valknar/stacks
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
53 Commits 1 Branch 0 Tags
9c65cfc9e3522b253fad2a5d9bd811e2197116c4
Commit Graph

8 Commits

Author SHA1 Message Date
valknar 9c65cfc9e3 revert(passbolt): remove clock-skew patch — metadata key already created 
The patched PublicKeyValidationService.php and its volume mount are
no longer needed now that the metadata key exists in the database.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
 2026-06-09 22:48:41 +02:00
valknar 5c398ee77c fix(passbolt): add 300s clock-skew tolerance to key creation date check 
The isNotCreatedInTheFutureRule has zero tolerance, causing the
browser extension to fail when generating a metadata key if the
browser clock is even 1 second ahead of the server. Patching
isDateInFuture to allow 300 seconds tolerance and mounting the
file as a read-only volume so the fix survives image updates.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
 2026-06-09 22:16:56 +02:00
valknar 2e31c1dcc9 fix(passbolt): persist GPG keyring as volume to survive restarts 
Passbolt's entrypoint creates /var/lib/passbolt/.gnupg/pubring.kbx
as root while PHP-FPM runs as www-data. Without a volume this file
is recreated with wrong ownership on every container recreate, breaking
all GPG operations. Mounting the dir as a volume keeps the chown
33:33 fix permanent.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
 2026-06-09 21:44:20 +02:00
valknar 6f12bf9af7 fix(passbolt): disable metadata encryption for new instance setup 
Passbolt 5.x's isNotCreatedInTheFutureRule has zero tolerance for
clock skew — even 1 second between browser and server causes the
metadata key creation to fail during first setup. Disabling the
automatic metadata setup for new instances allows the browser
extension to complete account setup successfully.

Encrypted metadata can be enabled from the admin panel post-setup.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
 2026-06-09 21:24:51 +02:00
valknar 758e69300f fix(passbolt): add TZ env var (Europe/Amsterdam) 
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
 2026-06-09 21:06:01 +02:00
valknar ae81935376 fix(passbolt): clean setup with correct GPG fingerprint 
Passbolt 5.x does not auto-persist the server key fingerprint across
container restarts (no passbolt.php is written). The fingerprint env var
is required and corresponds to the key auto-generated on first clean start.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
 2026-06-09 20:39:55 +02:00
valknar d8cfcd23d1 fix(passbolt): fix DB hostname, encoding, and GPG fingerprint 
- Use container_name passbolt_db instead of service name db (service names
  are ambiguous on the shared falcon_network — 6 other stacks also have a
  service named db)
- Add DATASOURCES_DEFAULT_ENCODING=utf8 to override MySQL's utf8mb4 default
- Add DATASOURCES_QUOTE_IDENTIFIER=true for PostgreSQL identifier quoting
- Set PASSBOLT_GPG_SERVER_KEY_FINGERPRINT for the auto-generated server key
- Add PASSBOLT_GPG_SERVER_KEY_EMAIL for correct server key identity

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
 2026-06-09 20:14:57 +02:00
valknar a1f0f7091b feat(passbolt): add Passbolt CE stack 
Password manager with GPG encryption. Uses PostgreSQL for consistency
with other stacks. Backed up alongside existing databases. Vaultwarden
kept running during migration.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
 2026-06-09 20:00:05 +02:00