#!/usr/bin/env bash # gen-secrets.sh — generate all bootstrap secrets for the net-kingdom SSO/MFA platform # # Usage: # ./gen-secrets.sh [OUTPUT_DIR] # # Generates all pre-cluster secrets and writes them to OUTPUT_DIR (default: ./secrets). # Output files are structured by component to mirror the KeePassXC entry layout. # # WARNING: The secrets/ directory must NEVER be committed to git. # After entering values into KeePassXC, shred the generated files: # find secrets/ -type f -exec shred -u {} \; # # PI_ENCFILE is NOT generated here — it must be produced inside the privacyIDEA # container after deployment: # kubectl exec -n mfa -- pi-manage create_enckey # Extract the resulting file, store it in KeePassXC as a binary attachment on the # privacyIDEA/PI_ENCFILE entry, then create the k8s secret from it. set -euo pipefail OUT_DIR="${1:-./secrets}" if [[ -e "$OUT_DIR" ]]; then echo "ERROR: $OUT_DIR already exists. Delete it first or choose a different path." >&2 exit 1 fi # Helpers rnd_hex() { openssl rand -hex "$1"; } rnd_b64() { openssl rand -base64 "$1" | tr -d '\n/+=' | head -c "$2"; } mkdir -p \ "$OUT_DIR/privacyidea" \ "$OUT_DIR/postgres" \ "$OUT_DIR/keycloak" \ "$OUT_DIR/breakglass" # ── privacyIDEA ──────────────────────────────────────────────────────────────── PI_SECRET_KEY="$(rnd_hex 32)" # 64 hex chars — Flask/PI app secret PI_PEPPER="$(rnd_hex 16)" # 32 hex chars — password hashing pepper PI_DB_PASS="$(rnd_b64 32 40)" # 40 printable chars — DB password PI_ADMIN_PASS="$(rnd_b64 32 40)" cat > "$OUT_DIR/privacyidea/secrets.env" < -- pi-manage create_enckey # kubectl cp -n mfa :/etc/privacyidea/enckey ./secrets/privacyidea/pi.enc # Then store pi.enc as a binary attachment in KeePassXC → net-kingdom/privacyIDEA/PI_ENCFILE EOF # ── PostgreSQL ───────────────────────────────────────────────────────────────── PG_ROOT_PASS="$(rnd_b64 32 40)" PG_KC_PASS="$(rnd_b64 32 40)" # privacyIDEA DB user reuses PI_DB_PASS (single source of truth) cat > "$OUT_DIR/postgres/secrets.env" < "$OUT_DIR/keycloak/secrets.env" < "$OUT_DIR/breakglass/secrets.env" < /dev/null; echo "${PI_SECRET_KEY:0:16}…")" echo " PI_PEPPER : ${PI_PEPPER:0:8}…" echo " PI_DB_PASSWORD : ${PI_DB_PASS:0:8}…" echo " PI_ADMIN_PASSWORD: ${PI_ADMIN_PASS:0:8}…" echo " PI_ENCFILE : *** generate after container deploy (see comments) ***" echo "" echo " PostgreSQL:" echo " PG_ROOT_PASSWORD : ${PG_ROOT_PASS:0:8}…" echo " PG_KEYCLOAK_PASSWORD: ${PG_KC_PASS:0:8}…" echo " PG_PI_PASSWORD : (same as PI_DB_PASSWORD)" echo "" echo " Keycloak:" echo " KC_ADMIN_PASSWORD: ${KC_ADMIN_PASS:0:8}…" echo " KC_DB_PASSWORD : (same as PG_KEYCLOAK_PASSWORD)" echo "" echo " Break-glass:" echo " BREAKGLASS_PASSWORD: ${BG_PASS:0:8}…" echo "" echo "Next steps:" echo " 1. Enter each value into KeePassXC (see comments in each secrets.env file)." echo " 2. Run pack-bundle.sh to create an age-encrypted offsite backup." echo " 3. Shred the generated files:" echo " find $OUT_DIR -type f -exec shred -u {} \\;" echo "" echo "NEVER commit $OUT_DIR/ to git."