mirror of
https://github.com/terraphim/gitea-infrastructure.git
synced 2026-07-16 00:00:32 +02:00
security: redact credentials and remove corporate hostname/vault references
- README: replace zesticai-non-prod vault name and bigbox hostname with generic placeholders; replace hardcoded Tailscale IP with descriptive text - deploy-to-bigbox.sh: make BIGBOX and TAILSCALE_IP configurable via env vars (auto-detect via tailscale ip -4); replace op_zesticai_non_prod.sh with op_credentials.sh - Caddyfile: remove bigbox hostname from comment - RESEARCH doc: remove hardcoded S3 access key and secret key values from the secrets table; replace with generic op:// reference format - docker-compose_kitchen_sink.yml: replace hardcoded S3 credentials with CHANGE_ME placeholders Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
@@ -231,12 +231,12 @@ Internet ──▶ Caddy (:443/:80)
|
||||
### 1Password Secrets Required
|
||||
Based on current configuration, the following secrets must exist in 1Password:
|
||||
|
||||
| Secret | Purpose | Current Hardcoded Value |
|
||||
|--------|---------|------------------------|
|
||||
| `op://zesticai-non-prod/gitea-postgres/password` | PostgreSQL password | gitea |
|
||||
| `op://zesticai-non-prod/gitea-s3/access-key` | S3 access key | REDACTED_S3_ACCESS_KEY |
|
||||
| `op://zesticai-non-prod/gitea-s3/secret-key` | S3 secret key | REDACTED_S3_SECRET_KEY |
|
||||
| `op://zesticai-non-prod/gitea-jwt/secret` | Gitea JWT secret | (not currently set) |
|
||||
| Secret | Purpose |
|
||||
|--------|---------|
|
||||
| `op://your-vault/gitea-postgres/password` | PostgreSQL password |
|
||||
| `op://your-vault/gitea-s3/access-key` | S3 access key |
|
||||
| `op://your-vault/gitea-s3/secret-key` | S3 secret key |
|
||||
| `op://your-vault/gitea-jwt/secret` | Gitea JWT secret |
|
||||
|
||||
### Caddy Configuration Requirements
|
||||
```caddyfile
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
# Caddyfile for gitea-stack on bigbox
|
||||
# This adds Gitea to the existing Caddy instance on bigbox
|
||||
# Caddyfile for gitea-stack
|
||||
# This adds Gitea to the existing Caddy instance on your server
|
||||
# Copy this snippet to the existing Caddy configuration at /etc/caddy/Caddyfile
|
||||
# or use 'caddy reload' to add this route to the running Caddy instance
|
||||
|
||||
|
||||
@@ -15,21 +15,21 @@ Self-hosted Git infrastructure with S3-compatible storage, monitoring, and prope
|
||||
|
||||
### Prerequisites
|
||||
|
||||
1. **1Password Vault Items** - Create in `zesticai-non-prod` vault:
|
||||
1. **1Password Vault Items** - Create in your 1Password vault:
|
||||
```bash
|
||||
op item create --vault="zesticai-non-prod" --category=login \
|
||||
op item create --vault="your-vault" --category=login \
|
||||
--title="gitea-postgres" --generate-password=20 username=gitea
|
||||
|
||||
op item create --vault="zesticai-non-prod" --category=custom \
|
||||
op item create --vault="your-vault" --category=custom \
|
||||
--title="gitea-s3" access-key="$(openssl rand -hex 20)" \
|
||||
secret-key="$(openssl rand -hex 40)"
|
||||
```
|
||||
|
||||
2. **SSH Access** - Ensure `ssh bigbox` works
|
||||
2. **SSH Access** - Ensure `ssh your-server` works
|
||||
|
||||
3. **1Password Service Account** - `~/op_zesticai_non_prod.sh` on bigbox
|
||||
3. **1Password Service Account** - `~/op_credentials.sh` on your server (sets `OP_SERVICE_ACCOUNT_TOKEN`)
|
||||
|
||||
### Deploy to Bigbox
|
||||
### Deploy
|
||||
|
||||
```bash
|
||||
./deploy-to-bigbox.sh
|
||||
@@ -41,11 +41,11 @@ After deployment:
|
||||
|
||||
**Public (via HTTPS on terraphim.cloud):**
|
||||
- **Gitea Web**: https://git.terraphim.cloud
|
||||
- **Gitea SSH**: ssh://bigbox:222
|
||||
- **Gitea SSH**: ssh://your-server:222
|
||||
|
||||
**Tailscale Network Only (100.106.66.7):**
|
||||
- **Prometheus**: http://100.106.66.7:9000
|
||||
- **S3 API**: http://100.106.66.7:8333
|
||||
**Tailscale Network Only (your Tailscale node IP):**
|
||||
- **Prometheus**: http://<tailscale-ip>:9000
|
||||
- **S3 API**: http://<tailscale-ip>:8333
|
||||
|
||||
*Note: Prometheus and S3 are only accessible within the Tailscale VPN network, not from the public internet.*
|
||||
|
||||
|
||||
+22
-22
@@ -1,21 +1,21 @@
|
||||
#!/bin/bash
|
||||
#
|
||||
# Deploy Gitea Stack to Bigbox with 1Password Secrets Management
|
||||
# Deploy Gitea Stack with 1Password Secrets Management
|
||||
#
|
||||
# Prerequisites:
|
||||
# - SSH access to bigbox configured
|
||||
# - 1Password CLI installed locally and on bigbox
|
||||
# - op_zesticai_non_prod.sh exists on bigbox with valid service account token
|
||||
# - SSH access to target server configured (BIGBOX env var or "your-server" alias)
|
||||
# - 1Password CLI installed locally and on the server
|
||||
# - op_credentials.sh exists on the server (sets OP_SERVICE_ACCOUNT_TOKEN)
|
||||
# - 1Password vault items created (gitea-postgres, gitea-s3)
|
||||
# - Caddy already running on bigbox
|
||||
# - Caddy already running on the server
|
||||
#
|
||||
# Network Configuration:
|
||||
# - Gitea: Public via Caddy (git.terraphim.cloud) -> localhost:3000
|
||||
# - Prometheus: Tailscale only (100.106.66.7:9000)
|
||||
# - S3: Tailscale only (100.106.66.7:8333)
|
||||
# - Prometheus: Tailscale only (TAILSCALE_IP:9000)
|
||||
# - S3: Tailscale only (TAILSCALE_IP:8333)
|
||||
#
|
||||
# Usage:
|
||||
# ./deploy-to-bigbox.sh
|
||||
# BIGBOX=your-server TAILSCALE_IP=$(tailscale ip -4) ./deploy-to-bigbox.sh
|
||||
#
|
||||
|
||||
set -euo pipefail
|
||||
@@ -27,11 +27,11 @@ YELLOW='\033[1;33m'
|
||||
NC='\033[0m' # No Color
|
||||
|
||||
# Configuration
|
||||
BIGBOX="bigbox"
|
||||
BIGBOX="${BIGBOX:-your-server}"
|
||||
REMOTE_DIR="~/gitea-stack"
|
||||
TAILSCALE_IP="100.106.66.7"
|
||||
TAILSCALE_IP="${TAILSCALE_IP:-$(tailscale ip -4 2>/dev/null || echo 'SET_TAILSCALE_IP')}"
|
||||
|
||||
echo -e "${GREEN}=== Gitea Stack Deployment to Bigbox ===${NC}"
|
||||
echo -e "${GREEN}=== Gitea Stack Deployment to ${BIGBOX} ===${NC}"
|
||||
echo ""
|
||||
|
||||
# Step 1: Verify local prerequisites
|
||||
@@ -49,8 +49,8 @@ fi
|
||||
echo -e "${GREEN}✓ Local prerequisites verified${NC}"
|
||||
echo ""
|
||||
|
||||
# Step 2: Verify bigbox prerequisites
|
||||
echo -e "${YELLOW}Step 2: Verifying bigbox prerequisites...${NC}"
|
||||
# Step 2: Verify server prerequisites
|
||||
echo -e "${YELLOW}Step 2: Verifying server prerequisites...${NC}"
|
||||
ssh "$BIGBOX" << 'CHECKSCRIPT'
|
||||
set -e
|
||||
|
||||
@@ -73,13 +73,13 @@ ssh "$BIGBOX" << 'CHECKSCRIPT'
|
||||
fi
|
||||
|
||||
# Check service account script
|
||||
if [ ! -f "$HOME/op_zesticai_non_prod.sh" ]; then
|
||||
echo "Error: op_zesticai_non_prod.sh not found in home directory"
|
||||
if [ ! -f "$HOME/op_credentials.sh" ]; then
|
||||
echo "Error: op_credentials.sh not found in home directory"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
# Test 1Password authentication
|
||||
source "$HOME/op_zesticai_non_prod.sh"
|
||||
source "$HOME/op_credentials.sh"
|
||||
if ! op vault list &> /dev/null; then
|
||||
echo "Error: 1Password authentication failed"
|
||||
exit 1
|
||||
@@ -100,11 +100,11 @@ ssh "$BIGBOX" << 'CHECKSCRIPT'
|
||||
echo "All prerequisites verified"
|
||||
CHECKSCRIPT
|
||||
|
||||
echo -e "${GREEN}✓ Bigbox prerequisites verified${NC}"
|
||||
echo -e "${GREEN}✓ Server prerequisites verified${NC}"
|
||||
echo ""
|
||||
|
||||
# Step 3: Transfer files
|
||||
echo -e "${YELLOW}Step 3: Transferring files to bigbox...${NC}"
|
||||
echo -e "${YELLOW}Step 3: Transferring files to ${BIGBOX}...${NC}"
|
||||
ssh "$BIGBOX" "mkdir -p $REMOTE_DIR"
|
||||
|
||||
rsync -avz --progress \
|
||||
@@ -130,7 +130,7 @@ ssh "$BIGBOX" << DEPLOYSCRIPT
|
||||
cd $REMOTE_DIR
|
||||
|
||||
echo "Loading 1Password credentials..."
|
||||
source ~/op_zesticai_non_prod.sh
|
||||
source ~/op_credentials.sh
|
||||
|
||||
echo "Injecting secrets into docker-compose.yml..."
|
||||
op inject --in-file docker-compose.yml.template --out-file docker-compose.yml
|
||||
@@ -260,14 +260,14 @@ echo " - Prometheus: http://${TAILSCALE_IP}:9000"
|
||||
echo " - S3 API: http://${TAILSCALE_IP}:8333"
|
||||
echo ""
|
||||
echo "SSH Access:"
|
||||
echo " - Gitea SSH: ssh://bigbox:222"
|
||||
echo " - Gitea SSH: ssh://${BIGBOX}:222"
|
||||
echo ""
|
||||
echo "Note: Prometheus and S3 are NOT accessible from the public internet."
|
||||
echo " Connect via Tailscale first: tailscale up"
|
||||
echo ""
|
||||
echo "Next steps:"
|
||||
echo " 1. Ensure DNS points git.terraphim.cloud to bigbox"
|
||||
echo " 1. Ensure DNS points git.terraphim.cloud to ${BIGBOX}"
|
||||
echo " 2. Access Gitea at https://git.terraphim.cloud to complete setup"
|
||||
echo " 3. Change default admin password after first login"
|
||||
echo " 4. Review Caddy logs: ssh bigbox 'sudo tail -f /var/log/caddy/gitea-access.log'"
|
||||
echo " 4. Review Caddy logs: ssh ${BIGBOX} 'sudo tail -f /var/log/caddy/gitea-access.log'"
|
||||
echo ""
|
||||
|
||||
@@ -20,8 +20,8 @@ services:
|
||||
- GITEA__repository__LFS_START_SERVER=true
|
||||
- GITEA__repository__LFS_CONTENT_PATH=/data/lfs
|
||||
- GITEA__storage__type=minio
|
||||
- GITEA__storage__MINIO_ACCESS_KEY_ID=REDACTED_S3_ACCESS_KEY
|
||||
- GITEA__storage__MINIO_SECRET_ACCESS_KEY=REDACTED_S3_SECRET_KEY
|
||||
- GITEA__storage__MINIO_ACCESS_KEY_ID=CHANGE_ME_S3_ACCESS_KEY
|
||||
- GITEA__storage__MINIO_SECRET_ACCESS_KEY=CHANGE_ME_S3_SECRET_KEY
|
||||
- GITEA__storage__MINIO_BUCKET=gitea
|
||||
- GITEA__storage__MINIO_LOCATION=us-east-1
|
||||
- GITEA__storage__MINIO_ENDPOINT=http://s3:8333
|
||||
@@ -120,8 +120,8 @@ services:
|
||||
restart: on-failure
|
||||
environment:
|
||||
S3_BUCKET_NAME: gitea
|
||||
AWS_ACCESS_KEY_ID: "REDACTED_S3_ACCESS_KEY"
|
||||
AWS_SECRET_ACCESS_KEY: "REDACTED_S3_SECRET_KEY"
|
||||
AWS_ACCESS_KEY_ID: "CHANGE_ME_S3_ACCESS_KEY"
|
||||
AWS_SECRET_ACCESS_KEY: "CHANGE_ME_S3_SECRET_KEY"
|
||||
AWS_SIGS_VERSION: 4
|
||||
S3_SERVER: s3
|
||||
S3_SERVER_PORT: 8333
|
||||
|
||||
Reference in New Issue
Block a user