Refactor CI/CD setup: streamline Python package installations and add bcrypt hashing for email credentials

This commit is contained in:
2025-04-24 19:15:04 +02:00
parent 4b8ad821b4
commit 5253d4dd41
10 changed files with 69 additions and 17 deletions
+2 -4
View File
@@ -30,12 +30,10 @@ outputs:
runs: runs:
using: "composite" using: "composite"
steps: steps:
- name: Install Python and required packages - name: Install required python packages
shell: bash shell: bash
run: | run: |
sudo apt-get update python3 -m pip install -r requirements/ansible.txt
sudo apt-get install -y python3-pip
python3 -m pip install -r requirements.txt
- name: Prepare SSH key - name: Prepare SSH key
shell: bash shell: bash
+6
View File
@@ -17,3 +17,9 @@ runs:
- name: Setup Sectool - name: Setup Sectool
uses: a13labs/setup-sectool@v1 uses: a13labs/setup-sectool@v1
- name: Install Python and required packages
shell: bash
run: |
sudo apt-get update
sudo apt-get install -y python3-pip
@@ -8,3 +8,8 @@ runs:
uses: hashicorp/setup-terraform@v1 uses: hashicorp/setup-terraform@v1
with: with:
terraform_version: 1.10.5 terraform_version: 1.10.5
- name: Install required python packages
shell: bash
run: |
python3 -m pip install -r requirements/terraform.txt
+27
View File
@@ -0,0 +1,27 @@
import sys
import json
import bcrypt
import binascii
# Read input JSON from stdin
input_data = json.load(sys.stdin)
password = input_data.get("password")
cost = int(input_data.get("cost", "10")) # Default cost 10
if not password:
print(json.dumps({"error": "Password is required"}), file=sys.stderr)
sys.exit(1)
# Generate bcrypt hash
hashed_bytes = bcrypt.hashpw(password.encode('utf-8'), bcrypt.gensalt(rounds=cost))
hashed_string = hashed_bytes.decode('utf-8')
# Hex encode for Glauth
hex_encoded_hash = binascii.hexlify(hashed_string.encode('utf-8')).decode('utf-8')
# Output JSON to stdout
output_data = {
"bcrypt_hash": hashed_string,
"hex_encoded_bcrypt_hash": hex_encoded_hash
}
print(json.dumps(output_data))
+1
View File
@@ -0,0 +1 @@
bcrypt
-1
View File
@@ -1 +0,0 @@
../../repository.vault
+24 -8
View File
@@ -1,9 +1,10 @@
locals { locals {
mail_path = "${local.persistent_folder}/mail" mail_path = "${local.persistent_folder}/mail"
mailboxes_path = "${local.mail_path}/mailboxes" mailboxes_path = "${local.mail_path}/mailboxes"
getmail_path = "${local.mail_path}/getmail" getmail_path = "${local.mail_path}/getmail"
postfix_path = "${local.mail_path}/postfix" postfix_path = "${local.mail_path}/postfix"
mail_backup_path = "${local.persistent_folder}/backup.mail" mail_backup_path = "${local.persistent_folder}/backup.mail"
email_domain_name = "alexpires.me"
email_accounts = [ email_accounts = [
{ {
@@ -44,7 +45,8 @@ locals {
# Email configuration # Email configuration
SMTP_HOST = local.scaleway_smtp_host SMTP_HOST = local.scaleway_smtp_host
SMTP_PORT = 465 SMTP_PORT = 465
MY_DESTINATION = "alexpires.me" MY_PRIMARY_DOMAIN = local.email_domain_name
MY_DESTINATION = join(",", [for account in local.email_accounts : account.domain])
MY_NETWORKS = "127.0.0.0/8" MY_NETWORKS = "127.0.0.0/8"
MAILNAME = "smtp.alexpires.me" MAILNAME = "smtp.alexpires.me"
DOVECOT_AUTH_ADDRESS = "dovecot-auth.mail.svc.cluster.local" DOVECOT_AUTH_ADDRESS = "dovecot-auth.mail.svc.cluster.local"
@@ -54,6 +56,10 @@ locals {
LOG_TO_STDOUT = 1 LOG_TO_STDOUT = 1
} }
password_hashes = {
for account in local.email_accounts : account.username => data.external.password_hasher[account.username].result.hex_encoded_bcrypt_hash
}
postfix_secrets = { postfix_secrets = {
SMTP_USER = { SMTP_USER = {
key = "username" key = "username"
@@ -67,6 +73,16 @@ locals {
} }
} }
data "external" "password_hasher" {
for_each = { for account in local.email_accounts : account.username => account }
program = ["python3", "${path.module}/../../lib/bcrypt_hash.py"]
query = {
password = each.value.password
cost = "10"
}
}
resource "kubernetes_namespace" "mail" { resource "kubernetes_namespace" "mail" {
metadata { metadata {
annotations = { annotations = {
@@ -85,7 +101,7 @@ resource "kubernetes_secret" "dovecot_users" {
namespace = kubernetes_namespace.mail.metadata[0].name namespace = kubernetes_namespace.mail.metadata[0].name
} }
data = { data = {
"users" = join("\n", [for account in local.email_accounts : "${account.username}:{plain}${account.password}:1000:1000::/var/mail/${account.username}::"]) "users" = join("\n", [for account in local.email_accounts : "${account.username}:{BLF-CRYPT.HEX}${local.password_hashes[account.username]}:1000:1000::/var/mail/${account.username}::"])
} }
} }
@@ -419,7 +435,7 @@ resource "kubernetes_deployment" "dovecot" {
ignore_changes = [spec[0].template[0].metadata[0].annotations] ignore_changes = [spec[0].template[0].metadata[0].annotations]
replace_triggered_by = [ replace_triggered_by = [
kubernetes_config_map.dovecot_config, kubernetes_config_map.dovecot_config,
kubernetes_secret.dovecot_users, # kubernetes_secret.dovecot_users,
kubernetes_config_map.dovecot_sieve, kubernetes_config_map.dovecot_sieve,
] ]
} }
+4 -4
View File
@@ -25,9 +25,10 @@ if [ -z "$DOVECOT_AUTH_PORT" ]; then
fi fi
postconf -e "myhostname=$MAILNAME" postconf -e "myhostname=$MAILNAME"
postconf -e "mydomain=$MY_DESTINATION" postconf -e "mydomain=$MY_PRIMARY_DOMAIN"
postconf -e "myorigin=$MY_DESTINATION" postconf -e "myorigin=$MY_PRIMARY_DOMAIN"
postconf -e "smtpd_banner = \$myhostname ESMTP \$mail_name" postconf -e "smtpd_banner=\$myhostname ESMTP \$mail_name"
postconf -e "mydestination=$MY_DESTINATION"
# Relay configuration # Relay configuration
postconf -e "relayhost=[$SMTP_HOST]:$SMTP_PORT" postconf -e "relayhost=[$SMTP_HOST]:$SMTP_PORT"
@@ -47,7 +48,6 @@ postconf -e "smtpd_recipient_restrictions=permit_sasl_authenticated, reject"
postconf -e "smtpd_relay_restrictions=permit_sasl_authenticated, reject_unauth_destination" postconf -e "smtpd_relay_restrictions=permit_sasl_authenticated, reject_unauth_destination"
postconf -e "smtpd_sasl_authenticated_header=yes" postconf -e "smtpd_sasl_authenticated_header=yes"
postconf -e "smtpd_tls_wrappermode=yes" postconf -e "smtpd_tls_wrappermode=yes"
postconf -e "smtpd_sasl_local_domain=$MY_DESTINATION"
# TLS configuration # TLS configuration
postconf -e "smtpd_tls_cert_file=/etc/letsencrypt/tls.crt" postconf -e "smtpd_tls_cert_file=/etc/letsencrypt/tls.crt"