From 1dbeece5f06ec4362ca3a7c39023405c49a0f2f1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Simon=20B=C3=A4rlocher?=
Date: Tue, 26 May 2026 15:13:21 +0200
Subject: [PATCH] fix(bookstack): drop hardcoded secrets from defaults

bookstack_db_root_password, bookstack_db_password and bookstack_admin_password shipped as real strings in defaults, despite the comment two lines above promising 'empty defaults force assert to fail until set'. The Validate task in tasks/main.yml asserts each is non-empty, so set them to '' and let the assert do its job. Mirror the docstring comment to show how to generate each one with openssl rand.
---
 roles/bookstack/defaults/main.yml | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/roles/bookstack/defaults/main.yml b/roles/bookstack/defaults/main.yml
index 152a6c2..3efbadb 100644
--- a/roles/bookstack/defaults/main.yml
+++ b/roles/bookstack/defaults/main.yml
@@ -38,9 +38,14 @@ bookstack_db_user: "bookstack"
 # REQUIRED SECRETS — empty defaults force `assert` to fail until set.
 # Provide via OpenBao lookup, Ansible Vault, or extra-vars.
 # Never commit real secrets to version control.
-bookstack_db_root_password: "txwmMJD9xTNz3Y73fPWSMPZTR2fEpfF5"
-bookstack_db_password: "DgLYFudJg324yLydLxS3vmgux9LQL9bb"
-bookstack_admin_password: "NE7TN7cTjCnLHJ2Y4xfiTp"
+#
+# Generate with:
+# bookstack_db_root_password: openssl rand -base64 32 | tr -d '/+='
+# bookstack_db_password: openssl rand -base64 32 | tr -d '/+='
+# bookstack_admin_password: openssl rand -base64 24 | tr -d '/+='
+bookstack_db_root_password: ""
+bookstack_db_password: ""
+bookstack_admin_password: ""
 bookstack_oidc_client_secret: ""
 
 # APP_KEY is generated automatically on first run and persisted on the host.
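Review bot: Blanking the three passwords does not revoke them — the removed values remain in git history (and in this very patch), so any host that was ever provisioned with these defaults still accepts them, and the new comment block should say so; I would add `# Values that were ever committed here are in git history — treat them as compromised and rotate them on every host.` under the "Never commit real secrets" line, and track the rotation and any history rewrite outside this change. The protection now rests entirely on the `assert` in tasks/main.yml, which this hunk does not show; if that task can be skipped (tags, `--start-at-task`) the role would proceed with an empty MariaDB root password, so it is worth confirming the assert is unconditional and untagged. As a minor point on the generation hint, `tr -d '/+='` yields a variable-length string, and `openssl rand -hex 32` gives the same entropy with no filtering and no shell-quoting hazard, e.g. `# bookstack_db_root_password: openssl rand -hex 32`.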