Commit c147f794 authored by Jérome Perrin's avatar Jérome Perrin

software/metabase: generate proper passwords

parent 46c9fd3e
# Metabae # Metabase
https://www.metabase.com/ https://www.metabase.com/
## TODO: ## TODO:
* export backups for resilience * export backups for resilience
* security (proper passwords, verifiable certificate, study metabase encryption option) * security (verifiable certificate, study metabase encryption option)
[instance-profile] [instance-profile]
filename = instance.cfg.in filename = instance.cfg.in
md5sum = d611a567cdd2bb919b0263a44b8bb754 md5sum = 10bfacf784241b080d3e8b22cf2b5359
...@@ -49,19 +49,56 @@ promise = check_url_available ...@@ -49,19 +49,56 @@ promise = check_url_available
name = $${:_buildout_section_name_}.py name = $${:_buildout_section_name_}.py
config-url= $${metabase-instance:url}/api/session/properties config-url= $${metabase-instance:url}/api/session/properties
[metabase-keystore-password]
recipe = slapos.cookbook:generate.password
bytes = 24
[metabase-keystore] [metabase-keystore]
recipe = plone.recipe.command recipe = plone.recipe.command
stop-on-error = true
command = command =
if [ -f $${:file} ]
then
# XXX password used to be "insecure", but we changed to proper password.
# We try to list the store with the new password and if it fail we change
# the keystore password.
if ! ${java:location}/bin/keytool \
-list \
-keystore "$${:file}" \
-storepass "$${:password}"
then
echo "Migrating keystore password" && \
${java:location}/bin/keytool \
-storepasswd \
-keystore "$${:file}" \
-storepass insecure \
-new "$${:password}" && \
echo "Migrating certificate key password" && \
${java:location}/bin/keytool \
-keypasswd \
-alias "$${:alias}" \
-keypass insecure \
-new "$${:password}" \
-keystore "$${:file}" \
-storepass "$${:password}"
fi
else
${java:location}/bin/keytool \ ${java:location}/bin/keytool \
-genkeypair \ -genkeypair \
-alias "metabase" \ -alias "$${:alias}" \
-keyalg RSA \ -keyalg RSA \
-keypass "$${:password}" \ -keypass "$${:password}" \
-dname "CN=$${metabase-instance:ip},OU=Unit,O=Organization,L=City,S=State,C=Country" \ -dname "CN=$${metabase-instance:ip},OU=Unit,O=Organization,L=City,S=State,C=Country" \
-keystore "$${:file}" \ -keystore "$${:file}" \
-storepass "$${:password}" -storepass "$${:password}"
fi
file = $${directory:etc}/.metabase_keystore file = $${directory:etc}/.metabase_keystore
password = insecure password = $${metabase-keystore-password:passwd}
alias = metabase
[postgresql-password]
recipe = slapos.cookbook:generate.password
bytes = 24
[postgresql] [postgresql]
recipe = slapos.cookbook:postgres recipe = slapos.cookbook:postgres
...@@ -69,7 +106,7 @@ bin = ${postgresql10:location}/bin/ ...@@ -69,7 +106,7 @@ bin = ${postgresql10:location}/bin/
services = $${directory:service} services = $${directory:service}
dbname = metabase_db dbname = metabase_db
superuser = metabase-psql superuser = metabase-psql
password = insecure password = $${postgresql-password:passwd}
pgdata-directory = $${directory:srv}/postgresql pgdata-directory = $${directory:srv}/postgresql
ipv4 = $${instance-parameter:ipv4-random} ipv4 = $${instance-parameter:ipv4-random}
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment