From 9c6bb70b7a2cb1af37b0eef42aa1f3a3bea152f0 Mon Sep 17 00:00:00 2001
From: notplants
Date: Thu, 6 Nov 2025 14:06:33 -0500
Subject: [PATCH] working with abra recipe lint

---
 .env.sample | 25 ++++++-----
 abra-entrypoint.sh | 16 +++---
 compose.yml | 101 +++++++++++++++++++++------------------------
 3 files changed, 71 insertions(+), 71 deletions(-)

diff --git a/.env.sample b/.env.sample
index d99ff47..c01fe08 100644
--- a/.env.sample
+++ b/.env.sample
@@ -10,16 +10,21 @@ LETS_ENCRYPT_ENV=production
 ##############################################################################
 # SECRETS
 ##############################################################################
-SECRET_DJANGO_SECRET_KEY_VERSION=v1
-SECRET_OIDC_RP_CLIENT_SECRET_VERSION=v1
-SECRET_DJANGO_SUPERUSER_PASSWORD_VERSION=v1
-SECRET_MINIO_ROOT_PASSWORD_VERSION=v1
-SECRET_COLLABORATION_SERVER_SECRET_VERSION=v1
-SECRET_POSTGRES_PASSWORD_VERSION=v1
-SECRET_DB_PASSWORD_VERSION=v1
-
-MINIO_ROOT_PASSWORD_FILE="/run/secrets/minio_pass"
-POSTGRES_PASSWORD_FILE="/run/secrets/postgres_pass"
+# abbreviations are to fit abra 12 char secret recommendation
+# DJANGO_SECRET_KEY
+SECRET_DJANGO_SK_VERSION=v1
+# ODIC_RP_CLIENT_SECRET
+SECRET_OIDC_RPCS_VERSION=v1
+# DJANGO_SUPERUSER_PASSWORD
+SECRET_DJANGO_SP_VERSION=v1
+# MINIO_ROOT_PASSWORD
+SECRET_MINIO_RP_VERSION=v1
+# COLLABORATION_SERVER_SECRET
+SECRET_COLLAB_SS_VERSION=v1
+# POSTGRES_PASSWORD
+SECRET_POSTGRES_P_VERSION=v1
+# Y_PROVIDER_API_KEY
+SECRET_Y_API_KEY_VERSION=v1
 ##############################################################################
 # EMAIL
diff --git a/abra-entrypoint.sh b/abra-entrypoint.sh
index 6dcd2ba..6eb3500 100644
--- a/abra-entrypoint.sh
+++ b/abra-entrypoint.sh
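Review bot: The comment added above `SECRET_OIDC_RPCS_VERSION` misspells the variable it is meant to decode; `# ODIC_RP_CLIENT_SECRET` should read `# OIDC_RP_CLIENT_SECRET`, otherwise a search for OIDC misses the one place that maps the abbreviation back to its full name. Dropping `SECRET_DB_PASSWORD_VERSION` looks right, since the old secrets block in compose.yml never defined a db_password secret, but that is worth a word in the commit message so nobody tries to restore it. The removed `MINIO_ROOT_PASSWORD_FILE`/`POSTGRES_PASSWORD_FILE` sample values now live in compose.yml, so nothing is lost there.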
@@ -1,14 +1,14 @@
 #!/bin/sh
 set -e
-[ -f /run/secrets/postgres_password ] && export DB_PASSWORD="$(cat /run/secrets/postgres_password)"
-#[ -f /run/secrets/postgres_password ] && export POSTGRES_PASSWORD="$(cat /run/secrets/postgres_password)"
-[ -f /run/secrets/django_secret_key ] && export DJANGO_SECRET_KEY="$(cat /run/secrets/django_secret_key)"
-[ -f /run/secrets/minio_root_password ] && export MINIO_ROOT_PASSWORD="$(cat /run/secrets/minio_root_password)"
-[ -f /run/secrets/minio_root_password ] && export AWS_S3_SECRET_ACCESS_KEY="$(cat /run/secrets/minio_root_password)"
-[ -f /run/secrets/django_superuser_password ] && export DJANGO_SUPERUSER_PASSWORD="$(cat /run/secrets/django_superuser_password)"
-[ -f /run/secrets/oidc_rp_client_secret ] && export OIDC_RP_CLIENT_SECRET="$(cat /run/secrets/oidc_rp_client_secret)"
-[ -f /run/secrets/collaboration_server_secret ] && export COLLABORATION_SERVER_SECRET="$(cat /run/secrets/collaboration_server_secret)"
+[ -f /run/secrets/postgres_p ] && export DB_PASSWORD="$(cat /run/secrets/postgres_p)"
+[ -f /run/secrets/django_sk ] && export DJANGO_SECRET_KEY="$(cat /run/secrets/django_sk)"
+[ -f /run/secrets/minio_rp ] && export MINIO_ROOT_PASSWORD="$(cat /run/secrets/minio_rp)"
+[ -f /run/secrets/minio_rp ] && export AWS_S3_SECRET_ACCESS_KEY="$(cat /run/secrets/minio_rp)"
+[ -f /run/secrets/django_sp ] && export DJANGO_SUPERUSER_PASSWORD="$(cat /run/secrets/django_sp)"
+[ -f /run/secrets/oidc_rpcs ] && export OIDC_RP_CLIENT_SECRET="$(cat /run/secrets/oidc_rpcs)"
+[ -f /run/secrets/collab_ss ] && export COLLABORATION_SERVER_SECRET="$(cat /run/secrets/collab_ss)"
+[ -f /run/secrets/y_api_key ] && export Y_PROVIDER_API_KEY="$(cat /run/secrets/y_api_key)"
 # if not in "env" mode, then execute the original entrypoint and command
 if [ ! "$1" = "-e" ]; then
diff --git a/compose.yml b/compose.yml
index cff3f02..540227a 100644
--- a/compose.yml
+++ b/compose.yml
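Review bot: Every line of the rewritten block silently skips a secret whose file is not present (`[ -f … ] &&`), and after this rename the `/run/secrets/<name>` paths are coupled to the keys under `secrets:` in compose.yml and to the `SECRET_*_VERSION` names in .env.sample, so a typo in any of the three leaves the variable unset and the service comes up without its credential instead of failing at startup. A small POSIX helper keeps the mapping to one line per secret and gives a single place to log the skip to stderr, which makes such a mismatch visible in the container log; if a service mounts only a subset of the secrets on purpose the warning is just a log line there and can be dropped. The `AWS_S3_SECRET_ACCESS_KEY` line hands the application the MinIO root password as its S3 credential; that predates this change, but a dedicated access key for the app would keep the root credential out of the application containers. The `if [ ! "$1" = "-e" ]` branch continues past the end of the hunk.
```sh
set -e

# Export the variable named by $1 from the docker secret file $2.
# Secrets stay optional (not every service mounts every secret), but a
# missing file is logged so a mis-named secret shows up in the container log
# instead of surfacing later as an unexplained auth failure.
load_secret() {
  if [ -f "$2" ]; then
    export "$1=$(cat "$2")"
  else
    echo "abra-entrypoint: $2 not mounted, $1 left unset" >&2
  fi
}

load_secret DB_PASSWORD /run/secrets/postgres_p
load_secret DJANGO_SECRET_KEY /run/secrets/django_sk
load_secret MINIO_ROOT_PASSWORD /run/secrets/minio_rp
load_secret AWS_S3_SECRET_ACCESS_KEY /run/secrets/minio_rp
load_secret DJANGO_SUPERUSER_PASSWORD /run/secrets/django_sp
load_secret OIDC_RP_CLIENT_SECRET /run/secrets/oidc_rpcs
load_secret COLLABORATION_SERVER_SECRET /run/secrets/collab_ss
load_secret Y_PROVIDER_API_KEY /run/secrets/y_api_key
# … unchanged: "env" mode check and exec of the original entrypoint …
```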
@@ -57,7 +57,7 @@ x-postgres-env: &postgres-env
 # Postgresql db container configuration
 POSTGRES_DB: docs
 POSTGRES_USER: docs
- POSTGRES_PASSWORD_FILE: /run/secrets/postgres_password
+ POSTGRES_PASSWORD_FILE: /run/secrets/postgres_p
 # App database configuration
 DB_HOST: db
 DB_NAME: docs
@@ -67,8 +67,7 @@ x-postgres-env: &postgres-env
 x-yprovider-env: &yprovider-env
 COLLABORATION_LOGGING: "true"
- # FIXME: Move to docker secret
- Y_PROVIDER_API_KEY: foobar
+ # Y_PROVIDER_API_KEY supplied via secrets
 COLLABORATION_API_URL: http://y-provider:4444/api/
 COLLABORATION_SERVER_ORIGIN: https://${DOMAIN}
 # COLLABORATION_SERVER_SECRET supplied via secrets
@@ -77,7 +76,7 @@ x-yprovider-env: &yprovider-env
 x-minio-env: &minio-env
 MINIO_ROOT_USER: user
- # MINIO_ROOT_PASSWORD supplied via secrets
+ MINIO_ROOT_PASSWORD_FILE: /run/secrets/minio_rp
 services:
 app:
@@ -115,12 +114,13 @@ services:
 target: /abra-entrypoint.sh
 mode: 0555
 secrets:
- - django_secret_key
- - oidc_rp_client_secret
- - django_superuser_password
- - collaboration_server_secret
- - minio_root_password
- - postgres_password
+ - django_sk
+ - django_sp
+ - oidc_rpcs
+ - collab_ss
+ - minio_rp
+ - postgres_p
+ - y_api_key
 celery:
 image: lasuite/impress-backend:v3.4.2
@@ -135,12 +135,13 @@ services:
 target: /abra-entrypoint.sh
 mode: 0555
 secrets:
- - django_secret_key
- - oidc_rp_client_secret
- - django_superuser_password
- - collaboration_server_secret
- - minio_root_password
- - postgres_password
+ - django_sk
+ - django_sp
+ - oidc_rpcs
+ - collab_ss
+ - minio_rp
+ - postgres_p
+ - y_api_key
 y-provider:
@@ -156,12 +157,13 @@ services:
 mode: 0555
 # NOTE: healthcheck - `wget` is available in the container, but `wget http://localhost:4444` gives a 403
 secrets:
- - django_secret_key
- - oidc_rp_client_secret
- - django_superuser_password
- - collaboration_server_secret
- - minio_root_password
- - postgres_password
+ - django_sk
+ - django_sp
+ - oidc_rpcs
+ - collab_ss
+ - minio_rp
+ - postgres_p
+ - y_api_key
 db:
 image: postgres:16
@@ -193,12 +195,12 @@ services:
 target: /abra-entrypoint.sh
 mode: 0555
 secrets:
- - django_secret_key
- - oidc_rp_client_secret
- - django_superuser_password
- - collaboration_server_secret
- - minio_root_password
- - postgres_password
+ - django_sk
+ - django_sp
+ - oidc_rpcs
+ - collab_ss
+ - minio_rp
+ - postgres_p
 redis:
 image: redis:8
@@ -213,7 +215,7 @@ services:
 - backend
 # entrypoint: ["/abra-entrypoint.sh"]
 entrypoint: >
- sh -c "MINIO_ROOT_PASSWORD=\"\$$(cat /run/secrets/minio_root_password)\" &&
+ sh -c "MINIO_ROOT_PASSWORD=\"\$$(cat /run/secrets/minio_rp)\" &&
 /usr/bin/mc alias set docs http://minio:9000 \$${MINIO_ROOT_USER} \"\$${MINIO_ROOT_PASSWORD}\" &&
 /usr/bin/mc mb --ignore-existing docs/docs-media-storage &&
 /usr/bin/mc version enable docs/docs-media-storage &&
@@ -224,12 +226,7 @@ services:
 restart_policy:
 condition: none
 secrets:
- - django_secret_key
- - oidc_rp_client_secret
- - django_superuser_password
- - collaboration_server_secret
- - minio_root_password
- - postgres_password
+ - minio_rp
 minio:
 image: minio/minio:RELEASE.2025-05-24T17-08-30Z
@@ -254,12 +251,7 @@ services:
 target: /abra-entrypoint.sh
 mode: 0555
 secrets:
- - django_secret_key
- - oidc_rp_client_secret
- - django_superuser_password
- - collaboration_server_secret
- - minio_root_password
- - postgres_password
+ - minio_rp
 web:
 image: nginx:1.29
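Review bot: The secrets list in hunk @@ -193 (the service just before `redis:`, which by file order is db) still mounts six secrets, although the only Postgres secret reference in this file is `POSTGRES_PASSWORD_FILE: /run/secrets/postgres_p` in the postgres-env anchor; the commit already trims mc-init and minio to `- minio_rp`, so db should get the same treatment, `secrets:` / `- postgres_p`, unless its entrypoint (outside this hunk) reads the others. The y-provider list in hunk @@ -156 likewise receives django_sk, django_sp, oidc_rpcs, minio_rp and postgres_p, which a collaboration server presumably does not need; trimming it to `collab_ss` and `y_api_key` is worth confirming against the image it runs. Keeping each service's list to the secrets it actually reads limits what a compromise of one container exposes, which is the point of having per-service lists at all. Separately, the mc-init entrypoint in hunk @@ -213 passes the root password to `mc alias set` as a command-line argument, where it is visible in the container's process list for the life of the call; that predates this change but is worth a follow-up.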
@@ -303,21 +295,24 @@ configs:
 file: abra-entrypoint.sh
 secrets:
- django_secret_key:
+ django_sk:
 external: true
- name: ${STACK_NAME}_django_secret_key_${SECRET_DJANGO_SECRET_KEY_VERSION}
- oidc_rp_client_secret:
+ name: ${STACK_NAME}_django_sk_${SECRET_DJANGO_SK_VERSION}
+ oidc_rpcs:
 external: true
- name: ${STACK_NAME}_oidc_rp_client_secret_${SECRET_OIDC_RP_CLIENT_SECRET_VERSION}
- django_superuser_password:
+ name: ${STACK_NAME}_oidc_rpcs_${SECRET_OIDC_RPCS_VERSION}
+ django_sp:
 external: true
- name: ${STACK_NAME}_django_superuser_password_${SECRET_DJANGO_SUPERUSER_PASSWORD_VERSION}
- postgres_password:
+ name: ${STACK_NAME}_django_sp_${SECRET_DJANGO_SP_VERSION}
+ postgres_p:
 external: true
- name: ${STACK_NAME}_postgres_password_${SECRET_POSTGRES_PASSWORD_VERSION}
- collaboration_server_secret:
+ name: ${STACK_NAME}_postgres_p_${SECRET_POSTGRES_P_VERSION}
+ collab_ss:
 external: true
- name: ${STACK_NAME}_collaboration_server_secret_${SECRET_COLLABORATION_SERVER_SECRET_VERSION}
- minio_root_password:
+ name: ${STACK_NAME}_collab_ss_${SECRET_COLLAB_SS_VERSION}
+ minio_rp:
 external: true
- name: ${STACK_NAME}_minio_root_password_${SECRET_MINIO_ROOT_PASSWORD_VERSION}
\ No newline at end of file
+ name: ${STACK_NAME}_minio_rp_${SECRET_MINIO_RP_VERSION}
+ y_api_key:
+ external: true
+ name: ${STACK_NAME}_y_api_key_${SECRET_Y_API_KEY_VERSION}
\ No newline at end of file
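Review bot: The rewritten secrets block still ends without a trailing newline (`\ No newline at end of file` on the new side as well); add one after the last `name:` line so the next edit to this block does not produce a spurious diff. The abbreviated keys (`django_sk`, `oidc_rpcs`, `collab_ss`, …) are only decoded in .env.sample, so a one-line comment above `secrets:` such as `# secret names are abbreviated to fit abra's 12-char recommendation; full names are listed in .env.sample` would save readers the cross-file lookup, and the same comment would help in abra-entrypoint.sh where the paths appear again.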