diff --git a/scripts/setup/generate_secrets.py b/scripts/setup/generate_secrets.py index 2a714bbfad..72490a20c1 100755 --- a/scripts/setup/generate_secrets.py +++ b/scripts/setup/generate_secrets.py @@ -76,7 +76,10 @@ def generate_secrets(development=False): add_secret("local_database_password", generate_random_token(64)) if need_secret('secret_key'): - add_secret('secret_key', generate_django_secretkey()) + secret_key = generate_django_secretkey() + add_secret('secret_key', secret_key) + # To prevent Django ImproperlyConfigured error + settings.SECRET_KEY = secret_key if need_secret('camo_key'): add_secret('camo_key', get_random_string(64)) @@ -88,6 +91,37 @@ def generate_secrets(development=False): ): add_secret("memcached_password", generate_random_token(64)) + if ( + not development + and settings.REDIS_HOST == "127.0.0.1" + and need_secret("redis_password") + ): + # To prevent Puppet from restarting Redis, which would lose + # data because we configured Redis to disable persistence, set + # the Redis password on the running server and edit the config + # file directly. + + import redis + from zerver.lib.redis_utils import get_redis_client + + redis_password = generate_random_token(64) + + for filename in ["/etc/redis/zuli-redis.conf", "/etc/redis/zulip-redis.conf"]: + if os.path.exists(filename): + with open(filename, "a") as f: + f.write( + "# Set a Redis password based on zulip-secrets.conf\n" + "requirepass '%s'\n" % (redis_password,) + ) + break + + try: + get_redis_client().config_set("requirepass", redis_password) + except redis.exceptions.ConnectionError: + pass + + add_secret("redis_password", redis_password) + # zulip_org_key is generated using os.urandom(). # zulip_org_id does not require a secure CPRNG, # it only needs to be unique.