fix docker backend and secrets setup

Author: itsbekas

backend/Dockerfile

@@ -29,6 +29,11 @@ FROM python:3.13-slim-bookworm AS runner
 
 WORKDIR /app
 
+# Install necessary runtime dependencies
+RUN apt-get update && apt-get install -y --no-install-recommends \
+    libmariadb3 && \
+    rm -rf /var/lib/apt/lists/*
+
 # Copy necessary files from the builder stage
 COPY --from=builder /app /app
 

backend/lifehub/config/checks.py

@@ -4,7 +4,6 @@
 from lifehub.config.constants import cfg
 from lifehub.config.providers import setup_providers
 from lifehub.config.util.schemas import *  # noqa: F401,F403
-from lifehub.config.vault import setup_vault
 from lifehub.core.common.base.db_model import BaseModel
 from lifehub.core.common.database_service import get_engine, get_session
 from lifehub.core.provider.repository.provider import ProviderRepository

docker-compose.yml

@@ -1,5 +1,3 @@
-version: "3.8"
-
 services:
   lifehub-backend:
     build:
@@ -8,15 +6,16 @@ services:
     environment:
       - ENVIRONMENT=production
       - UVICORN_HOST=0.0.0.0
-      - DB_HOST=lifehub-mariadb
+      - DB_HOST=host.docker.internal
       - DB_NAME=lifehub
       - FRONTEND_URL=http://lifehub-frontend
-      - VAULT_ADDR=http://192.168.100.1:8200
+      - VAULT_ADDR=http://host.docker.internal:8200
       - VAULT_APPROLE_ROLE_ID=${VAULT_APPROLE_ROLE_ID}
       - VAULT_APPROLE_SECRET_ID=${VAULT_APPROLE_SECRET_ID}
     networks:
-      - vault-net
       - lifehub-net
+    extra_hosts:
+      - "host.docker.internal:host-gateway"
 
   lifehub-frontend:
     build:
@@ -34,11 +33,5 @@ services:
       - lifehub-net
 
 networks:
-  vault-net:
-    external: true
   lifehub-net:
     driver: bridge
-
-volumes:
-  dbdata:
-    driver: local

load-secrets.sh

@@ -0,0 +1,29 @@
+#!/bin/bash
+
+# Load the .env file
+set -a
+. backend/.env
+set +a
+
+set -e  # Exit on error
+set -u  # Treat unset variables as errors
+set -o pipefail  # Catch pipeline errors
+
+# Write to kv/lifehub/metadata
+vault kv put kv/lifehub/metadata \
+    AUTH_SECRET_KEY="$AUTH_SECRET_KEY" \
+    ADMIN_PASSWORD="$ADMIN_PASSWORD"
+
+vault kv put kv/lifehub/api-tokens \
+    GOCARDLESS_CLIENT_ID="$GOCARDLESS_CLIENT_ID" \
+    GOCARDLESS_CLIENT_SECRET="$GOCARDLESS_CLIENT_SECRET" \
+    GOOGLE_CALENDAR_CLIENT_ID="$GOOGLE_CALENDAR_CLIENT_ID" \
+    GOOGLE_CALENDAR_CLIENT_SECRET="$GOOGLE_CALENDAR_CLIENT_SECRET" \
+    GOOGLE_TASKS_CLIENT_ID="$GOOGLE_TASKS_CLIENT_ID" \
+    GOOGLE_TASKS_CLIENT_SECRET="$GOOGLE_TASKS_CLIENT_SECRET" \
+    SPOTIFY_CLIENT_ID="$SPOTIFY_CLIENT_ID" \
+    SPOTIFY_CLIENT_SECRET="$SPOTIFY_CLIENT_SECRET" \
+    STRAVA_CLIENT_ID="$STRAVA_CLIENT_ID" \
+    STRAVA_CLIENT_SECRET="$STRAVA_CLIENT_SECRET" \
+    YNAB_CLIENT_ID="$YNAB_CLIENT_ID" \
+    YNAB_CLIENT_SECRET="$YNAB_CLIENT_SECRET"

mariadb/setup-db.sh

@@ -1,66 +1,76 @@
 #!/bin/bash
 
-db_name=lifehub
+set -e  # Exit on error
+set -u  # Treat unset variables as errors
+set -o pipefail  # Catch pipeline errors
 
-db_user=lifehub
-db_password=testing
+VAULT_ADDR="http://localhost:8200"
+export VAULT_ADDR
+
+
+db_name="lifehub"
+db_user="lifehub"
+db_password="testing" # TODO: Read from env or vault
+db_host="localhost"
 
 vault_user="vault"
-vault_password="vault-testing"
+vault_password=$(vault kv get -field=password kv/vault-metadata/mariadb)
+vault_host="localhost"
+#vault_host="bernardo-arch"
 
 # Must be root to run this script
-if [ "$(id -u)" -ne 0 ]; then
-  echo "Error: This script must be run as root"
-  exit 1
-fi
+#if [ "$(id -u)" -ne 0 ]; then
+#  echo "Error: This script must be run as root"
+#  exit 1
+#fi
 
 # Check if mariadb is running
 echo "Checking if MariaDB is running..."
-if ! mariadb-admin ping -h localhost --silent; then
+if ! sudo mariadb-admin ping -h localhost --silent; then
   echo "Error: MariaDB is not running"
   exit 1
 fi
 
 # Setup the database and user for the application
 echo "Setting up database and user..."
-mariadb -u root <<EOF
+sudo mariadb -u root <<EOF
 CREATE DATABASE IF NOT EXISTS ${db_name};
-CREATE USER IF NOT EXISTS '${db_user}'@'%' IDENTIFIED BY '${db_password}';
-GRANT ALL PRIVILEGES ON ${db_name}.* TO '${db_user}'@'%';
+CREATE USER IF NOT EXISTS '${db_user}'@'${vault_host}' IDENTIFIED BY '${db_password}';
+GRANT ALL PRIVILEGES ON ${db_name}.* TO '${db_user}'@'${vault_host}';
 FLUSH PRIVILEGES;
 EOF
 
 # Check if the database was created
-if ! mariadb -u root -e "USE ${db_name}"; then
+if ! sudo mariadb -u root -e "USE ${db_name}"; then
   echo "Error: Failed to create database"
   exit 1
 fi
 
 # Check if the user was created
-if ! mariadb -u root -e "SELECT User FROM mysql.user WHERE User='${db_user}'"; then
+if ! sudo mariadb -u root -e "SELECT User FROM mysql.user WHERE User='${db_user}'"; then
   echo "Error: Failed to create user"
   exit 1
 fi
 
 # Setup Vault user and grant privileges
 # This user is used by the Vault server to create ephemeral users for applications
 echo "Setting up Vault user and granting privileges..."
-mariadb -u root <<EOF
-CREATE USER IF NOT EXISTS '${vault_user}'@'%' IDENTIFIED BY '${vault_password}';
-GRANT CREATE USER, DROP, SELECT, INSERT, UPDATE, DELETE, ALTER, EXECUTE ON *.* TO '${vault_user}'@'%';
-GRANT ALL PRIVILEGES ON mysql.* TO '${vault_user}'@'%';
-GRANT ALL PRIVILEGES ON ${db_name}.* TO '${vault_user}'@'%' WITH GRANT OPTION;
+sudo mariadb -u root <<EOF
+CREATE USER IF NOT EXISTS '${vault_user}'@'${vault_host}' IDENTIFIED BY '${vault_password}';
+GRANT CREATE USER, DROP, SELECT, INSERT, UPDATE, DELETE, ALTER, EXECUTE ON *.* TO '${vault_user}'@'${vault_host}';
+GRANT ALL PRIVILEGES ON mysql.* TO '${vault_user}'@'${vault_host}';
+GRANT ALL PRIVILEGES ON ${db_name}.* TO '${vault_user}'@'${vault_host}' WITH GRANT OPTION;
 FLUSH PRIVILEGES;
 EOF
 
 # Check if the Vault user was created
-if ! mariadb -u root -e "SELECT User FROM mysql.user WHERE User='${vault_user}'"; then
+if ! sudo mariadb -u root -e "SELECT User FROM mysql.user WHERE User='${vault_user}'"; then
   echo "Error: Failed to create Vault user"
   exit 1
 fi
 
 # Check if the Vault user has the correct privileges
-if ! mariadb -u root -e "SHOW GRANTS FOR '${vault_user}'@'%'"; then
+if ! sudo mariadb -u root -e "SHOW GRANTS FOR '${vault_user}'@'${vault_host}'"; then
   echo "Error: Failed to grant privileges to Vault user"
   exit 1
 fi

setup-vault.sh

@@ -1,16 +1,16 @@
 #!/bin/bash
 
-set -e  # Exit on error
+# set -e  # Exit on error
 set -u  # Treat unset variables as errors
 set -o pipefail  # Catch pipeline errors
 
 # Vault address and login
-VAULT_ADDR="http://192.168.100.1:8200"
+VAULT_ADDR="http://localhost:8200"
 export VAULT_ADDR
 
 # Always make sure these are synced with the backend config
 DB_NAME="lifehub"
-DB_HOST="192.168.100.1"
+DB_HOST="localhost"
 VAULT_DB_USER="vault"
 VAULT_DB_ROLE="lifehub-app"
 VAULT_DB_ADMIN_ROLE="lifehub-admin"
@@ -70,8 +70,8 @@ else
 fi
 
 # --- Setup Vault Policies ---
-echo "Applying user-keystore policy..."
-vault policy write user-keystore - <<EOF
+echo "Applying lifehub-user policy..."
+vault policy write lifehub-user - <<EOF
 # Allow users to encrypt data using only their own KEK
 path "transit/lifehub/encrypt/user-{{identity.entity.id}}" {
     capabilities = ["update"]
@@ -88,8 +88,8 @@ path "kv/lifehub/user-keys/{{identity.entity.id}}" {
 }
 EOF
 
-echo "Applying backend-keystore policy..."
-vault policy write backend-keystore - <<EOF
+echo "Applying lifehub-app policy..."
+vault policy write lifehub-app - <<EOF
 # Backend can encrypt data using any user's KEK
 path "transit/lifehub/encrypt/user-*" {
     capabilities = ["update"]
@@ -105,10 +105,26 @@ path "transit/lifehub/keys/user-*" {
     capabilities = ["create", "update", "read", "delete"]
 }
 
-# Backend has full access to all user KEK metadata in Vault KV
-path "kv/lifehub/user-keys/*" {
+# Backend has full access to all data in the lifehub KV store
+path "kv/lifehub/*" {
     capabilities = ["create", "update", "read", "delete"]
 }
+
+# Backend can read and write to the lifehub database
+path "database/lifehub/*" {
+    capabilities = ["create", "read", "update", "delete"]
+}
 EOF
 
+# --- Setup Vault Auth Methods ---
+echo "Enabling AppRole authentication..."
+vault auth enable approle &> /dev/null || echo "AppRole authentication already enabled."
+
+echo "Creating AppRole for lifehub-app..."
+vault write auth/approle/role/lifehub-app \
+    token_policies="lifehub-app" \
+    token_ttl="10m" \
+    token_max_ttl="30m" \
+    secret_id_num_uses="1" &> /dev/null
+
 echo "Vault setup completed successfully!"