feat(install): per-host auto-generated secrets for Docker installs
Each fresh 1Panel/Docker install generates unique MYSQL and NEXUS keys via scripts/generate_nexus_secrets.py; install wizard reuses compose env.
This commit is contained in:
+23
-6
@@ -98,6 +98,18 @@ def _build_redis_url(req: InitDbRequest) -> str:
|
||||
return url
|
||||
|
||||
|
||||
def _install_keys_from_environment() -> tuple[str, str, str] | None:
|
||||
"""Reuse keys pre-generated by Docker install (docker/.env.prod → compose env)."""
|
||||
import os
|
||||
|
||||
sk = os.environ.get("NEXUS_SECRET_KEY", "").strip()
|
||||
ak = os.environ.get("NEXUS_API_KEY", "").strip()
|
||||
ek = os.environ.get("NEXUS_ENCRYPTION_KEY", "").strip()
|
||||
if sk and ak and ek:
|
||||
return sk, ak, ek
|
||||
return None
|
||||
|
||||
|
||||
def _escape_env_value(value: str) -> str:
|
||||
"""Escape a value for safe inclusion in a .env file.
|
||||
|
||||
@@ -512,12 +524,17 @@ async def init_db(req: InitDbRequest):
|
||||
except Exception:
|
||||
pool_size, max_overflow = 160, 120
|
||||
|
||||
# Generate keys
|
||||
secret_key = secrets.token_hex(32)
|
||||
api_key = secrets.token_hex(16)
|
||||
# Generate Fernet-compatible encryption key (32 url-safe base64 bytes)
|
||||
import base64
|
||||
encryption_key = base64.urlsafe_b64encode(secrets.token_bytes(32)).decode()
|
||||
# Keys: reuse Docker install pre-seed, else generate (must match install wizard)
|
||||
preseed = _install_keys_from_environment()
|
||||
if preseed:
|
||||
secret_key, api_key, encryption_key = preseed
|
||||
logger.info("Using pre-generated NEXUS keys from install environment")
|
||||
else:
|
||||
secret_key = secrets.token_hex(32)
|
||||
api_key = secrets.token_hex(16)
|
||||
import base64
|
||||
|
||||
encryption_key = base64.urlsafe_b64encode(secrets.token_bytes(32)).decode()
|
||||
|
||||
# Insert settings
|
||||
settings_kv = {
|
||||
|
||||
Reference in New Issue
Block a user