@jtwaleson
Last active December 8, 2017 13:06
m2ee-crypt
#!/bin/bash
set -e
# Use this script instead of m2ee directly
#
# It dynamically creates a sensitive configuration file in RAM, passes it to
# m2ee, and removes it directly afterwards.
# Preparation: remove the sensitive parts from the m2ee.yaml file and store them
# somewhere safe, such as in HashiCorp Vault or an encrypted gpg file. You can keep
# the rest of the m2ee.yaml file in place as is, or you can encrypt the entire file.
# 1 - set up a temporary file on a RAM-backed tmpfs
#
# this uses RAM backed tmpfs on /dev/shm
IN_MEMORY_FILE="$(mktemp -p /dev/shm)"
# 2 - set up a trap to delete the temporary file after this script finishes, on any condition
# single quotes: the path is expanded when the trap fires, and stays quoted
trap 'rm -f "$IN_MEMORY_FILE"' EXIT INT ERR TERM
# 3 - assemble a sensitive m2ee config file and store it in RAM
#
# there are many possibilities here, we chose two common ones
#
# 3a - example using HashiCorp Vault
#
ADMIN_PASS="$(vault read -field=admin_pass mendixapp/config)"
SMTP_PASS="$(vault read -field=smtp_pass mendixapp/config)"
DB_PASS="$(vault read -field=db_pass mendixapp/config)"
cat << EOF > "$IN_MEMORY_FILE"
m2ee:
  admin_pass: "$ADMIN_PASS"
mxruntime:
  MicroflowConstants:
    SMTPModule.EmailServerPassword: "$SMTP_PASS"
  DatabasePassword: "$DB_PASS"
EOF
# 3b - example using gpg
#
# alternative to 3a: it overwrites the file assembled above, so enable this
# line instead of 3a, not in addition to it
#gpg -qd /home/user/.m2ee/encrypted-config.yaml > "$IN_MEMORY_FILE"
# 4 - start m2ee with multiple config files
#
# m2ee will merge the two configuration files, so there can be overlap
# for example, both files can contain an mxruntime section
# we pass the original arguments of this script, quoted so arguments with
# spaces survive; do not exec here, the EXIT trap must run after m2ee returns
m2ee -c /home/user/.m2ee/m2ee.yaml -c "$IN_MEMORY_FILE" "$@"
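The following is an added example, not part of the gist above. It exercises the three properties the wrapper depends on, so they can be checked on a host before the script is trusted with real credentials: the secrets file is created private to the caller (mode 0600), the EXIT trap removes it even when the wrapped command fails, and secret values are quoted so a password containing `"` or `\` cannot corrupt the generated YAML. It assumes GNU `mktemp`/`stat`/`sed` (with a BSD `stat` fallback), uses `/dev/shm` when present and writable and otherwise falls back to `${TMPDIR:-/tmp}` so it also runs where no tmpfs is mounted; all secret values in it are constructed placeholders.

```shell
#!/bin/bash
# Added example (not from the gist): checks the tmpfs + trap + quoting
# pattern that m2ee-crypt relies on. Secrets below are constructed.

# Directory for the short-lived secrets file, preferring RAM-backed tmpfs.
# Assumption: falls back to $TMPDIR so the example runs without /dev/shm.
secret_dir() {
    if [ -d /dev/shm ] && [ -w /dev/shm ]; then
        printf '%s\n' /dev/shm
    else
        printf '%s\n' "${TMPDIR:-/tmp}"
    fi
}

# Succeeds if the directory is a tmpfs mount according to /proc/mounts
# (Linux only); informational, so you know whether secrets stay in RAM.
is_tmpfs() {
    [ -r /proc/mounts ] && grep -q " $1 tmpfs " /proc/mounts
}

# Creates the temp file the same way the script does and prints its path.
make_secret_file() {
    mktemp -p "$(secret_dir)"
}

# Prints the octal permission bits of a file, e.g. 600.
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Wraps a value in double quotes for a YAML scalar, escaping backslash and
# double quote so a password containing either cannot truncate the file.
yaml_quote() {
    local escaped
    escaped="$(printf '%s' "$1" | sed 's/\\/\\\\/g; s/"/\\"/g')"
    printf '"%s"' "$escaped"
}

# Renders the sensitive m2ee fragment from three values (admin, smtp, db).
# Indentation matters: MicroflowConstants and DatabasePassword both sit
# directly under mxruntime.
render_secret_config() {
    cat <<EOF
m2ee:
  admin_pass: $(yaml_quote "$1")
mxruntime:
  MicroflowConstants:
    SMTPModule.EmailServerPassword: $(yaml_quote "$2")
  DatabasePassword: $(yaml_quote "$3")
EOF
}

# Creates the file in a subshell with the same trap as the script, writes a
# constructed secret, then exits non-zero as if m2ee refused to start.
# Prints "removed" if the trap cleaned up, "leaked" otherwise.
cleanup_after_failure() {
    local path
    path="$(make_secret_file)"
    (
        trap 'rm -f "$path"' EXIT INT TERM
        render_secret_config constructed-admin constructed-smtp constructed-db > "$path"
        exit 1   # simulated failure of the wrapped command
    ) || true
    if [ -e "$path" ]; then
        rm -f "$path"
        echo leaked
    else
        echo removed
    fi
}

# Stand-alone run: report what this host gives you.
dir="$(secret_dir)"
tmp="$(make_secret_file)"
if is_tmpfs "$dir"; then backing=tmpfs; else backing="not tmpfs (secrets would touch disk)"; fi
echo "secrets dir: $dir ($backing)"
echo "file mode:   $(file_mode "$tmp")"
rm -f "$tmp"
echo "cleanup after failure: $(cleanup_after_failure)"
```

If the last line reports `leaked`, the trap did not fire in your shell; if the directory is reported as not tmpfs, the wrapper silently writes plaintext secrets to disk on that host, which is the case to catch before deployment.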