#!/usr/bin/env bash
# gen-secrets.sh — generate all bootstrap secrets for the net-kingdom SSO/MFA platform
#
# Usage:
# ./gen-secrets.sh [OUTPUT_DIR]
#
# Generates all pre-cluster secrets and writes them to OUTPUT_DIR (default: ./secrets).
# Output files are structured by component to mirror the KeePassXC entry layout.
#
# WARNING: The secrets/ directory must NEVER be committed to git.
# After entering values into KeePassXC, shred the generated files:
# find secrets/ -type f -exec shred -u {} \;
# NOTE(review): shred cannot guarantee overwrite on copy-on-write or journaled
# filesystems and on SSDs; writing OUTPUT_DIR to a tmpfs (RAM-backed) mount avoids
# leaving recoverable copies on disk — confirm which filesystem is used here.
#
# PI_ENCFILE is NOT generated here — it must be produced inside the privacyIDEA
# container after deployment:
# kubectl exec -n mfa -- pi-manage create_enckey
# NOTE(review): kubectl exec needs the pod name before "--"; a pod placeholder
# appears to be missing from this line and the kubectl cp line below — verify.
# Extract the resulting file, store it in KeePassXC as a binary attachment on the
# privacyIDEA/PI_ENCFILE entry, then create the k8s secret from it.

# Abort on any failed command, unset variable or failed pipeline stage, so a
# partially written secrets tree is never mistaken for a complete one.
set -euo pipefail

# Destination for the generated files; first positional argument, else ./secrets.
OUT_DIR="${1:-./secrets}"

# Refuse to write into an existing path: silently overwriting or merging with a
# previous run could mix old and new secrets.
if [[ -e "$OUT_DIR" ]]; then
  echo "ERROR: $OUT_DIR already exists. Delete it first or choose a different path." >&2
  exit 1
fi

# NOTE(review): no umask is set, so the secrets.env files below are created with
# the caller's default mode (typically 0644, i.e. world-readable). Consider
# `umask 077` before mkdir so only the invoking user can read the output tree.

# Helpers
# rnd_hex N — N random bytes from openssl, printed as 2*N lowercase hex chars.
rnd_hex() { openssl rand -hex "$1"; }
# rnd_b64 N LEN — N random bytes, base64-encoded, with newline, '/', '+' and '='
# stripped (leaving only A-Za-z0-9), truncated to at most LEN bytes.
# NOTE(review): the length is an upper bound, not a guarantee: with N=32 the
# base64 output is 44 chars, and each '/' or '+' removed by tr shortens it, so
# the result can fall below LEN. Generating more input bytes than needed
# (e.g. `openssl rand -base64 48`) or checking the final length would make the
# "40 printable chars" comments below hold unconditionally.
rnd_b64() { openssl rand -base64 "$1" | tr -d '\n/+=' | head -c "$2"; }

# One subdirectory per component, mirroring the KeePassXC entry layout.
mkdir -p \
  "$OUT_DIR/privacyidea" \
  "$OUT_DIR/postgres" \
  "$OUT_DIR/lldap" \
  "$OUT_DIR/authelia" \
  "$OUT_DIR/keycape" \
  "$OUT_DIR/breakglass"

# ── privacyIDEA ────────────────────────────────────────────────────────────────
PI_SECRET_KEY="$(rnd_hex 32)" # 64 hex chars — Flask/PI app secret
PI_PEPPER="$(rnd_hex 16)" # 32 hex chars — password hashing pepper
PI_DB_PASS="$(rnd_b64 32 40)" # 40 printable chars — DB password
PI_ADMIN_PASS="$(rnd_b64 32 40)" # same format; presumably the initial admin login — confirm
# NOTE(review): the here-doc body for this file is not visible in this copy of the
# script; confirm it writes only the four PI_* values above as KEY=value lines.
cat > "$OUT_DIR/privacyidea/secrets.env" < -- pi-manage create_enckey
# kubectl cp -n mfa :/etc/privacyidea/enckey ./secrets/privacyidea/pi.enc
# Then store pi.enc as a binary attachment in KeePassXC → net-kingdom/privacyIDEA/PI_ENCFILE
EOF

# ── PostgreSQL ─────────────────────────────────────────────────────────────────
PG_ROOT_PASS="$(rnd_b64 32 40)" # 40 printable chars — superuser password
# privacyIDEA DB user reuses PI_DB_PASS (single source of truth)
# Note: no keycloak DB user — Keycloak was replaced by the Authelia+LLDAP+KeyCape stack.
# NOTE(review): the here-doc bodies and the LLDAP, Authelia, KeyCape and breakglass
# generation steps are not visible in this copy; only the output paths survive.
# Confirm each file is written with its own here-doc and closing EOF.
cat > "$OUT_DIR/postgres/secrets.env" < "$OUT_DIR/lldap/secrets.env" < "$OUT_DIR/authelia/secrets.env" < "$OUT_DIR/keycape/secrets.env" < "$OUT_DIR/breakglass/secrets.env" <