feat: provide .env file with matcher replace for config secrets

2024-05-30 15:12:12 +02:00 · 2024-05-30 15:12:12 +02:00 · 4c0af61306
parent dd73a3efb5
commit 4c0af61306
5 changed files with 43 additions and 14 deletions
--- a/.env.example
+++ b/.env.example
@ -0,0 +1,28 @@
+# FORGEJO
+
+## OAUTH2
+FORGEJO_OAUTH2_JWT_SECRET = ""
+
+## SECURITY
+FORGEJO_SECURITY_INTERNAL_TOKEN = ""
+FORGEJO_SECURITY_SECRET_KEY = ""
+
+## DB
+FORGEJO_DB_HOST = ""
+FORGEJO_DB_USER = ""
+FORGEJO_DB_NAME = ""
+FORGEJO_DB_PASSWD = ""
+
+## SERVER
+FORGEJO_SERVER_LFS_JWT_SECRET = ""
+
+# WIREGUARD
+
+## SERVER
+WIREGUARD_SERVER_PRIVATE_KEY = ""
+WIREGUARD_SERVER_PUBLIC_KEY = ""
+WIREGUARD_SERVER_LISTEN_PORT = ""
+
+## WIFI_FABLAB
+WIREGUARD_WIFI_FABLAB_PRIVATE_KEY = ""
+WIREGUARD_WIFI_FABLAB_PRIVATE_KEY = ""
--- a/.gitignore
+++ b/.gitignore
@ -0,0 +1 @@
+.env
--- a/forgejo/forgejo/app.ini
+++ b/forgejo/forgejo/app.ini
@ -7,22 +7,22 @@ WORK_PATH = /var/lib/forgejo
 DISABLE_REGULAR_ORG_CREATION = false

 [oauth2]
-JWT_SECRET = #! TODO use Secrets
+JWT_SECRET = {{ FORGEJO_OAUTH2_JWT_SECRET }}

 [security]
-INTERNAL_TOKEN = #! TODO use Secrets
+INTERNAL_TOKEN = {{ FORGEJO_SECURITY_INTERNAL_TOKEN }}
 INSTALL_LOCK = true
-SECRET_KEY = #! TODO use Secrets
+SECRET_KEY = {{ FORGEJO_SECURITY_SECRET_KEY }}
 PASSWORD_HASH_ALGO = pbkdf2
 # ajout de la ligne suivante dans le cadre de la création d'un git hook pour le projet portfolios (par habib)
 DISABLE_GIT_HOOKS = false

 [database]
 DB_TYPE = postgres
-HOST = #! TODO use Secrets
-NAME = #! TODO use Secrets
-USER = #! TODO use Secrets
-PASSWD = #! TODO use Secrets
+HOST = {{ FORGEJO_DB_HOST }}
+NAME = {{ FORGEJO_DB_NAME }}
+USER = {{ FORGEJO_DB_USER }}
+PASSWD = {{ FORGEJO_DB_PASSWD }}
 SCHEMA =
 SSL_MODE = disable
 CHARSET = utf8
@ -48,7 +48,7 @@ SSH_LISTEN_HOST = 0.0.0.0
 START_SSH_SERVER = true
 LFS_START_SERVER = true
 # LFS_CONTENT_PATH = /var/lib/forgejo/data/lfs
-LFS_JWT_SECRET = # TODO use Secrets
+LFS_JWT_SECRET = {{ FORGEJO_SERVER_LFS_JWT_SECRET }}
 OFFLINE_MODE = false

 [mailer]
--- a/wireguard/clients/wifi_fablab.conf
+++ b/wireguard/clients/wifi_fablab.conf
@ -1,11 +1,11 @@
 [Interface]
 Address = 10.0.0.2/24
-PrivateKey = #! TODO use Secrets
+PrivateKey = {{ WIREGUARD_WIFI_FABLAB_PRIVATE_KEY }}
 DNS = 208.67.222.222, 208.67.220.220
 MTU = 1420

 [Peer]
 AllowedIPs = 0.0.0.0/1, 128.0.0.0/1, ::/1, 8000::/1 # Don't intercept local traffic
-Endpoint = cohabit.fr:#! TODO use Secrets
+Endpoint = cohabit.fr:{{ WIREGUARD_SERVER_LISTEN_PORT }}
 PersistentKeepalive = 25
-PublicKey = #! TODO use Secrets
+PublicKey = {{ WIREGUARD_SERVER_PUBLIC_KEY }}
--- a/wireguard/server/wg0.conf
+++ b/wireguard/server/wg0.conf
@ -1,13 +1,13 @@
 [Interface]
-PrivateKey = #! TODO use Secrets
+PrivateKey = {{ WIREGUARD_SERVER_PRIVATE_KEY }}
 Address = 10.0.0.1/24
 MTU = 1420
-ListenPort = #! TODO use Secrets
+ListenPort = {{ WIREGUARD_SERVER_LISTEN_PORT }}
 PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eno1 -j MASQUERADE
 PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eno1 -j MASQUERADE

 ### Wifi Fablab ###
 [Peer]
-PublicKey = #! TODO use Secrets
+PublicKey = {{ WIREGUARD_WIFI_FABLAB_PUBLIC_KEY }}
 AllowedIPs = 10.0.0.2/32
 ###################