# Secrets Management

Guide to managing secrets for the infrastructure stacks.

## Overview

Secrets are stored as files in a `secrets/` directory per stack and mounted into the containers as Docker secrets.

## Secrets Structure

```
infrastructure/
├── traefik/secrets/
│   └── acme_email.txt
├── gitea/secrets/
│   ├── postgres_password.txt
│   └── redis_password.txt
└── postgresql/secrets/
    └── postgres_password.txt
```

## Secrets Generation

### Password Generation

```bash
# Generate a strong password (32 random bytes, Base64-encoded).
# Between the redirect and the chmod the file briefly has the default mode;
# run `umask 077` first if other users have accounts on the host.
openssl rand -base64 32 > secrets/password.txt
chmod 600 secrets/password.txt
```

### E-Mail for Let's Encrypt

```bash
# Traefik ACME e-mail address
echo "your-email@example.com" > traefik/secrets/acme_email.txt
chmod 600 traefik/secrets/acme_email.txt
```

## Setup per Stack

### Traefik

```bash
cd traefik
echo "your-email@example.com" > secrets/acme_email.txt
chmod 600 secrets/acme_email.txt
```

### Gitea

```bash
cd gitea
openssl rand -base64 32 > secrets/postgres_password.txt
openssl rand -base64 32 > secrets/redis_password.txt
chmod 600 secrets/*.txt
```

### PostgreSQL

```bash
cd postgresql
openssl rand -base64 32 > secrets/postgres_password.txt
chmod 600 secrets/postgres_password.txt
```

## Security Guidelines

1. **Never commit:** secrets files are gitignored
2. **Secure permissions:** always `chmod 600` secrets files
3. **Rotation:** rotate passwords regularly (recommended: every 90 days)
4. **Backup:** keep secrets stored safely (encrypted)

## Secrets Rotation

### Changing a Password

1. Generate a new password
2. Update the password in the secrets file
3. Restart the stack: `docker compose restart`
4. Update the services that use the password

**Example (PostgreSQL):**

```bash
# Generate a new password and restrict it right away, otherwise the rotated
# file would keep the default (typically world-readable) mode after the mv
openssl rand -base64 32 > secrets/postgres_password.txt.new
chmod 600 secrets/postgres_password.txt.new

# Change the password in the database
# (expanded like this, the new password is visible in the host's process list
# while the command runs)
docker compose exec postgres psql -U postgres -c "ALTER USER postgres WITH PASSWORD '$(cat secrets/postgres_password.txt.new)';"

# Update the secrets file
mv secrets/postgres_password.txt.new secrets/postgres_password.txt

# Restart the stack
docker compose restart
```
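
The following script is an added example and not part of this repository; it turns the per-stack setup above and the rotation procedure into reusable functions. It assumes the `<stack>/secrets/<name>.txt` layout from this README, `openssl` in `PATH`, the `postgres` service name used in the rotation example, and Docker Compose's `--project-directory` option; run it from the `infrastructure/` directory. Compared with the one-liners above it closes two gaps: secret files are created under `umask 077` and renamed into place, so they are never readable by other users even briefly, and the new password reaches `psql` on stdin instead of the command line, so it does not show up in the host's process list or shell history. The audit function checks guideline 2 (mode 600) across all stacks.

```shell
#!/bin/sh
# Added example (not part of the project): bootstrap and rotate the file-based
# secrets in the <stack>/secrets/<name>.txt layout from this README.
# Assumptions: openssl in PATH; the Compose service is called "postgres" (as in
# the rotation example above); run from the infrastructure/ directory.
set -eu

# 32 random bytes, Base64-encoded, without the trailing newline openssl prints.
new_secret() {
    openssl rand -base64 32 | tr -d '\n'
}

# Write a secret atomically with mode 0600: the temp file is created next to
# the target under umask 077, so no intermediate state is group- or
# world-readable, and the final rename replaces the old file in one step.
write_secret_file() {
    path=$1
    value=$2
    dir=$(dirname "$path")
    mkdir -p "$dir"
    tmp=$(umask 077; mktemp "$dir/.secret.XXXXXX")
    printf '%s\n' "$value" > "$tmp"
    chmod 600 "$tmp"
    mv -f "$tmp" "$path"
}

# Create a secret only if it does not exist yet, so setup can be re-run safely.
ensure_secret() {
    path=$1
    if [ -e "$path" ]; then
        echo "keep    $path"
        return 0
    fi
    write_secret_file "$path" "$(new_secret)"
    echo "created $path"
}

# Rotate the PostgreSQL superuser password.
#   $1: secrets file, e.g. postgresql/secrets/postgres_password.txt
#   $2: command that runs psql and reads SQL from stdin
# The SQL is piped to psql, so the password is not in process arguments or
# shell history; the secrets file is replaced only after the database accepted
# the change. Base64 output contains no quote characters, so the literal is safe.
rotate_postgres_password() {
    secret_file=$1
    psql_cmd=$2
    new=$(new_secret)
    printf "ALTER USER postgres WITH PASSWORD '%s';\n" "$new" | $psql_cmd
    write_secret_file "$secret_file" "$new"
}

# Check that every file under <root>/*/secrets/ is mode 0600 (guideline 2).
# Lists offenders on stderr and returns 1 if any were found.
audit_secret_perms() {
    root=$1
    bad=0
    for secret in "$root"/*/secrets/*; do
        [ -f "$secret" ] || continue
        mode=$(ls -l "$secret" | cut -c2-10)
        if [ "$mode" != "rw-------" ]; then
            echo "insecure permissions on $secret: $mode" >&2
            bad=1
        fi
    done
    return $bad
}

case "${1:-}" in
    setup)
        ensure_secret gitea/secrets/postgres_password.txt
        ensure_secret gitea/secrets/redis_password.txt
        ensure_secret postgresql/secrets/postgres_password.txt
        audit_secret_perms .
        ;;
    rotate-pg)
        # -T: no pseudo-TTY, so psql reads the piped SQL; ON_ERROR_STOP makes a
        # failed ALTER USER abort before the secrets file is touched.
        rotate_postgres_password postgresql/secrets/postgres_password.txt \
            "docker compose --project-directory postgresql exec -T postgres psql -U postgres -v ON_ERROR_STOP=1"
        docker compose --project-directory postgresql restart
        ;;
esac
```

`sh secrets.sh setup` creates any missing password files and audits their permissions; `sh secrets.sh rotate-pg` performs steps 1 to 3 of the rotation procedure for PostgreSQL. Updating the services that use the password (step 4) remains a manual step, as above; the ACME e-mail file is not random and is still written by hand as shown in the Traefik section.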

## Backing Up Secrets

**Important:** secrets must be backed up securely!

```bash
# Back up secrets encrypted (e.g. with GPG)
tar czf secrets-backup.tar.gz infrastructure/*/secrets/
gpg -c secrets-backup.tar.gz
rm secrets-backup.tar.gz

# Or with Ansible Vault (instead of the gpg step above; encrypts in place)
ansible-vault encrypt secrets-backup.tar.gz
```

## Restore

```bash
# Restore secrets from the backup
gpg -d secrets-backup.tar.gz.gpg | tar xzf -

# Or
ansible-vault decrypt secrets-backup.tar.gz
tar xzf secrets-backup.tar.gz
chmod 600 infrastructure/*/secrets/*
```