diff --git a/Dockerfile b/Dockerfile
index 797a45e..cfb0735 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -2,7 +2,7 @@ FROM oven/bun:1.2.9-alpine AS base
 WORKDIR /app
-RUN apk add --no-cache libc6-compat python3 make g++ gcc wget sqlite
+RUN apk add --no-cache libc6-compat python3 make g++ gcc wget sqlite openssl
 # ----------------------------
 FROM base AS deps
diff --git a/README.md b/README.md
index 4360623..80a34c6 100644
--- a/README.md
+++ b/README.md
@@ -233,8 +233,10 @@ The Docker container can be configured with the following environment variables:
 - `DATABASE_URL`: SQLite database URL (default: `file:data/gitea-mirror.db`)
 - `HOST`: Host to bind to (default: `0.0.0.0`)
 - `PORT`: Port to listen on (default: `4321`)
-- `JWT_SECRET`: Secret key for JWT token generation (important for security)
+- `JWT_SECRET`: Secret key for JWT token generation (auto-generated if not provided)
+> [!TIP]
+> For security, Gitea Mirror will automatically generate a secure random JWT secret on first run if one isn't provided or if the default value is used. This generated secret is stored in the data directory for persistence across container restarts.
 #### Manual Installation
diff --git a/docker-entrypoint.sh b/docker-entrypoint.sh
index a9905f6..08f4d60 100644
--- a/docker-entrypoint.sh
+++ b/docker-entrypoint.sh
@@ -5,6 +5,31 @@ set -e
 # Ensure data directory exists
 mkdir -p /app/data
+# Generate a secure JWT secret if one isn't provided or is using the default value
+JWT_SECRET_FILE="/app/data/.jwt_secret"
+if [ "$JWT_SECRET" = "your-secret-key-change-this-in-production" ] || [ -z "$JWT_SECRET" ]; then
+ # Check if we have a previously generated secret
+ if [ -f "$JWT_SECRET_FILE" ]; then
+ echo "Using previously generated JWT secret"
+ export JWT_SECRET=$(cat "$JWT_SECRET_FILE")
+ else
+ echo "Generating a secure random JWT secret"
+ # Try to generate a secure random string using OpenSSL
+ if command -v openssl >/dev/null 2>&1; then
+ GENERATED_SECRET=$(openssl rand -hex 32)
+ else
+ # Fallback to using /dev/urandom if openssl is not available
+ echo "OpenSSL not found, using fallback method for random generation"
+ GENERATED_SECRET=$(head -c 32 /dev/urandom | sha256sum | cut -d' ' -f1)
+ fi
+ export JWT_SECRET="$GENERATED_SECRET"
+ # Save the secret to a file for persistence across container restarts
+ echo "$GENERATED_SECRET" > "$JWT_SECRET_FILE"
+ chmod 600 "$JWT_SECRET_FILE"
+ fi
+ echo "JWT_SECRET has been set to a secure random value"
+fi
+
 # Skip dependency installation entirely for pre-built images
 # Dependencies are already installed during the Docker build process
diff --git a/src/content/docs/configuration.md b/src/content/docs/configuration.md
index 459754e..23bba74 100644
--- a/src/content/docs/configuration.md
+++ b/src/content/docs/configuration.md
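Review bot: The persistence step writes the secret with `echo "$GENERATED_SECRET" > "$JWT_SECRET_FILE"` before the `chmod 600`, so the file is created with the process umask (commonly 0644) and is readable by other users of the container until the next line runs; creating it under a restrictive umask closes that window, e.g. `(umask 077; printf '%s\n' "$GENERATED_SECRET" > "$JWT_SECRET_FILE")` in place of the echo/chmod pair. On the reuse branch, `export JWT_SECRET=$(cat "$JWT_SECRET_FILE")` masks a failed `cat` under `set -e` (the status checked is that of `export`) and accepts an empty or truncated file, after which the script still prints "JWT_SECRET has been set to a secure random value"; reading into a plain variable and rejecting an empty result before exporting avoids signing tokens with an empty secret. Since the secret now lives beside the database in `/app/data`, a comment on the `JWT_SECRET_FILE=` line such as `# NOTE: backups and bind mounts of /app/data carry the JWT signing key` would help operators handle that directory accordingly.
```shell
  if [ -f "$JWT_SECRET_FILE" ]; then
    echo "Using previously generated JWT secret"
    JWT_SECRET=$(cat "$JWT_SECRET_FILE")
    if [ -z "$JWT_SECRET" ]; then
      echo "JWT secret file $JWT_SECRET_FILE is empty; remove it to regenerate" >&2
      exit 1
    fi
    export JWT_SECRET
  else
    # … unchanged: secret generation via openssl or /dev/urandom …
    export JWT_SECRET="$GENERATED_SECRET"
    # Create the file owner-only from the start instead of chmod after a 0644 write
    (umask 077; printf '%s\n' "$GENERATED_SECRET" > "$JWT_SECRET_FILE")
  fi
```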
@@ -25,13 +25,15 @@ The following environment variables can be used to configure Gitea Mirror:
 |----------|-------------|---------------|---------|
 | `NODE_ENV` | Runtime environment (development, production, test) | `development` | `production` |
 | `DATABASE_URL` | SQLite database URL | `file:data/gitea-mirror.db` | `file:path/to/your/database.db` |
-| `JWT_SECRET` | Secret key for JWT authentication | `your-secret-key-change-this-in-production` | `your-secure-random-string` |
+| `JWT_SECRET` | Secret key for JWT authentication | Auto-generated secure random string | `your-secure-random-string` |
 | `HOST` | Server host | `localhost` | `0.0.0.0` |
 | `PORT` | Server port | `4321` | `8080` |
 ### Important Security Note
-In production environments, you should always set a strong, unique `JWT_SECRET` to ensure secure authentication.
+The application will automatically generate a secure random `JWT_SECRET` on first run if one isn't provided or if the default value is used. This generated secret is stored in the data directory for persistence across container restarts.
+
+While this auto-generation feature provides good security by default, you can still explicitly set your own `JWT_SECRET` for complete control over your deployment.
 ## Web UI Configuration