Remove sensitive env vars before writing

2026-01-27 18:18:55 +00:00 · 2021-09-22 16:26:34 +00:00
parent 5a9410dc37
commit 82912f41ba
3 changed files with 14 additions and 3 deletions
--- a/omnibus/cookbooks/firezone/libraries/config.rb
+++ b/omnibus/cookbooks/firezone/libraries/config.rb
@@ -210,7 +210,9 @@ class Firezone
      end
    end

-    def self.app_env(attributes)
+    def self.app_env(attributes, reject = [])
+      attributes = attributes.reject { |k| reject.include?(k) }
+
      env = {
        'EGRESS_INTERFACE' => attributes['egress_interface'],
        'WG_PATH' => "#{attributes['install_directory']}/embedded/bin/wg",
@@ -224,7 +226,6 @@ class Firezone
        'PHOENIX_PORT' => attributes['phoenix']['port'].to_s,
        'URL_HOST' => attributes['url_host'],
        'ADMIN_EMAIL' => attributes['admin_email'],
-        'DEFAULT_ADMIN_PASSWORD' => attributes['default_admin_password'],
        'WIREGUARD_INTERFACE_NAME' => attributes['wireguard']['interface_name'],
        'WIREGUARD_ENDPOINT_IP' => attributes['wireguard']['endpoint_ip'],
        'WIREGUARD_PORT' => attributes['wireguard']['port'].to_s,
@@ -240,6 +241,10 @@ class Firezone
        env.merge!('DATABASE_PASSWORD' => attributes['database']['password'])
      end

+      if attributes.dig('default_admin_password')
+        env.merge!('DEFAULT_ADMIN_PASSWORD' => attributes['default_admin_password'])
+      end
+
      env
    end

--- a/omnibus/cookbooks/firezone/recipes/app.rb
+++ b/omnibus/cookbooks/firezone/recipes/app.rb
@@ -32,6 +32,12 @@ file 'environment-variables' do
  path "#{node['firezone']['var_directory']}/etc/env"

  attributes = node['firezone'].to_hash
+
+  # Remove sensitive fields
+  attributes.delete('wireguard_private_key')
+  attributes.delete('default_admin_password')
+
+  # Add needed fields
  attributes.merge!(
    'force_ssl' => node['firezone']['nginx']['force_ssl'],
    'mix_env' => 'prod'
--- a/omnibus/cookbooks/firezone/templates/sv-phoenix-run.erb
+++ b/omnibus/cookbooks/firezone/templates/sv-phoenix-run.erb
@@ -6,7 +6,7 @@ export LD_LIBRARY_PATH=<%= node['firezone']['install_directory'] %>/embedded/lib
 export DIR=<%= node['firezone']['app_directory'] %>
 export HOME=$DIR
 <%= "export OPENSSL_FIPS=1" if node['firezone']['fips_enabled'] == true %>
-<%= Firezone::Config.environment_variables_from(Firezone::Config.app_env(node['firezone'])) %>
+<%= Firezone::Config.environment_variables_from(Firezone::Config.app_env(node['firezone'], reject: ['default_admin_password'])) %>
 <%= Firezone::Config.locale_variables %>

 cd $DIR