fix(#16): Secrets-Management für Unraid implementiert
This commit is contained in:
parent
bbeea75b00
commit
1f831a6edc
3 changed files with 72 additions and 1 deletions
|
|
@ -12,7 +12,8 @@
|
||||||
"db:seed": "node src/db/seed.js",
|
"db:seed": "node src/db/seed.js",
|
||||||
"db:migrate": "node migrations/runner.js --run",
|
"db:migrate": "node migrations/runner.js --run",
|
||||||
"test:smoke": "node scripts/smoke-test.mjs",
|
"test:smoke": "node scripts/smoke-test.mjs",
|
||||||
"test:integration": "node scripts/integration-test.mjs"
|
"test:integration": "node scripts/integration-test.mjs",
|
||||||
|
"preflight": "node ../scripts/preflight-check.js"
|
||||||
},
|
},
|
||||||
"keywords": [],
|
"keywords": [],
|
||||||
"author": "",
|
"author": "",
|
||||||
|
|
|
||||||
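--- /dev/null
+++ b/docs/secrets-strategy.md
@@ -0,0 +1,35 @@
+# Secrets-Management für Unraid
+
+## Ziel
+
+Für produktiven Betrieb dürfen DB/JWT/Encryption Secrets nicht im Klartext in Compose/Docs landen.
+
+## Strategie
+
+1. **Env-File-Strategie**: Secrets werden via `.env`-Datei geladen.
+2. **Unraid Secret Mount**: Secrets werden über Unraid's Secret-Mounting Mechanismus bereitgestellt.
+3. **Preflight-Check**: Vor dem Start wird geprüft, ob alle Pflicht-Secrets vorhanden sind.
+
+## Dokumentation
+
+- `.env.example` enthält Platzhalter für alle Secrets.
+- Die `.env`-Datei wird nicht im Repository getrackt.
+- Secrets werden in Unraid via Secret-Mounting bereitgestellt.
+
+## Beispiel-Template
+
+```bash
+# .env.example
+PORT=3000
+DB_HOST=80.74.142.125
+DB_PORT=3306
+DB_NAME=helpyourneighbour
+DB_USER=helpyourneighbour
+DB_PASSWORD=change-me
+JWT_SECRET=change-me-super-secret
+DATA_ENCRYPTION_KEY=base64-32-byte-key
+```
+
+## Preflight-Check
+
+Beim Start des Backends wird geprüft, ob alle Pflicht-Secrets vorhanden sind. Falls nicht, wird mit einer verständlichen Meldung abgebrochen.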
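--- /dev/null
+++ b/scripts/preflight-check.js
@@ -0,0 +1,35 @@
+const fs = require('fs');
+const path = require('path');
+
+// Load .env file
+const envPath = path.join(__dirname, '../backend/.env');
+if (!fs.existsSync(envPath)) {
+  console.error('Fehler: .env Datei nicht gefunden.');
+  process.exit(1);
+}
+
+const envContent = fs.readFileSync(envPath, 'utf8');
+const envVars = {};
+envContent.split('\n').forEach(line => {
+  if (line.trim() && !line.startsWith('#')) {
+    const [key, value] = line.split('=');
+    envVars[key.trim()] = value ? value.trim() : '';
+  }
+});
+
+// Check required secrets
+const requiredSecrets = ['DB_PASSWORD', 'JWT_SECRET', 'DATA_ENCRYPTION_KEY'];
+let allPresent = true;
+
+requiredSecrets.forEach(secret => {
+  if (!envVars[secret] || envVars[secret] === 'change-me' || envVars[secret] === '') {
+    console.error(`Fehler: Pflicht-Secret '${secret}' nicht gesetzt oder auf 'change-me' gesetzt.`);
+    allPresent = false;
+  }
+});
+
+if (!allPresent) {
+  process.exit(1);
+}
+
+console.log('Alle Pflicht-Secrets sind vorhanden.');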
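Review bot: Copying `.env.example` to `.env` unchanged passes this check for two of the three required secrets, because the placeholder test `envVars[secret] === 'change-me'` matches only the literal `change-me`, while the documented example values are `change-me-super-secret` and `base64-32-byte-key`. The parser at `const [key, value] = line.split('=')` also keeps only the text before the first `=`, so a base64-encoded DATA_ENCRYPTION_KEY loses its `=` padding and any value containing `=` is silently truncated; splitting on the first `=` only avoids that. Keeping the known placeholder values in one list next to `requiredSecrets` lets the check reject them explicitly rather than relying on a single exact string. Presumably secrets delivered through the Unraid secret mount arrive as process environment variables rather than a `backend/.env` file; if so, the script could fall back to `process.env` instead of exiting when the file is absent — worth confirming against the deployment.
```javascript
// … unchanged: require() calls, .env existence check, readFileSync …
envContent.split('\n').forEach(line => {
  const trimmed = line.trim();
  if (!trimmed || trimmed.startsWith('#')) return;
  // Split on the first '=' only: base64 keys end in '=' padding and would be cut off by split('=')
  const eq = trimmed.indexOf('=');
  if (eq === -1) return;
  envVars[trimmed.slice(0, eq).trim()] = trimmed.slice(eq + 1).trim();
});

// Every placeholder shipped in .env.example must be rejected, not just the literal 'change-me'
const PLACEHOLDER_VALUES = new Set(['change-me', 'change-me-super-secret', 'base64-32-byte-key']);
const requiredSecrets = ['DB_PASSWORD', 'JWT_SECRET', 'DATA_ENCRYPTION_KEY'];
let allPresent = true;

requiredSecrets.forEach(secret => {
  const value = envVars[secret] ?? '';
  if (value === '' || PLACEHOLDER_VALUES.has(value)) {
    console.error(`Fehler: Pflicht-Secret '${secret}' nicht gesetzt oder auf Platzhalter-Wert gesetzt.`);
    allPresent = false;
  }
});
// … unchanged: exit on failure, success message …
```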