mirror of
https://github.com/azaion/admin.git
synced 2026-06-21 16:01:09 +00:00
Oleksandr Bezdieniezhnykh
f369153149
Batch 5 (cycle 2 hotfix sprint, batch 1 of 2). 6 story points under epic AZ-530. Addresses 2 Critical + 2 High deploy-blocking findings from security_report_cycle2.md (F-INFRA-1..F-INFRA-4). AZ-552 — drop_jwt_secret_deploy_preflight (1 pt, F-INFRA-1 Critical) scripts/start-services.sh swaps obsolete JwtConfig__Secret preflight for the cycle-2 trio (KeysFolder + ActiveKid + DataProtection.KeysFolder). .env.example, env/api/env.ps1, _docs/04_deploy/* updated to match. Repo scan in scripts/ and .env.example returns 0 offenders. AZ-553 — bind_mount_es256_keys (2 pts, F-INFRA-2 Critical) start-services.sh bind-mounts DEPLOY_HOST_JWT_KEYS_DIR read-only at /etc/azaion/jwt-keys; preflight fails fast on a missing or empty host directory with operator-actionable error messages. AZ-554 — persist_dataprotection_keys (2 pts, F-INFRA-3 High) Program.cs DataProtection wiring now fails fast in Production when KeysFolder is unset OR not probe-writable. start-services.sh bind-mounts DEPLOY_HOST_DP_KEYS_DIR read-write at /var/lib/azaion/dp-keys. Development behaviour unchanged (ephemeral default). AZ-555 — secrets_readme_es256_rewrite (1 pt, F-INFRA-4 High) secrets/README.md schema fully rewritten; new "Host-side directories" subsection with bind-mount table + ownership/permission guidance. Cycle-1 JwtConfig__Secret removed from live schema (one prose deprecation paragraph retained). Adjacent hygiene module-layout.md "Owns" extended to include scripts/, secrets/, env/, .env.example (gap from Step 9 new-task layout-delta). Tests e2e/Azaion.E2E/Tests/Cycle2HotfixDeployTests.cs — 19 facts (8 exec, 11 Skip with rationale per AZ-537/AZ-538 precedent). Skipped tests cover preflight/restart/Production-only paths verified at deploy gate. Build: 0W 0E across Azaion.AdminApi + Azaion.E2E. Test run deferred to autodev Step 11 (Run Tests). Tracker transition deferred to next batch (MCP availability unverified in this session — Leftovers pattern). Co-authored-by: Cursor <cursoragent@cursor.com>
74 lines
4.5 KiB
Bash
74 lines
4.5 KiB
Bash
# =============================================================================
|
|
# Azaion Admin API — environment variable template
|
|
# Copy to `.env` (git-ignored) and fill in real values for your environment.
|
|
# Production secrets MUST come from the secret manager, not from a checked-in
|
|
# file. See _docs/04_deploy/reports/deploy_status_report.md for the full table.
|
|
# =============================================================================
|
|
|
|
# ---------- ASP.NET Core runtime --------------------------------------------
|
|
ASPNETCORE_ENVIRONMENT=Development # Development | Staging | Production
|
|
ASPNETCORE_URLS=http://+:8080 # Kestrel bind address inside the container
|
|
|
|
# ---------- Database (PostgreSQL on port 4312 in prod, 5432 in test) --------
|
|
# Two roles: reader (read-only) and admin (read/write). See env/db/01_permissions.sql.
|
|
ASPNETCORE_ConnectionStrings__AzaionDb=Host=localhost;Port=4312;Database=azaion;Username=azaion_reader;Password=CHANGE_ME
|
|
ASPNETCORE_ConnectionStrings__AzaionDbAdmin=Host=localhost;Port=4312;Database=azaion;Username=azaion_admin;Password=CHANGE_ME
|
|
|
|
# ---------- JWT (ES256, 15 min access, 8/12 h refresh — AZ-531/AZ-532) ------
|
|
# AZ-532 — admin signs access tokens with ES256. Keys live as PEM files in the
|
|
# folder named by KeysFolder (the kid is the filename without `.pem`); generate
|
|
# with scripts/generate-jwt-key.sh. The cycle-1 symmetric secret was removed in
|
|
# cycle 2; verifiers now fetch the public key from /.well-known/jwks.json.
|
|
ASPNETCORE_JwtConfig__Issuer=AzaionApi
|
|
ASPNETCORE_JwtConfig__Audience=Annotators/OrangePi/Admins
|
|
ASPNETCORE_JwtConfig__KeysFolder=/etc/azaion/jwt-keys
|
|
# AZ-552/AZ-553 — ActiveKid is REQUIRED in production deployments. The
|
|
# preflight in scripts/start-services.sh fails fast if it is unset.
|
|
ASPNETCORE_JwtConfig__ActiveKid=kid-20260514-000000
|
|
ASPNETCORE_JwtConfig__AccessTokenLifetimeMinutes=15
|
|
|
|
# AZ-553 — host-side directory holding the ES256 PEMs. Bind-mounted RO into
|
|
# the container at $JwtConfig__KeysFolder. Must be owned by (or readable by)
|
|
# the container's `app` UID. See secrets/README.md "Host-side directories".
|
|
DEPLOY_HOST_JWT_KEYS_DIR=/var/lib/azaion/jwt-keys
|
|
|
|
# AZ-531 — refresh-token windows. Sliding extends on every rotation; absolute
|
|
# caps the family lifetime regardless of activity.
|
|
ASPNETCORE_SessionConfig__RefreshSlidingHours=8
|
|
ASPNETCORE_SessionConfig__RefreshAbsoluteHours=12
|
|
|
|
# ---------- DataProtection (AZ-554) -----------------------------------------
|
|
# AZ-554 — DataProtection master keys MUST persist across container restarts;
|
|
# otherwise the cycle-2 MFA secret ciphertexts become unreadable and every
|
|
# MFA-enrolled user is locked out at the next deploy. Production deployments
|
|
# MUST set this; non-prod uses the ephemeral default if unset.
|
|
ASPNETCORE_DataProtection__KeysFolder=/var/lib/azaion/dp-keys
|
|
|
|
# AZ-554 — host-side directory holding the DataProtection key ring. Bind-mounted
|
|
# RW into the container at $DataProtection__KeysFolder. Must be writable by the
|
|
# container's `app` UID. NEVER world-readable (chmod 0700).
|
|
DEPLOY_HOST_DP_KEYS_DIR=/var/lib/azaion/dp-keys
|
|
|
|
# ---------- Resource storage (filesystem) -----------------------------------
|
|
ASPNETCORE_ResourcesConfig__ResourcesFolder=Content
|
|
|
|
# ---------- Container build / image label ------------------------------------
|
|
# Injected at build time as --build-arg CI_COMMIT_SHA=… by Woodpecker.
|
|
# Local builds may leave it unset (Dockerfile defaults to "unknown").
|
|
# CI_COMMIT_SHA=
|
|
|
|
# ---------- Deploy targets (consumed by scripts/, not by the API process) ---
|
|
DEPLOY_HOST=admin.azaion.com # SSH target for scripts/deploy.sh
|
|
DEPLOY_SSH_USER=root # SSH user on DEPLOY_HOST
|
|
DEPLOY_CONTAINER_NAME=azaion.api # Docker container name on the host
|
|
DEPLOY_HOST_PORT=4000 # Port published on DEPLOY_HOST (mapped to 8080 in container)
|
|
DEPLOY_HOST_CONTENT_DIR=/root/api/content # Bind-mount for resource files
|
|
DEPLOY_HOST_LOGS_DIR=/root/api/logs # Bind-mount for Serilog rolling files
|
|
|
|
# ---------- Container registry ----------------------------------------------
|
|
REGISTRY_HOST=docker.azaion.com # Private registry; CI may use localhost:5000
|
|
REGISTRY_IMAGE=azaion/admin # Image path inside REGISTRY_HOST
|
|
REGISTRY_TAG=dev-arm # main→arm, stage→stage-arm, dev→dev-arm
|
|
REGISTRY_USER= # CI / scripts only — leave empty in dev .env
|
|
REGISTRY_TOKEN= # CI / scripts only — leave empty in dev .env
|