Refactor CI/CD setup: streamline Python package installations and add bcrypt hashing for email credentials
This commit is contained in:
@@ -30,12 +30,10 @@ outputs:
|
|||||||
runs:
|
runs:
|
||||||
using: "composite"
|
using: "composite"
|
||||||
steps:
|
steps:
|
||||||
- name: Install Python and required packages
|
- name: Install required python packages
|
||||||
shell: bash
|
shell: bash
|
||||||
run: |
|
run: |
|
||||||
sudo apt-get update
|
python3 -m pip install -r requirements/ansible.txt
|
||||||
sudo apt-get install -y python3-pip
|
|
||||||
python3 -m pip install -r requirements.txt
|
|
||||||
|
|
||||||
- name: Prepare SSH key
|
- name: Prepare SSH key
|
||||||
shell: bash
|
shell: bash
|
||||||
|
|||||||
@@ -17,3 +17,9 @@ runs:
|
|||||||
|
|
||||||
- name: Setup Sectool
|
- name: Setup Sectool
|
||||||
uses: a13labs/setup-sectool@v1
|
uses: a13labs/setup-sectool@v1
|
||||||
|
|
||||||
|
- name: Install Python and required packages
|
||||||
|
shell: bash
|
||||||
|
run: |
|
||||||
|
sudo apt-get update
|
||||||
|
sudo apt-get install -y python3-pip
|
||||||
|
|||||||
@@ -8,3 +8,8 @@ runs:
|
|||||||
uses: hashicorp/setup-terraform@v1
|
uses: hashicorp/setup-terraform@v1
|
||||||
with:
|
with:
|
||||||
terraform_version: 1.10.5
|
terraform_version: 1.10.5
|
||||||
|
|
||||||
|
- name: Install required python packages
|
||||||
|
shell: bash
|
||||||
|
run: |
|
||||||
|
python3 -m pip install -r requirements/terraform.txt
|
||||||
|
|||||||
@@ -0,0 +1,27 @@
|
|||||||
|
import sys
|
||||||
|
import json
|
||||||
|
import bcrypt
|
||||||
|
import binascii
|
||||||
|
|
||||||
|
# Read input JSON from stdin
|
||||||
|
input_data = json.load(sys.stdin)
|
||||||
|
password = input_data.get("password")
|
||||||
|
cost = int(input_data.get("cost", "10")) # Default cost 10
|
||||||
|
|
||||||
|
if not password:
|
||||||
|
print(json.dumps({"error": "Password is required"}), file=sys.stderr)
|
||||||
|
sys.exit(1)
|
||||||
|
|
||||||
|
# Generate bcrypt hash
|
||||||
|
hashed_bytes = bcrypt.hashpw(password.encode('utf-8'), bcrypt.gensalt(rounds=cost))
|
||||||
|
hashed_string = hashed_bytes.decode('utf-8')
|
||||||
|
|
||||||
|
# Hex encode for Glauth
|
||||||
|
hex_encoded_hash = binascii.hexlify(hashed_string.encode('utf-8')).decode('utf-8')
|
||||||
|
|
||||||
|
# Output JSON to stdout
|
||||||
|
output_data = {
|
||||||
|
"bcrypt_hash": hashed_string,
|
||||||
|
"hex_encoded_bcrypt_hash": hex_encoded_hash
|
||||||
|
}
|
||||||
|
print(json.dumps(output_data))
|
||||||
@@ -0,0 +1 @@
|
|||||||
|
bcrypt
|
||||||
@@ -1 +0,0 @@
|
|||||||
../../repository.vault
|
|
||||||
@@ -4,6 +4,7 @@ locals {
|
|||||||
getmail_path = "${local.mail_path}/getmail"
|
getmail_path = "${local.mail_path}/getmail"
|
||||||
postfix_path = "${local.mail_path}/postfix"
|
postfix_path = "${local.mail_path}/postfix"
|
||||||
mail_backup_path = "${local.persistent_folder}/backup.mail"
|
mail_backup_path = "${local.persistent_folder}/backup.mail"
|
||||||
|
email_domain_name = "alexpires.me"
|
||||||
|
|
||||||
email_accounts = [
|
email_accounts = [
|
||||||
{
|
{
|
||||||
@@ -44,7 +45,8 @@ locals {
|
|||||||
# Email configuration
|
# Email configuration
|
||||||
SMTP_HOST = local.scaleway_smtp_host
|
SMTP_HOST = local.scaleway_smtp_host
|
||||||
SMTP_PORT = 465
|
SMTP_PORT = 465
|
||||||
MY_DESTINATION = "alexpires.me"
|
MY_PRIMARY_DOMAIN = local.email_domain_name
|
||||||
|
MY_DESTINATION = join(",", [for account in local.email_accounts : account.domain])
|
||||||
MY_NETWORKS = "127.0.0.0/8"
|
MY_NETWORKS = "127.0.0.0/8"
|
||||||
MAILNAME = "smtp.alexpires.me"
|
MAILNAME = "smtp.alexpires.me"
|
||||||
DOVECOT_AUTH_ADDRESS = "dovecot-auth.mail.svc.cluster.local"
|
DOVECOT_AUTH_ADDRESS = "dovecot-auth.mail.svc.cluster.local"
|
||||||
@@ -54,6 +56,10 @@ locals {
|
|||||||
LOG_TO_STDOUT = 1
|
LOG_TO_STDOUT = 1
|
||||||
}
|
}
|
||||||
|
|
||||||
|
password_hashes = {
|
||||||
|
for account in local.email_accounts : account.username => data.external.password_hasher[account.username].result.hex_encoded_bcrypt_hash
|
||||||
|
}
|
||||||
|
|
||||||
postfix_secrets = {
|
postfix_secrets = {
|
||||||
SMTP_USER = {
|
SMTP_USER = {
|
||||||
key = "username"
|
key = "username"
|
||||||
@@ -67,6 +73,16 @@ locals {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
data "external" "password_hasher" {
|
||||||
|
for_each = { for account in local.email_accounts : account.username => account }
|
||||||
|
program = ["python3", "${path.module}/../../lib/bcrypt_hash.py"]
|
||||||
|
|
||||||
|
query = {
|
||||||
|
password = each.value.password
|
||||||
|
cost = "10"
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
resource "kubernetes_namespace" "mail" {
|
resource "kubernetes_namespace" "mail" {
|
||||||
metadata {
|
metadata {
|
||||||
annotations = {
|
annotations = {
|
||||||
@@ -85,7 +101,7 @@ resource "kubernetes_secret" "dovecot_users" {
|
|||||||
namespace = kubernetes_namespace.mail.metadata[0].name
|
namespace = kubernetes_namespace.mail.metadata[0].name
|
||||||
}
|
}
|
||||||
data = {
|
data = {
|
||||||
"users" = join("\n", [for account in local.email_accounts : "${account.username}:{plain}${account.password}:1000:1000::/var/mail/${account.username}::"])
|
"users" = join("\n", [for account in local.email_accounts : "${account.username}:{BLF-CRYPT.HEX}${local.password_hashes[account.username]}:1000:1000::/var/mail/${account.username}::"])
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -419,7 +435,7 @@ resource "kubernetes_deployment" "dovecot" {
|
|||||||
ignore_changes = [spec[0].template[0].metadata[0].annotations]
|
ignore_changes = [spec[0].template[0].metadata[0].annotations]
|
||||||
replace_triggered_by = [
|
replace_triggered_by = [
|
||||||
kubernetes_config_map.dovecot_config,
|
kubernetes_config_map.dovecot_config,
|
||||||
kubernetes_secret.dovecot_users,
|
# kubernetes_secret.dovecot_users,
|
||||||
kubernetes_config_map.dovecot_sieve,
|
kubernetes_config_map.dovecot_sieve,
|
||||||
]
|
]
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -25,9 +25,10 @@ if [ -z "$DOVECOT_AUTH_PORT" ]; then
|
|||||||
fi
|
fi
|
||||||
|
|
||||||
postconf -e "myhostname=$MAILNAME"
|
postconf -e "myhostname=$MAILNAME"
|
||||||
postconf -e "mydomain=$MY_DESTINATION"
|
postconf -e "mydomain=$MY_PRIMARY_DOMAIN"
|
||||||
postconf -e "myorigin=$MY_DESTINATION"
|
postconf -e "myorigin=$MY_PRIMARY_DOMAIN"
|
||||||
postconf -e "smtpd_banner=\$myhostname ESMTP \$mail_name"
|
postconf -e "smtpd_banner=\$myhostname ESMTP \$mail_name"
|
||||||
|
postconf -e "mydestination=$MY_DESTINATION"
|
||||||
|
|
||||||
# Relay configuration
|
# Relay configuration
|
||||||
postconf -e "relayhost=[$SMTP_HOST]:$SMTP_PORT"
|
postconf -e "relayhost=[$SMTP_HOST]:$SMTP_PORT"
|
||||||
@@ -47,7 +48,6 @@ postconf -e "smtpd_recipient_restrictions=permit_sasl_authenticated, reject"
|
|||||||
postconf -e "smtpd_relay_restrictions=permit_sasl_authenticated, reject_unauth_destination"
|
postconf -e "smtpd_relay_restrictions=permit_sasl_authenticated, reject_unauth_destination"
|
||||||
postconf -e "smtpd_sasl_authenticated_header=yes"
|
postconf -e "smtpd_sasl_authenticated_header=yes"
|
||||||
postconf -e "smtpd_tls_wrappermode=yes"
|
postconf -e "smtpd_tls_wrappermode=yes"
|
||||||
postconf -e "smtpd_sasl_local_domain=$MY_DESTINATION"
|
|
||||||
|
|
||||||
# TLS configuration
|
# TLS configuration
|
||||||
postconf -e "smtpd_tls_cert_file=/etc/letsencrypt/tls.crt"
|
postconf -e "smtpd_tls_cert_file=/etc/letsencrypt/tls.crt"
|
||||||
|
|||||||
Reference in New Issue
Block a user