1Password / connect

Access your 1Password secrets using a 1Password Connect Server
https://developer.1password.com/docs/connect

Provide releases with binaries or packages to deploy using SystemD. #79

Open rwenz3l opened 5 months ago

rwenz3l commented 5 months ago

For people in non-cloud native infrastructures, it would be really helpful to provide the connect-server as compiled binaries or even as packages (rpm/deb). Also system service files in the examples would be nice.

I had to put in some trial and error to get this running, but it's totally possible and I think the simplicity of SystemD is sometimes better than the docker/k8s/ecs configuration for smaller environments.

[!NOTE] The cli binaries can be extracted from the docker images like so:

```shell
# Pull each image for the target platform, create (but do not start) a container
# from it, and export the container filesystem to a tarball.
docker pull --platform linux/amd64 1password/connect-api:latest
container_id=$(docker create --platform linux/amd64 1password/connect-api:latest)
docker export "${container_id}" -o connect-api.tar
docker rm "${container_id}"

docker pull --platform linux/amd64 1password/connect-sync:latest
container_id=$(docker create --platform linux/amd64 1password/connect-sync:latest)
docker export "${container_id}" -o connect-sync.tar
docker rm "${container_id}"

# Only the bin/ directory (the connect-api / connect-sync binaries) is needed.
tar -xf connect-api.tar bin/
tar -xf connect-sync.tar bin/

rm -f connect-api.tar
rm -f connect-sync.tar
```

[!NOTE] The way one might deploy varies; I created a dedicated user, similar to what is done in the docker image:

```shell
# binaries are simply copied into /usr/local/bin

# system account with no login shell, home directory doubles as the data directory
adduser --system --home /srv/connect-server opuser
mkdir -p /srv/connect-server/.op/data
chown -R opuser: /srv/connect-server
# the .op directory holds the database and credentials; owner-only access
chmod -R 700 /srv/connect-server/.op
```

Now all that is missing are the service files:

```ini
# /etc/systemd/system/connect-sync.service
[Unit]
Description=1Password Connect Server SYNC
Documentation=https://github.com/1Password/connect/blob/main/docs/configuration.md
Wants=network-online.target
After=network-online.target

[Service]
User=opuser
Group=opuser
Environment=OP_HTTP_PORT=8081
Environment=OP_BUS_PORT=10001
Environment=OP_BUS_PEERS=localhost:10000
ExecStart=/usr/local/bin/connect-sync

[Install]
WantedBy=multi-user.target
```

```ini
# /etc/systemd/system/connect-api.service
[Unit]
Description=1Password Connect Server API
Documentation=https://github.com/1Password/connect/blob/main/docs/configuration.md
Wants=network-online.target
After=network-online.target

# Depends on connect-sync to create the database first.
Wants=connect-sync.service
After=connect-sync.service

[Service]
User=opuser
Group=opuser
Environment=OP_HTTP_PORT=8080
Environment=OP_BUS_PORT=10000
Environment=OP_BUS_PEERS=localhost:10001
ExecStart=/usr/local/bin/connect-api

[Install]
WantedBy=multi-user.target
```

Files can be copied into /etc/systemd/system/ and then started:

```shell
systemctl daemon-reload
systemctl enable --now connect-sync.service
systemctl enable --now connect-api.service
```

[!IMPORTANT] Of course we also need to create the same connect-server in the web-ui or via the 1password-cli to get the credentials.json, and the file needs to be placed in the created service directory, similar to the other deployments.

I also noticed that the currently compiled binaries are built using go1.20.6, which is about 7 months old and will be EOL once go1.22 releases - I expect that to be soon.

I think going for #37 is a bit too much, since we can still inspect the image and find the versions by other means, but it would be much appreciated if this information is not "hidden", but shown clearly. Maybe even a warning is appropriate here.

> When building Connect we've taken a great deal in care in making sure to provide you with the same level of security that you have come to expect with 1Password.

I mean, the docker image on docker-hub is 6 months old now, which does not convey "we take security seriously".
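The two unit files above only work when the bus ports are cross-wired correctly (each unit's OP_BUS_PEERS has to name the other unit's OP_BUS_PORT) and both services run as the same non-root user over the shared data directory. The following is an added example, not code from the 1Password/connect project: a small systemd unit parser plus a consistency check for a connect-sync/connect-api pair. The unit texts embedded in it are constructed from the layout in this issue; the check names and the assumption that both peers are on localhost are mine.

```python
"""Sanity-check a connect-sync / connect-api systemd unit pair before enabling it.

Checks: bus ports are cross-wired, HTTP and bus ports are distinct, both units
run as the same dedicated non-root user, and the API unit is ordered after sync.
"""
from collections import defaultdict

# Constructed sample units mirroring the issue's layout (assumed values).
SYNC_UNIT = """\
[Unit]
Description=1Password Connect Server SYNC
Wants=network-online.target
After=network-online.target

[Service]
User=opuser
Group=opuser
Environment=OP_HTTP_PORT=8081
Environment=OP_BUS_PORT=10001
Environment=OP_BUS_PEERS=localhost:10000
ExecStart=/usr/local/bin/connect-sync

[Install]
WantedBy=multi-user.target
"""

API_UNIT = """\
[Unit]
Description=1Password Connect Server API
Wants=network-online.target
After=network-online.target
# Depends on connect-sync to create the database first.
Wants=connect-sync.service
After=connect-sync.service

[Service]
User=opuser
Group=opuser
Environment=OP_HTTP_PORT=8080
Environment=OP_BUS_PORT=10000
Environment=OP_BUS_PEERS=localhost:10001
ExecStart=/usr/local/bin/connect-api

[Install]
WantedBy=multi-user.target
"""

# A deliberately broken variant (constructed): wrong peer port and running as root.
BAD_API_UNIT = API_UNIT.replace("localhost:10001", "localhost:10002").replace("User=opuser", "User=root")


def parse_unit(text):
    """Parse a systemd unit into {section: {key: [values, ...]}}.

    systemd lets keys repeat (Environment=, After=, Wants=), so every key maps
    to a list; an empty assignment ('Key=') clears earlier values, as in systemd.
    """
    sections = defaultdict(lambda: defaultdict(list))
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            continue
        if current is None or "=" not in line:
            raise ValueError(f"malformed unit line: {raw!r}")
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if value == "":
            sections[current][key] = []
        else:
            sections[current][key].append(value)
    return sections


def environment(unit):
    """Flatten Environment=KEY=VAL entries into a dict (later entries win).

    Simplification: values are split on whitespace, so quoted values containing
    spaces are not handled; the Connect variables here never contain spaces.
    """
    env = {}
    for entry in unit["Service"].get("Environment", []):
        for assignment in entry.split():
            k, _, v = assignment.partition("=")
            env[k] = v.strip('"')
    return env


def peer_port(env):
    """Port of the first OP_BUS_PEERS entry (host:port[,host:port...]), or None."""
    first = env.get("OP_BUS_PEERS", "").split(",")[0]
    return first.rsplit(":", 1)[-1] if ":" in first else None


def check_pair(sync_text, api_text):
    """Return a list of problems; an empty list means the pair is consistent."""
    sync, api = parse_unit(sync_text), parse_unit(api_text)
    senv, aenv = environment(sync), environment(api)
    problems = []
    if peer_port(senv) != aenv.get("OP_BUS_PORT"):
        problems.append("sync OP_BUS_PEERS does not point at api OP_BUS_PORT")
    if peer_port(aenv) != senv.get("OP_BUS_PORT"):
        problems.append("api OP_BUS_PEERS does not point at sync OP_BUS_PORT")
    ports = {senv.get("OP_HTTP_PORT"), aenv.get("OP_HTTP_PORT"),
             senv.get("OP_BUS_PORT"), aenv.get("OP_BUS_PORT")}
    if len(ports) != 4 or None in ports:
        problems.append("OP_HTTP_PORT / OP_BUS_PORT values must be set and pairwise distinct")
    for name, unit in (("sync", sync), ("api", api)):
        user = unit["Service"].get("User", [])
        if not user or user[-1] == "root":
            problems.append(f"{name} unit must run as a dedicated non-root User=")
    if sync["Service"].get("User") != api["Service"].get("User"):
        problems.append("both units should run as the same user so they share the data directory")
    if "connect-sync.service" not in api["Unit"].get("After", []):
        problems.append("api unit should be ordered After=connect-sync.service")
    return problems


if __name__ == "__main__":
    print("good pair:", check_pair(SYNC_UNIT, API_UNIT) or "ok")
    print("bad pair:", check_pair(SYNC_UNIT, BAD_API_UNIT))
```

Run it against the real files with `check_pair(open(...).read(), open(...).read())` before `systemctl enable --now`; the bus-port check in particular catches the swapped-port mistake that otherwise only shows up as the API silently never seeing vault data.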