From a3cd6741ebfa97db04d3801ebdcf7c0d5a002900 Mon Sep 17 00:00:00 2001
From: Simon
Date: Tue, 20 May 2025 18:17:46 +0200
Subject: [PATCH] improve secret handling for whiteboard
---
 .env.sample | 2 +-
 abra.sh | 3 ++-
 compose.whiteboard.yml | 24 +++++++++++++++++++++++-
 entrypoint.whiteboard.sh.tmpl | 6 ++++++
 4 files changed, 32 insertions(+), 3 deletions(-)
 create mode 100644 entrypoint.whiteboard.sh.tmpl
diff --git a/.env.sample b/.env.sample
index 2ee651f..4853632 100644
--- a/.env.sample
+++ b/.env.sample
@@ -67,7 +67,7 @@ DEFAULT_QUOTA="10 GB"
 # COMPOSE_FILE="$COMPOSE_FILE:compose.whiteboard.yml"
 # APPS="$APPS whiteboard"
-# WHITEBOARD_JWT="" # generate JWT token for whiteboard!
+# SECRET_WHITEBOARD_JWT_VERSION=v1
 # COMPOSE_FILE="$COMPOSE_FILE:compose.authentik.yml"
 # APPS="$APPS sociallogin"
diff --git a/abra.sh b/abra.sh
index 27f4a18..4c1d7fa 100644
--- a/abra.sh
+++ b/abra.sh
@@ -4,6 +4,7 @@ export FPM_TUNE_VERSION=v5
 export NGINX_CONF_VERSION=v7
 export MY_CNF_VERSION=v5
 export ENTRYPOINT_VERSION=v3
+export ENTRYPOINT_WHITEBOARD_VERSION=v1
 export CRONTAB_VERSION=v1
 export PG_BACKUP_VERSION=v2
@@ -96,7 +97,7 @@ install_collabora() {
 install_whiteboard() {
 install_apps whiteboard
 set_app_config whiteboard collabBackendUrl "https://${DOMAIN}/whiteboard"
- set_app_config whiteboard jwt_secret_key "${WHITEBOARD_JWT}"
+ set_app_config whiteboard jwt_secret_key "$(cat /run/secrets/whiteboard_jwt)"
 }
diff --git a/compose.whiteboard.yml b/compose.whiteboard.yml
index 843100b..0a401cd 100644
--- a/compose.whiteboard.yml
+++ b/compose.whiteboard.yml
@@ -1,6 +1,10 @@
 version: "3.8"
 services:
+ app:
+ secrets:
+ - whiteboard_jwt
+
 whiteboard:
 image: ghcr.io/nextcloud-releases/whiteboard:v1.0.5
 deploy:
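Review bot: The removed `# generate JWT token for whiteboard!` line was the only hint that a value has to be produced before deploy, and the replacement `# SECRET_WHITEBOARD_JWT_VERSION=v1` says nothing about how the `whiteboard_jwt` secret gets created or how long it should be. If this recipe relies on abra's secret-generation hints, a length annotation on the version line (e.g. `# SECRET_WHITEBOARD_JWT_VERSION=v1 # length=64`, exact syntax per the abra docs) would let the secret be generated with the other ones instead of being typed in by hand; otherwise a one-line comment stating that the `whiteboard_jwt` secret must be inserted before `compose.whiteboard.yml` is enabled would restore what was lost.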
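Review bot: In install_whiteboard, `"$(cat /run/secrets/whiteboard_jwt)"` places the JWT secret on the argument list of set_app_config and whatever it invokes, so it is visible in the process list for the duration of the call, and if the file is not mounted the substitution silently yields an empty string and an empty `jwt_secret_key` is written without any error. Guarding the read first keeps the failure loud, e.g. `[ -s /run/secrets/whiteboard_jwt ] || { echo "whiteboard_jwt secret is missing or empty" >&2; return 1; }` before the set_app_config call. set_app_config is defined outside this hunk, so whether it could take the value on stdin instead of argv cannot be confirmed here.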
@@ -13,10 +17,28 @@ services:
 - traefik.http.routers.${STACK_NAME}_whiteboard.tls.certresolver=${LETS_ENCRYPT_ENV}
 - traefik.http.middlewares.${STACK_NAME}_whiteboard-stripprefix.stripprefix.prefixes=/whiteboard
 - traefik.http.routers.${STACK_NAME}_whiteboard.middlewares=${STACK_NAME}_whiteboard-stripprefix
+ configs:
+ - source: entrypoint_whiteboard
+ target: /custom-entrypoint.sh
+ entrypoint: ["sh", "/custom-entrypoint.sh"]
+ user: root
 networks:
 - proxy
 ports:
 - 3002:3002
+ secrets:
+ - whiteboard_jwt
 environment:
 - NEXTCLOUD_URL=https://$DOMAIN
- - JWT_SECRET_KEY=${WHITEBOARD_JWT}
\ No newline at end of file
+ - JWT_SECRET_KEY_FILE=/run/secrets/whiteboard_jwt
+
+secrets:
+ whiteboard_jwt:
+ external: true
+ name: ${STACK_NAME}_whiteboard_jwt_${SECRET_WHITEBOARD_JWT_VERSION}
+
+configs:
+ entrypoint_whiteboard:
+ name: ${STACK_NAME}_entrypoint_whiteboard_${ENTRYPOINT_WHITEBOARD_VERSION}
+ file: entrypoint.whiteboard.sh.tmpl
+ template_driver: golang
\ No newline at end of file
diff --git a/entrypoint.whiteboard.sh.tmpl b/entrypoint.whiteboard.sh.tmpl
new file mode 100644
index 0000000..d40571a
--- /dev/null
+++ b/entrypoint.whiteboard.sh.tmpl
@@ -0,0 +1,6 @@
+#!/bin/sh
+set -e
+
+export JWT_SECRET_KEY=$(cat /run/secrets/whiteboard_jwt)
+
+exec npm run server:start
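Review bot: `user: root` turns the whiteboard service into a root container solely so the custom entrypoint can read the secret, yet the short-syntax mount used here and in the `app` service of the first hunk is created with the default mode `0444`, which the image's unprivileged user can already read; unless that user genuinely cannot start the service, drop `user: root`, and if a tighter mode is wanted use the long secret form with `uid`/`gid` set to the image's runtime user and `mode: 0400` rather than running as root. The hunk also sets `JWT_SECRET_KEY_FILE=/run/secrets/whiteboard_jwt` while the new entrypoint exports `JWT_SECRET_KEY` from the same file, so one of the two is dead: if the image honours the `_FILE` variant (not verifiable from this diff) the custom entrypoint and its config are unnecessary, and if it does not, the environment entry is inert and misleading. Pick one mechanism and document it in a comment next to the `secrets:` key, e.g. `# read by the custom entrypoint; the image does not support JWT_SECRET_KEY_FILE` or the converse.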
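Review bot: `export JWT_SECRET_KEY=$(cat /run/secrets/whiteboard_jwt)` defeats the `set -e` two lines above it: the exit status of the line is that of `export`, which succeeds even when `cat` fails, so a missing or unreadable secret file starts the server with an empty JWT secret instead of aborting. Split the assignment from the export so the command substitution's failure is seen by `set -e`: `JWT_SECRET_KEY=$(cat /run/secrets/whiteboard_jwt)` then `export JWT_SECRET_KEY`, and consider `[ -s /run/secrets/whiteboard_jwt ] || exit 1` ahead of it to also reject an empty file, since `cat` on an empty file succeeds. A one-line comment above the export noting that the secret is mounted by `compose.whiteboard.yml` would help the next reader, since this script is rendered through `template_driver: golang` and its inputs are not obvious from the file alone.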