fix: first run at secrets

See coop-cloud/outline#2.

.env.sample

@@ -8,10 +8,11 @@ LETS_ENCRYPT_ENV=production
 
 # –––––––––––––––– REQUIRED ––––––––––––––––
 
+SECRET_DB_PASSWORD_VERSION=v1
 SECRET_SECRET_KEY_VERSION=v1  # length=32
 SECRET_UTILS_SECRET_VERSION=v1  # length=32
-
 SECRET_AWS_SECRET_ACCESS_KEY=v1
+SECRET_OIDC_CLIENT_SECRET_VERSION=v1
 
 AWS_ACCESS_KEY_ID=
 AWS_REGION=

abra.sh

@@ -0,0 +1 @@
+export APP_ENTRYPOINT_VERSION=v1

compose.yml

@@ -7,6 +7,16 @@ services:
       - backend
       - proxy
     image: outlinewiki/outline:0.60.3
+    secrets:
+      - aws_secret_key
+      - db_password
+      - oidc_client_secret
+      - secret_key
+      - utils_secret
+    configs:
+      - source: app_entrypoint
+        target: /docker-entrypoint.sh
+        mode: 0555
     volumes:
       - outline_data:/opt/outline
     environment:
@@ -17,13 +27,12 @@ services:
       - AWS_S3_UPLOAD_BUCKET_NAME
       - AWS_S3_UPLOAD_BUCKET_URL
       - AWS_S3_UPLOAD_MAX_SIZE
-      - AWS_SECRET_ACCESS_KEY
-      - DATABASE_URL=postgres://user:pass@${STACK_NAME}_postgres:5432/outline
-      - DATABASE_URL_TEST=postgres://user:pass@${STACK_NAME}_postgres:5432/outline-test
+      - AWS_SECRET_ACCESS_KEY_FILE=/run/secrets/aws_secret_key
+      - DATABASE_PASSWORD_FILE=/run/secrets/db_password
       - FORCE_HTTPS=true
       - OIDC_AUTH_URI
       - OIDC_CLIENT_ID
-      - OIDC_CLIENT_SECRET
+      - OIDC_CLIENT_SECRET_FILE=/run/secrets/oidc_client_secret
       - OIDC_DISPLAY_NAME
       - OIDC_SCOPES
       - OIDC_TOKEN_URI
@@ -31,10 +40,12 @@ services:
       - OIDC_USERNAME_CLAIM
       - PGSSLMODE=disable  
       - REDIS_URL=redis://${STACK_NAME}_redis:6379
-      - SECRET_KEY
+      - SECRET_KEY_FILE=/run/secrets/secret_key
       - TEAM_LOGO
       - URL=https://$DOMAIN
-      - UTILS_SECRET
+      - UTILS_SECRET_FILE=/run/secrets/utils_secret
+    command: yarn start
+    entrypoint: /docker-entrypoint.sh
     deploy:
       labels:
         - "traefik.enable=true"
@@ -57,18 +68,43 @@ services:
     image: postgres:11
     networks:
       - backend
+    secrets:
+      - db_password
     environment:
       POSTGRES_DB: outline
-      POSTGRES_PASSWORD: pass
-      POSTGRES_USER: user
+      POSTGRES_PASSWORD_FILE: /run/secrets/db_password
+      POSTGRES_USER: outline
     volumes:
       - "postgres_data:/var/lib/postgresql/data"
 
+secrets:
+  secret_key:
+    name: ${STACK_NAME}_secret_key_${SECRET_SECRET_KEY_VERSION}
+    external: true
+  utils_secret:
+    name: ${STACK_NAME}_utils_secret_${SECRET_UTILS_SECRET_VERSION}
+    external: true
+  aws_access_key:
+    name: ${STACK_NAME}_aws_access_key_${SECRET_AWS_SECRET_ACCESS_KEY_VERSION}
+    external: true
+  oidc_client_secret:
+    name: ${STACK_NAME}_oidc_client_secret_${SECRET_OIDC_CLIENT_SECRET_VERSION}
+    external: true
+  db_password:
+    name: ${STACK_NAME}_db_password_${SECRET_DB_PASSWORD_VERSION}
+    external: true
+
 networks:
   proxy:
     external: true
   backend:
-    
+
 volumes:
   outline_data:
   postgres_data:
+
+configs:
+  app_entrypoint:
+    name: ${STACK_NAME}_app_entrypoint_${APP_ENTRYPOINT_VERSION}
+    file: entrypoint.sh.tmpl
+    template_driver: golang

entrypoint.sh.tmpl

@@ -0,0 +1,32 @@
+#!/bin/bash
+
+set -e
+
+file_env() {
+   local var="$1"
+   local fileVar="${var}_FILE"
+   local def="${2:-}"
+
+   if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then
+      echo >&2 "error: both $var and $fileVar are set (but are exclusive)"
+      exit 1
+   fi
+
+   local val="$def"
+
+   if [ "${!var:-}" ]; then
+      val="${!var}"
+   elif [ "${!fileVar:-}" ]; then
+      val="$(< "${!fileVar}")"
+   fi
+
+   export "$var"="$val"
+   unset "$fileVar"
+}
+
+file_env "AWS_SECRET_ACCESS_KEY"
+file_env "OIDC_CLIENT_SECRET"
+file_env "UTILS_SECRET"
+file_env "DATABASE_PASSWORD"
+
+export DATABASE_URL="postgres://outline:${DATABASE_PASSWORD}@${STACK_NAME}_postgres:5432/outline"