Start using a docker secret for local passwords
diff --git a/.gitignore b/.gitignore
index 1f89b79..fa0a277 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,3 +1,4 @@
+/.seed
/certbot/lib/
/certbot/www/
/certs/
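Review bot: the new `/.seed` entry keeps the seed file out of version control, but the compose build context is governed by `.dockerignore`, not `.gitignore`; if any service in this repository is built from a context that contains `.seed`, consider adding the same entry to a `.dockerignore` so the seed cannot be copied into an image layer by a broad `COPY . .`.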
diff --git a/TODO.on.site b/TODO.on.site
index 56a0960..da83a0e 100644
--- a/TODO.on.site
+++ b/TODO.on.site
@@ -1,3 +1,8 @@
+Create secret seed:
+We use a single secret seed that internal passwords (e.g.
+robot mail accounts, databases) are derived from.
+* `dd if=/dev/urandom bs=1 count=16 | base 64 >.seed`
+
Create environment files (cf. `git ls-files \*environment.template`):
* Set SA_PUBLIC_DOMAIN_NAME in `environment`
* Set CANONICAL_WEB_URL in `gerrit/environment`
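Review bot: the command on the `dd` line has a typo that makes it fail as written: `base 64` should be `base64` (with `base 64`, the shell looks for a program named `base`). While correcting it, the line should also ensure the seed file is created with restrictive permissions, since the redirection creates `.seed` with the current umask; for example `(umask 077; dd if=/dev/urandom bs=1 count=16 | base64 >.seed)` or a `chmod 600 .seed` step afterwards. Separately, the new paragraph says internal passwords are "derived from" this seed but does not say how; because one seed feeds several credentials, the derivation should be documented here as a keyed one-way function (e.g. an HMAC of the seed over a per-service label) so that a leaked database or mail password does not reveal the seed and, with it, every other derived password.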
diff --git a/docker-compose.yml b/docker-compose.yml
index 65dccaf..0b60856 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -154,3 +154,6 @@
ipam:
config:
- subnet: 10.12.14.48/29
+secrets:
+ seed:
+ file: .seed
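Review bot: the top-level `secrets:` declaration on its own does not make the seed available to any container; a service only receives `/run/secrets/seed` once it lists `seed` under its own `secrets:` key, and none of the services are touched in this change, so the secret is declared but unused until a follow-up wires it in. Also note that `file: .seed` is resolved relative to the compose file, which matches the `/.seed` path added to `.gitignore` in this patch, but the compose command will fail at startup if the file has not yet been created by the step documented in `TODO.on.site`; a short comment next to the declaration pointing at that step would help operators.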