rockstor · phillxnet · Nov 30, 2023 · Dec 1, 2023 · Dec 2, 2023 · Hooverdan96
diff --git a/conf/rockstor-bootstrap.service b/conf/rockstor-bootstrap.service
@@ -5,6 +5,7 @@ Requires=rockstor.service
 
 [Service]
 Environment="DJANGO_SETTINGS_MODULE=settings"
+Environment="PASSWORD_STORE_DIR=/root/.password-store"
 WorkingDirectory=/opt/rockstor
 ExecStart=/opt/rockstor/.venv/bin/bootstrap
 Type=oneshot

diff --git a/conf/rockstor-pre.service b/conf/rockstor-pre.service
@@ -5,7 +5,17 @@ Requires=postgresql.service
 
 [Service]
 Environment="DJANGO_SETTINGS_MODULE=settings"
+Environment="PASSWORD_STORE_DIR=/root/.password-store"
 WorkingDirectory=/opt/rockstor
+# Avoid `pass` stdout leaking generated passwords (N.B. 2>&1 >/dev/null failed).
+StandardOutput=null
+# Idempotent: failure tolerated for pgp as key likely already exists (rc 2).
+ExecStartPre=-/usr/bin/gpg --quick-generate-key --batch --passphrase '' rockstor@localhost
+# Idempotent.
+ExecStartPre=/usr/bin/pass init rockstor@localhost
+# Rotate Django SECRET_KEY: failure tolerated in rename in case of no prior SECRET_KEY.
+ExecStartPre=-/usr/bin/pass rename --force python-keyring/rockstor/SECRET_KEY python-keyring/rockstor/SECRET_KEY_FALLBACK
+ExecStartPre=/usr/bin/pass generate --no-symbols --force python-keyring/rockstor/SECRET_KEY 100
 ExecStart=/usr/local/bin/poetry run initrock
 Type=oneshot
 RemainAfterExit=yes

diff --git a/conf/rockstor.service b/conf/rockstor.service
@@ -5,6 +5,7 @@ Requires=rockstor-pre.service
 
 [Service]
 Environment="DJANGO_SETTINGS_MODULE=settings"
+Environment="PASSWORD_STORE_DIR=/root/.password-store"
 WorkingDirectory=/opt/rockstor
 ExecStart=/usr/local/bin/poetry run supervisord -c /opt/rockstor/etc/supervisord.conf
 ExecStop=/usr/local/bin/poetry run supervisorctl shutdown

diff --git a/poetry.lock b/poetry.lock
diff --git a/pyproject.toml b/pyproject.toml
@@ -81,6 +81,7 @@ psutil = "==5.9.4"
 pyzmq = "*"
 distro = "*"
 URLObject = "==2.1.1"
+keyring-pass = "*"
 # https://pypi.org/project/supervisor/ 4.1.0 onwards embeds unmaintained meld3
 supervisor = "==4.2.4"
 

diff --git a/src/rockstor/settings.py b/src/rockstor/settings.py
@@ -21,7 +21,10 @@
 import os
 import distro
 import secrets
+import keyring
+import keyring_pass
 from huey import SqliteHuey
+from keyring.errors import KeyringError
 
 # By default, DEBUG = False, honour this by True only if env var == "True"
 DEBUG = os.environ.get("DJANGO_DEBUG", "") == "True"
@@ -112,10 +115,25 @@
     "pipeline.finders.PipelineFinder",
 )
 
-# Make this unique, and don't share it with anybody.
-SECRET_KEY = "odk7(t)1y$ls)euj3$2xs7e^i=a9b&amp;xtf&amp;z=-2bz$687&amp;^q0+3"
+# Resource keyring for Django's cryptographic signing key.
+# https://docs.djangoproject.com/en/4.2/ref/settings/#secret-key
+# Used for Sessions, Messages, PasswordResetView tokens.
+# "... not used for passwords of users and key rotation will not affect them."
+SECRET_KEY = keyring.get_password("rockstor", "SECRET_KEY")
+
+try:
+    secret_key_fallback = keyring.get_password("rockstor", "SECRET_KEY_FALLBACK")
+    if secret_key_fallback is not None:
+        # New in Django 4.1: https://docs.djangoproject.com/en/4.2/ref/settings/#secret-key-fallbacks
+        SECRET_KEY_FALLBACKS = [secret_key_fallback]
+    else:
+        print("No SECRET_KEY_FALLBACK.")
+except keyring.errors.KeyringError:
+    print("KeyringError")
+
 
 # API client secret
+# TODO: move to install persistence and resourced from keyring.
 CLIENT_SECRET = secrets.token_urlsafe()
 
 # New in Django 1.8 to cover all prior TEMPLATE_* settings.