41 lines
1.3 KiB
Bash
Executable File
41 lines
1.3 KiB
Bash
Executable File
#!/usr/bin/env bash
|
|
# Generates a 20-secrets.yaml with fresh random component passwords.
|
|
# Usage:
|
|
# ./scripts/generate-secrets.sh > infra/k3s/20-secrets.yaml
|
|
# kubectl apply -f infra/k3s/20-secrets.yaml
|
|
#
|
|
# Re-running rotates the passwords — every component then needs to be
|
|
# restarted (kubectl rollout restart) so they pick up the new env.
|
|
|
|
set -eu
|
|
|
|
# 24 random bytes → 32 base64 chars, stripped of slashes/+ for safety in
|
|
# env vars + URLs. Avoids the SIGPIPE issue with `tr | head` under
|
|
# pipefail.
|
|
rand() { openssl rand -hex 16; } # 32 hex chars = 16 bytes entropy, plenty for component auth
|
|
|
|
JICOFO_COMPONENT_SECRET=$(rand)
|
|
JICOFO_AUTH_PASSWORD=$(rand)
|
|
JVB_AUTH_PASSWORD=$(rand)
|
|
TURN_CREDENTIALS_SECRET=$(rand)
|
|
|
|
cat <<EOF
|
|
apiVersion: v1
|
|
kind: Secret
|
|
metadata:
|
|
name: jitsi-secrets
|
|
namespace: jitsi
|
|
type: Opaque
|
|
stringData:
|
|
JICOFO_COMPONENT_SECRET: "${JICOFO_COMPONENT_SECRET}"
|
|
JICOFO_AUTH_USER: "focus"
|
|
JICOFO_AUTH_PASSWORD: "${JICOFO_AUTH_PASSWORD}"
|
|
JVB_AUTH_USER: "jvb"
|
|
JVB_AUTH_PASSWORD: "${JVB_AUTH_PASSWORD}"
|
|
# Same HMAC value under two keys: Prosody's mod_external_services
|
|
# template reads TURN_CREDENTIALS; coturn's start-script reads
|
|
# TURN_CREDENTIALS_SECRET. Both must match.
|
|
TURN_CREDENTIALS: "${TURN_CREDENTIALS_SECRET}"
|
|
TURN_CREDENTIALS_SECRET: "${TURN_CREDENTIALS_SECRET}"
|
|
EOF
|