gen-heimdall-secrets.sh
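#!/bin/bash
#
# gen-heimdall-secrets.sh [--overwrite] [-h]
#
# Creates the Docker named volume asgard_heimdall_secrets and seeds it with a
# Rails secrets.yml whose production keys are freshly generated with openssl.
# The generated file is also left at heimdall/config/secrets.yml for local use.
#
# Requires: docker, openssl.
# Exit status: 0 on success, or when the volume already exists and --overwrite
# was not given; 2 when an existing secrets.yml pulls its values from the
# environment; non-zero on any failed docker/openssl step.
set -euo pipefail

readonly volume_name=asgard_heimdall_secrets
readonly helper_name=heim_helper
# Every read, write and copy below uses this one path. The original script
# tested config/secrets.yml but wrote heimdall/config/secrets.yml, so an
# existing production file was regenerated (and clobbered) on every run.
readonly secrets_file=heimdall/config/secrets.yml

#######################################
# Prints a message to stderr and exits with status 1.
# Arguments: message words
#######################################
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

#######################################
# Prints usage to stdout.
#######################################
usage() {
  cat <<EOF
$0 [--overwrite]
$0 generates a named volume of ${volume_name} which contains random
keys and other initial secrets. The secrets file is left in the
heimdall/config/ directory for ease of use.
--overwrite : Will overwrite an existing set of secrets in the named volume
EOF
}

#######################################
# Removes the throw-away helper container. Registered on EXIT so a stale
# container never blocks the next run's `docker run --name`.
# Globals:   helper_name (read)
#######################################
cleanup() {
  docker rm -f "${helper_name}" >/dev/null 2>&1 || true
}

#######################################
# Writes a fresh secrets.yml that only the owner can read.
# Arguments: $1 - destination path (must not exist yet)
# Outputs:   progress line on stdout
# Returns:   exits via die if openssl cannot produce a key
#######################################
write_secrets_file() {
  local file=$1
  local key_base cipher_password cipher_salt
  echo "Generating secrets."
  # Generate into variables first: a failing openssl inside a heredoc
  # substitution would otherwise silently write empty production keys.
  key_base=$(openssl rand -hex 64) || die "openssl rand failed"
  cipher_password=$(openssl rand -hex 64) || die "openssl rand failed"
  cipher_salt=$(openssl rand -hex 32) || die "openssl rand failed"
  # umask 077 makes the file 0600 from the moment it is created, so there is
  # no window in which another user could read the keys. The development and
  # test values are the fixed, non-secret placeholders the project ships.
  (
    umask 077
    cat >"${file}" <<EOF
development:
  secret_key_base: d26decda541d849368ddc0655d5fd63bfb246935443eedb1ab2fb15762161f6da3ad665aeed166bfd86b6f43ce87f62fabad9523ea5e6a0b29dbd49d6aba7502
  cipher_password: 'cipher_password'
  cipher_salt: 'cipher_salt'
test:
  secret_key_base: c432c2a7954794eaa017fc50f68a1877d7bffa761f26c2b2cf50a43f40f5f387d933bd51bc91d4e33fcee02cc6728a698bfcd6b276c132739435282e08ef87c7
  cipher_password: 'cipher_password'
  cipher_salt: 'cipher_salt'
# Do not keep production secrets in the unencrypted secrets file.
# Instead, either read values from the environment.
# Or, use \`bin/rails secrets:setup\` to configure encrypted secrets
# and move the \`production:\` environment over there.
production:
  secret_key_base: ${key_base}
  cipher_password: ${cipher_password}
  cipher_salt: ${cipher_salt}
EOF
  )
  # A regular data file does not need the execute bit the old chmod 700 set.
  chmod 600 "${file}"
}

#######################################
# Entry point.
# Arguments: script arguments (see usage)
#######################################
main() {
  local arg overwrite=0
  for arg in "$@"; do
    case "${arg}" in
      -h|--help) usage; exit 0 ;;
      --overwrite) overwrite=1 ;;
      *) printf 'warning: ignoring unknown argument %s\n' "${arg}" >&2 ;;
    esac
  done

  command -v docker >/dev/null || die "docker is required"
  command -v openssl >/dev/null || die "openssl is required"

  # Refuse to touch an existing volume unless asked: regenerating keys breaks
  # any Heimdall database that was created with the old ones.
  if docker volume inspect "${volume_name}" >/dev/null 2>&1 && (( ! overwrite )); then
    printf '%s\n' \
      "Volume which may hold keys exists. Run '$0 --overwrite' to force generation" \
      "of new keys. This will break any existing Heimdall database containing users." >&2
    exit 0
  fi

  docker volume create "${volume_name}"

  # docker cp needs a container; a stopped busybox with the volume mounted is
  # the cheapest one. Remove any helper left by an interrupted earlier run
  # first, and always remove ours on exit.
  trap cleanup EXIT
  cleanup
  docker run -v "${volume_name}:/srv/secrets" --name "${helper_name}" busybox true

  if [[ ! -e "${secrets_file}" ]]; then
    write_secrets_file "${secrets_file}"
  elif grep -q ENV "${secrets_file}"; then
    cat >&2 <<EOF
${secrets_file} exists, but is set to pull vars from the environment.
Rename it if you'd like this build script to generate a secrets.yml
with random values for keys. Or, if it does not pull from the env...
EOF
    exit 2
  elif grep -q production "${secrets_file}"; then
    echo "Config already exists and has keys for production"
  fi

  echo "Copying secrets into named volume."
  docker cp "${secrets_file}" "${helper_name}:/srv/secrets/"
}

main "$@"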