Support client_sign.properties as a secure file. #186

Merged
merged 1 commit into from
Jun 21, 2024
4 changes: 3 additions & 1 deletion docs/operations_guide/index.md
@@ -53,7 +53,9 @@ You should have separate .env files for each environment. For example, staging v

## Secured Files/Certs

For files that you want to keep out of the Docker image, you should set up a private Fly.io Tigris bucket. This is Fly.io's equivalent of AWS's S3 service. When a Fly.io machine starts up, the fly_startup_script.sh will run. The script will pull down the keystore cert from Tigris if the file is not already in the system. While Fly.io will automatically inject the AWS config values into your application the first time you setup Tigris, you should also store the AWS config values in your .env file in case you need to reference them again or re-create a Fly.io app in the future.
For files that you want to keep out of the Docker image, you should set up a private Fly.io Tigris bucket. This is Fly.io's equivalent of AWS's S3 service. When a Fly.io machine starts up, the fly_startup_script.sh will run. The script will pull down any secure files that are not already present from Tigris. This includes the PFX certificate and client_sign.properties. See the secured files section in the env.example file for the full list of supported files.

While Fly.io will automatically inject the AWS config values into your application the first time you setup Tigris, you should also store the AWS config values in your .env file in case you need to reference them again or re-create a Fly.io app in the future.

For more details, check out:
https://fly.io/docs/reference/tigris/
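Review bot: the rewritten paragraph keeps the advice to store the AWS config values for the Tigris bucket in the .env file, but those values are the read credentials for everything in the bucket (the PFX and client_sign.properties), so this section should say that such a .env must stay out of version control and out of the Docker image, which is the same image the section is trying to keep the files out of, and point at Fly.io secrets (`fly secrets set`) as the runtime home for them. It would also help to state where the files land: fly_startup_script.sh copies them into the working directory with `aws s3 cp ... .`, so PATH_TO_KEYSTORE has to point there, and nothing in this section says so. Minor: "setup" as a verb should be "set up".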
5 changes: 5 additions & 0 deletions env.example
@@ -64,8 +64,13 @@ JEFFERSON_ENDPOINT=https://example.com
# NOTE: this ONLY needs to be in the Docassemble server.
JEFFERSON_KEY=

##### Secured Files #####
# These are secured files that are stored in encrypted cloud storage. Use this for any secured files that are not
# baked into your Docker image. This is useful in the case of continuous deployment.
# For Fly.io, this is the private Tigris (S3-compatible object store) URL to the cert referenced by PATH_TO_KEYSTORE
#S3_TO_KEYSTORE_CERT=s3://my-tigris-url/MyOrg.pfx
# Private Tigris URL to the client_sign.properties
#S3_TO_CLIENT_SIGN_PROPERTIES=s3://my-tigris-url/client_sign.properties

# Fly.io Tigris
#BUCKET_NAME=
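Review bot: the comment block calls this "encrypted cloud storage", but nothing in the change configures encryption; what the docs and the example values establish is a private bucket, and once fetched the files sit in plaintext on the machine's disk, so "private" is the accurate word. Also, fly_startup_script.sh decides whether to download by testing for the literal filename client_sign.properties while copying the object to `.`, so the object key behind S3_TO_CLIENT_SIGN_PROPERTIES must end in /client_sign.properties for the guard to work; the comment on that variable should say so (the example value happens to satisfy it). For symmetry with PATH_TO_KEYSTORE / S3_TO_KEYSTORE_CERT, consider a PATH_TO_CLIENT_SIGN_PROPERTIES instead of hardcoding the name in the script.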
7 changes: 6 additions & 1 deletion fly_startup_script.sh
@@ -8,6 +8,11 @@ if test -n "$FLY_MACHINE_ID"; then
if ! test -f "$PATH_TO_KEYSTORE"; then
echo "Installing cert"
apk add --no-cache aws-cli
aws s3 cp $S3_TO_KEYSTORE_CERT .
aws s3 cp "$S3_TO_KEYSTORE_CERT" .
fi
if ! test -f "client_sign.properties"; then
echo "Installing client_sign.properties"
apk add --no-cache aws-cli
aws s3 cp "$S3_TO_CLIENT_SIGN_PROPERTIES" .
fi
fi
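Review bot: the new guard `test -f "client_sign.properties"` checks the current directory, but `aws s3 cp "$S3_TO_CLIENT_SIGN_PROPERTIES" .` writes whatever basename the object key has, so an object stored under any other name is re-downloaded on every boot and never found; give the copy an explicit destination (`aws s3 cp "$S3_TO_CLIENT_SIGN_PROPERTIES" client_sign.properties`). The copy also runs when the variable is unset (env.example ships it commented out), so wrap the block in `if test -n "$S3_TO_CLIENT_SIGN_PROPERTIES"`; and unless the script sets `-e` earlier (not visible in this hunk), a failed download is silently ignored and the app starts without the file, so append `|| exit 1` or check the exit status. The second `apk add --no-cache aws-cli` is redundant when the keystore branch already ran; hoist a single install above both checks. Since both files are the "secured files" the docs describe, tightening their permissions after download (`chmod 600`) is a cheap addition.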