improve secret handling for whiteboard

2025-05-20 18:17:46 +02:00
parent cb453e884d
commit a3cd6741eb
4 changed files with 32 additions and 3 deletions
--- a/.env.sample
+++ b/.env.sample
@ -67,7 +67,7 @@ DEFAULT_QUOTA="10 GB"

 # COMPOSE_FILE="$COMPOSE_FILE:compose.whiteboard.yml"
 # APPS="$APPS whiteboard"
-# WHITEBOARD_JWT="" # generate JWT token for whiteboard!
+# SECRET_WHITEBOARD_JWT_VERSION=v1

 # COMPOSE_FILE="$COMPOSE_FILE:compose.authentik.yml"
 # APPS="$APPS sociallogin"
--- a/abra.sh
+++ b/abra.sh
@ -4,6 +4,7 @@ export FPM_TUNE_VERSION=v5
 export NGINX_CONF_VERSION=v7
 export MY_CNF_VERSION=v5
 export ENTRYPOINT_VERSION=v3
+export ENTRYPOINT_WHITEBOARD_VERSION=v1
 export CRONTAB_VERSION=v1
 export PG_BACKUP_VERSION=v2

@ -96,7 +97,7 @@ install_collabora() {
 install_whiteboard() {
    install_apps whiteboard
    set_app_config whiteboard collabBackendUrl "https://${DOMAIN}/whiteboard"
-    set_app_config whiteboard jwt_secret_key "${WHITEBOARD_JWT}"
+    set_app_config whiteboard jwt_secret_key "$(cat /run/secrets/whiteboard_jwt)"
 }


--- a/compose.whiteboard.yml
+++ b/compose.whiteboard.yml
@ -1,6 +1,10 @@
 version: "3.8"

 services:
+  app:
+    secrets:
+      - whiteboard_jwt
+
  whiteboard:
    image: ghcr.io/nextcloud-releases/whiteboard:v1.0.5
    deploy:
@ -13,10 +17,28 @@ services:
        - traefik.http.routers.${STACK_NAME}_whiteboard.tls.certresolver=${LETS_ENCRYPT_ENV}
        - traefik.http.middlewares.${STACK_NAME}_whiteboard-stripprefix.stripprefix.prefixes=/whiteboard
        - traefik.http.routers.${STACK_NAME}_whiteboard.middlewares=${STACK_NAME}_whiteboard-stripprefix
+    configs:
+      - source: entrypoint_whiteboard
+        target: /custom-entrypoint.sh
+    entrypoint: ["sh", "/custom-entrypoint.sh"]
+    user: root
    networks:
     - proxy
    ports:
      - 3002:3002
+    secrets:
+      - whiteboard_jwt
    environment:
      - NEXTCLOUD_URL=https://$DOMAIN
-      - JWT_SECRET_KEY=${WHITEBOARD_JWT}
+      - JWT_SECRET_KEY_FILE=/run/secrets/whiteboard_jwt
+
+secrets:
+  whiteboard_jwt:
+    external: true
+    name: ${STACK_NAME}_whiteboard_jwt_${SECRET_WHITEBOARD_JWT_VERSION}
+
+configs:
+  entrypoint_whiteboard:
+    name: ${STACK_NAME}_entrypoint_whiteboard_${ENTRYPOINT_WHITEBOARD_VERSION}
+    file: entrypoint.whiteboard.sh.tmpl
+    template_driver: golang
--- a/entrypoint.whiteboard.sh.tmpl
+++ b/entrypoint.whiteboard.sh.tmpl
@ -0,0 +1,6 @@
+#!/bin/sh
+set -e
+
+export JWT_SECRET_KEY=$(cat /run/secrets/whiteboard_jwt)
+
+exec npm run server:start