almost working with docker secrets

.env.sample

@@ -13,6 +13,10 @@ LETS_ENCRYPT_ENV=production
 SECRET_DJANGO_SECRET_KEY_VERSION=v1
 SECRET_OIDC_RP_CLIENT_SECRET_VERSION=v1
 SECRET_DJANGO_SUPERUSER_PASSWORD_VERSION=v1
+SECRET_MINIO_ROOT_PASSWORD_VERSION=v1
+SECRET_COLLABORATION_SERVER_SECRET_VERSION=v1
+SECRET_POSTGRES_PASSWORD_VERSION=v1
+SECRET_DB_PASSWORD_VERSION=v1
 
 ##############################################################################
 # BASIC SETTINGS 

abra.sh

@@ -1,8 +1,8 @@
 # Set any config versions here
 # Docs: https://docs.coopcloud.tech/maintainers/handbook/#manage-configs
+export ABRA_LASUITE_ENTRYPOINT_VERSION=v2
 export NGINX_CONF_VERSION=v2
 export PG_BACKUP_VERSION=v3
-export ENTRYPOINT_VERSION=v1
 
 # environment() {
 #   # TODO: Add file_env here

compose.yml

@@ -73,6 +73,7 @@ x-yprovider-env: &yprovider-env
   Y_PROVIDER_API_KEY: foobar
   COLLABORATION_API_URL: http://y-provider:4444/api/
   COLLABORATION_SERVER_ORIGIN: https://${DOMAIN}
+  # FIXME: Move to docker secret
   COLLABORATION_SERVER_SECRET: my-secret
   COLLABORATION_BACKEND_BASE_URL: https://${DOMAIN}
   COLLABORATION_WS_URL: wss://${DOMAIN}/collaboration/ws/
@@ -113,11 +114,20 @@ services:
       timeout: 30s
       retries: 20
       start_period: 10s
+    command: ["gunicorn", "-c", "/usr/local/etc/gunicorn/impress.py", "impress.wsgi:application"]
     entrypoint: /abra-lasuite-entrypoint.sh
     configs:
       - source: abra_lasuite_entrypoint
         target: /abra-lasuite-entrypoint.sh
         mode: 0555
+    secrets:
+      - django_secret_key
+      - oidc_rp_client_secret
+      - django_superuser_password
+      - collaboration_server_secret
+      - minio_root_password
+      - postgres_password
+      - db_password
 
   celery:
     image: lasuite/impress-backend:v3.4.2
@@ -131,6 +141,15 @@ services:
       - source: abra_lasuite_entrypoint
         target: /abra-lasuite-entrypoint.sh
         mode: 0555
+    secrets:
+      - django_secret_key
+      - oidc_rp_client_secret
+      - django_superuser_password
+      - collaboration_server_secret
+      - minio_root_password
+      - postgres_password
+      - db_password
+
 
   y-provider:
     image: lasuite/impress-y-provider:v3.4.2
@@ -186,6 +205,8 @@ services:
       replicas: 0
       restart_policy:
         condition: none
+    secrets:
+      - minio_root_password
 
   minio:
     image: minio/minio:RELEASE.2025-05-24T17-08-30Z
@@ -195,7 +216,6 @@ services:
       interval: 1s
       timeout: 20s
       retries: 300
-    entrypoint: ""
     networks:
       - backend 
     command: minio server /data
@@ -204,6 +224,20 @@ services:
     deploy:
       labels:
         backupbot.backup: "${ENABLE_BACKUPS:-true}"
+        entrypoint: /abra-lasuite-entrypoint.sh
+    configs:
+      - source: abra_lasuite_entrypoint
+        target: /abra-lasuite-entrypoint.sh
+        mode: 0555
+    secrets:
+      - django_secret_key
+      - oidc_rp_client_secret
+      - django_superuser_password
+      - collaboration_server_secret
+      - minio_root_password
+      - postgres_password
+      - db_password
+
 
   web:
     image: nginx:1.29
@@ -240,7 +274,7 @@ configs:
     name: ${STACK_NAME}_pg_backup_${PG_BACKUP_VERSION}
     file: pg_backup.sh
   abra_lasuite_entrypoint:
-    name: ${STACK_NAME}_entrypoint_${ENTRYPOINT_VERSION}
+    name: ${STACK_NAME}_entrypoint_${ABRA_LASUITE_ENTRYPOINT_VERSION}
     file: entrypoint.sh
 
 secrets:
@@ -253,3 +287,15 @@ secrets:
   django_superuser_password:
     external: true
     name: ${STACK_NAME}_django_superuser_password_${SECRET_DJANGO_SUPERUSER_PASSWORD_VERSION}
+  postgres_password:
+    external: true
+    name: ${STACK_NAME}_postgres_password_${SECRET_POSTGRES_PASSWORD_VERSION}
+  db_password:
+    external: true
+    name: ${STACK_NAME}_db_password_${SECRET_DB_PASSWORD_VERSION}
+  collaboration_server_secret:
+    external: true
+    name: ${STACK_NAME}_collaboration_server_secret_${SECRET_COLLABORATION_SERVER_SECRET_VERSION}
+  minio_root_password:
+    external: true
+    name: ${STACK_NAME}_minio_root_password_${SECRET_MINIO_ROOT_PASSWORD_VERSION}

entrypoint.sh

@@ -1,38 +1,20 @@
-#!/bin/bash
+#!/bin/sh
 
-set -e
+DJANGO_SECRET_KEY="$(cat /run/secrets/django_secret_key)"
+OIDC_RP_CLIENT_SECRET="$(cat /run/secrets/oidc_rp_client_secret)"
+DJANGO_SUPERUSER_PASSWORD="$(cat /run/secrets/django_superuser_password)"
+COLLABORATION_SERVER_SECRET="$(cat /run/secrets/collaboration_server_secret)"
+POSTGRES_PASSWORD="$(cat /run/secrets/postgres_password)"
+DB_PASSWORD="$(cat /run/secrets/db_password)"
+MINIO_ROOT_PASSWORD="$(cat /run/secrets/minio_root_password)"
 
-file_env() {
+export DJANGO_SECRET_KEY
-   local var="$1"
+export OIDC_RP_CLIENT_SECRET
-   local fileVar="${var}_FILE"
+export DJANGO_SUPERUSER_PASSWORD
-   local def="${2:-}"
+export COLLABORATION_SERVER_SECRET
-
+export POSTGRES_PASSWORD
-   if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then
+export DB_PASSWORD
-      echo >&2 "error: both $var and $fileVar are set (but are exclusive)"
+export MINIO_ROOT_PASSWORD
-      exit 1
-   fi
-
-   local val="$def"
-
-   if [ "${!var:-}" ]; then
-      val="${!var}"
-   elif [ "${!fileVar:-}" ]; then
-      val="$(< "${!fileVar}")"
-   fi
-
-   export "$var"="$val"
-   unset "$fileVar"
-}
-
-file_env "DJANGO_SECRET_KEY"
-file_env "OIDC_RP_CLIENT_SECRET"
-file_env "DJANGO_SUPERUSER_PASSWORD"
-# file_env "MINIO_ROOT_PASSWORD"
-# file_env "COLLABORATION_SERVER_SECRET"
-# file_env "POSTGRES_PASSWORD"
-# file_env "DB_PASSWORD"
-# file_env "AWS_S3_SECRET_ACCESS_KEY"
 
 # Execute the actual command (from command: in compose.yml)
 exec "$@"
-