diff --git a/.env.sample b/.env.sample
index d9f65b4..710a1f5 100644
--- a/.env.sample
+++ b/.env.sample
@@ -13,6 +13,10 @@ LETS_ENCRYPT_ENV=production
 SECRET_DJANGO_SECRET_KEY_VERSION=v1
 SECRET_OIDC_RP_CLIENT_SECRET_VERSION=v1
 SECRET_DJANGO_SUPERUSER_PASSWORD_VERSION=v1
+SECRET_MINIO_ROOT_PASSWORD_VERSION=v1
+SECRET_COLLABORATION_SERVER_SECRET_VERSION=v1
+SECRET_POSTGRES_PASSWORD_VERSION=v1
+SECRET_DB_PASSWORD_VERSION=v1
 ##############################################################################
 # BASIC SETTINGS
diff --git a/abra.sh b/abra.sh
index 2fbc127..80e73ce 100755
--- a/abra.sh
+++ b/abra.sh
@@ -1,8 +1,8 @@
 # Set any config versions here
 # Docs: https://docs.coopcloud.tech/maintainers/handbook/#manage-configs
+export ABRA_LASUITE_ENTRYPOINT_VERSION=v2
 export NGINX_CONF_VERSION=v2
 export PG_BACKUP_VERSION=v3
-export ENTRYPOINT_VERSION=v1
 # environment() {
 # # TODO: Add file_env here
diff --git a/compose.yml b/compose.yml
index 5da2887..da55341 100644
--- a/compose.yml
+++ b/compose.yml
@@ -73,6 +73,7 @@ x-yprovider-env: &yprovider-env
 Y_PROVIDER_API_KEY: foobar
 COLLABORATION_API_URL: http://y-provider:4444/api/
 COLLABORATION_SERVER_ORIGIN: https://${DOMAIN}
+ # FIXME: Move to docker secret
 COLLABORATION_SERVER_SECRET: my-secret
 COLLABORATION_BACKEND_BASE_URL: https://${DOMAIN}
 COLLABORATION_WS_URL: wss://${DOMAIN}/collaboration/ws/
@@ -113,11 +114,20 @@ services:
 timeout: 30s
 retries: 20
 start_period: 10s
+ command: ["gunicorn", "-c", "/usr/local/etc/gunicorn/impress.py", "impress.wsgi:application"]
 entrypoint: /abra-lasuite-entrypoint.sh
 configs:
 - source: abra_lasuite_entrypoint
 target: /abra-lasuite-entrypoint.sh
 mode: 0555
+ secrets:
+ - django_secret_key
+ - oidc_rp_client_secret
+ - django_superuser_password
+ - collaboration_server_secret
+ - minio_root_password
+ - postgres_password
+ - db_password
 celery:
 image: lasuite/impress-backend:v3.4.2
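Review bot: The `# FIXME` in the x-yprovider-env hunk leaves COLLABORATION_SERVER_SECRET as the literal `my-secret` for y-provider, while the backend and celery services in the later hunks now receive collaboration_server_secret as a Docker secret and export it through the entrypoint, so the two sides only agree if the external secret is created with exactly that literal value. Until the FIXME is done the comment should spell out the coupling, e.g. `# FIXME: Move to docker secret — must equal the collaboration_server_secret value the backend exports`. Whether the backend environment also merges this anchor, and therefore still sees the literal, cannot be told from the hunk.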
@@ -131,6 +141,15 @@ services:
 - source: abra_lasuite_entrypoint
 target: /abra-lasuite-entrypoint.sh
 mode: 0555
+ secrets:
+ - django_secret_key
+ - oidc_rp_client_secret
+ - django_superuser_password
+ - collaboration_server_secret
+ - minio_root_password
+ - postgres_password
+ - db_password
+
 y-provider:
 image: lasuite/impress-y-provider:v3.4.2
@@ -186,6 +205,8 @@ services:
 replicas: 0
 restart_policy:
 condition: none
+ secrets:
+ - minio_root_password
 minio:
 image: minio/minio:RELEASE.2025-05-24T17-08-30Z
@@ -195,7 +216,6 @@ services:
 interval: 1s
 timeout: 20s
 retries: 300
- entrypoint: ""
 networks:
 - backend
 command: minio server /data
@@ -204,6 +224,20 @@ services:
 deploy:
 labels:
 backupbot.backup: "${ENABLE_BACKUPS:-true}"
+ entrypoint: /abra-lasuite-entrypoint.sh
+ configs:
+ - source: abra_lasuite_entrypoint
+ target: /abra-lasuite-entrypoint.sh
+ mode: 0555
+ secrets:
+ - django_secret_key
+ - oidc_rp_client_secret
+ - django_superuser_password
+ - collaboration_server_secret
+ - minio_root_password
+ - postgres_password
+ - db_password
+
 web:
 image: nginx:1.29
@@ -240,7 +274,7 @@ configs:
 name: ${STACK_NAME}_pg_backup_${PG_BACKUP_VERSION}
 file: pg_backup.sh
 abra_lasuite_entrypoint:
- name: ${STACK_NAME}_entrypoint_${ENTRYPOINT_VERSION}
+ name: ${STACK_NAME}_entrypoint_${ABRA_LASUITE_ENTRYPOINT_VERSION}
 file: entrypoint.sh
 secrets:
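Review bot: The minio service in the -204 hunk is handed all seven secrets, including django_secret_key, oidc_rp_client_secret, django_superuser_password, postgres_password and db_password, although its `command: minio server /data` can only use minio_root_password; the same blanket list is attached to backend and celery in the -113 and -131 hunks. The apparent reason is that entrypoint.sh reads every /run/secrets file unconditionally, so each container using it must have all of them mounted. Making those reads conditional on the file being present would allow this service to carry only `secrets:` / `  - minio_root_password`, as the -186 hunk already does for its neighbour. As written, a compromise of the object-store container exposes the Django signing key and both database credentials at /run/secrets.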
@@ -252,4 +286,16 @@ secrets:
 name: ${STACK_NAME}_oidc_rp_client_secret_${SECRET_OIDC_RP_CLIENT_SECRET_VERSION}
 django_superuser_password:
 external: true
- name: ${STACK_NAME}_django_superuser_password_${SECRET_DJANGO_SUPERUSER_PASSWORD_VERSION}
\ No newline at end of file
+ name: ${STACK_NAME}_django_superuser_password_${SECRET_DJANGO_SUPERUSER_PASSWORD_VERSION}
+ postgres_password:
+ external: true
+ name: ${STACK_NAME}_postgres_password_${SECRET_POSTGRES_PASSWORD_VERSION}
+ db_password:
+ external: true
+ name: ${STACK_NAME}_db_password_${SECRET_DB_PASSWORD_VERSION}
+ collaboration_server_secret:
+ external: true
+ name: ${STACK_NAME}_collaboration_server_secret_${SECRET_COLLABORATION_SERVER_SECRET_VERSION}
+ minio_root_password:
+ external: true
+ name: ${STACK_NAME}_minio_root_password_${SECRET_MINIO_ROOT_PASSWORD_VERSION}
\ No newline at end of file
diff --git a/entrypoint.sh b/entrypoint.sh
index c302740..4fbd33f 100644
--- a/entrypoint.sh
+++ b/entrypoint.sh
@@ -1,38 +1,20 @@
-#!/bin/bash
+#!/bin/sh
-set -e
+DJANGO_SECRET_KEY="$(cat /run/secrets/django_secret_key)"
+OIDC_RP_CLIENT_SECRET="$(cat /run/secrets/oidc_rp_client_secret)"
+DJANGO_SUPERUSER_PASSWORD="$(cat /run/secrets/django_superuser_password)"
+COLLABORATION_SERVER_SECRET="$(cat /run/secrets/collaboration_server_secret)"
+POSTGRES_PASSWORD="$(cat /run/secrets/postgres_password)"
+DB_PASSWORD="$(cat /run/secrets/db_password)"
+MINIO_ROOT_PASSWORD="$(cat /run/secrets/minio_root_password)"
-file_env() {
- local var="$1"
- local fileVar="${var}_FILE"
- local def="${2:-}"
-
- if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then
- echo >&2 "error: both $var and $fileVar are set (but are exclusive)"
- exit 1
- fi
-
- local val="$def"
-
- if [ "${!var:-}" ]; then
- val="${!var}"
- elif [ "${!fileVar:-}" ]; then
- val="$(< "${!fileVar}")"
- fi
-
- export "$var"="$val"
- unset "$fileVar"
-}
-
-file_env "DJANGO_SECRET_KEY"
-file_env "OIDC_RP_CLIENT_SECRET"
-file_env "DJANGO_SUPERUSER_PASSWORD"
-# file_env "MINIO_ROOT_PASSWORD"
-# file_env "COLLABORATION_SERVER_SECRET"
-# file_env "POSTGRES_PASSWORD"
-# file_env "DB_PASSWORD"
-# file_env "AWS_S3_SECRET_ACCESS_KEY"
+export DJANGO_SECRET_KEY
+export OIDC_RP_CLIENT_SECRET
+export DJANGO_SUPERUSER_PASSWORD
+export COLLABORATION_SERVER_SECRET
+export POSTGRES_PASSWORD
+export DB_PASSWORD
+export MINIO_ROOT_PASSWORD
 # Execute the actual command (from command: in compose.yml)
 exec "$@"
-
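Review bot: Dropping `set -e` while leaving every `$(cat /run/secrets/…)` unchecked means a secret that is not mounted or not readable yields an empty string, and `exec "$@"` then starts the service with an empty DJANGO_SECRET_KEY, POSTGRES_PASSWORD and so on instead of failing; cat's complaint reaches stderr but nothing stops the script. The unconditional reads are also what forces every service using this entrypoint to mount all seven secrets, which is how minio ends up with the Django and database credentials in compose.yml. Restoring `set -e` and routing the reads through one helper that exports a variable only when its file exists keeps a present-but-unreadable file fatal while letting each service mount just the secrets it uses. The helper below stays within POSIX sh, which the new shebang requires.
```sh
#!/bin/sh
set -e

# Export $1 from /run/secrets/$2 when that secret is mounted, so each service
# only needs the secrets it actually uses. A mounted file that cannot be read
# still aborts the start-up through set -e.
read_secret() {
  if [ -e "/run/secrets/$2" ]; then
    val="$(cat "/run/secrets/$2")"
    export "$1=$val"
  fi
}

read_secret DJANGO_SECRET_KEY django_secret_key
read_secret OIDC_RP_CLIENT_SECRET oidc_rp_client_secret
# … same call for the remaining five secrets, then the unchanged: exec "$@" …
```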