Enhanced secret generation in start.sh and cleaned up .env file

.gitignore

@@ -6,10 +6,9 @@ elasticsearch-cloudron-package.zip
 .DS_Store
 
 # Environment files that might contain sensitive information (template provided instead)
-.env
 
 # Directories not needed for the package
 CloudronPackage/
 elasticsearch-cloudron/data/
 elasticsearch-cloudron/exec/
-elasticsearch-cloudron/setup/ 
+elasticsearch-cloudron/setup/ 

elasticsearch-cloudron/.env

@@ -0,0 +1,27 @@
+# Password for the 'elastic' user (at least 6 characters)
+# Will be dynamically generated on first startup if empty
+ELASTIC_PASSWORD=
+
+# Password for the 'kibana_system' user (at least 6 characters)
+# Will be dynamically generated on first startup if empty
+KIBANA_PASSWORD=
+
+# Version of Elastic products
+STACK_VERSION=8.17.3
+
+# Set the cluster name
+CLUSTER_NAME=cloudron-cluster
+
+# Set to 'basic' or 'trial' to automatically start the 30-day trial
+LICENSE=basic
+#LICENSE=trial
+
+# Port to expose Elasticsearch HTTP API to the host
+# For Cloudron, we always use 127.0.0.1 to ensure it's only accessible internally
+ES_PORT=127.0.0.1:9200
+
+# Increase or decrease based on the available host memory (in bytes)
+MEM_LIMIT=1073741824
+
+# Data directory for Cloudron
+CLOUDRON_DATA_DIR=/app/data

elasticsearch-cloudron/start.sh

@@ -4,11 +4,32 @@ set -e
 # Source environment variables
 source /app/.env
 
-# Set default variables if not provided
-ELASTIC_PASSWORD=${ELASTIC_PASSWORD:-cloudron}
+# Function to generate a random password
+generate_password() {
+    cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 16 | head -n 1
+}
+
+# Generate a random password for Elasticsearch if not provided
+if [ -z "$ELASTIC_PASSWORD" ]; then
+    ELASTIC_PASSWORD=$(generate_password)
+    # Save the password to the .env file
+    sed -i "s/^ELASTIC_PASSWORD=.*/ELASTIC_PASSWORD=$ELASTIC_PASSWORD/" /app/.env
+    echo "Generated new secure password for Elasticsearch user 'elastic'"
+fi
+
+# Generate a random password for Kibana if not provided
+if [ -z "$KIBANA_PASSWORD" ]; then
+    KIBANA_PASSWORD=$(generate_password)
+    # Save the password to the .env file
+    sed -i "s/^KIBANA_PASSWORD=.*/KIBANA_PASSWORD=$KIBANA_PASSWORD/" /app/.env
+    echo "Generated new secure password for Elasticsearch user 'kibana_system'"
+fi
+
+# Set default variables
 STACK_VERSION=${STACK_VERSION:-8.17.3}
 CLUSTER_NAME=${CLUSTER_NAME:-cloudron-cluster}
 LICENSE=${LICENSE:-basic}
+ES_PORT=${ES_PORT:-127.0.0.1:9200}
 
 # Ensure data directories exist
 mkdir -p /app/data/elasticsearch
@@ -65,5 +86,45 @@ until $(curl --output /dev/null --silent --head --fail http://localhost:9200); d
 done
 echo "Elasticsearch is up and running!"
 
+# If kibana password is set, configure the kibana_system user
+if [ ! -z "$KIBANA_PASSWORD" ]; then
+    echo "Setting kibana_system user password..."
+    until curl -s -X POST -u "elastic:${ELASTIC_PASSWORD}" -H "Content-Type: application/json" http://localhost:9200/_security/user/kibana_system/_password -d "{\"password\":\"${KIBANA_PASSWORD}\"}" | grep -q "^{}"; do
+        echo "Waiting for Elasticsearch to be ready to set kibana_system password..."
+        sleep 5
+    done
+    echo "kibana_system password set."
+fi
+
+# Display the credentials
+echo "-----------------------------"
+echo "Elasticsearch is ready to use!"
+echo "URL: http://localhost:9200"
+echo ""
+echo "Authentication credentials:"
+echo "  User: elastic"
+echo "  Password: $ELASTIC_PASSWORD"
+if [ ! -z "$KIBANA_PASSWORD" ]; then
+    echo ""
+    echo "Kibana system credentials:"
+    echo "  User: kibana_system"
+    echo "  Password: $KIBANA_PASSWORD"
+fi
+echo "-----------------------------"
+
+# Create a credentials file for reference
+cat > /app/data/credentials.txt << EOL
+Elasticsearch credentials:
+URL: http://localhost:9200
+User: elastic
+Password: $ELASTIC_PASSWORD
+
+Kibana system credentials:
+User: kibana_system
+Password: $KIBANA_PASSWORD
+EOL
+
+echo "Credentials saved to /app/data/credentials.txt"
+
 # Keep script running
 exec tail -f /dev/null