -7,7 +7,7 @@ secrets: services: generate-secrets: volumes: - - ../secrets/mail/maddy/MASTER_KEY:/secrets/mail/maddy/MASTER_KEY + - ../secrets/mail/maddy/SMTP_PASSWORD:/secrets/mail/maddy/SMTP_PASSWORD backup: volumes: @@ -21,7 +21,10 @@ services: image: foxcpp/maddy:latest secrets: [SMTP_PASSWORD] restart: unless-stopped - depends_on: ["smtp-setup"] + depends_on: + generate-secrets: + condition: 'service_completed_successfully' + environment: - MADDY_HOSTNAME=mx.mail.${DOMAIN} - MADDY_DOMAIN=mail.${DOMAIN} @@ -49,11 +52,6 @@ services: ports: - 9002:80 - smtp-setup: - container_name: smtp-setup - image: alpine - restart: no - secrets: [SMTP_PASSWORD] - volumes: - - ./secrets/check-secrets:/check-secrets:ro - entrypoint: ["/check-secrets"] + check-secrets: + secrets: + - SMTP_PASSWORD 
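Review bot: The generate-secrets fragment in the second backup.yaml hunk mounts `BUCKET_NAME` alongside `PASSPHRASE`, but the generator script in this patch fills every empty file with random hex, so a missing or empty BUCKET_NAME silently becomes a 128-character random bucket name and the `backup` service targets a bucket that does not exist instead of failing loudly. BUCKET_NAME, B2_APPLICATION_KEY and B2_APPLICATION_KEY_ID are operator-supplied values, not generated ones; remove BUCKET_NAME from the generate-secrets volumes and let check-secrets reject it when empty. PASSPHRASE is the only key to the duplicity archives: once generated it has to be stored outside the ignored `/secrets/` tree, otherwise a fresh checkout generates a new one and every existing backup becomes unreadable — worth a comment above the `generate-secrets:` service such as `# PASSPHRASE is generated once; keep a copy out of band, a new value cannot decrypt existing archives`.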
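Review bot: The new `check-secrets` fragment in the last mail.yaml hunk only attaches `SMTP_PASSWORD`; nothing orders it after `generate-secrets`, and `maddy` now depends only on `generate-secrets`, so the check can be created before the secret has been generated and its outcome never gates the service that consumes the secret. Give check-secrets `depends_on: generate-secrets: condition: 'service_completed_successfully'` and make maddy depend on `check-secrets` with the same condition, so an empty secret stops the mail server from starting rather than producing a runtime auth failure. The maddy service definition continues outside the hunk.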
diff --git a/services/secrets.yaml b/services/secrets.yaml index aeeed63..fd3afd3 100644 --- a/services/secrets.yaml +++ b/services/secrets.yaml @@ -7,3 +7,10 @@ services: volumes: - ./secrets/generate-secrets:/generate-secrets:ro entrypoint: ["/generate-secrets"] + + check-secrets: + image: alpine + restart: no + volumes: + - ./secrets/check-secrets:/check-secrets:ro + entrypoint: ["/check-secrets"] diff --git a/services/secrets/check-secrets b/services/secrets/check-secrets new file mode 100755 index 0000000..8cde7f8 --- /dev/null +++ b/services/secrets/check-secrets @@ -0,0 +1,14 @@ +#!/usr/bin/env sh + +# this throws an error if any secrets are empty + +set -o errexit +set -o nounset +set -o pipefail + +for secret in /run/secrets/* ; do + if [ -s "$secret" ]; then + >&2 echo "ERROR: empty secret: $(basename $secret)" + exit 1 + fi +done diff --git a/services/secrets/generate-secrets b/services/secrets/generate-secrets new file mode 100755 index 0000000..914c078 --- /dev/null +++ b/services/secrets/generate-secrets @@ -0,0 +1,13 @@ +#!/usr/bin/env sh + +# this generates a random 64 char hex string for all empty secret files in /secrets/*/*/* + +set -o errexit +set -o nounset +set -o pipefail + +for secret in /secrets/*/*/* ; do + test -d "$secret" && rmdir "$secret" + test -s "$secret" && continue + openssl rand -hex 64 > $secret +done
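Review bot: `restart: no` in the new check-secrets service of secrets.yaml is an unquoted YAML 1.1 boolean, so a 1.1 parser (PyYAML, which podman-compose appears to use) hands compose `false` rather than the string `no`; write `restart: 'no'`, matching the quoted `'unless-stopped'` used in auth.yaml. `image: alpine` is a floating tag for a container that receives every secret in the deployment; pin it to a specific release or digest so the image that reads the secrets is a known one.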
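Review bot: The test in check-secrets is inverted: `[ -s "$secret" ]` is true when the file is non-empty, so the script reports `ERROR: empty secret` for every populated secret and exits 0 when all of them are empty, the opposite of what the header comment states. Change it to `if [ ! -s "$secret" ]; then` and quote the expansion in the message, `$(basename "$secret")`. When `/run/secrets/` holds no files the glob stays literal and, with the corrected test, is reported as an empty secret, which is the right outcome for a container that was supposed to receive secrets.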
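Review bot: generate-secrets relies on `rmdir` to recover when a bind-mounted secret path was created as a directory because the host file did not exist yet, but inside the container that directory is the mount point itself and `rmdir` on a mount point fails with EBUSY, so under `set -o errexit` the script exits before writing anything (I could not verify podman's exact behaviour here; please test a first run against an empty `secrets/` tree). Mounting the per-service directory, e.g. `../secrets/auth/zitadel:/secrets/auth/zitadel`, instead of individual files sidesteps the problem. The header comment also disagrees with the code: `openssl rand -hex 64` writes 128 hex characters plus a newline, not 64, and consumers that require a fixed key length — zitadel's `--masterkeyFile` is fed from this output via auth.yaml — may reject it, so either choose the length per secret or at least correct the comment to `# writes 64 random bytes as 128 hex characters into every empty file under /secrets/*/*/*`. Finally, the files are created with the default umask and are therefore readable by other users on the host; add `umask 077` before the loop and quote the redirection target, `> "$secret"`.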