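#!/bin/bash
# Secure Homelab Setup Script for Fetch ML
#
# Generates a self-signed TLS certificate, two random API keys (admin and
# user) plus a JWT secret, and writes:
#   ssl/key.pem, ssl/cert.pem                        - TLS material
#   configs/environments/config-homelab-secure.yaml  - server config (key DIGESTS only)
#   .api-keys                                        - plaintext API keys (mode 600)
#   .env.secure                                      - JWT_SECRET (mode 600)
#
# Re-running is idempotent for TLS (an existing cert/key pair is kept) but
# would rotate every API key and the JWT secret, invalidating anything that
# already uses them.  The script therefore refuses to overwrite an existing
# .api-keys unless FORCE_ROTATE=1 is set in the environment.
#
# Requires: bash, openssl >= 1.1.1 (for -addext), sha256sum, hostname.
set -euo pipefail

SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
PROJECT_ROOT="$(dirname "$SCRIPT_DIR")"
CONFIG_DIR="$PROJECT_ROOT/configs/environments"
SSL_DIR="$PROJECT_ROOT/ssl"
readonly SCRIPT_DIR PROJECT_ROOT CONFIG_DIR SSL_DIR

echo "🔒 Setting up secure homelab configuration..."

# Refuse to silently rotate the credentials of an existing installation.
if [[ -f "$PROJECT_ROOT/.api-keys" && "${FORCE_ROTATE:-0}" != "1" ]]; then
  echo "❌ $PROJECT_ROOT/.api-keys already exists." >&2
  echo "   Re-running would rotate all API keys and the JWT secret." >&2
  echo "   Set FORCE_ROTATE=1 to rotate them anyway." >&2
  exit 1
fi

# Create both output directories up front; the config heredoc below fails if
# CONFIG_DIR is missing.  Directories are created before the umask change so
# they stay traversable with the caller's normal permissions.
mkdir -p "$SSL_DIR" "$CONFIG_DIR"

# Every file written from here on may contain a secret.  Restrict permissions
# at creation time instead of chmod-ing afterwards, so there is no window in
# which key.pem, .api-keys or .env.secure are readable by other users.  Files
# that are meant to be shareable (cert.pem, the config) are relaxed explicitly.
umask 077

# --- TLS ---------------------------------------------------------------------
echo "📜 Generating TLS certificates..."
if [[ -f "$SSL_DIR/cert.pem" && -f "$SSL_DIR/key.pem" ]]; then
  echo "ℹ️  TLS certificates already exist, skipping generation"
else
  # Self-signed, valid one year.  -nodes leaves the private key unencrypted so
  # the server can start unattended: file permissions are its only protection.
  # The SAN covers localhost, this machine's hostname and the loopback IP;
  # clients that connect by any other name or IP will fail verification.
  openssl req -x509 -newkey rsa:4096 -keyout "$SSL_DIR/key.pem" -out "$SSL_DIR/cert.pem" -days 365 -nodes \
    -subj "/C=US/ST=Homelab/L=Local/O=FetchML/OU=Homelab/CN=localhost" \
    -addext "subjectAltName=DNS:localhost,DNS:$(hostname),IP:127.0.0.1"
  chmod 600 "$SSL_DIR/key.pem"
  chmod 644 "$SSL_DIR/cert.pem"   # the certificate is public
  echo "✅ TLS certificates generated in $SSL_DIR/"
fi

# --- Secrets -----------------------------------------------------------------
echo "🔑 Generating secure API keys..."

#######################################
# Print a fresh 256-bit random secret as 64 hex characters.
# Uses the OpenSSL CSPRNG rather than bash's $RANDOM.
# Outputs: the key on stdout
#######################################
generate_api_key() {
  openssl rand -hex 32
}

#######################################
# Print the hex SHA-256 digest of a key.
# The server config stores only this digest, never the key itself.  An
# unsalted fast hash is adequate because the input is a 256-bit random key,
# not a human-chosen password, so offline guessing is infeasible.
# Arguments: $1 - the plaintext key
# Outputs:   64 hex characters on stdout
#######################################
hash_key() {
  # printf rather than echo: a key can never be mis-parsed as an echo option.
  printf '%s' "$1" | sha256sum | cut -d' ' -f1
}

ADMIN_KEY="$(generate_api_key)"
USER_KEY="$(generate_api_key)"
JWT_SECRET="$(generate_api_key)"
ADMIN_HASH="$(hash_key "$ADMIN_KEY")"
USER_HASH="$(hash_key "$USER_KEY")"

# --- Server config (digests only, no plaintext secrets) ----------------------
echo "⚙️  Creating secure configuration..."
CONFIG_FILE="$CONFIG_DIR/config-homelab-secure.yaml"
cat > "$CONFIG_FILE" << EOF
# Secure Homelab Configuration
# IMPORTANT: Keep your API keys safe and never share them!
# This file holds only SHA-256 digests of the keys; the keys themselves are in .api-keys.

redis:
  # No credentials: only safe while Redis listens on loopback. Add a password
  # (redis://:password@host:port) if Redis is reachable from other hosts.
  url: "redis://localhost:6379"
  max_connections: 10

auth:
  enabled: true
  api_keys:
    homelab_admin:
      hash: $ADMIN_HASH
      admin: true
      roles:
        - admin
      permissions:
        '*': true
    homelab_user:
      hash: $USER_HASH
      admin: false
      roles:
        - researcher
      permissions:
        'experiments': true
        'datasets': true
        'jupyter': true

server:
  address: ":9101"   # all interfaces; access is limited by ip_whitelist below
  tls:
    enabled: true
    cert_file: "$SSL_DIR/cert.pem"
    key_file: "$SSL_DIR/key.pem"

security:
  rate_limit:
    enabled: true
    requests_per_minute: 60
    burst_size: 10
  # Narrow this list to the subnets that actually need access.
  # 10.0.0.0/8 is the entire private 10.x range (16M addresses) - replace it
  # with your real LAN prefix, and drop "localhost" if your server expects
  # IP literals/CIDRs only.
  ip_whitelist:
    - "127.0.0.1"
    - "::1"
    - "localhost"
    - "192.168.1.0/24"  # Adjust to your network
    - "10.0.0.0/8"

logging:
  level: "info"
  file: "logs/fetch_ml.log"
  console: true

resources:
  cpu_limit: "2"
  memory_limit: "4Gi"
  gpu_limit: 0
  disk_limit: "10Gi"

# Prometheus metrics
# Served in plaintext on every interface; bind to 127.0.0.1:9100 or enable
# TLS unless the scraper runs on this host.
metrics:
  enabled: true
  listen_addr: ":9100"
  tls:
    enabled: false
EOF
# The config contains only key digests and paths, so it may stay readable by
# other local users (e.g. a service account that runs the server).
chmod 644 "$CONFIG_FILE"

# --- Plaintext API keys (mode 600 via umask) ----------------------------------
echo "🔐 Saving API keys..."
cat > "$PROJECT_ROOT/.api-keys" << EOF
# Fetch ML Homelab API Keys
# IMPORTANT: Keep this file secure and never commit to version control!

ADMIN_API_KEY: $ADMIN_KEY
USER_API_KEY: $USER_KEY

# Usage examples:
# curl -H "X-API-Key: $ADMIN_KEY" https://localhost:9101/health
# curl -H "X-API-Key: $USER_KEY" https://localhost:9101/api/jupyter/services
EOF
chmod 600 "$PROJECT_ROOT/.api-keys"

# --- JWT secret (mode 600 via umask) ------------------------------------------
cat > "$PROJECT_ROOT/.env.secure" << EOF
# Secure environment variables for Fetch ML
# IMPORTANT: Keep this file secure and never commit to version control!

JWT_SECRET=$JWT_SECRET

# Source this file before running the server:
# source .env.secure
EOF
chmod 600 "$PROJECT_ROOT/.env.secure"

# --- .gitignore ---------------------------------------------------------------
echo "📝 Updating .gitignore..."
GITIGNORE="$PROJECT_ROOT/.gitignore"
# -F: literal match (a bare '.' would otherwise match any character).
# A missing .gitignore makes grep fail, which correctly leads to creating it.
if ! grep -qF -- '.api-keys' "$GITIGNORE" 2>/dev/null; then
  printf '\n# Security files\n.api-keys\n.env.secure\nssl/\n*.pem\n*.key\n' >> "$GITIGNORE"
fi

# --- Summary ------------------------------------------------------------------
# The keys are deliberately NOT echoed to the terminal: stdout ends up in
# scrollback, terminal loggers, screen recordings and CI output.  They are in
# .api-keys (mode 600) for whoever needs them.
echo ""
echo "🎉 Secure homelab setup complete!"
echo ""
echo "📋 Next steps:"
echo "1. Review and adjust the IP whitelist in config-homelab-secure.yaml"
echo "2. Source the environment: source .env.secure"
echo "3. Start the server with: ./api-server -config configs/environments/config-homelab-secure.yaml"
echo "4. Your API keys are saved in $PROJECT_ROOT/.api-keys (mode 600)"
echo ""
echo "⚠️  IMPORTANT:"
echo "  - Never share your API keys"
echo "  - Never commit .api-keys or .env.secure to version control"
echo "  - Backup your SSL certificates and API keys securely"
echo "  - Consider using a password manager for storing keys"
echo "  - Re-run with FORCE_ROTATE=1 to rotate all keys (existing clients will be locked out)"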