feat(docker): add encryption key generation for integration secrets (#1202)

* feat(docker): add encryption key generation for integration secrets * chore: address pull request feedback * fix: build failing * fix: docker build fails because of error when encryption key not defined
2024-10-03 19:59:44 +02:00
parent 770a0d63f9
commit 52b45d835d
6 changed files with 44 additions and 2 deletions
--- a/5
+++ b/5
@@ -46,6 +46,7 @@ COPY --from=builder /app/cli-out/full/ .
 # Copy static data as it is not part of the build
 COPY static-data ./static-data
 ARG SKIP_ENV_VALIDATION='true'
 ARG CI='true'
 ARG DISABLE_REDIS_LOGS='true'
 RUN corepack enable pnpm && pnpm build
@@ -58,6 +59,8 @@ RUN mkdir /appdata
 RUN mkdir /appdata/db
 RUN mkdir /appdata/redis
 VOLUME /appdata
 RUN mkdir /secrets
 VOLUME /secrets
@@ -71,6 +74,7 @@ RUN chmod +x /usr/bin/homarr
 # Don't run production as root
 RUN chown -R nextjs:nodejs /appdata
 RUN chown -R nextjs:nodejs /secrets
 RUN mkdir -p /var/cache/nginx && chown -R nextjs:nodejs /var/cache/nginx && \
    mkdir -p /var/log/nginx && chown -R nextjs:nodejs /var/log/nginx && \
    mkdir -p /var/lib/nginx && chown -R nextjs:nodejs /var/lib/nginx && \
@@ -93,6 +97,7 @@ COPY --from=installer --chown=nextjs:nodejs /app/apps/nextjs/.next/standalone ./
 COPY --from=installer --chown=nextjs:nodejs /app/apps/nextjs/.next/static ./apps/nextjs/.next/static
 COPY --from=installer --chown=nextjs:nodejs /app/apps/nextjs/public ./apps/nextjs/public
 COPY --chown=nextjs:nodejs scripts/run.sh ./run.sh
 COPY --chown=nextjs:nodejs scripts/generateEncryptionKey.js ./generateEncryptionKey.js
 COPY --chown=nextjs:nodejs packages/redis/redis.conf /app/redis.conf
 COPY --chown=nextjs:nodejs nginx.conf /etc/nginx/templates/nginx.conf
--- a/packages/common/package.json
+++ b/packages/common/package.json
@@ -25,6 +25,7 @@
  },
  "prettier": "@homarr/prettier-config",
  "dependencies": {
    "@homarr/log": "workspace:^0.1.0",
    "dayjs": "^1.11.13",
    "next": "^14.2.14",
    "react": "^18.3.1",
--- a/packages/common/src/encryption.ts
+++ b/packages/common/src/encryption.ts
@@ -1,7 +1,20 @@
 import crypto from "crypto";
 import { logger } from "@homarr/log";
 const algorithm = "aes-256-cbc"; //Using AES encryption
-const key = Buffer.from("1d71cceced68159ba59a277d056a66173613052cbeeccbfbd15ab1c909455a4d", "hex"); // TODO: generate with const data = crypto.randomBytes(32).toString('hex')
+const fallbackKey = "0000000000000000000000000000000000000000000000000000000000000000";
 const encryptionKey = process.env.ENCRYPTION_KEY ?? fallbackKey; // Fallback to a default key for local development
 if (encryptionKey === fallbackKey) {
  logger.warn("Using a fallback encryption key, stored secrets are not secure");
  // We never want to use the fallback key in production
  if (process.env.NODE_ENV === "production" && process.env.CI !== "true") {
    throw new Error("Encryption key is not set");
  }
 }
 const key = Buffer.from(encryptionKey, "hex");
 export function encryptSecret(text: string): `${string}.${string}` {
  const initializationVector = crypto.randomBytes(16);
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
@@ -659,6 +659,9 @@ importers:
  packages/common:
    dependencies:
      '@homarr/log':
        specifier: workspace:^0.1.0
        version: link:../log
      dayjs:
        specifier: ^1.11.13
        version: 1.11.13
@@ -11294,7 +11297,7 @@ snapshots:
  estree-walker@3.0.3:
    dependencies:
-      '@types/estree': 1.0.6
+      '@types/estree': 1.0.5
  esutils@2.0.3: {}
--- a/scripts/generateEncryptionKey.js
+++ b/scripts/generateEncryptionKey.js
@@ -0,0 +1,7 @@
 // This script generates a random encryption key
 // This key is used to encrypt and decrypt the integration secrets
 // In production it is generated in run.sh and stored in the environment variable ENCRYPTION_KEY
 // during runtime, it's also stored in a file.
 const crypto = require("crypto");
 console.log(crypto.randomBytes(32).toString("hex"));
--- a/scripts/run.sh
+++ b/scripts/run.sh
@@ -6,6 +6,19 @@ else
    node ./db/migrations/$DB_DIALECT/migrate.cjs ./db/migrations/$DB_DIALECT
 fi
 # Generates an encryption key if it doesn't exist and saves it to /secrets/encryptionKey
 # Also sets the ENCRYPTION_KEY environment variable
 encryptionKey=""
 if [ -r /secrets/encryptionKey ]; then
    echo "Encryption key already exists"
    encryptionKey=$(cat /secrets/encryptionKey)
 else
    echo "Generating encryption key"
    encryptionKey=$(node ./generateEncryptionKey.js)
    echo $encryptionKey > /secrets/encryptionKey
 fi
 export ENCRYPTION_KEY=$encryptionKey
 # Start nginx proxy
 # 1. Replace the HOSTNAME in the nginx template file
 # 2. Create the nginx configuration file from the template