Commit secrets generation, make some nice scripts

.gitignore

@@ -1,5 +1,3 @@
-secrets/
-data/
-.redo
-*.tmp
+/secrets/
+/data/
 env.production

readme.md

@@ -21,16 +21,13 @@ Fill out env.template and make sure to pass it in the next command
 
 ## running
 
-To enable additional services, add their compose file to the following command
-
-    podman compose --env-file env.production \
-      --file services/secrets.yaml \
-      --file services/backup.yaml \
-      --file services/smtp.yaml \
-      --file services/caddy.yaml \
-      --file services/authelia.yaml \
-      --file services/web.yaml \
-      up --build --abort-on-container-exit
+We have two scripts in the `scripts/` directory - up and down
+
+    ./scripts/up
+
+To stop all the containers, you can ctrl+c, or 
+
+    ./scripts/down
 
 ## port forwarding
 

scripts/down

@@ -0,0 +1,7 @@
+podman compose --env-file env.production \
+  --file services/secrets.yaml \
+  --file services/backup.yaml  \
+  --file services/proxy.yaml \
+  --file services/auth.yaml \
+  --file services/web.yaml \
+  down --volumes

scripts/up

@@ -0,0 +1,7 @@
+podman compose --env-file env.production \
+  --file services/secrets.yaml \
+  --file services/backup.yaml  \
+  --file services/proxy.yaml \
+  --file services/auth.yaml \
+  --file services/web.yaml \
+  up --build

services/auth.yaml

@@ -9,6 +9,10 @@ services:
     volumes:
       - ../data/auth:/mnt/backup/src/auth:ro
 
+  generate-secrets:
+    volumes:
+      - ../secrets/auth/zitadel/MASTER_KEY:/secrets/auth/zitadel/MASTER_KEY
+
   zitadel:
     restart: 'unless-stopped'
     image: 'ghcr.io/zitadel/zitadel:latest'
@@ -22,7 +26,7 @@ services:
       - MASTER_KEY
     command: "start-from-init --masterkeyFile /run/secrets/MASTER_KEY --tlsMode disabled"
     depends_on:
-      secrets:
+      generate-secrets:
         condition: 'service_completed_successfully'
       caddy:
         condition: 'service_healthy'
@@ -31,17 +35,13 @@ services:
     ports:
       - '8321:8080'
 
-  generate-secrets:
-    volumes:
-      - ../secrets/auth/zitadel/MASTER_KEY:/secrets/auth/zitadel/MASTER_KEY
-
   crdb:
     restart: unless-stopped
-    image: 'cockroachdb/cockroach:latest-v22.2'
+    image: 'cockroachdb/cockroach:latest-v23.1'
     depends_on:
-      secrets:
+      generate-secrets:
         condition: 'service_completed_successfully'
-    command: "start-single-node --insecure"
+    command: "start-single-node --insecure --store=path=/cockroach/cockroach-data,size=20%"
     healthcheck:
       test: ["CMD", "curl", "--fail", "http://localhost:8080/health?ready=1"]
       interval: '10s'

services/backup.yaml

@@ -11,15 +11,12 @@ secrets:
     file: ../secrets/backup/duplicity/PASSPHRASE
 
 services:
-  generate-secrets:
-    volumes:
-      - ../secrets/backup/duplicity/BUCKET_NAME:/secrets/backup/duplicity/BUCKET_NAME
-      - ../secrets/backup/duplicity/PASSPHRASE:/secrets/backup/duplicity/PASSPHRASE
-
-  duplicity:
+  backup:
     image: tecnativa/docker-duplicity:latest
     restart: unless-stopped
-    depends_on: [secrets]
+    depends_on: 
+      generate-secrets:
+        condition: 'service_completed_successfully'
     secrets: [B2_APPLICATION_KEY, B2_APPLICATION_KEY_ID, BUCKET_NAME, PASSPHRASE]
     environment:
       HOSTNAME: ${DOMAIN}
@@ -28,6 +25,12 @@ services:
       - ./backup/backup-files:/backup-files:ro
     entrypoint: ["/bin/sh", "/backup-files"]
 
+  generate-secrets:
+    volumes:
+      - ../secrets/backup/duplicity/BUCKET_NAME:/secrets/backup/duplicity/BUCKET_NAME
+      - ../secrets/backup/duplicity/PASSPHRASE:/secrets/backup/duplicity/PASSPHRASE
+
+
 #  duplicity-postgres:
 #    image: tecnativa/docker-duplicity-postgres:latest
 #    restart: unless-stopped

services/mail.yaml

@@ -7,7 +7,7 @@ secrets:
 services:
   generate-secrets:
     volumes:
-      - ../secrets/mail/maddy/MASTER_KEY:/secrets/mail/maddy/MASTER_KEY
+      - ../secrets/mail/maddy/SMTP_PASSWORD:/secrets/mail/maddy/SMTP_PASSWORD
 
   backup:
     volumes:
@@ -21,7 +21,10 @@ services:
     image: foxcpp/maddy:latest
     secrets: [SMTP_PASSWORD]
     restart: unless-stopped
-    depends_on: ["smtp-setup"]
+    depends_on:
+      generate-secrets:
+        condition: 'service_completed_successfully'
+
     environment:
       - MADDY_HOSTNAME=mx.mail.${DOMAIN}
       - MADDY_DOMAIN=mail.${DOMAIN}
@@ -49,11 +52,6 @@ services:
     ports:
       - 9002:80
 
-  smtp-setup:
-    container_name: smtp-setup
-    image: alpine
-    restart: no
-    secrets: [SMTP_PASSWORD]
-    volumes:
-      - ./secrets/check-secrets:/check-secrets:ro
-    entrypoint: ["/check-secrets"]
+  check-secrets:
+    secrets: 
+      - SMTP_PASSWORD

services/secrets.yaml

@@ -7,3 +7,10 @@ services:
     volumes:
       - ./secrets/generate-secrets:/generate-secrets:ro
     entrypoint: ["/generate-secrets"]
+
+  check-secrets:
+    image: alpine
+    restart: no
+    volumes:
+      - ./secrets/check-secrets:/check-secrets:ro
+    entrypoint: ["/check-secrets"]

services/secrets/check-secrets

@@ -0,0 +1,14 @@
+#!/usr/bin/env sh
+
+# this throws an error if any secrets are empty
+
+set -o errexit
+set -o nounset
+set -o pipefail
+
+for secret in /run/secrets/* ; do
+  if [ -s "$secret" ]; then
+    >&2 echo "ERROR: empty secret: $(basename $secret)" 
+    exit 1
+  fi
+done

services/secrets/generate-secrets

@@ -0,0 +1,13 @@
+#!/usr/bin/env sh
+
+# this generates a random 64 char hex string for all empty secret files in /secrets/*/*/*
+
+set -o errexit
+set -o nounset
+set -o pipefail
+
+for secret in /secrets/*/*/* ; do
+  test -d "$secret" && rmdir "$secret"
+  test -s "$secret" && continue
+  openssl rand -hex 64 > $secret
+done