0940dc6972
Follow-up to the incident where an unwritable /data made Steward silently mint a fresh ephemeral secret key on every boot, orphaning all encrypted secrets — only discovered when an Ansible run failed. Make both failure modes loud and visible. - config._resolve_secret_key: if a new key must be generated but can't be persisted (no STEWARD_SECRET_KEY, unwritable /data), raise RuntimeError and refuse to start, with an actionable fix (set STEWARD_SECRET_KEY, or make /data writable by uid 1000). Also raises a clear error if an existing key file can't be read. First-run on a writable volume still generates + persists normally. - core.settings: detect secrets stored as ciphertext that won't decrypt with the current key (scan_undecryptable_secrets at startup; _is_undecryptable helper). Cached in memory; set_setting discards a key on a fresh write so the banner clears without a restart. - app.py: run the scan after migrate_plaintext_secrets, log a warning, and inject undecryptable_secrets into the template context. - base.html: admin banner naming which secrets to re-enter, each linked to its settings tab. - compose.deploy.yml: document the uid-1000 /data write requirement and the STEWARD_SECRET_KEY option for multi-node Swarm. - Tests: secret-key resolver (reuse existing file, generate when writable, raise when unpersistable) and the undecryptable-secret detection helper. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_016Jg27rgypiW2efULXJDtMC
70 lines
2.7 KiB
YAML
70 lines
2.7 KiB
YAML
# Remote deployment — pulls the published :dev image instead of building locally.
|
|
#
|
|
# This is NOT the local-dev compose. `docker-compose.yml` bind-mounts ./steward
|
|
# + ./plugins and runs --debug for live editing; THIS file runs the image as the
|
|
# source of truth (no bind-mounts, no reloader) for a persistent remote instance
|
|
# that tracks the dev CI line.
|
|
#
|
|
# Standup + update runbook: see README → "Remote dev instance".
|
|
|
|
services:
|
|
steward:
|
|
image: git.fabledsword.com/bvandeusen/steward:dev
|
|
container_name: steward
|
|
# Re-pull :dev on every `up` so restarting the stack picks up the latest
|
|
# green dev build without a manual `docker pull`.
|
|
pull_policy: always
|
|
ports:
|
|
- "5000:5000"
|
|
networks:
|
|
- backend
|
|
volumes:
|
|
# /data holds the auto-generated secret key, third-party plugins, and the
|
|
# Ansible playbook cache — all of which must survive image updates. No
|
|
# source bind-mounts: core + first-party plugins live inside the image.
|
|
#
|
|
# The container runs as the unprivileged 'app' user (uid 1000), so /data
|
|
# MUST be writable by uid 1000. A named docker volume (below) gets that
|
|
# automatically. If you bind-mount a host/NFS path instead, chown it to
|
|
# 1000:1000 (and mind NFS root_squash) — otherwise the app can't persist
|
|
# its secret key, mints a fresh one each boot, and every encrypted secret
|
|
# (managed SSH key, SMTP/OIDC/LDAP creds) becomes unrecoverable. The app
|
|
# now refuses to start in that state rather than silently degrade.
|
|
- app_data:/data
|
|
environment:
|
|
- STEWARD_DATABASE_URL=postgresql+asyncpg://steward:${POSTGRES_PASSWORD:-steward}@db/steward
|
|
# STEWARD_SECRET_KEY is intentionally absent — the app generates a random
|
|
# key on first boot and persists it to /data/secret.key, which the app_data
|
|
# volume keeps across image updates. On multi-node Swarm with a shared bind
|
|
# mount, pin STEWARD_SECRET_KEY (env or a docker secret) instead, so the key
|
|
# never depends on filesystem ownership being correct on every node.
|
|
depends_on:
|
|
db:
|
|
condition: service_healthy
|
|
restart: unless-stopped
|
|
|
|
db:
|
|
image: postgres:16-alpine
|
|
networks:
|
|
- backend
|
|
environment:
|
|
POSTGRES_USER: steward
|
|
POSTGRES_PASSWORD: ${POSTGRES_PASSWORD:-steward}
|
|
POSTGRES_DB: steward
|
|
volumes:
|
|
- pgdata:/var/lib/postgresql/data
|
|
# No host port published — db is reachable only on the backend network.
|
|
healthcheck:
|
|
test: ["CMD-SHELL", "pg_isready -U steward"]
|
|
interval: 5s
|
|
timeout: 5s
|
|
retries: 5
|
|
restart: unless-stopped
|
|
|
|
networks:
|
|
backend:
|
|
|
|
volumes:
|
|
pgdata:
|
|
app_data:
|