diff --git a/.env.sample b/.env.sample
index 957cbd3..3e22666 100644
--- a/.env.sample
+++ b/.env.sample
@@ -8,10 +8,11 @@ LETS_ENCRYPT_ENV=production
 # –––––––––––––––– REQUIRED ––––––––––––––––
+SECRET_DB_PASSWORD_VERSION=v1
 SECRET_SECRET_KEY_VERSION=v1 # length=32
 SECRET_UTILS_SECRET_VERSION=v1 # length=32
- SECRET_AWS_SECRET_ACCESS_KEY=v1
+SECRET_OIDC_CLIENT_SECRET_VERSION=v1
 AWS_ACCESS_KEY_ID=
 AWS_REGION=
diff --git a/abra.sh b/abra.sh
new file mode 100644
index 0000000..7c5fe57
--- /dev/null
+++ b/abra.sh
@@ -0,0 +1 @@
+export APP_ENTRYPOINT_VERSION=v1
diff --git a/compose.yml b/compose.yml
index 9c91793..9e09f8e 100644
--- a/compose.yml
+++ b/compose.yml
@@ -7,6 +7,16 @@ services:
 - backend
 - proxy
 image: outlinewiki/outline:0.60.3
+ secrets:
+ - aws_secret_key
+ - db_password
+ - oidc_client_secret
+ - secret_key
+ - utils_secret
+ configs:
+ - source: app_entrypoint
+ target: /docker-entrypoint.sh
+ mode: 0555
 volumes:
 - outline_data:/opt/outline
 environment:
@@ -17,13 +27,12 @@ services:
 - AWS_S3_UPLOAD_BUCKET_NAME
 - AWS_S3_UPLOAD_BUCKET_URL
 - AWS_S3_UPLOAD_MAX_SIZE
- - AWS_SECRET_ACCESS_KEY
- - DATABASE_URL=postgres://user:pass@${STACK_NAME}_postgres:5432/outline
- - DATABASE_URL_TEST=postgres://user:pass@${STACK_NAME}_postgres:5432/outline-test
+ - AWS_SECRET_ACCESS_KEY_FILE=/run/secrets/aws_secret_key
+ - DATABASE_PASSWORD_FILE=/run/secrets/db_password
 - FORCE_HTTPS=true
 - OIDC_AUTH_URI
 - OIDC_CLIENT_ID
- - OIDC_CLIENT_SECRET
+ - OIDC_CLIENT_SECRET_FILE=/run/secrets/oidc_client_secret
 - OIDC_DISPLAY_NAME
 - OIDC_SCOPES
 - OIDC_TOKEN_URI
@@ -31,10 +40,12 @@ services:
 - OIDC_USERNAME_CLAIM
 - PGSSLMODE=disable
 - REDIS_URL=redis://${STACK_NAME}_redis:6379
- - SECRET_KEY
+ - SECRET_KEY_FILE=/run/secrets/secret_key
 - TEAM_LOGO
 - URL=https://$DOMAIN
- - UTILS_SECRET
+ - UTILS_SECRET_FILE=/run/secrets/utils_secret
+ command: yarn start
+ entrypoint: /docker-entrypoint.sh
 deploy:
 labels:
 - "traefik.enable=true"
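Review bot: The removed `SECRET_AWS_SECRET_ACCESS_KEY=v1` line gets no replacement, yet the new top-level `secrets:` block in compose.yml interpolates `${SECRET_AWS_SECRET_ACCESS_KEY_VERSION}` into the external secret name, so with this sample the AWS secret's name is built from an undefined variable. Add `SECRET_AWS_SECRET_ACCESS_KEY_VERSION=v1` next to the other `SECRET_*_VERSION` entries so operators see every version variable the stack file needs. It would also help to note here that the DB password secret is spliced verbatim into a `postgres://` URL by the entrypoint, so it should be generated from URL-safe characters.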
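Review bot: The service-level `secrets:` list mounts `aws_secret_key`, but the top-level `secrets:` block added in the `@@ -57,18 +68,43 @@` hunk defines the key `aws_access_key`; a stack that references a secret it does not define should fail at `docker stack deploy`, and `AWS_SECRET_ACCESS_KEY_FILE=/run/secrets/aws_secret_key` in the following hunk assumes the `aws_secret_key` spelling. Make the two keys agree, most simply by renaming the top-level entry to `aws_secret_key:` and aligning its `name:` with the secret the operator actually creates. `mode: 0555` on the entrypoint config is the right choice: executable, not writable from inside the container.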
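Review bot: `SECRET_KEY_FILE=/run/secrets/secret_key` replaces `SECRET_KEY`, but entrypoint.sh.tmpl (added at the end of this diff) calls `file_env` only for AWS_SECRET_ACCESS_KEY, OIDC_CLIENT_SECRET, UTILS_SECRET and DATABASE_PASSWORD, so nothing reads the mounted file back into `SECRET_KEY`; unless the Outline image resolves `_FILE` variants on its own, which the need for this entrypoint suggests it does not, the application would start without its signing key. Add `file_env "SECRET_KEY"` alongside the other calls in the entrypoint, and consider a one-line comment on the `entrypoint:` line stating that the script is what turns every `*_FILE` variable into its plain counterpart, so future `_FILE` additions are mirrored there.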
@@ -57,18 +68,43 @@ services:
 image: postgres:11
 networks:
 - backend
+ secrets:
+ - db_password
 environment:
 POSTGRES_DB: outline
- POSTGRES_PASSWORD: pass
- POSTGRES_USER: user
+ POSTGRES_PASSWORD_FILE: /run/secrets/db_password
+ POSTGRES_USER: outline
 volumes:
 - "postgres_data:/var/lib/postgresql/data"
+secrets:
+ secret_key:
+ name: ${STACK_NAME}_secret_key_${SECRET_SECRET_KEY_VERSION}
+ external: true
+ utils_secret:
+ name: ${STACK_NAME}_utils_secret_${SECRET_UTILS_SECRET_VERSION}
+ external: true
+ aws_access_key:
+ name: ${STACK_NAME}_aws_access_key_${SECRET_AWS_SECRET_ACCESS_KEY_VERSION}
+ external: true
+ oidc_client_secret:
+ name: ${STACK_NAME}_oidc_client_secret_${SECRET_OIDC_CLIENT_SECRET_VERSION}
+ external: true
+ db_password:
+ name: ${STACK_NAME}_db_password_${SECRET_DB_PASSWORD_VERSION}
+ external: true
+
 networks:
 proxy:
 external: true
 backend:
-
+
 volumes:
 outline_data:
 postgres_data:
+
+configs:
+ app_entrypoint:
+ name: ${STACK_NAME}_app_entrypoint_${APP_ENTRYPOINT_VERSION}
+ file: entrypoint.sh.tmpl
+ template_driver: golang
diff --git a/entrypoint.sh.tmpl b/entrypoint.sh.tmpl
new file mode 100644
index 0000000..48311c7
--- /dev/null
+++ b/entrypoint.sh.tmpl
@@ -0,0 +1,32 @@
+#!/bin/bash
+
+set -e
+
+file_env() {
+ local var="$1"
+ local fileVar="${var}_FILE"
+ local def="${2:-}"
+
+ if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then
+ echo >&2 "error: both $var and $fileVar are set (but are exclusive)"
+ exit 1
+ fi
+
+ local val="$def"
+
+ if [ "${!var:-}" ]; then
+ val="${!var}"
+ elif [ "${!fileVar:-}" ]; then
+ val="$(< "${!fileVar}")"
+ fi
+
+ export "$var"="$val"
+ unset "$fileVar"
+}
+
+file_env "AWS_SECRET_ACCESS_KEY"
+file_env "OIDC_CLIENT_SECRET"
+file_env "UTILS_SECRET"
+file_env "DATABASE_PASSWORD"
+
+export DATABASE_URL="postgres://outline:${DATABASE_PASSWORD}@${STACK_NAME}_postgres:5432/outline"
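Review bot: `POSTGRES_USER` changes from `user` to `outline` while the `postgres_data` volume in the surrounding context lines is kept, and the postgres image only creates the role and password when it initialises an empty data directory; on a stack that already has that volume the old `user` role persists and the `postgres://outline:...` URL the entrypoint builds will fail to authenticate. Either keep the user name or document the migration step for existing deployments (create or rename the role and set its password to the value of the `db_password` secret). Adding `# changing this after first deploy requires a role migration` above `POSTGRES_USER: outline` would stop the next reader from repeating this. The top-level `aws_access_key` key also does not match the `aws_secret_key` the app service mounts, as raised on the first compose.yml hunk.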
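Review bot: The script ends after the `export DATABASE_URL=...` line and never hands over to the container command: compose.yml sets `entrypoint: /docker-entrypoint.sh` and `command: yarn start`, so `$@` is `yarn start` and the script must finish with `exec "$@"`; as written the exports die with the script and the container exits without starting Outline. `DATABASE_PASSWORD` is also spliced unescaped into the URL, so a secret containing `@`, `/`, `:`, `#` or `%` yields an unparsable `DATABASE_URL` — percent-encode it before interpolation or state in the recipe that the secret must be generated from URL-safe characters. `set -e` without `-u` means an unset `STACK_NAME` silently produces the host `_postgres`; `set -eu` would surface that at startup. A short comment on `val="$(< "${!fileVar}")"` noting that command substitution strips the trailing newline from the secret file would document why that form was chosen.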