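#!/bin/bash
# -e: abort on the first failing command (an openssl failure must never leave
#     a half-written secrets file behind); -u: an unset variable is an error,
#     so a typo cannot expand to an empty secret; pipefail: a pipeline fails
#     when any stage fails.
set -euo pipefail
# Every file this script writes (secrets.md and its backup) holds credentials:
# create them owner-readable only instead of inheriting the caller's umask.
umask 077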
#################################################################################
# Authelia Secrets Generator
#################################################################################
#
# ⚠️ CRITICAL WARNING: DO NOT RUN THIS SCRIPT CASUALLY! ⚠️
#
# This script generates completely new secrets for Authelia. Running it will:
#
# 1. 🔑 INVALIDATE ALL EXISTING SECRETS - Users will be logged out, tokens invalid
# 2. 🗄️ REQUIRE UPDATING WOODPECKER CI VAULT - All 10 secrets must be manually
#    updated in your CI/CD system before the new secrets take effect
# 3. 💾 POTENTIALLY REQUIRE RECREATING DOCKER VOLUMES - If you change encryption
#    keys (STORAGE_ENCRYPTION_KEY), existing encrypted database data will be
#    unreadable and you may need to recreate persistent volumes
# 4. 🔄 TRIGGER FULL REDEPLOYMENT - The CI/CD pipeline will need to run to apply
#    the new secrets to production
#
# ONLY run this script when you intentionally want to rotate ALL secrets, such as:
# - Security incident requiring credential rotation
# - Periodic security maintenance (e.g., quarterly rotation)
# - Setting up a completely new environment
#
# REQUIRED STEPS AFTER RUNNING THIS SCRIPT:
# 1. Update all 10 secrets in Woodpecker CI vault with values from secrets.md
# 2. Trigger deployment (git push) to apply new secrets
# 3. Monitor deployment for successful startup
# 4. If the database encryption key changed, you may need to recreate volumes/data
# 5. Test authentication and OIDC functionality
#
#################################################################################

# ANSI colour escapes for console messages; NC resets to the default colour
RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
BLUE='\033[0;34m'
NC='\033[0m'

# Banner. %b interprets the escape sequences exactly as `echo -e` does.
printf '%b\n' "${BLUE}🔐 Authelia Secrets Generator${NC}"
printf '%s\n' "=================================="
#######################################
# Test whether a command is resolvable (builtin, function or on PATH).
# Arguments: $1 - command name
# Outputs:   nothing
# Returns:   0 if the command exists, non-zero otherwise
#######################################
command_exists() {
  local tool=$1
  command -v "$tool" &>/dev/null
}
#######################################
# Verify that the external tools this script depends on (currently only
# openssl, which backs every generator below) are installed. When something
# is missing, print per-platform install hints and exit the script with 1.
# Globals:   RED, GREEN, YELLOW, BLUE, NC (read) - colour escapes
# Outputs:   progress and diagnostics on stdout
# Returns:   0 when every tool is present; exits 1 otherwise
#######################################
check_requirements() {
  local -a missing=()
  local tool

  printf '%b\n' "${BLUE}🔍 Checking required tools...${NC}"

  if command_exists openssl; then
    printf '%b\n' "${GREEN}✓ openssl found${NC}"
  else
    missing+=("openssl")
  fi

  # Happy path first: nothing missing, report and hand control back.
  if (( ${#missing[@]} == 0 )); then
    printf '%b\n' "${GREEN}✅ All required tools are available${NC}"
    echo ""
    return 0
  fi

  echo ""
  printf '%b\n' "${RED}❌ Missing required tools: ${missing[*]}${NC}"
  echo ""
  printf '%b\n' "${YELLOW}📦 Installation instructions:${NC}"

  for tool in "${missing[@]}"; do
    case "$tool" in
      openssl)
        printf '%s\n' \
          "• OpenSSL:" \
          " - macOS: brew install openssl" \
          " - Ubuntu/Debian: sudo apt-get install openssl" \
          " - CentOS/RHEL: sudo yum install openssl" \
          " - Alpine: apk add openssl"
        ;;
    esac
  done

  echo ""
  printf '%b\n' "${RED}Please install the missing tools and run this script again.${NC}"
  exit 1
}
#######################################
# Print the consequences of rotating every secret and the follow-up steps
# the operator has to carry out afterwards.
# Globals:   RED, YELLOW, BLUE, NC (read) - colour escapes
# Outputs:   the warning text on stdout (18 lines)
# Returns:   0
#######################################
show_warnings() {
  # One printf: the format is re-applied to every argument, so each argument
  # becomes one line and "" becomes a blank line.
  printf '%b\n' \
    "${RED}🚨 CRITICAL WARNINGS BEFORE PROCEEDING 🚨${NC}" \
    "${RED}==========================================${NC}" \
    "" \
    "${YELLOW}This will generate completely NEW secrets that will:${NC}" \
    "${RED}• Invalidate ALL existing user sessions and tokens${NC}" \
    "${RED}• Require manual update of ALL 10 secrets in Woodpecker CI vault${NC}" \
    "${RED}• Potentially require recreating database volumes if encryption key changes${NC}" \
    "${RED}• Cause service downtime until deployment completes${NC}" \
    "" \
    "${YELLOW}REQUIRED FOLLOW-UP STEPS:${NC}" \
    "1. Update secrets in Woodpecker CI vault (all 10 values)" \
    "2. Commit and push to trigger deployment" \
    "3. Monitor deployment logs for successful startup" \
    "4. Test authentication functionality" \
    "5. If STORAGE_ENCRYPTION_KEY changed, may need to recreate volumes" \
    "" \
    "${BLUE}💡 Only proceed if you understand these implications!${NC}" \
    ""
}
# Refuse to continue unless openssl is installed
check_requirements

# Spell out the blast radius before asking for any confirmation
show_warnings

# An existing secrets.md is only replaced after an explicit yes, and the old
# file is kept as secrets.md.backup so the previous values stay recoverable.
if [[ -f "secrets.md" ]]; then
  printf '%b\n' "${YELLOW}⚠️ WARNING: secrets.md already exists!${NC}"
  read -p "Do you want to overwrite it? (y/N): " -n 1 -r
  echo
  case "$REPLY" in
    [Yy]) ;;
    *)
      printf '%b\n' "${RED}❌ Cancelled by user${NC}"
      exit 1
      ;;
  esac
  printf '%b\n' "${YELLOW}📝 Backing up existing secrets.md to secrets.md.backup${NC}"
  cp secrets.md secrets.md.backup
fi

# Second gate: the literal word YES is required; a bare "y" is not enough.
printf '%b\n' \
  "${RED}🔥 FINAL CONFIRMATION 🔥${NC}" \
  "${RED}Are you absolutely sure you want to generate NEW secrets?${NC}" \
  "${YELLOW}This will require updating CI vault and may cause data loss!${NC}"
read -p "Type 'YES' to confirm: " -r
echo
if [[ "$REPLY" != "YES" ]]; then
  printf '%b\n' "${RED}❌ Cancelled - must type 'YES' to confirm${NC}"
  exit 1
fi

printf '%b\n' "${GREEN}🔄 Generating fresh secrets...${NC}"
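#######################################
# Emit a random secret as base64 text, drawn from openssl's CSPRNG.
# Arguments: $1 - number of random bytes to encode (optional; default 48,
#                 which yields a 64-character base64 string)
# Outputs:   the base64 secret followed by a newline, on stdout
# Returns:   openssl's exit status; non-zero aborts the script under set -e
#######################################
generate_base64_secret() {
  local bytes=${1:-48}
  openssl rand -base64 "$bytes"
}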
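#######################################
# Emit a freshly generated RSA private key in PEM form.
# Arguments: $1 - key size in bits (optional; default 2048)
# Outputs:   the PEM-encoded private key on stdout. openssl's progress
#            chatter on stderr is discarded, so the exit status is the only
#            failure signal: call this directly (never inside echo "$(...)")
#            so a failure aborts the script under set -e instead of writing
#            an empty key.
# Returns:   openssl's exit status
#######################################
generate_rsa_key() {
  local bits=${1:-2048}
  openssl genrsa "$bits" 2>/dev/null
}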
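printf '%b\n' "${BLUE}📝 Creating secrets.md file...${NC}"

# The SMTP password is not generated here (the mail provider owns it) and it
# must not live in this script: a credential committed next to the generator
# defeats the "never commit secrets.md" rule. Take it from the environment
# and stop with a clear message before anything is written when it is absent.
: "${NOTIFIER_SMTP_PASSWORD:?set NOTIFIER_SMTP_PASSWORD (the SMTP account password) in the environment before running this script}"

#######################################
# Write one markdown section of secrets.md: a "### NAME" heading, a
# one-line description and the value inside a fenced block.
# Arguments: $1    - secret name, used as the heading
#            $2    - description line
#            $3... - command whose stdout is the value. It is run directly,
#                    not as echo "$(...)", so a failing generator aborts the
#                    script under set -e instead of silently writing an
#                    empty value into the file.
# Outputs:   the section on stdout, terminated by a blank line
#######################################
write_secret_section() {
  local name=$1 description=$2
  shift 2
  printf '### %s\n%s\n```\n' "$name" "$description"
  "$@"
  printf '```\n\n'
}

# Prints its single argument followed by a newline; lets a fixed value go
# through write_secret_section like a generated one.
emit_value() {
  printf '%s\n' "$1"
}

# Assemble the whole file through a single redirection, inside a subshell
# with a restrictive umask so secrets.md is never world-readable, not even
# between the first and the last write.
(
  umask 077
  {
    printf '# Authelia Production Secrets\n\n'
    printf '**DO NOT COMMIT THIS FILE TO VERSION CONTROL**\n\n'

    printf '## Core Secrets\n\n'
    write_secret_section AUTHENTICATION_BACKEND_LDAP_PASSWORD \
      'LDAP authentication backend password' generate_base64_secret
    write_secret_section IDENTITY_VALIDATION_RESET_PASSWORD_JWT_SECRET \
      'JWT secret for password reset tokens' generate_base64_secret
    write_secret_section STORAGE_ENCRYPTION_KEY \
      'Database encryption key' generate_base64_secret
    write_secret_section SESSION_SECRET \
      'Session encryption secret' generate_base64_secret
    write_secret_section NOTIFIER_SMTP_PASSWORD \
      'SMTP email notifications password' emit_value "$NOTIFIER_SMTP_PASSWORD"

    printf '## OIDC Secrets\n\n'
    write_secret_section IDENTITY_PROVIDERS_OIDC_HMAC_SECRET \
      'OIDC HMAC signing secret' generate_base64_secret
    write_secret_section IDENTITY_PROVIDERS_OIDC_ISSUER_PRIVATE_KEY \
      'OIDC token signing private key' generate_rsa_key
    write_secret_section IDENTITY_PROVIDERS_OIDC_JWKS_KEY \
      'OIDC JWKS validation key' generate_rsa_key

    printf '## Client Secrets\n\n'
    write_secret_section CLIENT_SECRET_HEADSCALE \
      'Headscale VPN OIDC client secret' generate_base64_secret
    write_secret_section CLIENT_SECRET_HEADADMIN \
      'Headscale admin panel OIDC client secret' generate_base64_secret
  } > secrets.md
)

printf '%b\n' "${GREEN}✅ Fresh secrets.md file generated successfully!${NC}"
echo ""
printf '%b\n' \
  "${RED}🚨 CRITICAL NEXT STEPS - DO NOT SKIP! 🚨${NC}" \
  "${RED}=====================================${NC}" \
  "${YELLOW}1. 🗄️ UPDATE WOODPECKER CI VAULT:${NC}" \
  " - Go to your Woodpecker CI secrets management" \
  " - Update ALL 10 secret values with the new values from secrets.md" \
  " - Double-check each secret is correctly copied" \
  "" \
  "${YELLOW}2. 🚀 TRIGGER DEPLOYMENT:${NC}" \
  " - Commit any changes: git add . && git commit -m 'rotate secrets'" \
  " - Push to trigger CI/CD: git push" \
  " - Monitor the deployment logs for successful startup" \
  "" \
  "${YELLOW}3. 🔍 VERIFY DEPLOYMENT:${NC}" \
  " - Check service logs: ssh macmini7 'docker service logs authelia_authelia'" \
  " - Test authentication functionality" \
  " - Verify OIDC clients can authenticate" \
  "" \
  "${YELLOW}4. 💾 IF STORAGE_ENCRYPTION_KEY CHANGED:${NC}" \
  " - Existing encrypted data will be unreadable" \
  " - May need to recreate database volumes" \
  " - Users may need to re-register/re-authenticate" \
  "" \
  "${RED}⚠️ Remember: Keep secrets.md secure and never commit it to version control!${NC}"

# Summary of what was written (values themselves are never printed)
echo ""
printf '%b\n' "${BLUE}📊 Generated secrets summary:${NC}"
printf '%s\n' \
  "• AUTHENTICATION_BACKEND_LDAP_PASSWORD (Base64)" \
  "• IDENTITY_VALIDATION_RESET_PASSWORD_JWT_SECRET (Base64)" \
  "• STORAGE_ENCRYPTION_KEY (Base64) ⚠️ May require volume recreation" \
  "• SESSION_SECRET (Base64) ⚠️ Will invalidate all user sessions" \
  "• NOTIFIER_SMTP_PASSWORD (copied from the NOTIFIER_SMTP_PASSWORD environment variable, not rotated)" \
  "• IDENTITY_PROVIDERS_OIDC_HMAC_SECRET (Base64)" \
  "• IDENTITY_PROVIDERS_OIDC_ISSUER_PRIVATE_KEY (RSA 2048-bit)" \
  "• IDENTITY_PROVIDERS_OIDC_JWKS_KEY (RSA 2048-bit)" \
  "• CLIENT_SECRET_HEADSCALE (Base64) ⚠️ Will invalidate Headscale tokens" \
  "• CLIENT_SECRET_HEADADMIN (Base64) ⚠️ Will invalidate Headadmin tokens"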