feat(install): per-host auto-generated secrets for Docker installs

Each fresh 1Panel/Docker install generates unique MYSQL and NEXUS keys
via scripts/generate_nexus_secrets.py; install wizard reuses compose env.
This commit is contained in:
Nexus Deploy
2026-06-06 00:25:57 +08:00
parent e613aecc8e
commit 83ce11f55c
14 changed files with 431 additions and 89 deletions
+23 -6
View File
@@ -98,6 +98,18 @@ def _build_redis_url(req: InitDbRequest) -> str:
return url
def _install_keys_from_environment() -> tuple[str, str, str] | None:
"""Reuse keys pre-generated by Docker install (docker/.env.prod → compose env)."""
import os
sk = os.environ.get("NEXUS_SECRET_KEY", "").strip()
ak = os.environ.get("NEXUS_API_KEY", "").strip()
ek = os.environ.get("NEXUS_ENCRYPTION_KEY", "").strip()
if sk and ak and ek:
return sk, ak, ek
return None
def _escape_env_value(value: str) -> str:
"""Escape a value for safe inclusion in a .env file.
@@ -512,12 +524,17 @@ async def init_db(req: InitDbRequest):
except Exception:
pool_size, max_overflow = 160, 120
# Generate keys
secret_key = secrets.token_hex(32)
api_key = secrets.token_hex(16)
# Generate Fernet-compatible encryption key (32 url-safe base64 bytes)
import base64
encryption_key = base64.urlsafe_b64encode(secrets.token_bytes(32)).decode()
# Keys: reuse Docker install pre-seed, else generate (must match install wizard)
preseed = _install_keys_from_environment()
if preseed:
secret_key, api_key, encryption_key = preseed
logger.info("Using pre-generated NEXUS keys from install environment")
else:
secret_key = secrets.token_hex(32)
api_key = secrets.token_hex(16)
import base64
encryption_key = base64.urlsafe_b64encode(secrets.token_bytes(32)).decode()
# Insert settings
settings_kv = {