From fa7fac3f65ddd53cd33efd20a4c1be8d5ef2bef5 Mon Sep 17 00:00:00 2001
From: Justus Grunow
Date: Thu, 14 Nov 2024 11:15:16 -0500
Subject: [PATCH] Replaced and rotated all secrets in docker-ext compose
---
 ansible/assets/docker-ext/compose.yml.j2 | 18 +++++++--------
 ansible/inventory/host_vars/docker-ext/vars | 7 ++++++
 ansible/inventory/host_vars/docker-ext/vault | 23 ++++++++++++++++++++
 3 files changed, 39 insertions(+), 9 deletions(-)
 create mode 100644 ansible/inventory/host_vars/docker-ext/vars
 create mode 100644 ansible/inventory/host_vars/docker-ext/vault
diff --git a/ansible/assets/docker-ext/compose.yml.j2 b/ansible/assets/docker-ext/compose.yml.j2
index a37ada6..018f62a 100644
--- a/ansible/assets/docker-ext/compose.yml.j2
+++ b/ansible/assets/docker-ext/compose.yml.j2
@@ -43,9 +43,9 @@ services:
 - backend
 - docker_default
 labels:
- - "traefik.http.middlewares.authtest.basicauth.users=user:$$apr1$$VKJibd3x$$SwY/BRH.QTeVEaRDnLKvv0"
+ - "traefik.http.middlewares.authtest.basicauth.users=user:{{ traefik_basicauth_password }}"
 - "traefik.http.middlewares.crowdsec.plugin.crowdsec-bouncer.enabled=true"
- - "traefik.http.middlewares.crowdsec.plugin.crowdsec-bouncer.crowdseclapikey=dTkMpqDs/ryjvw1tQaV3k0VtCFQUlh+hrdZMEWnxfXc"
+ - "traefik.http.middlewares.crowdsec.plugin.crowdsec-bouncer.crowdseclapikey={{ traefik_crowdsec_bouncer_lapi_key }}"
 - "traefik.http.middlewares.authchain.chain.middlewares=crowdsec@docker,authentik@docker"
 - "traefik.http.middlewares.internalOnly.ipallowlist.sourcerange=192.168.0.0/16, 10.0.0.0/8, 172.16.0.0/12"
 - "traefik.http.middlewares.internalOnlyWithAuth.chain.middlewares=internalOnly@docker,crowdsec@docker,authentik@docker"
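Review bot: The new basicauth label drops the `$$` escaping the old hash relied on, so whatever `traefik_basicauth_password` renders to is exposed to Compose's `$VAR` interpolation: an htpasswd hash such as `$apr1$...` would have `$apr1` and the following segments expanded away and Traefik would see a mangled value, while a plaintext password would be rejected because `basicauth.users` expects `user:htpasswd-hash`. I cannot see the vault value, so this is inferred from the variable name and the removed line. Store the hash and escape it at render time, `- "traefik.http.middlewares.authtest.basicauth.users=user:{{ traefik_basicauth_password | replace('$', '$$') }}"`, and consider naming the variable `traefik_basicauth_htpasswd` so the expected format is explicit. Nothing in the diff shows the new CrowdSec LAPI key being registered on the bouncer side, so that is worth confirming given the old key remains in git history. The `services:` block these labels belong to starts outside the hunk.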
@@ -178,13 +178,13 @@ services:
 environment:
 # - MYSQL_ROOT_PASSWORD=wallaroot
 - POSTGRES_USER=wallabag
- - POSTGRES_PASSWORD=Mo8ntF92q5oWNV6TbS7t
+ - POSTGRES_PASSWORD="{{ wallabag_postgres_password }}"
 - SYMFONY__ENV__DATABASE_DRIVER=pdo_pgsql
 - SYMFONY__ENV__DATABASE_HOST=postgres.injust.us
 - SYMFONY__ENV__DATABASE_PORT=5432
 - SYMFONY__ENV__DATABASE_NAME=wallabag
 - SYMFONY__ENV__DATABASE_USER=wallabag
- - SYMFONY__ENV__DATABASE_PASSWORD=Mo8ntF92q5oWNV6TbS7t
+ - SYMFONY__ENV__DATABASE_PASSWORD="{{ wallabag_postgres_password }}"
 - SYMFONY__ENV__DATABASE_TABLE_PREFIX="wallabag_"
 - SYMFONY__ENV__MAILER_DSN=smtp://127.0.0.1
 - SYMFONY__ENV__FROM_EMAIL=wallabag@example.com
@@ -511,7 +511,7 @@ services:
 - DB_HOST=bookstack_db
 - DB_PORT=3306
 - DB_USER=bookstack
- - DB_PASS=Chn8i#ExmX@J1C
+ - DB_PASS="{{ bookstack_db_password }}"
 - DB_DATABASE=bookstackapp
 env_file:
 - .env-bookstack
@@ -529,16 +529,16 @@ services:
 - "traefik.http.routers.bookstack.tls.certresolver=myresolver"
 - "traefik.http.routers.bookstack.tls=true"
 bookstack_db:
- image: lscr.io/linuxserver/mariadb:v24.10.1-ls173
+ image: lscr.io/linuxserver/mariadb:10.11.10-r0-ls161
 container_name: bookstack_db
 environment:
 - PUID=1000
 - PGID=1000
 - TZ=America/Thunder_Bay
- - MYSQL_ROOT_PASSWORD=cSoO1dcaS5sI&t
+ - MYSQL_ROOT_PASSWORD="{{ bookstack_db_root_password }}"
 - MYSQL_DATABASE=bookstackapp
 - MYSQL_USER=bookstack
- - MYSQL_PASSWORD=Chn8i#ExmX@J1C
+ - MYSQL_PASSWORD="{{ bookstack_db_password }}"
 volumes:
 - ./bookstack_db_data:/config
 restart: unless-stopped
@@ -550,7 +550,7 @@ services:
 DB_HOST: postgres.injust.us
 DB_PORT: 5432
 DB_USER: wikijs
- DB_PASS: 3Jfr7nmY4KBauR3nuHno
+ DB_PASS: "{{ wikijs_postgres_password }}"
 DB_NAME: wikijs
 restart: unless-stopped
 labels:
diff --git a/ansible/inventory/host_vars/docker-ext/vars b/ansible/inventory/host_vars/docker-ext/vars
new file mode 100644
index 0000000..9428d86
--- /dev/null
+++ b/ansible/inventory/host_vars/docker-ext/vars
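Review bot: The quotes added around `{{ wallabag_postgres_password }}` on the two `+` lines are not YAML quotes — each list entry is a plain scalar reading `POSTGRES_PASSWORD="..."`, and as far as I can tell Compose's list-form `environment` passes everything after `=` through literally, so the container receives the password wrapped in double quotes. Both wallabag variables get the same wrapped value, but `SYMFONY__ENV__DATABASE_HOST=postgres.injust.us` is an external server whose role password presumably does not contain the quotes, so authentication would fail after the rotation. Quote the whole entry instead, `- "POSTGRES_PASSWORD={{ wallabag_postgres_password }}"` and `- "SYMFONY__ENV__DATABASE_PASSWORD={{ wallabag_postgres_password }}"`, which still protects YAML-special characters in the secret; the wikijs service later in this file uses the map form with real YAML quoting, which would also work here. Because the database is external, the server-side password change for the `wallabag` role is not part of this diff and should be confirmed separately. The service this `environment` list belongs to starts before the hunk.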
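Review bot: `- DB_PASS="{{ bookstack_db_password }}"` has the same literal-quote problem as the other list-form entries in this file: the double quotes sit inside a plain YAML scalar and, as far as I can tell, reach BookStack as part of the password, so it only works if `bookstack_db` ends up with the identically wrapped value. Quote the entry as a whole, `- "DB_PASS={{ bookstack_db_password }}"`, or switch this service to the map form used by wikijs so the quoting is handled by YAML. This service's definition starts before the hunk.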
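Review bot: Changing `MYSQL_ROOT_PASSWORD` and `MYSQL_PASSWORD` in the compose file does not rotate anything for an existing `./bookstack_db_data` volume — MariaDB images, the linuxserver one included as far as I can tell, only read those variables when initialising an empty data directory, so the old values now sitting in git history stay valid until they are changed inside the database with `ALTER USER`. The commit title says the secrets were rotated but nothing in the diff shows that step; worth confirming, and worth a comment above `environment:` such as `# Passwords below are applied only on first initialisation of bookstack_db_data; rotate existing users with ALTER USER`. The quotes on both `+` lines are also literal for list-form entries, so they should be written as `- "MYSQL_ROOT_PASSWORD={{ bookstack_db_root_password }}"` and `- "MYSQL_PASSWORD={{ bookstack_db_password }}"`. The image tag change from `v24.10.1-ls173` to `10.11.10-r0-ls161` is unrelated to secret rotation and looks like a downgrade; it deserves its own commit with a note on whether the existing data directory is compatible with that MariaDB version.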
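Review bot: `DB_PASS: "{{ wikijs_postgres_password }}"` is the right shape — map-form `environment` with YAML quoting around the Jinja expression — and the list-form services elsewhere in this file should be brought in line with it rather than the reverse. Since `DB_HOST: postgres.injust.us` is an external server, this hunk only changes what the client sends; the matching `ALTER ROLE wikijs PASSWORD ...` on that server is not visible here and the old value remains in git history, so the rotation should be verified on the server side. The service definition starts outside the hunk.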
@@ -0,0 +1,7 @@
+---
+traefik_basicauth_password: "{{ vault_traefik_basicauth_password }}"
+traefik_crowdsec_bouncer_lapi_key: "{{ vault_traefik_crowdsec_bouncer_lapi_key }}"
+wallabag_postgres_password: "{{ vault_wallabag_postgres_password }}"
+bookstack_db_password: "{{ vault_bookstack_db_password }}"
+bookstack_db_root_password: "{{ vault_bookstack_db_root_password }}"
+wikijs_postgres_password: "{{ vault_wikijs_postgres_password }}"
diff --git a/ansible/inventory/host_vars/docker-ext/vault b/ansible/inventory/host_vars/docker-ext/vault
new file mode 100644
index 0000000..6f2a699
--- /dev/null
+++ b/ansible/inventory/host_vars/docker-ext/vault
@@ -0,0 +1,23 @@
+$ANSIBLE_VAULT;1.1;AES256
+32646563666534663266663566376431616161363333386234313761663134333734616233396133
+6563303763323332666264633964363366316136383332610a306365663331363737626664373234
+31346265613762636538353865613438386636643038303166303362616336323837323034333333
+6430646535656334360a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
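Review bot: The new `vars` file documents neither the indirection it sets up nor the format each secret must have, and `traefik_basicauth_password` in particular gives no hint that the compose template feeds it straight into Traefik's `basicauth.users`, which takes an htpasswd hash rather than a plaintext password. A header such as `# Plain names for this host's secrets; every vault_* value is defined in the sibling ansible-vault file 'vault' (edit with ansible-vault edit).` plus an inline `# htpasswd-format hash, not a plaintext password` on the basicauth line would save the next maintainer from guessing. Keeping the `vault_` prefix on the encrypted names is good practice since it keeps the plaintext variable names greppable while the vault itself stays encrypted in the repository.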