diff --git a/.env.sample b/.env.sample
index 3f26677..c659d90 100644
--- a/.env.sample
+++ b/.env.sample
@@ -1,3 +1,6 @@
+#SECRET_DB_PASSWORD_VERSION=v1
+#SECRET_SMTP_PASSWORD_VERSION=v1
+
 TYPE=ghost
 DOMAIN=ghost.example.com
 
@@ -13,7 +16,6 @@ LETS_ENCRYPT_ENV=production
 #MAIL_OPTIONS_PORT=587
 #MAIL_OPTIONS_SECURE=false
 #MAIL_OPTIONS_AUTH_USER=smtpuser@example.com
-#MAIL_OPTIONS_AUTH_PASS=XXXX
 
 ## Matrix-Synapse-Redirection
 # If you want to use Ghost on a TLD which you want to use as matrix server name as well
diff --git a/abra.sh b/abra.sh
new file mode 100644
index 0000000..d6cf678
--- /dev/null
+++ b/abra.sh
@@ -0,0 +1 @@
+export GHOST_ENTRYPOINT_VERSION=v1
\ No newline at end of file
diff --git a/compose.matrix.yml b/compose.matrix.yml
index 3f5da8e..187d8e6 100644
--- a/compose.matrix.yml
+++ b/compose.matrix.yml
@@ -1,4 +1,3 @@
-version: "3.8"
 services:
   app:
     deploy:
diff --git a/compose.yml b/compose.yml
index a69d687..bb6d161 100644
--- a/compose.yml
+++ b/compose.yml
@@ -1,4 +1,3 @@
-version: "3.8"
 services:
   app:
     image: ghost:5-alpine
@@ -7,8 +6,8 @@ services:
       database__client: mysql
       database__connection__host: ${STACK_NAME}_db
       database__connection__user: root
-      database__connection__password: ghost
       database__connection__database: ghost
+      database__connection__password_FILE: /run/secrets/db_password
       url: https://$DOMAIN
       mail__transport: ${MAIL_TRANSPORT}
       mail__from: ${MAIL_FROM}
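Review bot: `database__connection__password_FILE` is not a setting Ghost reads itself; it only works because the wrapper entrypoint added in this commit rewrites it into `database__connection__password` before the upstream entrypoint runs, and nothing on this line says so. A comment such as `# _FILE suffix is resolved by entrypoint.sh (mounted as /abra-entrypoint.sh), not by Ghost` would stop the next reader from "fixing" it back to a plain value. The surrounding context still connects as `database__connection__user: root`, so the secret handed to the app is the MySQL root password rather than a per-application credential; that predates this change, but moving to secrets is a natural moment to introduce a dedicated least-privilege user. The `environment:` mapping this hunk edits begins above the hunk.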
@@ -16,9 +15,18 @@ services:
       mail__options__port: ${MAIL_OPTIONS_PORT}
       mail__options__secure: ${MAIL_OPTIONS_SECURE}
       #mail__options__auth__user: ${MAIL_OPTIONS_AUTH_USER}
-      #mail__options__auth__pass: ${MAIL_OPTIONS_AUTH_PASS}
+      mail__options__auth__pass_FILE: /run/secrets/smtp_password
       # contrary to the default mentioned in the linked documentation, this image defaults to NODE_ENV=production (so development mode needs to be explicitly specified if desired)
       #NODE_ENV: development
+    secrets:
+      - db_password
+      - smtp_password
+    configs:
+      - source: ghost_entrypoint
+        target: /abra-entrypoint.sh
+        mode: 0555
+    command: node current/index.js
+    entrypoint: /abra-entrypoint.sh
     networks:
       - proxy
       - backend
@@ -52,7 +60,9 @@ services:
     networks:
       - backend
     environment:
-      MYSQL_ROOT_PASSWORD: ghost
+      MYSQL_ROOT_PASSWORD_FILE: /run/secrets/db_password
+    secrets:
+      - db_password
     volumes:
       - "mysql:/var/lib/mysql"
     deploy:
@@ -70,3 +80,16 @@ networks:
 volumes:
   mysql:
   ghost_content:
+
+secrets:
+  db_password:
+    name: ${STACK_NAME}_db_password_${SECRET_DB_PASSWORD_VERSION}
+    external: true
+  smtp_password:
+    external: true
+    name: ${STACK_NAME}_smtp_password_${SECRET_SMTP_PASSWORD_VERSION}
+
+configs:
+  ghost_entrypoint:
+    name: ${STACK_NAME}_ghost_entrypoint_${GHOST_ENTRYPOINT_VERSION}
+    file: entrypoint.sh
\ No newline at end of file
diff --git a/entrypoint.sh b/entrypoint.sh
new file mode 100644
index 0000000..b14276d
--- /dev/null
+++ b/entrypoint.sh
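Review bot: `mail__options__auth__pass_FILE` is now always set while `#mail__options__auth__user` stays commented out, so every deployment must provision the external `smtp_password` secret and Ghost always receives a mail password even when SMTP auth is not configured. Either comment the line out to match the user line (documenting that both are enabled together), or keep it mandatory and say so in `.env.sample`. A short comment on the line, e.g. `# resolved to mail__options__auth__pass by /abra-entrypoint.sh; Ghost does not read _FILE itself`, would also explain the suffix to the next reader. The `app:` service whose keys this hunk changes begins above the hunk.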
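Review bot: `${SECRET_DB_PASSWORD_VERSION}` and `${SECRET_SMTP_PASSWORD_VERSION}` are interpolated with no guard, and the `.env.sample` in this same commit ships them commented out, so an unset variable silently produces a secret name ending in `_` and a confusing "secret not found" at deploy time. If the deploy tooling's interpolation supports it, the `${VAR:?message}` form fails fast instead: `name: ${STACK_NAME}_db_password_${SECRET_DB_PASSWORD_VERSION:?set SECRET_DB_PASSWORD_VERSION}`, and likewise for the SMTP entry. Separately, the two secret entries list `name` and `external` in opposite orders; pick one order for both so the block scans consistently.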
@@ -0,0 +1,32 @@
+#!/bin/bash
+
+set -e
+
+file_env() {
+  local var="$1"
+  local fileVar="${var}_FILE"
+  local def="${2:-}"
+
+  if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then
+    echo >&2 "error: both $var and $fileVar are set (but are exclusive)"
+    exit 1
+  fi
+
+  local val="$def"
+
+  if [ "${!var:-}" ]; then
+    val="${!var}"
+  elif [ "${!fileVar:-}" ]; then
+    val="$(< "${!fileVar}")"
+  fi
+
+  export "$var"="$val"
+  unset "$fileVar"
+}
+
+
+file_env "database__connection__password"
+file_env "mail__options__auth__pass"
+
+# upstream entrypoint https://github.com/docker-library/ghost/blob/master/5/alpine/Dockerfile
+/usr/local/bin/docker-entrypoint.sh "$@"
\ No newline at end of file
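Review bot: The new script has no header explaining why it exists, and the behaviour a maintainer most needs to know is hidden in `val="$(< "${!fileVar}")"`: command substitution strips every trailing newline from the secret file, which is what makes secrets created with `echo` work but also means a password can never end in a newline. A header along the lines of `# Wrapper for the stock Ghost entrypoint: resolves <VAR>_FILE into <VAR> (file contents, trailing newlines stripped) so Docker secrets can feed Ghost's env-based config, then hands off to /usr/local/bin/docker-entrypoint.sh` would cover it. The indirect expansions `${!var}` and `$(< file)` are bash-only, so `#!/bin/bash` is load-bearing on an alpine-based image; a one-line comment noting that dependency is cheap insurance. Finally, the `def` parameter of `file_env` is never supplied by either caller, so either drop it or mark it `# optional default, unused by current callers` so nobody assumes a fallback exists for a missing secret.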