From 8b64973146a33f243b49dcbeee89aca5f79785de Mon Sep 17 00:00:00 2001 From: Luke Murphy Date: Wed, 17 Jun 2020 23:13:11 +0200 Subject: [PATCH] Move towards a pluggable deployment --- .envrc.sample | 8 +++++ .gitignore | 1 + docker-compose.yml => compose.yml | 52 ++++++++++++++++++++----------- helpers.sh | 8 +++++ 4 files changed, 50 insertions(+), 19 deletions(-) create mode 100644 .envrc.sample create mode 100644 .gitignore rename docker-compose.yml => compose.yml (57%) create mode 100755 helpers.sh diff --git a/.envrc.sample b/.envrc.sample new file mode 100644 index 0000000..a6ce2ea --- /dev/null +++ b/.envrc.sample @@ -0,0 +1,8 @@ +export API_SECRET_VERSION=v1 +export APP_KEY_VERSION=v1 +export DB_PASSWD_VERSION=v1 +export DB_ROOT_PASSWD_VERSION=v1 +export DOMAIN=invoiceninja.swarm.autonomic.zone +export LETS_ENCRYPT_ENV=production +export STACK_NAME=invoiceninja +export NGINX_CONF_VERSION=v1 diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..7a6353d --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +.envrc diff --git a/docker-compose.yml b/compose.yml similarity index 57% rename from docker-compose.yml rename to compose.yml index 221b474..396297a 100644 --- a/docker-compose.yml +++ b/compose.yml @@ -5,13 +5,13 @@ services: nginx: image: "nginx:stable" configs: - - source: nginx-conf-v1 + - source: nginx-conf target: /etc/nginx/nginx.conf volumes: - "public:/var/www/app/public" networks: - proxy - - backchannelnet + - internal depends_on: - invoiceninja deploy: 
@@ -25,26 +25,31 @@ services: labels: - "traefik.enable=true" - "traefik.http.services.invoiceninja.loadbalancer.server.port=80" - - "traefik.http.routers.invoiceninja.rule=Host(`invoices.zzp.decentral1.se`)" + - "traefik.http.routers.invoiceninja.rule=Host(`${DOMAIN}`)" - "traefik.http.routers.invoiceninja.entrypoints=web-secure" - - "traefik.http.routers.invoiceninja.tls.certresolver=production" + - "traefik.http.routers.invoiceninja.tls.certresolver=${LETS_ENCRYPT_ENV}" invoiceninja: - image: "invoiceninja/invoiceninja:4.6.0" + image: "invoiceninja/invoiceninja:5.0.4" volumes: - "public:/var/www/app/public" - "storage:/var/www/app/storage" + secrets: + - api_secret + - app_key + - db_root_passwd + - db_user_passwd environment: - - API_SECRET=Z3kLyTUlwgd7mIybDNXEec9RGxFtrDNE + - API_SECRET_FILE=/run/secrets/api_secret - APP_CIPHER=AES-256-CBC - APP_DEBUG=false - APP_ENV=production - - APP_KEY=8nIPbC6HiSp1hyA5KfANWTJQfcHzLWyp + - APP_KEY_FILE=/run/secrets/app_key - APP_LOCALE=en - - APP_URL=https://invoices.zzp.decentral1.se + - APP_URL=${DOMAIN} - DB_DATABASE=ninja - DB_HOST=mariadb - - DB_PASSWORD=6KIc1aZdylJQfXxCE3fTj49I2KVwsqYp + - DB_PASSWORD_FILE=/run/secrets/db_user_passwd - DB_STRICT=false - DB_TYPE=mysql - DB_USERNAME=ninja @@ -56,22 +61,22 @@ services: depends_on: - mariadb networks: - - backchannelnet + - internal mariadb: image: "mariadb:10.5" environment: - MYSQL_DATABASE=ninja - MYSQL_USER=ninja - - MYSQL_PASSWORD_FILE=/run/secrets/mariadb-user-passwd-v1 - - MYSQL_ROOT_PASSWORD_FILE=/run/secrets/mariadb-root-passwd-v1 + - MYSQL_PASSWORD_FILE=/run/secrets/db_user_passwd + - MYSQL_ROOT_PASSWORD_FILE=/run/secrets/db_root_passwd secrets: - - mariadb-root-passwd-v1 - - mariadb-user-passwd-v1 + - db-root-passwd + - db-user-passwd volumes: - "mariadb:/var/lib/mariadb" networks: - - backchannelnet + - internal volumes: mariadb: 
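Review bot: The new `secrets:` list on the `invoiceninja` service mounts `db_root_passwd`, but nothing in that service's environment references it (only `DB_PASSWORD_FILE=/run/secrets/db_user_passwd` is set), so the web-facing app container holds the MariaDB root credential for no visible reason; drop `- db_root_passwd` from that list. In the same hunk `- APP_URL=${DOMAIN}` loses the `https://` prefix the old value carried, and `.envrc.sample` sets `DOMAIN` to a bare hostname, so `- APP_URL=https://${DOMAIN}` would keep the previous form. Whether the 5.0.4 image resolves `API_SECRET_FILE`, `APP_KEY_FILE` and `DB_PASSWORD_FILE` is not visible from this diff and is worth confirming before deploy. The three literal values removed here remain in git history, so they should be treated as exposed and not reused as the contents of the new secrets. The `environment:` list continues past the end of the hunk.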
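Review bot: The `mariadb` service's `secrets:` list now names `db-root-passwd` and `db-user-passwd` with hyphens, while the top-level `secrets:` section in the last compose.yml hunk defines `db_root_passwd` and `db_user_passwd` with underscores. The `MYSQL_PASSWORD_FILE` and `MYSQL_ROOT_PASSWORD_FILE` paths added just above also use underscores. As written the service refers to secrets that are not defined, so the deploy should be rejected, or at best the files under `/run/secrets/` will not have the expected names. The two entries should read `- db_root_passwd` and `- db_user_passwd`.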
@@ -81,14 +86,23 @@ volumes: networks: proxy: external: true - backchannelnet: + internal: secrets: - mariadb-root-passwd-v1: + db_root_passwd: + name: ${STACK_NAME}_db_root_passwd_${DB_ROOT_PASSWD_VERSION} external: true - mariadb-user-passwd-v1: + db_user_passwd: + name: ${STACK_NAME}_db_passwd_${DB_PASSWD_VERSION} + external: true + app_key: + name: ${STACK_NAME}_app_key_${APP_KEY_VERSION} + external: true + api_secret: + name: ${STACK_NAME}_api_secret_${API_SECRET_VERSION} external: true configs: - nginx-conf-v1: + nginx-conf: + name: ${STACK_NAME}-nginx-conf-${NGINX_CONF_VERSION} file: nginx.conf diff --git a/helpers.sh b/helpers.sh new file mode 100755 index 0000000..f851a55 --- /dev/null +++ b/helpers.sh @@ -0,0 +1,8 @@ +#!/bin/bash + +create-secrets () { + pwgen -n 32 1 | docker secret create "${STACK_NAME}_db_root_passwd_${DB_ROOT_PASSWD_VERSION}" - + pwgen -n 32 1 | docker secret create "${STACK_NAME}_db_passwd_${DB_PASSWD_VERSION}" - + pwgen -n 32 1 | docker secret create "${STACK_NAME}_app_key_${APP_KEY_VERSION}" - + pwgen -n 32 1 | docker secret create "${STACK_NAME}_api_secret_${API_SECRET_VERSION}" - +}
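Review bot: In `create-secrets`, `pwgen -n 32 1` runs without `-s`, so the four values use pwgen's pronounceable mode, which carries less entropy than fully random output. Nobody types these keys, so `pwgen -s 32 1` is the better choice on each of the four lines. The function also expands `STACK_NAME` and the `*_VERSION` variables without checking that they are set, so running it outside the direnv environment would create secrets with names like `_db_root_passwd_`. A guard such as `: "${STACK_NAME:?}"` at the top of the function, repeated for each version variable, would fail early instead. A short header comment saying that the secret names must match the `name:` entries in compose.yml would also help, since the two files have to stay in step.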