generated from coop-cloud/example
Use a secret for ADMIN_PASSWORD
This commit is contained in:
parent
1ba7e69878
commit
928dc24cb3
|
@ -4,3 +4,5 @@ DOMAIN=filestash.example.com
|
||||||
## Domain aliases
|
## Domain aliases
|
||||||
#EXTRA_DOMAINS=', `www.filestash.example.com`'
|
#EXTRA_DOMAINS=', `www.filestash.example.com`'
|
||||||
LETS_ENCRYPT_ENV=production
|
LETS_ENCRYPT_ENV=production
|
||||||
|
|
||||||
|
SECRET_ADMIN_PASSWORD_VERSION=v1
|
||||||
|
|
21
compose.yml
21
compose.yml
|
@ -6,6 +6,7 @@ services:
|
||||||
- proxy
|
- proxy
|
||||||
environment:
|
environment:
|
||||||
- APPLICATION_URL=$DOMAIN
|
- APPLICATION_URL=$DOMAIN
|
||||||
|
- ADMIN_PASSWORD_FILE=/run/secrets/admin_password
|
||||||
deploy:
|
deploy:
|
||||||
restart_policy:
|
restart_policy:
|
||||||
condition: on-failure
|
condition: on-failure
|
||||||
|
@ -19,8 +20,26 @@ services:
|
||||||
#- "traefik.http.routers.${STACK_NAME}.middlewares=${STACK_NAME}-redirect"
|
#- "traefik.http.routers.${STACK_NAME}.middlewares=${STACK_NAME}-redirect"
|
||||||
#- "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLForceHost=true"
|
#- "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLForceHost=true"
|
||||||
#- "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLHost=${DOMAIN}"
|
#- "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLHost=${DOMAIN}"
|
||||||
|
|
||||||
- coop-cloud.${STACK_NAME}.app.version=e02267d-07d7189c
|
- coop-cloud.${STACK_NAME}.app.version=e02267d-07d7189c
|
||||||
|
secrets:
|
||||||
|
- admin_password
|
||||||
|
configs:
|
||||||
|
- source: entrypoint_conf
|
||||||
|
target: /docker-entrypoint.sh
|
||||||
|
mode: 0555
|
||||||
|
entrypoint: ['/docker-entrypoint.sh']
|
||||||
|
|
||||||
|
secrets:
|
||||||
|
admin_password:
|
||||||
|
external: true
|
||||||
|
name: ${STACK_NAME}_admin_password_${SECRET_ADMIN_PASSWORD_VERSION}
|
||||||
|
|
||||||
networks:
|
networks:
|
||||||
proxy:
|
proxy:
|
||||||
external: true
|
external: true
|
||||||
|
|
||||||
|
configs:
|
||||||
|
entrypoint_conf:
|
||||||
|
name: ${STACK_NAME}_entrypoint_conf_${ENTRYPOINT_CONF_VERSION}
|
||||||
|
file: entrypoint.sh.tmpl
|
||||||
|
template_driver: golang
|
||||||
|
|
|
@ -0,0 +1,43 @@
|
||||||
|
#!/usr/bin/env bash
|
||||||
|
|
||||||
|
file_env() {
|
||||||
|
# 3wc: Load $VAR_FILE into $VAR - useful for secrets. See
|
||||||
|
# https://medium.com/@adrian.gheorghe.dev/using-docker-secrets-in-your-environment-variables-7a0609659aab
|
||||||
|
local var="$1"
|
||||||
|
local fileVar="${var}_FILE"
|
||||||
|
local def="${2:-}"
|
||||||
|
|
||||||
|
if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then
|
||||||
|
echo >&2 "error: both $var and $fileVar are set (but are exclusive)"
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
local val="$def"
|
||||||
|
if [ "${!var:-}" ]; then
|
||||||
|
val="${!var}"
|
||||||
|
elif [ "${!fileVar:-}" ]; then
|
||||||
|
val="$(< "${!fileVar}")"
|
||||||
|
fi
|
||||||
|
export "$var"="$val"
|
||||||
|
unset "$fileVar"
|
||||||
|
}
|
||||||
|
|
||||||
|
load_vars() {
|
||||||
|
file_env "ADMIN_PASSWORD"
|
||||||
|
}
|
||||||
|
|
||||||
|
main() {
|
||||||
|
set -eu
|
||||||
|
|
||||||
|
load_vars
|
||||||
|
}
|
||||||
|
|
||||||
|
main
|
||||||
|
|
||||||
|
# 3wc: `source /docker-entrypoint2.sh -e` to load ADMIN_PASSWORD for CLI scripts
|
||||||
|
if [ ! "${1-}" == "-e" ]; then
|
||||||
|
# 3wc: upstream ENTRYPOINT
|
||||||
|
# https://github.com/hedgedoc/container/blob/master/alpine/Dockerfile
|
||||||
|
/app/filestash
|
||||||
|
fi
|
||||||
|
|
||||||
|
set +eu
|
Loading…
Reference in New Issue