jfraeysd/fetch_ml
0
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions 1
fetch_ml/scripts/setup-secure-homelab.sh
Jeremie Fraeys cd5640ebd2 Slim and secure: move scripts, clean configs, remove secrets 
- Move ci-test.sh and setup.sh to scripts/
- Trim docs/src/zig-cli.md to current structure
- Replace hardcoded secrets with placeholders in configs
- Update .gitignore to block .env*, secrets/, keys, build artifacts
- Slim README.md to reflect current CLI/TUI split
- Add cleanup trap to ci-test.sh
- Ensure no secrets are committed
2025-12-07 13:57:51 -05:00

169 lines
4.5 KiB
Bash
Executable file
Raw Blame History

This file contains invisible Unicode characters

This file contains invisible Unicode characters that are indistinguishable to humans but may be processed differently by a computer. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

#!/bin/bash
# Secure Homelab Setup Script for Fetch ML
# This script generates secure API keys and TLS certificates
set -euo pipefail
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
PROJECT_ROOT="$(dirname "$SCRIPT_DIR")"
CONFIG_DIR="$PROJECT_ROOT/configs/environments"
SSL_DIR="$PROJECT_ROOT/ssl"
echo "🔒 Setting up secure homelab configuration..."
# Create SSL directory
mkdir -p "$SSL_DIR"
# Generate TLS certificates
echo "📜 Generating TLS certificates..."
if [[ ! -f "$SSL_DIR/cert.pem" ]] || [[ ! -f "$SSL_DIR/key.pem" ]]; then
openssl req -x509 -newkey rsa:4096 -keyout "$SSL_DIR/key.pem" -out "$SSL_DIR/cert.pem" -days 365 -nodes \
-subj "/C=US/ST=Homelab/L=Local/O=FetchML/OU=Homelab/CN=localhost" \
-addext "subjectAltName=DNS:localhost,DNS:$(hostname),IP:127.0.0.1"
chmod 600 "$SSL_DIR/key.pem"
chmod 644 "$SSL_DIR/cert.pem"
echo "✅ TLS certificates generated in $SSL_DIR/"
else
echo " TLS certificates already exist, skipping generation"
fi
# Generate secure API keys
echo "🔑 Generating secure API keys..."
generate_api_key() {
openssl rand -hex 32
}
# Hash function
hash_key() {
echo -n "$1" | sha256sum | cut -d' ' -f1
}
# Generate keys
ADMIN_KEY=$(generate_api_key)
USER_KEY=$(generate_api_key)
ADMIN_HASH=$(hash_key "$ADMIN_KEY")
USER_HASH=$(hash_key "$USER_KEY")
# Create secure config
echo "⚙️ Creating secure configuration..."
cat > "$CONFIG_DIR/config-homelab-secure.yaml" << EOF
# Secure Homelab Configuration
# IMPORTANT: Keep your API keys safe and never share them!
redis:
url: "redis://localhost:6379"
max_connections: 10
auth:
enabled: true
api_keys:
homelab_admin:
hash: $ADMIN_HASH
admin: true
roles:
- admin
permissions:
'*': true
homelab_user:
hash: $USER_HASH
admin: false
roles:
- researcher
permissions:
'experiments': true
'datasets': true
'jupyter': true
server:
address: ":9101"
tls:
enabled: true
cert_file: "$SSL_DIR/cert.pem"
key_file: "$SSL_DIR/key.pem"
security:
rate_limit:
enabled: true
requests_per_minute: 60
burst_size: 10
ip_whitelist:
- "127.0.0.1"
- "::1"
- "localhost"
- "192.168.1.0/24" # Adjust to your network
- "10.0.0.0/8"
logging:
level: "info"
file: "logs/fetch_ml.log"
console: true
resources:
cpu_limit: "2"
memory_limit: "4Gi"
gpu_limit: 0
disk_limit: "10Gi"
# Prometheus metrics
metrics:
enabled: true
listen_addr: ":9100"
tls:
enabled: false
EOF
# Save API keys to a secure file
echo "🔐 Saving API keys..."
cat > "$PROJECT_ROOT/.api-keys" << EOF
# Fetch ML Homelab API Keys
# IMPORTANT: Keep this file secure and never commit to version control!
ADMIN_API_KEY: $ADMIN_KEY
USER_API_KEY: $USER_KEY
# Usage examples:
# curl -H "X-API-Key: $ADMIN_KEY" https://localhost:9101/health
# curl -H "X-API-Key: $USER_KEY" https://localhost:9101/api/jupyter/services
EOF
chmod 600 "$PROJECT_ROOT/.api-keys"
# Create environment file for JWT secret
JWT_SECRET=$(generate_api_key)
cat > "$PROJECT_ROOT/.env.secure" << EOF
# Secure environment variables for Fetch ML
# IMPORTANT: Keep this file secure and never commit to version control!
JWT_SECRET=$JWT_SECRET
# Source this file before running the server:
# source .env.secure
EOF
chmod 600 "$PROJECT_ROOT/.env.secure"
# Update .gitignore to exclude sensitive files
echo "📝 Updating .gitignore..."
if ! grep -q ".api-keys" "$PROJECT_ROOT/.gitignore"; then
echo -e "\n# Security files\n.api-keys\n.env.secure\nssl/\n*.pem\n*.key" >> "$PROJECT_ROOT/.gitignore"
fi
echo ""
echo "🎉 Secure homelab setup complete!"
echo ""
echo "📋 Next steps:"
echo "1. Review and adjust the IP whitelist in config-homelab-secure.yaml"
echo "2. Start the server with: ./api-server -config configs/environments/config-homelab-secure.yaml"
echo "3. Source the environment: source .env.secure"
echo "4. Your API keys are saved in .api-keys"
echo ""
echo "🔐 API Keys:"
echo " Admin: $ADMIN_KEY"
echo " User: $USER_KEY"
echo ""
echo "⚠️ IMPORTANT:"
echo " - Never share your API keys"
echo " - Never commit .api-keys or .env.secure to version control"
echo " - Backup your SSL certificates and API keys securely"
echo " - Consider using a password manager for storing keys"
Reference in a new issue View git blame Copy permalink