mount secrets subfolder as read-only volume to protect them

Signed-off-by: Jakub Sokołowski <jakub@status.im>
2020-11-30 17:35:31 +01:00 · 2020-11-30 17:35:31 +01:00 · e48761352b
parent fbfb216910
commit e48761352b
2 changed files with 9 additions and 2 deletions
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -11,6 +11,9 @@ beacon_node_cont_vol: '/docker/{{ beacon_node_cont_name }}'
 beacon_node_cont_entrypoint: '/usr/local/bin/nimbus_beacon_node'
 beacon_node_cont_update_enabled: true

+# Subfolders for separate read-only mounting
+beacon_node_secrets_path: '{{ beacon_node_cont_vol }}/data/{{ beacon_node_data_folder }}/secrets'
+
 # connectivity settings
 beacon_node_discovery_port: 9000
 beacon_node_listening_port: 9000
--- a/tasks/compose.yml
+++ b/tasks/compose.yml
@ -6,6 +6,9 @@
    owner: dockremap
    group: docker
    mode: 0750
+  with_items:
+    - '{{ beacon_node_cont_vol }}/data'
+    - '{{ beacon_node_secrets_path }}'

 - name: Verify network name
  assert:
@ -31,6 +34,9 @@
            - '{{ beacon_node_listening_port }}:{{ beacon_node_listening_port }}/tcp'
            - '{{ beacon_node_discovery_port }}:{{ beacon_node_discovery_port }}/udp'
          entrypoint: '{{ beacon_node_cont_entrypoint }}'
+          volumes:
+            - '{{ beacon_node_cont_vol }}/data:/data'
+            - '{{ beacon_node_secrets_path }}:/data/{{ beacon_node_data_folder }}/secrets:ro'
          command: >-
            --network={{ beacon_node_network }}
            --data-dir='/data/{{ beacon_node_data_folder }}'
@ -47,5 +53,3 @@
            --metrics
            --metrics-address=0.0.0.0
            --metrics-port={{ beacon_node_metrics_port }}
-          volumes:
-            - '{{ beacon_node_cont_vol }}/data:/data'