Use Docker secrets for passwords

Closes #1
This commit is contained in:
3wc 2021-07-19 12:09:02 +02:00
parent 91023e3c45
commit 49622215ad
5 changed files with 100 additions and 10 deletions


@ -2,26 +2,46 @@ TYPE=capsul
DOMAIN=capsul.example.com
## Domain aliases
#EXTRA_DOMAINS=', `www.capsul_flask.example.com`'
#EXTRA_DOMAINS=', `www.capsul.example.com`'
LETS_ENCRYPT_ENV=production
HUB_MODEL="capsul-flask"
SPOKE_MODEL="mock"
# Spoke mode, comment above line and uncomment these two:
#SPOKE_MODEL="shell-scripts"
#COMPOSE_FILE="compose.yml:compose.spoke.yml"
# INFO, DEBUG, etc.
LOG_LEVEL="INFO"
#ADMIN_EMAIL_ADDRESSES=""
#ADMIN_PANEL_ALLOW_EMAIL_ADDRESSES="admin@example.com"
SPOKE_MODEL="mock"
# Spoke mode, comment above line and uncomment these:
#SPOKE_MODEL="shell-scripts"
#COMPOSE_FILE="compose.yml:compose.spoke.yml"
#SECRET_SPOKE_HOST_TOKEN_VERSION=v1 # length=64
# Stripe payments, uncomment / merge these lines
#COMPOSE_FILE="compose.yml:compose.stripe.yml"
#STRIPE_PUBLISHABLE_KEY="changeme"
#SECRET_STRIPE_SECRET_KEY_VERSION=v1
# Bitcoin payments with BTCPay; uncomment / merge these lines
#COMPOSE_FILE="compose.yml:compose.btcpay.yml"
#BTCPAY_URL="https://..."
#BTCPAY_URL="https://btcpay.example.com"
#SECRET_BTCPAY_PRIVATE_KEY_VERSION=v1
# Email
#MAIL_SERVER=""
#MAIL_PORT="465"
#MAIL_USE_TLS="yes"
#MAIL_USE_SSL="yes"
#MAIL_USERNAME=""
#MAIL_PASSWORD=""
#MAIL_DEFAULT_SENDER="capsul@example.com"
#ADMIN_EMAIL_ADDRESSES=""
#ADMIN_PANEL_ALLOW_EMAIL_ADDRESSES="admin@example.com"
#
# If your SMTP server requires a password, uncomment/merge these two lines
#COMPOSE_FILE="compose.yml:compose.spoke.yml"
#SECRET_SMTP_PASSWORD_VERSION=v1
#PROMETHEUS_URL="https://prometheus.example.com"
SECRET_HUB_TOKEN_VERSION=v1 # length=64
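Review bot: The SMTP-password instructions (`# If your SMTP server requires a password, uncomment/merge these two lines`) point at `compose.spoke.yml`, but the file this commit adds for that purpose is `compose.smtpauth.yml`; the line should read `#COMPOSE_FILE="compose.yml:compose.smtpauth.yml"`. As written, a user following the comment switches on spoke mode and never mounts the smtp_password secret, while `#MAIL_PASSWORD=""` a few lines up still looks like the place to put the password. A one-line comment next to `#MAIL_PASSWORD=""` saying it is the plain-environment alternative to `SECRET_SMTP_PASSWORD_VERSION` would make the two paths explicit. The file name of this section is not shown on the page, and the old/new side of its lines cannot be recovered from the rendering, so I am reading the new side as the lines shown.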

17
compose.btcpay.yml Normal file

@ -0,0 +1,17 @@
---
version: "3.8"
services:
app:
environment:
- BTCPAY_PRIVATE_KEY=/var/run/secrets/btcpay_private_key
- BTCPAY_CLIENT
- BTCPAY_URL
secrets:
- btcpay_private_key
secrets:
btcpay_private_key:
external: true
name: ${STACK_NAME}_btcpay_private_key_${SECRET_BTCPAY_PRIVATE_KEY_VERSION}
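Review bot: `BTCPAY_PRIVATE_KEY=/var/run/secrets/btcpay_private_key` hands the application a file path under the variable name that would normally carry the value, whereas the two sibling files use a `_FILE` suffix (`STRIPE_SECRET_KEY_FILE`, `MAIL_PASSWORD_FILE`). Unless the app is known to treat `BTCPAY_PRIVATE_KEY` as a path, this should be `- BTCPAY_PRIVATE_KEY_FILE=/var/run/secrets/btcpay_private_key` so the literal path can never be used as the key. Separately, `name: ${STACK_NAME}_btcpay_private_key_${SECRET_BTCPAY_PRIVATE_KEY_VERSION}` silently degrades to `<stack>_btcpay_private_key_` when the version variable is unset; Compose's `${SECRET_BTCPAY_PRIVATE_KEY_VERSION:?SECRET_BTCPAY_PRIVATE_KEY_VERSION is required}` form fails the deploy instead, and the same applies to the secret names in compose.smtpauth.yml, compose.stripe.yml and the hub_token entry in compose.yml. `BTCPAY_CLIENT` is passed through here but has no counterpart in the sample env in this commit.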

14
compose.smtpauth.yml Normal file

@ -0,0 +1,14 @@
---
version: "3.8"
services:
app:
environment:
- MAIL_PASSWORD_FILE=/var/run/secrets/smtp_password
secrets:
- smtp_password
secrets:
smtp_password:
external: true
name: ${STACK_NAME}_smtp_password_${SECRET_SMTP_PASSWORD_VERSION}

15
compose.stripe.yml Normal file

@ -0,0 +1,15 @@
---
version: "3.8"
services:
app:
environment:
- STRIPE_SECRET_KEY_FILE=/var/run/secrets/stripe_secret_key
- "STRIPE_PUBLISHABLE_KEY"
secrets:
- stripe_secret_key
secrets:
stripe_secret_key:
external: true
name: ${STACK_NAME}_stripe_secret_key_${SECRET_STRIPE_SECRET_KEY_VERSION}
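Review bot: The `environment` list mixes an unquoted entry (`- STRIPE_SECRET_KEY_FILE=/var/run/secrets/stripe_secret_key`) with a quoted one (`- "STRIPE_PUBLISHABLE_KEY"`), while compose.yml quotes every entry and compose.smtpauth.yml / compose.btcpay.yml quote none. Pick one convention for the three new overlays; matching compose.yml would make both lines here `- "STRIPE_SECRET_KEY_FILE=/var/run/secrets/stripe_secret_key"` and `- "STRIPE_PUBLISHABLE_KEY"`.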


@ -14,6 +14,21 @@ services:
- "BASE_URL=https://${DOMAIN}"
- "LOG_LEVEL"
- "HUB_URL=http://localhost:5000"
- "MAIL_SERVER"
- "MAIL_PORT"
- "MAIL_USE_TLS"
- "#MAIL_USE_SSL"
- "MAIL_USERNAME"
- "MAIL_PASSWORD"
- "MAIL_DEFAULT_SENDER"
- "ADMIN_EMAIL_ADDRESSES"
- "ADMIN_PANEL_ALLOW_EMAIL_ADDRESSES"
- "HUB_TOKEN_FILE=/var/run/secrets/hub_token"
- "SPOKE_HOST_TOKEN_FILE=/var/run/secrets/hub_token"
# - "SPOKE_HOST_TOKEN_FILE=/var/run/secrets/spoke_host_token"
secrets:
- hub_token
# - spoke_host_token
#entrypoint: ['tail', '-f', '/dev/null']
deploy:
restart_policy:
@ -50,5 +65,14 @@ networks:
proxy:
external: true
internal:
volumes:
postgres:
secrets:
hub_token:
external: true
name: ${STACK_NAME}_hub_token_${SECRET_HUB_TOKEN_VERSION}
# spoke_host_token:
# external: true
# name: ${STACK_NAME}_spoke_host_token_${SECRET_SPOKE_HOST_TOKEN_VERSION}
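Review bot: `- "#MAIL_USE_SSL"` in the first hunk keeps the `#` inside the quotes, so it is not a comment: Compose passes through an environment variable literally named `#MAIL_USE_SSL`, and the real `MAIL_USE_SSL` from the sample env never reaches the container; either drop the entry or write it as `# - "MAIL_USE_SSL"`, the way `spoke_host_token` is disabled below. In the same hunk `"MAIL_PASSWORD"` is still passed as a plain environment variable while compose.smtpauth.yml adds `MAIL_PASSWORD_FILE`; if the secret is meant to replace it, as the commit title suggests, the plain passthrough should go, otherwise a comment should say which one the app prefers. `"SPOKE_HOST_TOKEN_FILE=/var/run/secrets/hub_token"` points the spoke token at the hub token secret with the intended line commented out; if that is deliberate for the mock spoke it deserves a comment such as `# mock spoke reuses hub_token; use spoke_host_token for shell-scripts mode`. Both hunks are fragments of the `app` service and the top-level `secrets` map, whose remaining lines are outside this page.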