fix(bookstack): drop hardcoded secrets from defaults

bookstack_db_root_password, bookstack_db_password and
bookstack_admin_password shipped as real strings in defaults, despite
the comment two lines above promising 'empty defaults force assert to
fail until set'. The Validate task in tasks/main.yml asserts each is
non-empty, so set them to '' and let the assert do its job.

Mirror the docstring comment to show how to generate each one with
openssl rand.
Simon Bärlocher 2026-05-26 15:13:21 +02:00
parent 9d539d0da4
commit 1dbeece5f0
No known key found for this signature in database
GPG key ID: 63DE20495932047A

@ -38,9 +38,14 @@ bookstack_db_user: "bookstack"
# REQUIRED SECRETS — empty defaults force `assert` to fail until set.
# Provide via OpenBao lookup, Ansible Vault, or extra-vars.
# Never commit real secrets to version control.
bookstack_db_root_password: "txwmMJD9xTNz3Y73fPWSMPZTR2fEpfF5"
bookstack_db_password: "DgLYFudJg324yLydLxS3vmgux9LQL9bb"
bookstack_admin_password: "NE7TN7cTjCnLHJ2Y4xfiTp"
#
# Generate with:
# bookstack_db_root_password: openssl rand -base64 32 | tr -d '/+='
# bookstack_db_password: openssl rand -base64 32 | tr -d '/+='
# bookstack_admin_password: openssl rand -base64 24 | tr -d '/+='
bookstack_db_root_password: ""
bookstack_db_password: ""
bookstack_admin_password: ""
bookstack_oidc_client_secret: ""
# APP_KEY is generated automatically on first run and persisted on the host.
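
Review bot: The three strings on the removed lines (bookstack_db_root_password, bookstack_db_password, bookstack_admin_password) remain readable in the repository history after this change, so setting the defaults to "" does not retire them. Any host that was ever deployed with those defaults should have all three rotated, and the commit message or changelog should say so. In the new comment block, the "Generate with:" lines read like YAML assignments of a shell command to the variable; consider stating the command once (`openssl rand -base64 32 | tr -d '/+='`) and noting that the admin password uses 24 bytes instead of 32. The block header calls everything below it a required secret, but the commit message names only three variables as covered by the Validate assert; a short comment on whether bookstack_oidc_client_secret is asserted or optional would remove the ambiguity.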