nathan/smt
1
0
Fork 0
Code Issues 4 Pull Requests Packages Projects Releases 2 Wiki Activity
Files
8432286101e1775939e71c7b6d403d7732121d8a
smt/README.md
Nathan Coad 8432286101 readme
2023-04-03 10:39:44 +10:00

85 lines
2.6 KiB
Markdown
Raw Blame History

# CC Secrets
## Overview
Design concepts at https://wiki.coadcorp.com/doc/secrets-management-idea-VGJMey7Wnd
Provide REST API for CRUD to store and retrieve user/password data for logging into devices. Only password is encrypted, via AES256 GCM. Values stored in sqlite database.
Requires JWT token to store/retrieve passwords.
This isn't super secure, probably not even as secure as Hashicorp Vault running in dev mode.
## Installation
1. Copy binary to chosen location, eg /srv/ccsecrets
2. Create .env file in same directory as binary, populate as per Configuration section below
3. Create systemd service definition
4. Start service
## Configuration
|Environment Variable Name| Description | Example | Default |
|--|--|--|--|
| LOG_FILE | Specify the name/path of file to write log messages to | /var/log/ccsecrets.log | ./ccsecrets.log
| BIND_IP | Specify the local IP address to bind to. | 127.0.0.1 | Primary IPv4 address |
| BIND_PORT | Specify the TCP/IP port to bind to. | 443 | 8443 |
| TLS_KEY_FILE | Specify the filename of the TLS certificate private key (must be unencrypted) in PEM format | key.pem | privkey.pem |
| TLS_CERT_FILE | Specify the filename of the TLS certificate file in PEM format | cert.pem | cert.pem |
| TOKEN_HOUR_LIFESPAN | Number of hours that the JWT token returned at login is valid | 12 | No default specified, must define this value |
| API_SECRET | Secret to use when generating JWT token | 3c55990bd479322e2053db3a8 | No default specified, must define this value |
| INITIAL_PASSWORD | Password to set for builtin Administrator account created when first started, can remove this value after first start. Can specify in plaintext or bcrypt hash | $2a$10$s39a82wrRAdOJVZEkkrSReVnXprz5mxU30ZBO.dHPYTncQCsUD9ce | password
| SECRETS_KEY | Key to use for AES256 GCM encryption. Must be exactly 32 bytes | AES256Key-32Characters1234567890 | No default specified, must define this value |
## Systemd script
Create/update the systemd service definition at /etc/systemd/system/ccsecrets.service and then run systemctl daemon-reload
```
[Unit]
Description=CC Secrets Service
After=network.target
#StartLimitIntervalSec=0
[Service]
Type=simple
Restart=always
RestartSec=1
User=root
ExecStart=/srv/ccsecrets/ccsecrets
[Install]
WantedBy=multi-user.target
```
## API
### User Operations
#### Register
POST `/api/admin/register`
Data
```
{
"UserName": "",
"Password": "",
"RoleId": 2
}
```
This operation can only be performed by a user with a role that is admin enabled.
#### Login
POST `/api/login`
Data
```
{
"UserName": "",
"Password": ""
}
```
### Secrets Operations
#### Store
#### Retrieve
#### Update
Reference in New Issue View Git Blame Copy Permalink