Secrets

Submitted ⁨⁨1⁩ ⁨week⁩ ago⁩ by ⁨Dust0741@lemmy.world⁩ to ⁨selfhosted@lemmy.world⁩

I would like to migrate away from using .env for secrets, and use something hashicorp vault. How would one do this for something like pihole, where there is an env var with the password?

source

Comments

Sort:hotnew top

slazer2au@lemmy.world ⁨1⁩ ⁨week⁩ ago
What I have seen people do in the past is use ansible secrets to secure the env file.

So only when the playbook is running does the env get decrypted.

Digital Ocean has an extensive how to on it.

digitalocean.com/…/how-to-use-vault-to-protect-se…

source
folekaule@lemmy.world ⁨1⁩ ⁨week⁩ ago
See if a light weight kubernetes installation is for you. Secrets are first class citizens in k8s. You can make maintain secrets in a number of different ways, but they are exposed to containers the same way. They can become files or environment variables, whether you need.

I recommend looking at k3s to run on your Pi and see if that works for you. You can add vault software on top of that later without changing your containers.

source
remotelove@lemmy.ca ⁨1⁩ ⁨week⁩ ago
I would look into something like Doppler instead of Vault. (I don’t trust any company acquired by IBM. They have been aquiring and enshittifying companies before there was even a name for it.)

Look into how any different solutions need their keys presented. Dumping the creds in ENV is generally fine since the keys will need to be stored and used somehow. You might need a dedicated user account to manage keys in its home folder.

This is actually a host security problem, not generally a key storage problem per se.

Since you are going to using a Pi, you should focus on that being a restricted host: Only run your chosen vault solution on it. Period. Secure and patch it to the best of your ability and use very specific host firewall rules for minimum connectivity. Ie: Have one user for ssh in and limit another user account to managing vault, preferably without needing any kind of elevated access. This is actually a perfect use case for SELinux since you can put in some decent restrictions on the host for a single app (and it’s supporting apps…)

If you are paranoid enough to run a HIDS, you can turn on all the events for any type of root account actions. In theory once the host is configured, you shouldn’t need root again until you start performing patches.

source
ryokimball@infosec.pub ⁨1⁩ ⁨week⁩ ago
github.com/hashicorp/envconsul

source