From 9a4d5058f9d13a591c1e9b6ff64979539fa6d8eb Mon Sep 17 00:00:00 2001 From: notplants Date: Fri, 31 Oct 2025 11:21:36 -0400 Subject: [PATCH 01/19] Add alias of lasuite-app instead of app to prevent docker DNS name conflict --- .env.sample | 7 +++++++ compose.yml | 4 +++- nginx.conf | 2 +- 3 files changed, 11 insertions(+), 2 deletions(-) diff --git a/.env.sample b/.env.sample index 20e3ac2..972f822 100644 --- a/.env.sample +++ b/.env.sample @@ -7,6 +7,13 @@ DOMAIN=lasuite-docs.example.com LETS_ENCRYPT_ENV=production +############################################################################## +# SECRETS +############################################################################## +SECRET_DJANGO_SECRET_KEY=v1 +SECRET_OIDC_RP_CLIENT_SECRET=v1 +SECRET_DJANGO_SUPERUSER_PASSWORD=v1 + ############################################################################## # BASIC SETTINGS ############################################################################## diff --git a/compose.yml b/compose.yml index 67b493f..2fe157d 100644 --- a/compose.yml +++ b/compose.yml @@ -86,7 +86,9 @@ services: app: image: lasuite/impress-frontend:v3.4.2 networks: - - backend + backend: + aliases: + - lasuite-app deploy: labels: - "traefik.enable=false" diff --git a/nginx.conf b/nginx.conf index efa1b30..3ae1e1c 100644 --- a/nginx.conf +++ b/nginx.conf @@ -3,7 +3,7 @@ upstream docs_backend { } upstream docs_frontend { - server app:8080 fail_timeout=0; + server lasuite-app:8080 fail_timeout=0; } server { From 51c939dd2cc5e5539009043c9723a58a7cd9794f Mon Sep 17 00:00:00 2001 From: notplants Date: Fri, 31 Oct 2025 13:14:12 -0400 Subject: [PATCH 02/19] working on secrets --- .env.sample | 6 +++--- abra.sh | 1 + compose.yml | 30 +++++++++++++++++++++++++++--- entrypoint.sh | 38 ++++++++++++++++++++++++++++++++++++++ 4 files changed, 69 insertions(+), 6 deletions(-) create mode 100644 entrypoint.sh diff --git a/.env.sample b/.env.sample index 972f822..d9f65b4 100644 --- a/.env.sample 
+++ b/.env.sample @@ -10,9 +10,9 @@ LETS_ENCRYPT_ENV=production ############################################################################## # SECRETS ############################################################################## -SECRET_DJANGO_SECRET_KEY=v1 -SECRET_OIDC_RP_CLIENT_SECRET=v1 -SECRET_DJANGO_SUPERUSER_PASSWORD=v1 +SECRET_DJANGO_SECRET_KEY_VERSION=v1 +SECRET_OIDC_RP_CLIENT_SECRET_VERSION=v1 +SECRET_DJANGO_SUPERUSER_PASSWORD_VERSION=v1 ############################################################################## # BASIC SETTINGS diff --git a/abra.sh b/abra.sh index f2314ad..2fbc127 100755 --- a/abra.sh +++ b/abra.sh @@ -2,6 +2,7 @@ # Docs: https://docs.coopcloud.tech/maintainers/handbook/#manage-configs export NGINX_CONF_VERSION=v2 export PG_BACKUP_VERSION=v3 +export ENTRYPOINT_VERSION=v1 # environment() { # # TODO: Add file_env here diff --git a/compose.yml b/compose.yml index 2fe157d..5da2887 100644 --- a/compose.yml +++ b/compose.yml @@ -5,9 +5,9 @@ x-common-env: &common-env DJANGO_CONFIGURATION: Production DJANGO_ALLOWED_HOSTS: "*" - DJANGO_SECRET_KEY: + XX_DJANGO_SECRET_KEY: DJANGO_SETTINGS_MODULE: impress.settings - DJANGO_SUPERUSER_PASSWORD: + XX_DJANGO_SUPERUSER_PASSWORD: # Logging # Set to DEBUG level for dev only LOGGING_LEVEL_HANDLERS_CONSOLE: @@ -38,7 +38,7 @@ x-common-env: &common-env OIDC_OP_TOKEN_ENDPOINT: OIDC_OP_USER_ENDPOINT: OIDC_RP_CLIENT_ID: - OIDC_RP_CLIENT_SECRET: + XX_OIDC_RP_CLIENT_SECRET: OIDC_RP_SIGN_ALGO: OIDC_RP_SCOPES: LOGIN_REDIRECT_URL: @@ -113,6 +113,11 @@ services: timeout: 30s retries: 20 start_period: 10s + entrypoint: /abra-lasuite-entrypoint.sh + configs: + - source: abra_lasuite_entrypoint + target: /abra-lasuite-entrypoint.sh + mode: 0555 celery: image: lasuite/impress-backend:v3.4.2 
@@ -121,6 +126,11 @@ services: command: ["celery", "-A", "impress.celery_app", "worker", "-l", "INFO"] environment: <<: [*common-env, *postgres-env, *yprovider-env] + entrypoint: /abra-lasuite-entrypoint.sh + configs: + - source: abra_lasuite_entrypoint + target: /abra-lasuite-entrypoint.sh + mode: 0555 y-provider: image: lasuite/impress-y-provider:v3.4.2 @@ -229,3 +239,17 @@ configs: pg_backup: name: ${STACK_NAME}_pg_backup_${PG_BACKUP_VERSION} file: pg_backup.sh + abra_lasuite_entrypoint: + name: ${STACK_NAME}_entrypoint_${ENTRYPOINT_VERSION} + file: entrypoint.sh + +secrets: + django_secret_key: + external: true + name: ${STACK_NAME}_django_secret_key_${SECRET_DJANGO_SECRET_KEY_VERSION} + oidc_rp_client_secret: + external: true + name: ${STACK_NAME}_oidc_rp_client_secret_${SECRET_OIDC_RP_CLIENT_SECRET_VERSION} + django_superuser_password: + external: true + name: ${STACK_NAME}_django_superuser_password_${SECRET_DJANGO_SUPERUSER_PASSWORD_VERSION} \ No newline at end of file diff --git a/entrypoint.sh b/entrypoint.sh new file mode 100644 index 0000000..c302740 --- /dev/null +++ b/entrypoint.sh @@ -0,0 +1,38 @@ +#!/bin/bash + +set -e + +file_env() { + local var="$1" + local fileVar="${var}_FILE" + local def="${2:-}" + + if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then + echo >&2 "error: both $var and $fileVar are set (but are exclusive)" + exit 1 + fi + + local val="$def" + + if [ "${!var:-}" ]; then + val="${!var}" + elif [ "${!fileVar:-}" ]; then + val="$(< "${!fileVar}")" + fi + + export "$var"="$val" + unset "$fileVar" +} + +file_env "DJANGO_SECRET_KEY" +file_env "OIDC_RP_CLIENT_SECRET" +file_env "DJANGO_SUPERUSER_PASSWORD" +# file_env "MINIO_ROOT_PASSWORD" +# file_env "COLLABORATION_SERVER_SECRET" +# file_env "POSTGRES_PASSWORD" +# file_env "DB_PASSWORD" +# file_env "AWS_S3_SECRET_ACCESS_KEY" + +# Execute the actual command (from command: in compose.yml) +exec "$@" + From 184255b249bc80e3db843c70cc72abba821dd254 Mon Sep 17 00:00:00 2001 
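Review bot: file_env only takes a value from `${var}_FILE`, but nothing in this commit sets `DJANGO_SECRET_KEY_FILE` or the other `_FILE` variables and no `secrets:` are attached to app or celery, so all three calls fall through to the empty default and the variables are exported empty. The wrapper is also installed as the service `entrypoint:`, which replaces whatever ENTRYPOINT the image ships; if that entrypoint does setup the app relies on, `exec "$@"` now skips it. Either attach the secrets and set the `_FILE` variables to their `/run/secrets/…` paths, or make file_env refuse to continue when neither source is set, e.g. `[ -n "$val" ] || { echo >&2 "error: $var is not set"; exit 1; }` before the export.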
From: notplants Date: Fri, 31 Oct 2025 15:36:14 -0400 Subject: [PATCH 03/19] almost working with docker secrets --- .env.sample | 4 ++++ abra.sh | 2 +- compose.yml | 52 ++++++++++++++++++++++++++++++++++++++++++++++++--- entrypoint.sh | 48 +++++++++++++++-------------------------------- 4 files changed, 69 insertions(+), 37 deletions(-) diff --git a/.env.sample b/.env.sample index d9f65b4..710a1f5 100644 --- a/.env.sample +++ b/.env.sample @@ -13,6 +13,10 @@ LETS_ENCRYPT_ENV=production SECRET_DJANGO_SECRET_KEY_VERSION=v1 SECRET_OIDC_RP_CLIENT_SECRET_VERSION=v1 SECRET_DJANGO_SUPERUSER_PASSWORD_VERSION=v1 +SECRET_MINIO_ROOT_PASSWORD_VERSION=v1 +SECRET_COLLABORATION_SERVER_SECRET_VERSION=v1 +SECRET_POSTGRES_PASSWORD_VERSION=v1 +SECRET_DB_PASSWORD_VERSION=v1 ############################################################################## # BASIC SETTINGS diff --git a/abra.sh b/abra.sh index 2fbc127..80e73ce 100755 --- a/abra.sh +++ b/abra.sh @@ -1,8 +1,8 @@ # Set any config versions here # Docs: https://docs.coopcloud.tech/maintainers/handbook/#manage-configs +export ABRA_LASUITE_ENTRYPOINT_VERSION=v2 export NGINX_CONF_VERSION=v2 export PG_BACKUP_VERSION=v3 -export ENTRYPOINT_VERSION=v1 # environment() { # # TODO: Add file_env here diff --git a/compose.yml b/compose.yml index 5da2887..da55341 100644 --- a/compose.yml +++ b/compose.yml @@ -73,6 +73,7 @@ x-yprovider-env: &yprovider-env Y_PROVIDER_API_KEY: foobar COLLABORATION_API_URL: http://y-provider:4444/api/ COLLABORATION_SERVER_ORIGIN: https://${DOMAIN} + # FIXME: Move to docker secret COLLABORATION_SERVER_SECRET: my-secret COLLABORATION_BACKEND_BASE_URL: https://${DOMAIN} COLLABORATION_WS_URL: wss://${DOMAIN}/collaboration/ws/ 
@@ -113,11 +114,20 @@ services: timeout: 30s retries: 20 start_period: 10s + command: ["gunicorn", "-c", "/usr/local/etc/gunicorn/impress.py", "impress.wsgi:application"] entrypoint: /abra-lasuite-entrypoint.sh configs: - source: abra_lasuite_entrypoint target: /abra-lasuite-entrypoint.sh mode: 0555 + secrets: + - django_secret_key + - oidc_rp_client_secret + - django_superuser_password + - collaboration_server_secret + - minio_root_password + - postgres_password + - db_password celery: image: lasuite/impress-backend:v3.4.2 @@ -131,6 +141,15 @@ services: - source: abra_lasuite_entrypoint target: /abra-lasuite-entrypoint.sh mode: 0555 + secrets: + - django_secret_key + - oidc_rp_client_secret + - django_superuser_password + - collaboration_server_secret + - minio_root_password + - postgres_password + - db_password + y-provider: image: lasuite/impress-y-provider:v3.4.2 @@ -186,6 +205,8 @@ services: replicas: 0 restart_policy: condition: none + secrets: + - minio_root_password minio: image: minio/minio:RELEASE.2025-05-24T17-08-30Z @@ -195,7 +216,6 @@ services: interval: 1s timeout: 20s retries: 300 - entrypoint: "" networks: - backend command: minio server /data @@ -204,6 +224,20 @@ services: deploy: labels: backupbot.backup: "${ENABLE_BACKUPS:-true}" + entrypoint: /abra-lasuite-entrypoint.sh + configs: + - source: abra_lasuite_entrypoint + target: /abra-lasuite-entrypoint.sh + mode: 0555 + secrets: + - django_secret_key + - oidc_rp_client_secret + - django_superuser_password + - collaboration_server_secret + - minio_root_password + - postgres_password + - db_password + web: image: nginx:1.29 @@ -240,7 +274,7 @@ configs: name: ${STACK_NAME}_pg_backup_${PG_BACKUP_VERSION} file: pg_backup.sh abra_lasuite_entrypoint: - name: ${STACK_NAME}_entrypoint_${ENTRYPOINT_VERSION} + name: ${STACK_NAME}_entrypoint_${ABRA_LASUITE_ENTRYPOINT_VERSION} file: entrypoint.sh secrets: 
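Review bot: The minio service is given all seven secrets (django_secret_key, oidc_rp_client_secret, django_superuser_password, collaboration_server_secret, postgres_password, db_password as well as minio_root_password) although its process only needs minio_root_password, and the same full list is attached to app and celery. Every listed secret is mounted readable under /run/secrets inside that container, so a compromise of the object-store container also yields the Django signing key, the OIDC client secret and the database password. Trim each `secrets:` list to what the service actually reads; the same applies to the identical lists later attached to y-provider, minio-create-bucket and db in this series.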
@@ -252,4 +286,16 @@ secrets: name: ${STACK_NAME}_oidc_rp_client_secret_${SECRET_OIDC_RP_CLIENT_SECRET_VERSION} django_superuser_password: external: true - name: ${STACK_NAME}_django_superuser_password_${SECRET_DJANGO_SUPERUSER_PASSWORD_VERSION} \ No newline at end of file + name: ${STACK_NAME}_django_superuser_password_${SECRET_DJANGO_SUPERUSER_PASSWORD_VERSION} + postgres_password: + external: true + name: ${STACK_NAME}_postgres_password_${SECRET_POSTGRES_PASSWORD_VERSION} + db_password: + external: true + name: ${STACK_NAME}_db_password_${SECRET_DB_PASSWORD_VERSION} + collaboration_server_secret: + external: true + name: ${STACK_NAME}_collaboration_server_secret_${SECRET_COLLABORATION_SERVER_SECRET_VERSION} + minio_root_password: + external: true + name: ${STACK_NAME}_minio_root_password_${SECRET_MINIO_ROOT_PASSWORD_VERSION} \ No newline at end of file diff --git a/entrypoint.sh b/entrypoint.sh index c302740..4fbd33f 100644 --- a/entrypoint.sh +++ b/entrypoint.sh 
@@ -1,38 +1,20 @@ -#!/bin/bash +#!/bin/sh -set -e +DJANGO_SECRET_KEY="$(cat /run/secrets/django_secret_key)" +OIDC_RP_CLIENT_SECRET="$(cat /run/secrets/oidc_rp_client_secret)" +DJANGO_SUPERUSER_PASSWORD="$(cat /run/secrets/django_superuser_password)" +COLLABORATION_SERVER_SECRET="$(cat /run/secrets/collaboration_server_secret)" +POSTGRES_PASSWORD="$(cat /run/secrets/postgres_password)" +DB_PASSWORD="$(cat /run/secrets/db_password)" +MINIO_ROOT_PASSWORD="$(cat /run/secrets/minio_root_password)" -file_env() { - local var="$1" - local fileVar="${var}_FILE" - local def="${2:-}" - - if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then - echo >&2 "error: both $var and $fileVar are set (but are exclusive)" - exit 1 - fi - - local val="$def" - - if [ "${!var:-}" ]; then - val="${!var}" - elif [ "${!fileVar:-}" ]; then - val="$(< "${!fileVar}")" - fi - - export "$var"="$val" - unset "$fileVar" -} - -file_env "DJANGO_SECRET_KEY" -file_env "OIDC_RP_CLIENT_SECRET" -file_env "DJANGO_SUPERUSER_PASSWORD" -# file_env "MINIO_ROOT_PASSWORD" -# file_env "COLLABORATION_SERVER_SECRET" -# file_env "POSTGRES_PASSWORD" -# file_env "DB_PASSWORD" -# file_env "AWS_S3_SECRET_ACCESS_KEY" +export DJANGO_SECRET_KEY +export OIDC_RP_CLIENT_SECRET +export DJANGO_SUPERUSER_PASSWORD +export COLLABORATION_SERVER_SECRET +export POSTGRES_PASSWORD +export DB_PASSWORD +export MINIO_ROOT_PASSWORD # Execute the actual command (from command: in compose.yml) exec "$@" - From 664d0df1f6ea71611961f054f2798e1ad36da158 Mon Sep 17 00:00:00 2001 From: notplants Date: Fri, 31 Oct 2025 15:43:20 -0400 Subject: [PATCH 04/19] almost working secrets --- compose.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/compose.yml b/compose.yml index da55341..eabb634 100644 --- a/compose.yml +++ b/compose.yml 
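Review bot: `set -e` is dropped and each secret is read with an unconditional `cat /run/secrets/<name>`, so a secret that is not attached to the service (or not yet created) produces a cat error on stderr and an empty exported variable, and the process is then exec'd with, for example, an empty DJANGO_SECRET_KEY. A plain assignment takes the exit status of its command substitution, so restoring `set -e` at the top makes a missing file abort the container before `exec "$@"`; `set -eu` additionally catches a later typo in a variable name. If some services legitimately lack a secret, guard each read with `[ -f /run/secrets/<name> ]` rather than ignoring the error.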
@@ -28,7 +28,7 @@ x-common-env: &common-env STORAGES_STATICFILES_BACKEND: django.contrib.staticfiles.storage.StaticFilesStorage AWS_S3_ENDPOINT_URL: http://minio:9000 AWS_S3_ACCESS_KEY_ID: user - # FIXME: Move to docker secret + # FIXME: Move to docker secret (or remove all together) AWS_S3_SECRET_ACCESS_KEY: password MEDIA_BASE_URL: https://${DOMAIN} AWS_STORAGE_BUCKET_NAME: docs-media-storage From 293dd80e535675e6ac67ca0a6d0d0e9514d513bf Mon Sep 17 00:00:00 2001 From: notplants Date: Sat, 1 Nov 2025 16:26:05 -0400 Subject: [PATCH 05/19] Attempt at universal abra wrapper --- abra.sh | 2 +- compose.yml | 35 ++++++++++++++++++++++++----------- entrypoint.sh | 38 ++++++++++++++++++++++---------------- 3 files changed, 47 insertions(+), 28 deletions(-) diff --git a/abra.sh b/abra.sh index 80e73ce..4dc4af7 100755 --- a/abra.sh +++ b/abra.sh @@ -1,6 +1,6 @@ # Set any config versions here # Docs: https://docs.coopcloud.tech/maintainers/handbook/#manage-configs -export ABRA_LASUITE_ENTRYPOINT_VERSION=v2 +export ABRA_ENTRYPOINT_VERSION=v3 export NGINX_CONF_VERSION=v2 export PG_BACKUP_VERSION=v3 diff --git a/compose.yml b/compose.yml index eabb634..87f27da 100644 --- a/compose.yml +++ b/compose.yml @@ -115,10 +115,11 @@ services: retries: 20 start_period: 10s command: ["gunicorn", "-c", "/usr/local/etc/gunicorn/impress.py", "impress.wsgi:application"] - entrypoint: /abra-lasuite-entrypoint.sh + # entrypoint: "/abra-entrypoint.sh" + entrypoint: ["/abra-entrypoint.sh", "/usr/local/bin/entrypoint"] configs: - - source: abra_lasuite_entrypoint - target: /abra-lasuite-entrypoint.sh + - source: abra_entrypoint + target: /abra-entrypoint.sh mode: 0555 secrets: - django_secret_key 
@@ -136,10 +137,10 @@ services: command: ["celery", "-A", "impress.celery_app", "worker", "-l", "INFO"] environment: <<: [*common-env, *postgres-env, *yprovider-env] - entrypoint: /abra-lasuite-entrypoint.sh + entrypoint: ["/abra-entrypoint.sh", "/usr/local/bin/entrypoint"] configs: - - source: abra_lasuite_entrypoint - target: /abra-lasuite-entrypoint.sh + - source: abra_entrypoint + target: /abra-entrypoint.sh mode: 0555 secrets: - django_secret_key @@ -156,6 +157,12 @@ services: networks: - backend environment: *yprovider-env + command: ["yarn", "start"] + entrypoint: ["/abra-entrypoint.sh", "/usr/local/bin/entrypoint"] + configs: + - source: abra_entrypoint + target: /abra-entrypoint.sh + mode: 0555 # NOTE: healthcheck - `wget` is available in the container, but `wget http://localhost:4444` gives a 403 db: @@ -172,6 +179,8 @@ services: PGDATA: var/lib/postgresql/data/pgdata volumes: - postgres:/var/lib/postgresql/data/pgdata + command: ["postgres"] + entrypoint: ["/abra-entrypoint.sh", "docker-entrypoint.sh"] deploy: labels: backupbot.backup: "${ENABLE_BACKUPS:-true}" @@ -182,6 +191,9 @@ services: - source: pg_backup target: /pg_backup.sh mode: 0555 + - source: abra_entrypoint + target: /abra-entrypoint.sh + mode: 0555 redis: image: redis:8 @@ -219,15 +231,16 @@ services: networks: - backend command: minio server /data + entrypoint: ["/abra-entrypoint.sh", "/usr/bin/docker-entrypoint.sh"] volumes: - minio:/data deploy: labels: backupbot.backup: "${ENABLE_BACKUPS:-true}" - entrypoint: /abra-lasuite-entrypoint.sh + entrypoint: /abra-entrypoint.sh configs: - - source: abra_lasuite_entrypoint - target: /abra-lasuite-entrypoint.sh + - source: abra_entrypoint + target: /abra-entrypoint.sh mode: 0555 secrets: - django_secret_key 
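Review bot: In the minio hunk (`@@ -219,15 +231,16 @@`) a second `entrypoint:` key is added under `command: minio server /data` while the existing one below `deploy:` is only renamed to `entrypoint: /abra-entrypoint.sh`, so the service mapping appears to contain the key twice (indentation is not recoverable from this rendering, so confirm). Duplicate keys are either rejected or resolved silently last-wins depending on the YAML loader, and the two values disagree: the first chains `/usr/bin/docker-entrypoint.sh`, the second drops it. Keep only `entrypoint: ["/abra-entrypoint.sh", "/usr/bin/docker-entrypoint.sh"]` and delete the other line.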
@@ -273,8 +286,8 @@ configs: pg_backup: name: ${STACK_NAME}_pg_backup_${PG_BACKUP_VERSION} file: pg_backup.sh - abra_lasuite_entrypoint: - name: ${STACK_NAME}_entrypoint_${ABRA_LASUITE_ENTRYPOINT_VERSION} + abra_entrypoint: + name: ${STACK_NAME}_entrypoint_${ABRA_ENTRYPOINT_VERSION} file: entrypoint.sh secrets: diff --git a/entrypoint.sh b/entrypoint.sh index 4fbd33f..39ac0c8 100644 --- a/entrypoint.sh +++ b/entrypoint.sh @@ -1,20 +1,26 @@ #!/bin/sh +set -e -DJANGO_SECRET_KEY="$(cat /run/secrets/django_secret_key)" -OIDC_RP_CLIENT_SECRET="$(cat /run/secrets/oidc_rp_client_secret)" -DJANGO_SUPERUSER_PASSWORD="$(cat /run/secrets/django_superuser_password)" -COLLABORATION_SERVER_SECRET="$(cat /run/secrets/collaboration_server_secret)" -POSTGRES_PASSWORD="$(cat /run/secrets/postgres_password)" -DB_PASSWORD="$(cat /run/secrets/db_password)" -MINIO_ROOT_PASSWORD="$(cat /run/secrets/minio_root_password)" +echo "++ running new entrypoint" +ORIGINAL_ENTRYPOINT="$1" +shift -export DJANGO_SECRET_KEY -export OIDC_RP_CLIENT_SECRET -export DJANGO_SUPERUSER_PASSWORD -export COLLABORATION_SERVER_SECRET -export POSTGRES_PASSWORD -export DB_PASSWORD -export MINIO_ROOT_PASSWORD +echo "++ original entrypoint: ${ORIGINAL_ENTRYPOINT}" -# Execute the actual command (from command: in compose.yml) -exec "$@" +# --- Load secrets into environment variables --- +if [ -d /run/secrets ]; then + for secret_file in /run/secrets/*; do + echo "++ loading secret: ${secret_file}" + var_name=$(basename "$secret_file" | tr '[:lower:]' '[:upper:]') + export "$var_name"="$(cat "$secret_file")" + done +fi + +echo "++ command: ${@}" + +# --- Execute the original entrypoint and command --- +if [ -n "$ORIGINAL_ENTRYPOINT" ] && [ "$ORIGINAL_ENTRYPOINT" != "null" ]; then + exec "$ORIGINAL_ENTRYPOINT" "$@" +else + exec "$@" +fi From 3a33573fba29013187ff508f9eb98f0612dbcd98 Mon Sep 17 00:00:00 2001 
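Review bot: The `for secret_file in /run/secrets/*` loop has no guard for an empty directory: with `/run/secrets` present but empty the glob stays literal, `basename` yields `*`, and the `export "*="…` is likely rejected as a bad variable name, which under `set -e` aborts the container with a confusing message. Add `[ -e "$secret_file" ] || continue` as the first line of the loop body. The glob mapping can also only produce a variable named after the secret file, so a consumer that reads a differently named variable (the app reads DB_PASSWORD while the secret is postgres_password, per `x-postgres-env`) cannot be served by this loop; a comment stating that limitation above the loop would save the next maintainer the discovery.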
From: notplants Date: Sun, 2 Nov 2025 14:13:20 -0500 Subject: [PATCH 06/19] no unique db_password secret --- compose.yml | 7 ------- 1 file changed, 7 deletions(-) diff --git a/compose.yml b/compose.yml index 87f27da..f7962e4 100644 --- a/compose.yml +++ b/compose.yml @@ -128,7 +128,6 @@ services: - collaboration_server_secret - minio_root_password - postgres_password - - db_password celery: image: lasuite/impress-backend:v3.4.2 @@ -149,7 +148,6 @@ services: - collaboration_server_secret - minio_root_password - postgres_password - - db_password y-provider: @@ -249,8 +247,6 @@ services: - collaboration_server_secret - minio_root_password - postgres_password - - db_password - web: image: nginx:1.29 @@ -303,9 +299,6 @@ secrets: postgres_password: external: true name: ${STACK_NAME}_postgres_password_${SECRET_POSTGRES_PASSWORD_VERSION} - db_password: - external: true - name: ${STACK_NAME}_db_password_${SECRET_DB_PASSWORD_VERSION} collaboration_server_secret: external: true name: ${STACK_NAME}_collaboration_server_secret_${SECRET_COLLABORATION_SERVER_SECRET_VERSION} From 3e4cf6659458103da083a705a7a29da83b0c6044 Mon Sep 17 00:00:00 2001 From: notplants Date: Sun, 2 Nov 2025 14:19:06 -0500 Subject: [PATCH 07/19] still working --- entrypoint.sh => abra-entrypoint.sh | 0 compose.yml | 32 +++++++++++++++++++++-------- 2 files changed, 23 insertions(+), 9 deletions(-) rename entrypoint.sh => abra-entrypoint.sh (100%) diff --git a/entrypoint.sh b/abra-entrypoint.sh similarity index 100% rename from entrypoint.sh rename to abra-entrypoint.sh diff --git a/compose.yml b/compose.yml index f7962e4..af88f00 100644 --- a/compose.yml +++ b/compose.yml 
@@ -74,14 +74,16 @@ x-yprovider-env: &yprovider-env COLLABORATION_API_URL: http://y-provider:4444/api/ COLLABORATION_SERVER_ORIGIN: https://${DOMAIN} # FIXME: Move to docker secret - COLLABORATION_SERVER_SECRET: my-secret + XX_COLLABORATION_SERVER_SECRET: my-secret COLLABORATION_BACKEND_BASE_URL: https://${DOMAIN} COLLABORATION_WS_URL: wss://${DOMAIN}/collaboration/ws/ x-minio-env: &minio-env MINIO_ROOT_USER: user # FIXME: Move to docker secret - MINIO_ROOT_PASSWORD: password + XX_MINIO_ROOT_PASSWORD: password + MINIO_ROOT_PASSWORD_FILE: /run/secrets/minio_root_password + services: app: @@ -162,6 +164,13 @@ services: target: /abra-entrypoint.sh mode: 0555 # NOTE: healthcheck - `wget` is available in the container, but `wget http://localhost:4444` gives a 403 + secrets: + - django_secret_key + - oidc_rp_client_secret + - django_superuser_password + - collaboration_server_secret + - minio_root_password + - postgres_password db: image: postgres:16 @@ -204,19 +213,24 @@ services: environment: *minio-env networks: - backend - entrypoint: > - sh -c " - /usr/bin/mc alias set docs http://minio:9000 $${MINIO_ROOT_USER} $${MINIO_ROOT_PASSWORD} && \ - /usr/bin/mc mb --ignore-existing docs/docs-media-storage && \ - /usr/bin/mc version enable docs/docs-media-storage && \ - exit 0;" + entrypoint: ["/abra-entrypoint.sh"] + command: > + sh -c "/usr/bin/mc alias set docs http://minio:9000 $${MINIO_ROOT_USER} $${MINIO_ROOT_PASSWORD} && + /usr/bin/mc mb --ignore-existing docs/docs-media-storage && + /usr/bin/mc version enable docs/docs-media-storage && + exit 0" deploy: mode: replicated replicas: 0 restart_policy: condition: none secrets: + - django_secret_key + - oidc_rp_client_secret + - django_superuser_password + - collaboration_server_secret - minio_root_password + - postgres_password minio: image: minio/minio:RELEASE.2025-05-24T17-08-30Z 
@@ -284,7 +298,7 @@ configs: file: pg_backup.sh abra_entrypoint: name: ${STACK_NAME}_entrypoint_${ABRA_ENTRYPOINT_VERSION} - file: entrypoint.sh + file: abra-entrypoint.sh secrets: django_secret_key: From d863bdbe81127bc79d90c280133f3038eaa2f4ac Mon Sep 17 00:00:00 2001 From: notplants Date: Sun, 2 Nov 2025 14:36:44 -0500 Subject: [PATCH 08/19] db password stops working with secret --- abra-entrypoint.sh | 15 +++++++-------- compose.yml | 12 ++++++++++-- 2 files changed, 17 insertions(+), 10 deletions(-) diff --git a/abra-entrypoint.sh b/abra-entrypoint.sh index 39ac0c8..46b689f 100644 --- a/abra-entrypoint.sh +++ b/abra-entrypoint.sh @@ -7,16 +7,15 @@ shift echo "++ original entrypoint: ${ORIGINAL_ENTRYPOINT}" -# --- Load secrets into environment variables --- -if [ -d /run/secrets ]; then - for secret_file in /run/secrets/*; do - echo "++ loading secret: ${secret_file}" - var_name=$(basename "$secret_file" | tr '[:lower:]' '[:upper:]') - export "$var_name"="$(cat "$secret_file")" - done -fi +[ -f /run/secrets/postgres_password ] && export DB_PASSWORD="$(cat /run/secrets/postgres_password)" +[ -f /run/secrets/django_secret_key ] && export DJANGO_SECRET_KEY="$(cat /run/secrets/django_secret_key)" +[ -f /run/secrets/django_superuser_password ] && export DJANGO_SUPERUSER_PASSWORD="$(cat /run/secrets/django_superuser_password)" +[ -f /run/secrets/oidc_rp_client_secret ] && export OIDC_RP_CLIENT_SECRET="$(cat /run/secrets/oidc_rp_client_secret)" +[ -f /run/secrets/collaboration_server_secret ] && export COLLABORATION_SERVER_SECRET="$(cat /run/secrets/collaboration_server_secret)" echo "++ command: ${@}" +echo "++ env: " +printenv # --- Execute the original entrypoint and command --- if [ -n "$ORIGINAL_ENTRYPOINT" ] && [ "$ORIGINAL_ENTRYPOINT" != "null" ]; then diff --git a/compose.yml b/compose.yml index af88f00..6bbef30 100644 --- a/compose.yml +++ b/compose.yml 
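Review bot: `printenv` after the export block prints the full environment, now including DB_PASSWORD, DJANGO_SECRET_KEY, DJANGO_SUPERUSER_PASSWORD, OIDC_RP_CLIENT_SECRET and COLLABORATION_SERVER_SECRET, to the container's stdout on every start, where it is retained by `docker service logs` and any log shipper attached to the stack. Remove the `echo "++ env: "` and `printenv` lines before merging; if environment debugging is needed, print only the variable names, e.g. `printenv | cut -d= -f1`.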
@@ -59,13 +59,14 @@ x-postgres-env: &postgres-env POSTGRES_DB: docs POSTGRES_USER: docs # FIXME: Move to docker secret - POSTGRES_PASSWORD: password + XX_POSTGRES_PASSWORD: password + POSTGRES_PASSWORD_FILE: /run/secrets/postgres_password # App database configuration DB_HOST: db DB_NAME: docs DB_USER: docs # FIXME: Move to docker secret - DB_PASSWORD: password + XX_DB_PASSWORD: password DB_PORT: 5432 x-yprovider-env: &yprovider-env @@ -201,6 +202,13 @@ services: - source: abra_entrypoint target: /abra-entrypoint.sh mode: 0555 + secrets: + - django_secret_key + - oidc_rp_client_secret + - django_superuser_password + - collaboration_server_secret + - minio_root_password + - postgres_password redis: image: redis:8 From 6a0ebbd641f210853d1a2d855fbabca782e8849b Mon Sep 17 00:00:00 2001 From: notplants Date: Tue, 4 Nov 2025 12:37:37 -0500 Subject: [PATCH 09/19] Database working with secrets --- compose.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/compose.yml b/compose.yml index 6bbef30..328c240 100644 --- a/compose.yml +++ b/compose.yml @@ -118,7 +118,6 @@ services: retries: 20 start_period: 10s command: ["gunicorn", "-c", "/usr/local/etc/gunicorn/impress.py", "impress.wsgi:application"] - # entrypoint: "/abra-entrypoint.sh" entrypoint: ["/abra-entrypoint.sh", "/usr/local/bin/entrypoint"] configs: - source: abra_entrypoint From 8bda1893f3c6e3580202dbc3d2ad5f92f3d78a63 Mon Sep 17 00:00:00 2001 From: notplants Date: Tue, 4 Nov 2025 14:15:59 -0500 Subject: [PATCH 10/19] working with secrets --- abra-entrypoint.sh | 3 +++ abra.sh | 15 +++++++++++---- compose.yml | 45 +++++++++++++++++++-------------------------- 3 files changed, 33 insertions(+), 30 deletions(-) diff --git a/abra-entrypoint.sh b/abra-entrypoint.sh index 46b689f..9cb0bf4 100644 --- a/abra-entrypoint.sh +++ b/abra-entrypoint.sh 
@@ -8,7 +8,10 @@ shift echo "++ original entrypoint: ${ORIGINAL_ENTRYPOINT}" [ -f /run/secrets/postgres_password ] && export DB_PASSWORD="$(cat /run/secrets/postgres_password)" +[ -f /run/secrets/postgres_password ] && export POSTGRES_PASSWORD="$(cat /run/secrets/postgres_password)" [ -f /run/secrets/django_secret_key ] && export DJANGO_SECRET_KEY="$(cat /run/secrets/django_secret_key)" +[ -f /run/secrets/minio_root_password ] && export MINIO_ROOT_PASSWORD="$(cat /run/secrets/minio_root_password)" +[ -f /run/secrets/minio_root_password ] && export AWS_S3_SECRET_ACCESS_KEY="$(cat /run/secrets/minio_root_password)" [ -f /run/secrets/django_superuser_password ] && export DJANGO_SUPERUSER_PASSWORD="$(cat /run/secrets/django_superuser_password)" [ -f /run/secrets/oidc_rp_client_secret ] && export OIDC_RP_CLIENT_SECRET="$(cat /run/secrets/oidc_rp_client_secret)" [ -f /run/secrets/collaboration_server_secret ] && export COLLABORATION_SERVER_SECRET="$(cat /run/secrets/collaboration_server_secret)" diff --git a/abra.sh b/abra.sh index 4dc4af7..0c22e4b 100755 --- a/abra.sh +++ b/abra.sh 
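Review bot: The new AWS_S3_SECRET_ACCESS_KEY line hands the app the MinIO root credential (the same `minio_root_password` secret, paired with MINIO_ROOT_USER as AWS_S3_ACCESS_KEY_ID in `x-common-env`), so the Django and celery processes talk to object storage as the storage administrator. A dedicated MinIO user with a policy scoped to the docs-media-storage bucket, created in the minio-create-bucket job and stored as its own secret, would keep a compromise of the web tier from granting admin over every bucket. Until then, record the choice on that line, e.g. `# NOTE: app reuses the MinIO root credential for S3; replace with a bucket-scoped user`.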
@@ -1,13 +1,20 @@ # Set any config versions here # Docs: https://docs.coopcloud.tech/maintainers/handbook/#manage-configs -export ABRA_ENTRYPOINT_VERSION=v3 +export ABRA_ENTRYPOINT_VERSION=v4 export NGINX_CONF_VERSION=v2 export PG_BACKUP_VERSION=v3 -# environment() { -# # TODO: Add file_env here -# } +environment() { + [ -f /run/secrets/postgres_password ] && export DB_PASSWORD="$(cat /run/secrets/postgres_password)" + [ -f /run/secrets/postgres_password ] && export POSTGRES_PASSWORD="$(cat /run/secrets/postgres_password)" + [ -f /run/secrets/django_secret_key ] && export DJANGO_SECRET_KEY="$(cat /run/secrets/django_secret_key)" + [ -f /run/secrets/minio_root_password ] && export MINIO_ROOT_PASSWORD="$(cat /run/secrets/minio_root_password)" + [ -f /run/secrets/django_superuser_password ] && export DJANGO_SUPERUSER_PASSWORD="$(cat /run/secrets/django_superuser_password)" + [ -f /run/secrets/oidc_rp_client_secret ] && export OIDC_RP_CLIENT_SECRET="$(cat /run/secrets/oidc_rp_client_secret)" + [ -f /run/secrets/collaboration_server_secret ] && export COLLABORATION_SERVER_SECRET="$(cat /run/secrets/collaboration_server_secret)" +} migrate() { + environment python manage.py migrate --noinput } diff --git a/compose.yml b/compose.yml index 328c240..a94c968 100644 --- a/compose.yml +++ b/compose.yml @@ -5,9 +5,9 @@ x-common-env: &common-env DJANGO_CONFIGURATION: Production DJANGO_ALLOWED_HOSTS: "*" - XX_DJANGO_SECRET_KEY: + # DJANGO_SECRET_KEY supplied via secrets DJANGO_SETTINGS_MODULE: impress.settings - XX_DJANGO_SUPERUSER_PASSWORD: + # DJANGO_SUPERUSER_PASSWORD supplied via secrets # Logging # Set to DEBUG level for dev only LOGGING_LEVEL_HANDLERS_CONSOLE: 
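Review bot: `environment()` re-implements the secret-to-variable mapping already in abra-entrypoint.sh and has diverged within this same commit — the entrypoint exports AWS_S3_SECRET_ACCESS_KEY, this function does not — so `migrate` runs with a different environment than the service. Moving the export lines into one snippet that both the wrapper and abra.sh source would remove the drift. Also, with `[ -f … ] && export …` as the final statement, `environment` returns 1 whenever the last secret file is absent; if abra executes these commands under `set -e`, `migrate` aborts before `python manage.py migrate`, so end the function with an explicit `return 0`.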
@@ -28,8 +28,7 @@ x-common-env: &common-env STORAGES_STATICFILES_BACKEND: django.contrib.staticfiles.storage.StaticFilesStorage AWS_S3_ENDPOINT_URL: http://minio:9000 AWS_S3_ACCESS_KEY_ID: user - # FIXME: Move to docker secret (or remove all together) - AWS_S3_SECRET_ACCESS_KEY: password + # AWS_S3_SECRET_ACCESS_KEY supplied via secret (this is same as MINIO_ROOT_PASSWORD) MEDIA_BASE_URL: https://${DOMAIN} AWS_STORAGE_BUCKET_NAME: docs-media-storage # OIDC - settings from .env, see .env.sample @@ -38,7 +37,7 @@ x-common-env: &common-env OIDC_OP_TOKEN_ENDPOINT: OIDC_OP_USER_ENDPOINT: OIDC_RP_CLIENT_ID: - XX_OIDC_RP_CLIENT_SECRET: + # OIDC_RP_CLIENT_SECRET supplied via secrets OIDC_RP_SIGN_ALGO: OIDC_RP_SCOPES: LOGIN_REDIRECT_URL: @@ -46,7 +45,7 @@ x-common-env: &common-env LOGOUT_REDIRECT_URL: OIDC_REDIRECT_ALLOWED_HOSTS: OIDC_AUTH_REQUEST_EXTRA_PARAMS: - # AI + # AI (Fixme: remove?) AI_FEATURE_ENABLED: "false" AI_BASE_URL: https://openaiendpoint.com AI_API_KEY: password 
@@ -58,33 +57,26 @@ x-postgres-env: &postgres-env # Postgresql db container configuration POSTGRES_DB: docs POSTGRES_USER: docs - # FIXME: Move to docker secret - XX_POSTGRES_PASSWORD: password - POSTGRES_PASSWORD_FILE: /run/secrets/postgres_password # App database configuration DB_HOST: db DB_NAME: docs DB_USER: docs - # FIXME: Move to docker secret - XX_DB_PASSWORD: password DB_PORT: 5432 + # DB_PASSWORD supplied via secrets (this is same as POSTGRES_PASSWORD) x-yprovider-env: &yprovider-env COLLABORATION_LOGGING: "true" + # FIXME: Move to docker secret Y_PROVIDER_API_KEY: foobar COLLABORATION_API_URL: http://y-provider:4444/api/ COLLABORATION_SERVER_ORIGIN: https://${DOMAIN} - # FIXME: Move to docker secret - XX_COLLABORATION_SERVER_SECRET: my-secret + # COLLABORATION_SERVER_SECRET supplied via secrets COLLABORATION_BACKEND_BASE_URL: https://${DOMAIN} COLLABORATION_WS_URL: wss://${DOMAIN}/collaboration/ws/ x-minio-env: &minio-env MINIO_ROOT_USER: user - # FIXME: Move to docker secret - XX_MINIO_ROOT_PASSWORD: password - MINIO_ROOT_PASSWORD_FILE: /run/secrets/minio_root_password - + # MINIO_ROOT_PASSWORD supplied via secrets services: app: @@ -111,12 +103,12 @@ services: - backend environment: <<: [*common-env, *postgres-env, *yprovider-env] - healthcheck: - test: ["CMD", "python", "manage.py", "check"] - interval: 15s - timeout: 30s - retries: 20 - start_period: 10s +# healthcheck: +# test: ["CMD", "python", "manage.py", "check"] +# interval: 15s +# timeout: 30s +# retries: 20 +# start_period: 10s command: ["gunicorn", "-c", "/usr/local/etc/gunicorn/impress.py", "impress.wsgi:application"] entrypoint: ["/abra-entrypoint.sh", "/usr/local/bin/entrypoint"] configs: 
@@ -220,9 +212,10 @@ services: environment: *minio-env networks: - backend - entrypoint: ["/abra-entrypoint.sh"] - command: > - sh -c "/usr/bin/mc alias set docs http://minio:9000 $${MINIO_ROOT_USER} $${MINIO_ROOT_PASSWORD} && +# entrypoint: ["/abra-entrypoint.sh"] + entrypoint: > + sh -c "MINIO_ROOT_PASSWORD=\"\$$(cat /run/secrets/minio_root_password)\" && + /usr/bin/mc alias set docs http://minio:9000 \$${MINIO_ROOT_USER} \"\$${MINIO_ROOT_PASSWORD}\" && /usr/bin/mc mb --ignore-existing docs/docs-media-storage && /usr/bin/mc version enable docs/docs-media-storage && exit 0" From 761320788bb7d90ca26de2b28fae4c713f1da895 Mon Sep 17 00:00:00 2001 From: notplants Date: Tue, 4 Nov 2025 14:20:01 -0500 Subject: [PATCH 11/19] working with secrets --- abra-entrypoint.sh | 7 ------- abra.sh | 1 + compose.yml | 12 ++++++------ 3 files changed, 7 insertions(+), 13 deletions(-) diff --git a/abra-entrypoint.sh b/abra-entrypoint.sh index 9cb0bf4..552b18b 100644 --- a/abra-entrypoint.sh +++ b/abra-entrypoint.sh @@ -1,12 +1,9 @@ #!/bin/sh set -e -echo "++ running new entrypoint" ORIGINAL_ENTRYPOINT="$1" shift -echo "++ original entrypoint: ${ORIGINAL_ENTRYPOINT}" - [ -f /run/secrets/postgres_password ] && export DB_PASSWORD="$(cat /run/secrets/postgres_password)" [ -f /run/secrets/postgres_password ] && export POSTGRES_PASSWORD="$(cat /run/secrets/postgres_password)" [ -f /run/secrets/django_secret_key ] && export DJANGO_SECRET_KEY="$(cat /run/secrets/django_secret_key)" 
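Review bot: The inline `sh -c` still passes the root password as a positional argument to `mc alias set`, so for the duration of the call it is visible to any process in the container through the argument list. mc also accepts credentials from the environment as `MC_HOST_<alias>` (`MC_HOST_docs=http://<user>:<password>@minio:9000`, placeholders), which keeps the password out of argv; alternatively keep the wrapper entrypoint that this hunk comments out and let it export MINIO_ROOT_PASSWORD. Either change also removes the three layers of `\$$` / `\"` escaping, which is hard to verify by reading and may break silently on a compose upgrade.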
@@ -16,10 +13,6 @@ echo "++ original entrypoint: ${ORIGINAL_ENTRYPOINT}" [ -f /run/secrets/oidc_rp_client_secret ] && export OIDC_RP_CLIENT_SECRET="$(cat /run/secrets/oidc_rp_client_secret)" [ -f /run/secrets/collaboration_server_secret ] && export COLLABORATION_SERVER_SECRET="$(cat /run/secrets/collaboration_server_secret)" -echo "++ command: ${@}" -echo "++ env: " -printenv - # --- Execute the original entrypoint and command --- if [ -n "$ORIGINAL_ENTRYPOINT" ] && [ "$ORIGINAL_ENTRYPOINT" != "null" ]; then exec "$ORIGINAL_ENTRYPOINT" "$@" diff --git a/abra.sh b/abra.sh index 0c22e4b..08f3f3c 100755 --- a/abra.sh +++ b/abra.sh @@ -9,6 +9,7 @@ environment() { [ -f /run/secrets/postgres_password ] && export POSTGRES_PASSWORD="$(cat /run/secrets/postgres_password)" [ -f /run/secrets/django_secret_key ] && export DJANGO_SECRET_KEY="$(cat /run/secrets/django_secret_key)" [ -f /run/secrets/minio_root_password ] && export MINIO_ROOT_PASSWORD="$(cat /run/secrets/minio_root_password)" + [ -f /run/secrets/minio_root_password ] && export AWS_S3_SECRET_ACCESS_KEY="$(cat /run/secrets/minio_root_password)" [ -f /run/secrets/django_superuser_password ] && export DJANGO_SUPERUSER_PASSWORD="$(cat /run/secrets/django_superuser_password)" [ -f /run/secrets/oidc_rp_client_secret ] && export OIDC_RP_CLIENT_SECRET="$(cat /run/secrets/oidc_rp_client_secret)" [ -f /run/secrets/collaboration_server_secret ] && export COLLABORATION_SERVER_SECRET="$(cat /run/secrets/collaboration_server_secret)" diff --git a/compose.yml b/compose.yml index a94c968..6497189 100644 --- a/compose.yml +++ b/compose.yml 
@@ -103,12 +103,12 @@ services: - backend environment: <<: [*common-env, *postgres-env, *yprovider-env] -# healthcheck: -# test: ["CMD", "python", "manage.py", "check"] -# interval: 15s -# timeout: 30s -# retries: 20 -# start_period: 10s + healthcheck: + test: ["CMD", "/abra-entrypoint.sh", "python", "manage.py", "check"] + interval: 15s + timeout: 30s + retries: 20 + start_period: 10s command: ["gunicorn", "-c", "/usr/local/etc/gunicorn/impress.py", "impress.wsgi:application"] entrypoint: ["/abra-entrypoint.sh", "/usr/local/bin/entrypoint"] configs: From 82ca119cdb57ad28fcd53c91a75c7f85f83d6b68 Mon Sep 17 00:00:00 2001 From: notplants Date: Wed, 5 Nov 2025 11:29:51 -0500 Subject: [PATCH 12/19] working on nginx.conf.tmpl --- .env.sample | 19 +++++-------------- abra-entrypoint.sh | 21 +++++++++++---------- abra.sh | 12 +++--------- compose.yml | 8 ++++---- nginx.conf => nginx.conf.tmpl | 4 ++-- 5 files changed, 25 insertions(+), 39 deletions(-) rename nginx.conf => nginx.conf.tmpl (96%) diff --git a/.env.sample b/.env.sample index 710a1f5..fa58e45 100644 --- a/.env.sample +++ b/.env.sample @@ -18,13 +18,6 @@ SECRET_COLLABORATION_SERVER_SECRET_VERSION=v1 SECRET_POSTGRES_PASSWORD_VERSION=v1 SECRET_DB_PASSWORD_VERSION=v1 -############################################################################## -# BASIC SETTINGS -############################################################################## -# FIXME: Move to Docker secret -DJANGO_SECRET_KEY=ThisIsAnExampleKeyForDevPurposeOnly -# FIXME: Move to docker secret -DJANGO_SUPERUSER_PASSWORD=admin ############################################################################## # EMAIL 
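Review bot: `python manage.py check` runs Django's system checks, not the gunicorn process, so the re-enabled healthcheck reports healthy as long as the settings module imports, even when the worker on :8000 is dead or wedged; it also boots Django and re-reads every mounted secret every 15s. A probe against the listening port reflects serving health far better, e.g. `test: ["CMD", "python", "-c", "import urllib.request; urllib.request.urlopen('http://127.0.0.1:8000/', timeout=5)"]` (substitute a dedicated health endpoint if the backend exposes one). If `manage.py check` is kept for its configuration validation, a comment saying that it does not verify the HTTP server would stop readers from relying on it as liveness.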
@@ -38,13 +31,11 @@ DJANGO_EMAIL_PORT=1025 # SINGLE SIGN ON ############################################################################## # NOTE: OpenID Connect (OIDC) single sign-on is **required**, see recipe README -OIDC_OP_JWKS_ENDPOINT=https://auth.${DOMAIN}/realms/impress/protocol/openid-connect/certs -OIDC_OP_AUTHORIZATION_ENDPOINT=https://auth.${DOMAIN}/realms/impress/protocol/openid-connect/auth -OIDC_OP_TOKEN_ENDPOINT=https://auth.${DOMAIN}/realms/impress/protocol/openid-connect/token -OIDC_OP_USER_ENDPOINT=https://auth.${DOMAIN}/realms/impress/protocol/openid-connect/userinfo -OIDC_RP_CLIENT_ID=impress -# FIXME: Move to docker secret -OIDC_RP_CLIENT_SECRET=example +OIDC_OP_JWKS_ENDPOINT=https://auth.${DOMAIN}/realms/${DOMAIN}/protocol/openid-connect/certs +OIDC_OP_AUTHORIZATION_ENDPOINT=https://auth.${DOMAIN}/realms/${DOMAIN}/protocol/openid-connect/auth +OIDC_OP_TOKEN_ENDPOINT=https://auth.${DOMAIN}/realms/${DOMAIN}/protocol/openid-connect/token +OIDC_OP_USER_ENDPOINT=https://auth.${DOMAIN}/realms/${DOMAIN}/protocol/openid-connect/userinfo +OIDC_RP_CLIENT_ID=${DOMAIN} OIDC_RP_SIGN_ALGO=RS256 OIDC_RP_SCOPES="openid email" LOGIN_REDIRECT_URL=https://${DOMAIN} diff --git a/abra-entrypoint.sh b/abra-entrypoint.sh index 552b18b..6dcd2ba 100644 --- a/abra-entrypoint.sh +++ b/abra-entrypoint.sh 
@@ -1,11 +1,8 @@ #!/bin/sh set -e -ORIGINAL_ENTRYPOINT="$1" -shift - [ -f /run/secrets/postgres_password ] && export DB_PASSWORD="$(cat /run/secrets/postgres_password)" -[ -f /run/secrets/postgres_password ] && export POSTGRES_PASSWORD="$(cat /run/secrets/postgres_password)" +#[ -f /run/secrets/postgres_password ] && export POSTGRES_PASSWORD="$(cat /run/secrets/postgres_password)" [ -f /run/secrets/django_secret_key ] && export DJANGO_SECRET_KEY="$(cat /run/secrets/django_secret_key)" [ -f /run/secrets/minio_root_password ] && export MINIO_ROOT_PASSWORD="$(cat /run/secrets/minio_root_password)" [ -f /run/secrets/minio_root_password ] && export AWS_S3_SECRET_ACCESS_KEY="$(cat /run/secrets/minio_root_password)" @@ -13,9 +10,13 @@ shift [ -f /run/secrets/oidc_rp_client_secret ] && export OIDC_RP_CLIENT_SECRET="$(cat /run/secrets/oidc_rp_client_secret)" [ -f /run/secrets/collaboration_server_secret ] && export COLLABORATION_SERVER_SECRET="$(cat /run/secrets/collaboration_server_secret)" -# --- Execute the original entrypoint and command --- -if [ -n "$ORIGINAL_ENTRYPOINT" ] && [ "$ORIGINAL_ENTRYPOINT" != "null" ]; then - exec "$ORIGINAL_ENTRYPOINT" "$@" -else - exec "$@" -fi +# if not in "env" mode, then execute the original entrypoint and command +if [ ! "$1" = "-e" ]; then + ORIGINAL_ENTRYPOINT="$1" + shift + if [ -n "$ORIGINAL_ENTRYPOINT" ] && [ "$ORIGINAL_ENTRYPOINT" != "null" ]; then + exec "$ORIGINAL_ENTRYPOINT" "$@" + else + exec "$@" + fi +fi \ No newline at end of file diff --git a/abra.sh b/abra.sh index 08f3f3c..7880bff 100755 --- a/abra.sh +++ b/abra.sh 
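Review bot: In the new `-e` mode the script is meant to be sourced, but the unconditional `set -e` at the top then runs in the sourcing shell and remains in effect after the script returns, so any later non-zero command in the caller (abra.sh's `environment()` and whatever abra runs after it) silently terminates that shell. Enable errexit only on the exec path, e.g. replace the top-level `set -e` with `[ "$1" = "-e" ] || set -e`, and note that a sourced `exit` would likewise kill the caller. The file also now ends without a trailing newline.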
@@ -1,18 +1,12 @@ # Set any config versions here # Docs: https://docs.coopcloud.tech/maintainers/handbook/#manage-configs export ABRA_ENTRYPOINT_VERSION=v4 -export NGINX_CONF_VERSION=v2 +export NGINX_CONF_VERSION=v3 export PG_BACKUP_VERSION=v3 environment() { - [ -f /run/secrets/postgres_password ] && export DB_PASSWORD="$(cat /run/secrets/postgres_password)" - [ -f /run/secrets/postgres_password ] && export POSTGRES_PASSWORD="$(cat /run/secrets/postgres_password)" - [ -f /run/secrets/django_secret_key ] && export DJANGO_SECRET_KEY="$(cat /run/secrets/django_secret_key)" - [ -f /run/secrets/minio_root_password ] && export MINIO_ROOT_PASSWORD="$(cat /run/secrets/minio_root_password)" - [ -f /run/secrets/minio_root_password ] && export AWS_S3_SECRET_ACCESS_KEY="$(cat /run/secrets/minio_root_password)" - [ -f /run/secrets/django_superuser_password ] && export DJANGO_SUPERUSER_PASSWORD="$(cat /run/secrets/django_superuser_password)" - [ -f /run/secrets/oidc_rp_client_secret ] && export OIDC_RP_CLIENT_SECRET="$(cat /run/secrets/oidc_rp_client_secret)" - [ -f /run/secrets/collaboration_server_secret ] && export COLLABORATION_SERVER_SECRET="$(cat /run/secrets/collaboration_server_secret)" + # this exports all the secrets as environment variables + source /abra-entrypoint.sh -e } migrate() { diff --git a/compose.yml b/compose.yml index 6497189..21bf2a4 100644 --- a/compose.yml +++ b/compose.yml @@ -57,6 +57,7 @@ x-postgres-env: &postgres-env # Postgresql db container configuration POSTGRES_DB: docs POSTGRES_USER: docs + POSTGRES_PASSWORD_FILE: /run/secrets/postgres_password # App database configuration DB_HOST: db DB_NAME: docs @@ -82,9 +83,7 @@ services: app: image: lasuite/impress-frontend:v3.4.2 networks: - backend: - aliases: - - lasuite-app + - backend deploy: labels: - "traefik.enable=false" 
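Review bot: `source /abra-entrypoint.sh -e` relies on the sourced script seeing `-e` as `$1`, which is a bash behaviour; POSIX `.` leaves it unspecified whether extra arguments become positional parameters, and in shells where they do not, `$1` inside the script is the caller's own `$1`, the `-e` test fails, and the script `exec`s and replaces abra's shell. Making the mode independent of positional handling avoids the question entirely: `ABRA_ENV_ONLY=1 . /abra-entrypoint.sh` here and `if [ "$ABRA_ENV_ONLY" != 1 ]; then ... exec ...; fi` in the script. Confirm which shell abra uses to run these functions before relying on `source` with arguments.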
@@ -292,7 +291,8 @@ volumes: configs: nginx_conf: name: ${STACK_NAME}_nginx_conf_${NGINX_CONF_VERSION} - file: nginx.conf + file: nginx.conf.tmpl + template_driver: golang pg_backup: name: ${STACK_NAME}_pg_backup_${PG_BACKUP_VERSION} file: pg_backup.sh diff --git a/nginx.conf b/nginx.conf.tmpl similarity index 96% rename from nginx.conf rename to nginx.conf.tmpl index 3ae1e1c..07d5d07 100644 --- a/nginx.conf +++ b/nginx.conf.tmpl @@ -1,9 +1,9 @@ upstream docs_backend { - server backend:8000 fail_timeout=0; + server {{ env "STACK_NAME" }}_backend:8000 fail_timeout=0; } upstream docs_frontend { - server lasuite-app:8080 fail_timeout=0; + server {{ env "STACK_NAME" }}_app:8080 fail_timeout=0; } server { From 54acd65edd5f539ce10e88eb68c29805175bee04 Mon Sep 17 00:00:00 2001 From: notplants Date: Thu, 6 Nov 2025 12:46:06 -0500 Subject: [PATCH 13/19] working before secret shortening --- .env.sample | 13 ++++++++----- compose.yml | 2 ++ 2 files changed, 10 insertions(+), 5 deletions(-) diff --git a/.env.sample b/.env.sample index fa58e45..d99ff47 100644 --- a/.env.sample +++ b/.env.sample @@ -18,6 +18,8 @@ SECRET_COLLABORATION_SERVER_SECRET_VERSION=v1 SECRET_POSTGRES_PASSWORD_VERSION=v1 SECRET_DB_PASSWORD_VERSION=v1 +MINIO_ROOT_PASSWORD_FILE="/run/secrets/minio_pass" +POSTGRES_PASSWORD_FILE="/run/secrets/postgres_pass" ############################################################################## # EMAIL 
@@ -31,11 +33,12 @@ DJANGO_EMAIL_PORT=1025 # SINGLE SIGN ON ############################################################################## # NOTE: OpenID Connect (OIDC) single sign-on is **required**, see recipe README -OIDC_OP_JWKS_ENDPOINT=https://auth.${DOMAIN}/realms/${DOMAIN}/protocol/openid-connect/certs -OIDC_OP_AUTHORIZATION_ENDPOINT=https://auth.${DOMAIN}/realms/${DOMAIN}/protocol/openid-connect/auth -OIDC_OP_TOKEN_ENDPOINT=https://auth.${DOMAIN}/realms/${DOMAIN}/protocol/openid-connect/token -OIDC_OP_USER_ENDPOINT=https://auth.${DOMAIN}/realms/${DOMAIN}/protocol/openid-connect/userinfo -OIDC_RP_CLIENT_ID=${DOMAIN} +OIDC_REALM=yourkeycloakrealm +OIDC_OP_JWKS_ENDPOINT=https://auth.${DOMAIN}/realms/${OIDC_REALM}/protocol/openid-connect/certs +OIDC_OP_AUTHORIZATION_ENDPOINT=https://auth.${DOMAIN}/realms/${OIDC_REALM}/protocol/openid-connect/auth +OIDC_OP_TOKEN_ENDPOINT=https://auth.${DOMAIN}/realms/${OIDC_REALM}/protocol/openid-connect/token +OIDC_OP_USER_ENDPOINT=https://auth.${DOMAIN}/realms/${OIDC_REALM}/protocol/openid-connect/userinfo +OIDC_RP_CLIENT_ID=yourkeycloakclientid OIDC_RP_SIGN_ALGO=RS256 OIDC_RP_SCOPES="openid email" LOGIN_REDIRECT_URL=https://${DOMAIN} diff --git a/compose.yml b/compose.yml index 21bf2a4..cff3f02 100644 --- a/compose.yml +++ b/compose.yml @@ -269,6 +269,8 @@ services: networks: proxy: backend: + environment: + - STACK_NAME deploy: labels: - "traefik.enable=true" From 9c6bb70b7a2cb1af37b0eef42aa1f3a3bea152f0 Mon Sep 17 00:00:00 2001 From: notplants Date: Thu, 6 Nov 2025 14:06:33 -0500 Subject: [PATCH 14/19] working with abra recipe lint --- .env.sample | 25 ++++++----- abra-entrypoint.sh | 16 +++---- compose.yml | 101 +++++++++++++++++++++------------------------ 3 files changed, 71 insertions(+), 71 deletions(-) diff --git a/.env.sample b/.env.sample index d99ff47..c01fe08 100644 --- a/.env.sample +++ b/.env.sample 
@@ -10,16 +10,21 @@ LETS_ENCRYPT_ENV=production ############################################################################## # SECRETS ############################################################################## -SECRET_DJANGO_SECRET_KEY_VERSION=v1 -SECRET_OIDC_RP_CLIENT_SECRET_VERSION=v1 -SECRET_DJANGO_SUPERUSER_PASSWORD_VERSION=v1 -SECRET_MINIO_ROOT_PASSWORD_VERSION=v1 -SECRET_COLLABORATION_SERVER_SECRET_VERSION=v1 -SECRET_POSTGRES_PASSWORD_VERSION=v1 -SECRET_DB_PASSWORD_VERSION=v1 - -MINIO_ROOT_PASSWORD_FILE="/run/secrets/minio_pass" -POSTGRES_PASSWORD_FILE="/run/secrets/postgres_pass" +# abbreviations are to fit abra 12 char secret recommendation +# DJANGO_SECRET_KEY +SECRET_DJANGO_SK_VERSION=v1 +# ODIC_RP_CLIENT_SECRET +SECRET_OIDC_RPCS_VERSION=v1 +# DJANGO_SUPERUSER_PASSWORD +SECRET_DJANGO_SP_VERSION=v1 +# MINIO_ROOT_PASSWORD +SECRET_MINIO_RP_VERSION=v1 +# COLLABORATION_SERVER_SECRET +SECRET_COLLAB_SS_VERSION=v1 +# POSTGRES_PASSWORD +SECRET_POSTGRES_P_VERSION=v1 +# Y_PROVIDER_API_KEY +SECRET_Y_API_KEY_VERSION=v1 ############################################################################## # EMAIL diff --git a/abra-entrypoint.sh b/abra-entrypoint.sh index 6dcd2ba..6eb3500 100644 --- a/abra-entrypoint.sh +++ b/abra-entrypoint.sh 
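Review bot: The comment above `SECRET_OIDC_RPCS_VERSION` misspells the setting it stands for: `# ODIC_RP_CLIENT_SECRET` should read `# OIDC_RP_CLIENT_SECRET`. Since these comments are the only map from the shortened secret names back to the real configuration keys, they need to be exact; it would also help operators to include the mount path each one ends up at, e.g. `# OIDC_RP_CLIENT_SECRET -> /run/secrets/oidc_rpcs`, so the abbreviation can be traced from `.env` to the container without reading the entrypoint.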
@@ -1,14 +1,14 @@ #!/bin/sh set -e -[ -f /run/secrets/postgres_password ] && export DB_PASSWORD="$(cat /run/secrets/postgres_password)" -#[ -f /run/secrets/postgres_password ] && export POSTGRES_PASSWORD="$(cat /run/secrets/postgres_password)" -[ -f /run/secrets/django_secret_key ] && export DJANGO_SECRET_KEY="$(cat /run/secrets/django_secret_key)" -[ -f /run/secrets/minio_root_password ] && export MINIO_ROOT_PASSWORD="$(cat /run/secrets/minio_root_password)" -[ -f /run/secrets/minio_root_password ] && export AWS_S3_SECRET_ACCESS_KEY="$(cat /run/secrets/minio_root_password)" -[ -f /run/secrets/django_superuser_password ] && export DJANGO_SUPERUSER_PASSWORD="$(cat /run/secrets/django_superuser_password)" -[ -f /run/secrets/oidc_rp_client_secret ] && export OIDC_RP_CLIENT_SECRET="$(cat /run/secrets/oidc_rp_client_secret)" -[ -f /run/secrets/collaboration_server_secret ] && export COLLABORATION_SERVER_SECRET="$(cat /run/secrets/collaboration_server_secret)" +[ -f /run/secrets/postgres_p ] && export DB_PASSWORD="$(cat /run/secrets/postgres_p)" +[ -f /run/secrets/django_sk ] && export DJANGO_SECRET_KEY="$(cat /run/secrets/django_sk)" +[ -f /run/secrets/minio_rp ] && export MINIO_ROOT_PASSWORD="$(cat /run/secrets/minio_rp)" +[ -f /run/secrets/minio_rp ] && export AWS_S3_SECRET_ACCESS_KEY="$(cat /run/secrets/minio_rp)" +[ -f /run/secrets/django_sp ] && export DJANGO_SUPERUSER_PASSWORD="$(cat /run/secrets/django_sp)" +[ -f /run/secrets/oidc_rpcs ] && export OIDC_RP_CLIENT_SECRET="$(cat /run/secrets/oidc_rpcs)" +[ -f /run/secrets/collab_ss ] && export COLLABORATION_SERVER_SECRET="$(cat /run/secrets/collab_ss)" +[ -f /run/secrets/y_api_key ] && export Y_PROVIDER_API_KEY="$(cat /run/secrets/y_api_key)" # if not in "env" mode, then execute the original entrypoint and command if [ ! "$1" = "-e" ]; then diff --git a/compose.yml b/compose.yml index cff3f02..540227a 100644 --- a/compose.yml +++ b/compose.yml 
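Review bot: Every export is guarded by `[ -f /run/secrets/... ] &&`, so a missing or mis-named secret file is silently skipped and the service starts without, for example, `OIDC_RP_CLIENT_SECRET` or `COLLABORATION_SERVER_SECRET`, surfacing only when that feature is first exercised; with the renames in this commit, a stale `/run/secrets/oidc_rp_client_secret` mount on an existing deployment would go unnoticed. For secrets a container cannot run without, fail fast with a clear message, e.g. `[ -f /run/secrets/django_sk ] || { echo "abra-entrypoint: missing secret django_sk" >&2; exit 1; }` before the corresponding `export`. Keep the optional `[ -f ] &&` form only for secrets that are genuinely optional in that container, and document which is which in a comment above the list.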
@@ -57,7 +57,7 @@ x-postgres-env: &postgres-env # Postgresql db container configuration POSTGRES_DB: docs POSTGRES_USER: docs - POSTGRES_PASSWORD_FILE: /run/secrets/postgres_password + POSTGRES_PASSWORD_FILE: /run/secrets/postgres_p # App database configuration DB_HOST: db DB_NAME: docs @@ -67,8 +67,7 @@ x-postgres-env: &postgres-env x-yprovider-env: &yprovider-env COLLABORATION_LOGGING: "true" - # FIXME: Move to docker secret - Y_PROVIDER_API_KEY: foobar + # Y_PROVIDER_API_KEY supplied via secrets COLLABORATION_API_URL: http://y-provider:4444/api/ COLLABORATION_SERVER_ORIGIN: https://${DOMAIN} # COLLABORATION_SERVER_SECRET supplied via secrets @@ -77,7 +76,7 @@ x-yprovider-env: &yprovider-env x-minio-env: &minio-env MINIO_ROOT_USER: user - # MINIO_ROOT_PASSWORD supplied via secrets + MINIO_ROOT_PASSWORD_FILE: /run/secrets/minio_rp services: app: @@ -115,12 +114,13 @@ services: target: /abra-entrypoint.sh mode: 0555 secrets: - - django_secret_key - - oidc_rp_client_secret - - django_superuser_password - - collaboration_server_secret - - minio_root_password - - postgres_password + - django_sk + - django_sp + - oidc_rpcs + - collab_ss + - minio_rp + - postgres_p + - y_api_key celery: image: lasuite/impress-backend:v3.4.2 @@ -135,12 +135,13 @@ services: target: /abra-entrypoint.sh mode: 0555 secrets: - - django_secret_key - - oidc_rp_client_secret - - django_superuser_password - - collaboration_server_secret - - minio_root_password - - postgres_password + - django_sk + - django_sp + - oidc_rpcs + - collab_ss + - minio_rp + - postgres_p + - y_api_key y-provider: 
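Review bot: The celery service is given the complete secret set, including `django_sp` (the Django superuser password) and `oidc_rpcs`, although a worker neither creates the superuser nor performs the OIDC token exchange; Docker mounts each listed secret as a file under `/run/secrets` (mode 0444 by default), so every unnecessary entry widens what a compromised worker can read. Trim each service's list to what its process actually reads (the entrypoint only exports files that are present, so removing an entry is safe), and treat `django_sp` as a one-shot bootstrap secret rather than a permanent mount on every container. If celery does need some of these, say which and why in a comment next to the list, e.g. `# collab_ss: worker notifies y-provider`.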
@@ -156,12 +157,13 @@ services: mode: 0555 # NOTE: healthcheck - `wget` is available in the container, but `wget http://localhost:4444` gives a 403 secrets: - - django_secret_key - - oidc_rp_client_secret - - django_superuser_password - - collaboration_server_secret - - minio_root_password - - postgres_password + - django_sk + - django_sp + - oidc_rpcs + - collab_ss + - minio_rp + - postgres_p + - y_api_key db: image: postgres:16 @@ -193,12 +195,12 @@ services: target: /abra-entrypoint.sh mode: 0555 secrets: - - django_secret_key - - oidc_rp_client_secret - - django_superuser_password - - collaboration_server_secret - - minio_root_password - - postgres_password + - django_sk + - django_sp + - oidc_rpcs + - collab_ss + - minio_rp + - postgres_p redis: image: redis:8 @@ -213,7 +215,7 @@ services: - backend # entrypoint: ["/abra-entrypoint.sh"] entrypoint: > - sh -c "MINIO_ROOT_PASSWORD=\"\$$(cat /run/secrets/minio_root_password)\" && + sh -c "MINIO_ROOT_PASSWORD=\"\$$(cat /run/secrets/minio_rp)\" && /usr/bin/mc alias set docs http://minio:9000 \$${MINIO_ROOT_USER} \"\$${MINIO_ROOT_PASSWORD}\" && /usr/bin/mc mb --ignore-existing docs/docs-media-storage && /usr/bin/mc version enable docs/docs-media-storage && @@ -224,12 +226,7 @@ services: restart_policy: condition: none secrets: - - django_secret_key - - oidc_rp_client_secret - - django_superuser_password - - collaboration_server_secret - - minio_root_password - - postgres_password + - minio_rp minio: image: minio/minio:RELEASE.2025-05-24T17-08-30Z @@ -254,12 +251,7 @@ services: target: /abra-entrypoint.sh mode: 0555 secrets: - - django_secret_key - - oidc_rp_client_secret - - django_superuser_password - - collaboration_server_secret - - minio_root_password - - postgres_password + - minio_rp web: image: nginx:1.29 
@@ -303,21 +295,24 @@ configs: file: abra-entrypoint.sh secrets: - django_secret_key: + django_sk: external: true - name: ${STACK_NAME}_django_secret_key_${SECRET_DJANGO_SECRET_KEY_VERSION} - oidc_rp_client_secret: + name: ${STACK_NAME}_django_sk_${SECRET_DJANGO_SK_VERSION} + oidc_rpcs: external: true - name: ${STACK_NAME}_oidc_rp_client_secret_${SECRET_OIDC_RP_CLIENT_SECRET_VERSION} - django_superuser_password: + name: ${STACK_NAME}_oidc_rpcs_${SECRET_OIDC_RPCS_VERSION} + django_sp: external: true - name: ${STACK_NAME}_django_superuser_password_${SECRET_DJANGO_SUPERUSER_PASSWORD_VERSION} - postgres_password: + name: ${STACK_NAME}_django_sp_${SECRET_DJANGO_SP_VERSION} + postgres_p: external: true - name: ${STACK_NAME}_postgres_password_${SECRET_POSTGRES_PASSWORD_VERSION} - collaboration_server_secret: + name: ${STACK_NAME}_postgres_p_${SECRET_POSTGRES_P_VERSION} + collab_ss: external: true - name: ${STACK_NAME}_collaboration_server_secret_${SECRET_COLLABORATION_SERVER_SECRET_VERSION} - minio_root_password: + name: ${STACK_NAME}_collab_ss_${SECRET_COLLAB_SS_VERSION} + minio_rp: external: true - name: ${STACK_NAME}_minio_root_password_${SECRET_MINIO_ROOT_PASSWORD_VERSION} \ No newline at end of file + name: ${STACK_NAME}_minio_rp_${SECRET_MINIO_RP_VERSION} + y_api_key: + external: true + name: ${STACK_NAME}_y_api_key_${SECRET_Y_API_KEY_VERSION} \ No newline at end of file From 7846746050122cbfce7d7553e08dc50fa91b4d9e Mon Sep 17 00:00:00 2001 From: notplants Date: Thu, 6 Nov 2025 14:25:27 -0500 Subject: [PATCH 15/19] working other than minio_root_password_file --- compose.yml | 17 ++++------------- pg_backup.sh | 3 +-- 2 files changed, 5 insertions(+), 15 deletions(-) diff --git a/compose.yml b/compose.yml index 540227a..17900d4 100644 --- a/compose.yml +++ b/compose.yml 
@@ -76,7 +76,9 @@ x-yprovider-env: &yprovider-env x-minio-env: &minio-env MINIO_ROOT_USER: user - MINIO_ROOT_PASSWORD_FILE: /run/secrets/minio_rp + # MINIO_ROOT_PASSWORD supplied by secrets + # TODO: switch to using password_file (currently only works with env var) + # MINIO_ROOT_PASSWORD_FILE: /run/secrets/minio_rp services: app: @@ -179,8 +181,6 @@ services: PGDATA: var/lib/postgresql/data/pgdata volumes: - postgres:/var/lib/postgresql/data/pgdata - command: ["postgres"] - entrypoint: ["/abra-entrypoint.sh", "docker-entrypoint.sh"] deploy: labels: backupbot.backup: "${ENABLE_BACKUPS:-true}" @@ -191,15 +191,7 @@ services: - source: pg_backup target: /pg_backup.sh mode: 0555 - - source: abra_entrypoint - target: /abra-entrypoint.sh - mode: 0555 secrets: - - django_sk - - django_sp - - oidc_rpcs - - collab_ss - - minio_rp - postgres_p redis: @@ -212,8 +204,7 @@ services: image: minio/mc:RELEASE.2025-05-21T01-59-54Z environment: *minio-env networks: - - backend -# entrypoint: ["/abra-entrypoint.sh"] + - backend entrypoint: > sh -c "MINIO_ROOT_PASSWORD=\"\$$(cat /run/secrets/minio_rp)\" && /usr/bin/mc alias set docs http://minio:9000 \$${MINIO_ROOT_USER} \"\$${MINIO_ROOT_PASSWORD}\" && diff --git a/pg_backup.sh b/pg_backup.sh index 2ab1ea2..1fb7892 100644 --- a/pg_backup.sh +++ b/pg_backup.sh @@ -5,8 +5,7 @@ set -e BACKUP_FILE='/var/lib/postgresql/data/pgdata/backup.sql' function backup { - # export PGPASSWORD=$(cat $POSTGRES_PASSWORD_FILE) - export PGPASSWORD="$POSTGRES_PASSWORD" + export PGPASSWORD=$(cat $POSTGRES_PASSWORD_FILE) pg_dump -U ${POSTGRES_USER} ${POSTGRES_DB} > $BACKUP_FILE } From 720d305d6623beff23b57a6ac74c81327ee027e4 Mon Sep 17 00:00:00 2001 From: notplants Date: Thu, 6 Nov 2025 14:38:08 -0500 Subject: [PATCH 16/19] attempt at minio_pass_file --- abra-entrypoint.sh | 3 ++- compose.yml | 15 ++++++++++++--- 2 files changed, 14 insertions(+), 4 deletions(-) diff --git a/abra-entrypoint.sh b/abra-entrypoint.sh index 6eb3500..cfade45 100644 
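Review bot: In pg_backup.sh the new `export PGPASSWORD=$(cat $POSTGRES_PASSWORD_FILE)` leaves both the path and the command substitution unquoted, so an unset `POSTGRES_PASSWORD_FILE` makes `cat` block on stdin with no useful error, and in a POSIX shell a password containing whitespace or glob characters is split before it reaches `PGPASSWORD` (bash treats `export` arguments as assignments, but quoting removes the doubt). Check the file and quote both: `[ -r "$POSTGRES_PASSWORD_FILE" ] || { echo "pg_backup: password file not readable" >&2; exit 1; }` followed by `export PGPASSWORD="$(cat "$POSTGRES_PASSWORD_FILE")"`. Pointing `PGPASSFILE` at a 0600 pgpass file would additionally keep the password out of `pg_dump`'s environment, but the quoting is the must-have; the rest of `backup` is outside the hunk.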
--- a/abra-entrypoint.sh +++ b/abra-entrypoint.sh @@ -3,8 +3,9 @@ set -e [ -f /run/secrets/postgres_p ] && export DB_PASSWORD="$(cat /run/secrets/postgres_p)" [ -f /run/secrets/django_sk ] && export DJANGO_SECRET_KEY="$(cat /run/secrets/django_sk)" -[ -f /run/secrets/minio_rp ] && export MINIO_ROOT_PASSWORD="$(cat /run/secrets/minio_rp)" +#[ -f /run/secrets/minio_rp ] && export MINIO_ROOT_PASSWORD="$(cat /run/secrets/minio_rp)" [ -f /run/secrets/minio_rp ] && export AWS_S3_SECRET_ACCESS_KEY="$(cat /run/secrets/minio_rp)" +[ -f /run/secrets/minio_ru ] && export AWS_S3_ACCESS_KEY_ID="$(cat /run/secrets/minio_ru)" [ -f /run/secrets/django_sp ] && export DJANGO_SUPERUSER_PASSWORD="$(cat /run/secrets/django_sp)" [ -f /run/secrets/oidc_rpcs ] && export OIDC_RP_CLIENT_SECRET="$(cat /run/secrets/oidc_rpcs)" [ -f /run/secrets/collab_ss ] && export COLLABORATION_SERVER_SECRET="$(cat /run/secrets/collab_ss)" diff --git a/compose.yml b/compose.yml index 17900d4..35a2bd3 100644 --- a/compose.yml +++ b/compose.yml @@ -27,7 +27,7 @@ x-common-env: &common-env # Media STORAGES_STATICFILES_BACKEND: django.contrib.staticfiles.storage.StaticFilesStorage AWS_S3_ENDPOINT_URL: http://minio:9000 - AWS_S3_ACCESS_KEY_ID: user + # AWS_S3_ACCESS_KEY_ID supplied via secret (this is same MINIO_ROOT_USER) # AWS_S3_SECRET_ACCESS_KEY supplied via secret (this is same as MINIO_ROOT_PASSWORD) MEDIA_BASE_URL: https://${DOMAIN} AWS_STORAGE_BUCKET_NAME: docs-media-storage @@ -75,10 +75,12 @@ x-yprovider-env: &yprovider-env COLLABORATION_WS_URL: wss://${DOMAIN}/collaboration/ws/ x-minio-env: &minio-env - MINIO_ROOT_USER: user + # MINIO_ROOT_USER: user # MINIO_ROOT_PASSWORD supplied by secrets # TODO: switch to using password_file (currently only works with env var) # MINIO_ROOT_PASSWORD_FILE: /run/secrets/minio_rp + MINIO_ROOT_USER_FILE: /run/secrets/minio_ru + MINIO_ROOT_PASSWORD_FILE: /run/secrets/minio_rp services: app: 
@@ -206,7 +208,9 @@ services: networks: - backend entrypoint: > - sh -c "MINIO_ROOT_PASSWORD=\"\$$(cat /run/secrets/minio_rp)\" && + sh -c " + MINIO_ROOT_USER=$(cat /run/secrets/minio_ru) && + MINIO_ROOT_PASSWORD=$(cat /run/secrets/minio_rp) && /usr/bin/mc alias set docs http://minio:9000 \$${MINIO_ROOT_USER} \"\$${MINIO_ROOT_PASSWORD}\" && /usr/bin/mc mb --ignore-existing docs/docs-media-storage && /usr/bin/mc version enable docs/docs-media-storage && @@ -218,6 +222,7 @@ services: condition: none secrets: - minio_rp + - minio_ru minio: image: minio/minio:RELEASE.2025-05-24T17-08-30Z @@ -243,6 +248,7 @@ services: mode: 0555 secrets: - minio_rp + - minio_ru web: image: nginx:1.29 @@ -304,6 +310,9 @@ secrets: minio_rp: external: true name: ${STACK_NAME}_minio_rp_${SECRET_MINIO_RP_VERSION} + minio_ru: + external: true + name: ${STACK_NAME}_minio_ru_${SECRET_MINIO_RP_VERSION} y_api_key: external: true name: ${STACK_NAME}_y_api_key_${SECRET_Y_API_KEY_VERSION} \ No newline at end of file From 41ad58f47dfc7c7afb285cc246ab34855097d66b Mon Sep 17 00:00:00 2001 From: notplants Date: Thu, 6 Nov 2025 14:59:24 -0500 Subject: [PATCH 17/19] trying to use minio_root_pass_file --- .env.sample | 2 ++ compose.yml | 8 ++------ 2 files changed, 4 insertions(+), 6 deletions(-) diff --git a/.env.sample b/.env.sample index c01fe08..600c819 100644 --- a/.env.sample +++ b/.env.sample @@ -19,6 +19,8 @@ SECRET_OIDC_RPCS_VERSION=v1 SECRET_DJANGO_SP_VERSION=v1 # MINIO_ROOT_PASSWORD SECRET_MINIO_RP_VERSION=v1 +# MINIO_ROOT_USER +SECRET_MINIO_RU_VERSION=v1 # COLLABORATION_SERVER_SECRET SECRET_COLLAB_SS_VERSION=v1 # POSTGRES_PASSWORD diff --git a/compose.yml b/compose.yml index 35a2bd3..f1613df 100644 --- a/compose.yml +++ b/compose.yml 
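Review bot: The new `minio_ru` secret is declared with `name: ${STACK_NAME}_minio_ru_${SECRET_MINIO_RP_VERSION}`, i.e. versioned by the password's variable, so rotating the root password by bumping `SECRET_MINIO_RP_VERSION` makes the stack look for a `minio_ru` secret that was never created, and the `SECRET_MINIO_RU_VERSION` that the following commit adds to .env.sample has no effect at all. It should read `name: ${STACK_NAME}_minio_ru_${SECRET_MINIO_RU_VERSION}`. The file also still ends without a trailing newline.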
@@ -75,10 +75,6 @@ x-yprovider-env: &yprovider-env COLLABORATION_WS_URL: wss://${DOMAIN}/collaboration/ws/ x-minio-env: &minio-env - # MINIO_ROOT_USER: user - # MINIO_ROOT_PASSWORD supplied by secrets - # TODO: switch to using password_file (currently only works with env var) - # MINIO_ROOT_PASSWORD_FILE: /run/secrets/minio_rp MINIO_ROOT_USER_FILE: /run/secrets/minio_ru MINIO_ROOT_PASSWORD_FILE: /run/secrets/minio_rp @@ -209,8 +205,8 @@ services: - backend entrypoint: > sh -c " - MINIO_ROOT_USER=$(cat /run/secrets/minio_ru) && - MINIO_ROOT_PASSWORD=$(cat /run/secrets/minio_rp) && + MINIO_ROOT_USER=\"\$$(cat /run/secrets/minio_ru)\" && + MINIO_ROOT_PASSWORD=\"\$$(cat /run/secrets/minio_rp)\" && /usr/bin/mc alias set docs http://minio:9000 \$${MINIO_ROOT_USER} \"\$${MINIO_ROOT_PASSWORD}\" && /usr/bin/mc mb --ignore-existing docs/docs-media-storage && /usr/bin/mc version enable docs/docs-media-storage && From b527d802cad3ad0865863f856c79be26e18c5ede Mon Sep 17 00:00:00 2001 From: notplants Date: Fri, 7 Nov 2025 09:54:19 -0500 Subject: [PATCH 18/19] minio using files for secrets instead of env vars --- abra-entrypoint.sh | 1 - compose.yml | 6 +++++- 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/abra-entrypoint.sh b/abra-entrypoint.sh index cfade45..2f7be8e 100644 --- a/abra-entrypoint.sh +++ b/abra-entrypoint.sh @@ -3,7 +3,6 @@ set -e [ -f /run/secrets/postgres_p ] && export DB_PASSWORD="$(cat /run/secrets/postgres_p)" [ -f /run/secrets/django_sk ] && export DJANGO_SECRET_KEY="$(cat /run/secrets/django_sk)" -#[ -f /run/secrets/minio_rp ] && export MINIO_ROOT_PASSWORD="$(cat /run/secrets/minio_rp)" [ -f /run/secrets/minio_rp ] && export AWS_S3_SECRET_ACCESS_KEY="$(cat /run/secrets/minio_rp)" [ -f /run/secrets/minio_ru ] && export AWS_S3_ACCESS_KEY_ID="$(cat /run/secrets/minio_ru)" [ -f /run/secrets/django_sp ] && export DJANGO_SUPERUSER_PASSWORD="$(cat /run/secrets/django_sp)" diff --git a/compose.yml b/compose.yml index f1613df..4b53095 100644 
--- a/compose.yml +++ b/compose.yml @@ -119,6 +119,7 @@ services: - oidc_rpcs - collab_ss - minio_rp + - minio_ru - postgres_p - y_api_key @@ -231,7 +232,7 @@ services: networks: - backend command: minio server /data - entrypoint: ["/abra-entrypoint.sh", "/usr/bin/docker-entrypoint.sh"] + entrypoint: ["/usr/bin/docker-entrypoint.sh"] volumes: - minio:/data deploy: @@ -254,6 +255,9 @@ services: networks: proxy: backend: + depends_on: + - backend + - app environment: - STACK_NAME deploy: From d82844ba59eb1d20c434bf7a2b80493f079fa08f Mon Sep 17 00:00:00 2001 From: notplants Date: Fri, 7 Nov 2025 10:32:42 -0500 Subject: [PATCH 19/19] inline secret export for y-provider --- abra-entrypoint.sh | 8 +------- compose.yml | 13 ++----------- 2 files changed, 3 insertions(+), 18 deletions(-) diff --git a/abra-entrypoint.sh b/abra-entrypoint.sh index 2f7be8e..6366227 100644 --- a/abra-entrypoint.sh +++ b/abra-entrypoint.sh @@ -12,11 +12,5 @@ set -e # if not in "env" mode, then execute the original entrypoint and command if [ ! "$1" = "-e" ]; then - ORIGINAL_ENTRYPOINT="$1" - shift - if [ -n "$ORIGINAL_ENTRYPOINT" ] && [ "$ORIGINAL_ENTRYPOINT" != "null" ]; then - exec "$ORIGINAL_ENTRYPOINT" "$@" - else - exec "$@" - fi + exec "$@" fi \ No newline at end of file diff --git a/compose.yml b/compose.yml index 4b53095..c65eb69 100644 --- a/compose.yml +++ b/compose.yml @@ -150,20 +150,11 @@ services: networks: - backend environment: *yprovider-env + entrypoint: > + sh -c "export Y_PROVIDER_API_KEY=\"$$(cat /run/secrets/y_api_key)\" && exec /usr/local/bin/entrypoint \"$$@\"" -- command: ["yarn", "start"] - entrypoint: ["/abra-entrypoint.sh", "/usr/local/bin/entrypoint"] - configs: - - source: abra_entrypoint - target: /abra-entrypoint.sh - mode: 0555 # NOTE: healthcheck - `wget` is available in the container, but `wget http://localhost:4444` gives a 403 secrets: - - django_sk - - django_sp - - oidc_rpcs - - collab_ss - - minio_rp - - postgres_p - y_api_key db:
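Review bot: The `depends_on` added to `web` is ignored by `docker stack deploy` (swarm services have no startup ordering), so it does not change when nginx starts relative to `backend` and `app`; nginx will still fail to resolve the `{{ env "STACK_NAME" }}_backend`/`_app` upstreams if it comes up first. Either remove the key so readers are not misled, or make the upstreams tolerant of late peers, e.g. a `resolver 127.0.0.11 valid=10s;` with `set $backend http://...; proxy_pass $backend;` in nginx.conf.tmpl, and rely on the service restart policy in the meantime. If the key is kept for compose-file readers, add `# NOTE: depends_on is not honoured by swarm; startup order is not guaranteed` above it.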
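Review bot: In the y-provider `sh -c "... exec /usr/local/bin/entrypoint \"$$@\""` entrypoint, the positional parameters are whatever follows the script string: once the `command: ["yarn", "start"]` line is removed and the image's CMD is appended, the first CMD word becomes `$0` and `"$@"` expands only to the remainder, so the original entrypoint no longer receives the full command (which words are dropped depends on the image's CMD, which is not visible here). Supply a placeholder `$0` after the script so every CMD word lands in `$@`, e.g. `entrypoint: ["sh", "-c", "export Y_PROVIDER_API_KEY=\"$$(cat /run/secrets/y_api_key)\" && exec /usr/local/bin/entrypoint \"$$@\"", "--"]`. Consider also failing when the secret file is absent (`$$(cat ...)` on a missing file just exports an empty key), since the `&&` chain only guards the `cat` exit status when `set -e` style checking is added explicitly.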