broken commit for testing purposes

.env.sample

@@ -10,23 +10,18 @@ LETS_ENCRYPT_ENV=production
 ##############################################################################
 # SECRETS
 ##############################################################################
-# abbreviations are to fit abra 12 char secret recommendation
+SECRET_MINIO_ROOT_PASSWORD_VERSION=v1
-# DJANGO_SECRET_KEY
+SECRET_COLLABORATION_SERVER_SECRET_VERSION=v1
-SECRET_DJANGO_SK_VERSION=v1
+SECRET_POSTGRES_PASSWORD_VERSION=v1
-# ODIC_RP_CLIENT_SECRET
+SECRET_AWS_S3_SECRET_ACCESS_KEY_VERSION=v1
-SECRET_OIDC_RPCS_VERSION=v1
+SECRET_OIDC_RP_CLIENT_SECRET_VERSION=v1
-# DJANGO_SUPERUSER_PASSWORD
+SECRET_DJANGO_SECRET_KEY_VERSION=v1
-SECRET_DJANGO_SP_VERSION=v1
+SECRET_DJANGO_SUPERUSER_PASSWORD_VERSION=v1
-# MINIO_ROOT_PASSWORD
+SECRET_DJANGO_EMAIL_HOST_PASSWORD_VERSION=v1
-SECRET_MINIO_RP_VERSION=v1
+
-# MINIO_ROOT_USER
+##############################################################################
-SECRET_MINIO_RU_VERSION=v1
+# BASIC SETTINGS 
-# COLLABORATION_SERVER_SECRET
+##############################################################################
-SECRET_COLLAB_SS_VERSION=v1
-# POSTGRES_PASSWORD
-SECRET_POSTGRES_P_VERSION=v1
-# Y_PROVIDER_API_KEY
-SECRET_Y_API_KEY_VERSION=v1
 
 ##############################################################################
 # EMAIL
@@ -40,19 +35,23 @@ DJANGO_EMAIL_PORT=1025
 # SINGLE SIGN ON
 ##############################################################################
 # NOTE: OpenID Connect (OIDC) single sign-on is **required**, see recipe README
-OIDC_REALM=yourkeycloakrealm
+## Set those according to your needs
-OIDC_OP_JWKS_ENDPOINT=https://auth.${DOMAIN}/realms/${OIDC_REALM}/protocol/openid-connect/certs
+OIDC_RP_CLIENT_ID=docs
-OIDC_OP_AUTHORIZATION_ENDPOINT=https://auth.${DOMAIN}/realms/${OIDC_REALM}/protocol/openid-connect/auth
+REALM_NAME=
-OIDC_OP_TOKEN_ENDPOINT=https://auth.${DOMAIN}/realms/${OIDC_REALM}/protocol/openid-connect/token
+SSO_DOMAIN=
-OIDC_OP_USER_ENDPOINT=https://auth.${DOMAIN}/realms/${OIDC_REALM}/protocol/openid-connect/userinfo
+
-OIDC_RP_CLIENT_ID=yourkeycloakclientid
+## These can probably be left as-is
+OIDC_OP_JWKS_ENDPOINT=https://${SSO_DOMAIN}/realms/${REALM_NAME}/protocol/openid-connect/certs
+OIDC_OP_AUTHORIZATION_ENDPOINT=https://${SSO_DOMAIN}/realms/${REALM_NAME}/protocol/openid-connect/auth
+OIDC_OP_TOKEN_ENDPOINT=https://${SSO_DOMAIN}/realms/${REALM_NAME}/protocol/openid-connect/token
+OIDC_OP_USER_ENDPOINT=https://${SSO_DOMAIN}/realms/${REALM_NAME}/protocol/openid-connect/userinfo
 OIDC_RP_SIGN_ALGO=RS256
 OIDC_RP_SCOPES="openid email"
 LOGIN_REDIRECT_URL=https://${DOMAIN}
 LOGIN_REDIRECT_URL_FAILURE=https://${DOMAIN}
 LOGOUT_REDIRECT_URL=https://${DOMAIN}
-OIDC_REDIRECT_ALLOWED_HOSTS='["https://auth.${DOMAIN}", "https://${DOMAIN}"]'
+OIDC_REDIRECT_ALLOWED_HOSTS='["https://id.docs.coop", "https://${DOMAIN}"]'
-OIDC_AUTH_REQUEST_EXTRA_PARAMS='{"acr_values": "eidas1"}'
+#OIDC_AUTH_REQUEST_EXTRA_PARAMS="{'acr_values'='eidas1'}"
 
 ##############################################################################
 # LOGGING

abra-entrypoint.sh

@@ -1,23 +0,0 @@
-#!/bin/sh
-set -e
-
-[ -f /run/secrets/postgres_p ] && export DB_PASSWORD="$(cat /run/secrets/postgres_p)"
-[ -f /run/secrets/django_sk ] && export DJANGO_SECRET_KEY="$(cat /run/secrets/django_sk)"
-#[ -f /run/secrets/minio_rp ] && export MINIO_ROOT_PASSWORD="$(cat /run/secrets/minio_rp)"
-[ -f /run/secrets/minio_rp ] && export AWS_S3_SECRET_ACCESS_KEY="$(cat /run/secrets/minio_rp)"
-[ -f /run/secrets/minio_ru ] && export AWS_S3_ACCESS_KEY_ID="$(cat /run/secrets/minio_ru)"
-[ -f /run/secrets/django_sp ] && export DJANGO_SUPERUSER_PASSWORD="$(cat /run/secrets/django_sp)"
-[ -f /run/secrets/oidc_rpcs ] && export OIDC_RP_CLIENT_SECRET="$(cat /run/secrets/oidc_rpcs)"
-[ -f /run/secrets/collab_ss ] && export COLLABORATION_SERVER_SECRET="$(cat /run/secrets/collab_ss)"
-[ -f /run/secrets/y_api_key ] && export Y_PROVIDER_API_KEY="$(cat /run/secrets/y_api_key)"
-
-# if not in "env" mode, then execute the original entrypoint and command
-if [ ! "$1" = "-e" ]; then
-  ORIGINAL_ENTRYPOINT="$1"
-  shift
-  if [ -n "$ORIGINAL_ENTRYPOINT" ] && [ "$ORIGINAL_ENTRYPOINT" != "null" ]; then
-    exec "$ORIGINAL_ENTRYPOINT" "$@"
-  else
-    exec "$@"
-  fi
-fi

abra.sh

@@ -1,15 +1,18 @@
 # Set any config versions here
 # Docs: https://docs.coopcloud.tech/maintainers/handbook/#manage-configs
-export ABRA_ENTRYPOINT_VERSION=v4
+export NGINX_CONF_VERSION=v2
-export NGINX_CONF_VERSION=v3
 export PG_BACKUP_VERSION=v3
 
-environment() {
+export MINIO_ENTRYPOINT_VERSION=v1
-  # this exports all the secrets as environment variables
+export MINIO_BOOTSTRAP_ENTRYPOINT_VERSION=v8
-  source /abra-entrypoint.sh -e
+export YPROVIDER_ENTRYPOINT_VERSION=v1
-}
+export BACKEND_ENTRYPOINT_VERSION=v1
+export CELERY_ENTRYPOINT_VERSION=v1
+
+# environment() {
+#   # TODO: Add file_env here
+# }
 
 migrate() {
-  environment
   python manage.py migrate --noinput
 }

compose.yml

@@ -5,9 +5,9 @@
 x-common-env: &common-env
   DJANGO_CONFIGURATION: Production
   DJANGO_ALLOWED_HOSTS: "*"
-  # DJANGO_SECRET_KEY supplied via secrets
+  DJANGO_SECRET_KEY_FILE: /run/secrets/django_secret_key
   DJANGO_SETTINGS_MODULE: impress.settings
-  # DJANGO_SUPERUSER_PASSWORD supplied via secrets
+  DJANGO_SUPERUSER_PASSWORD_FILE: /run/secrets/django_superuser_password
   # Logging
   # Set to DEBUG level for dev only
   LOGGING_LEVEL_HANDLERS_CONSOLE:
@@ -21,14 +21,14 @@ x-common-env: &common-env
   DJANGO_EMAIL_LOGO_IMG:
   DJANGO_EMAIL_PORT:
   DJANGO_EMAIL_HOST_USER:
-  DJANGO_EMAIL_HOST_PASSWORD:
+  DJANGO_EMAIL_HOST_PASSWORD_FILE: /run/secrets/django_email_host_password
   # Backend url
   IMPRESS_BASE_URL: "https://${DOMAIN}"
   # Media
   STORAGES_STATICFILES_BACKEND: django.contrib.staticfiles.storage.StaticFilesStorage
   AWS_S3_ENDPOINT_URL: http://minio:9000
-  # AWS_S3_ACCESS_KEY_ID supplied via secret (this is same MINIO_ROOT_USER)
+  AWS_S3_ACCESS_KEY_ID: user
-  # AWS_S3_SECRET_ACCESS_KEY supplied via secret (this is same as MINIO_ROOT_PASSWORD)
+  AWS_S3_SECRET_ACCESS_KEY_FILE: /run/secrets/aws_s3_secret_access_key
   MEDIA_BASE_URL: https://${DOMAIN}
   AWS_STORAGE_BUCKET_NAME: docs-media-storage
   # OIDC - settings from .env, see .env.sample
@@ -37,7 +37,7 @@ x-common-env: &common-env
   OIDC_OP_TOKEN_ENDPOINT:
   OIDC_OP_USER_ENDPOINT:
   OIDC_RP_CLIENT_ID:
-  # OIDC_RP_CLIENT_SECRET supplied via secrets
+  OIDC_RP_CLIENT_SECRET_FILE: /run/secrets/oidc_rp_client_secret
   OIDC_RP_SIGN_ALGO:
   OIDC_RP_SCOPES:
   LOGIN_REDIRECT_URL:
@@ -45,7 +45,7 @@ x-common-env: &common-env
   LOGOUT_REDIRECT_URL:
   OIDC_REDIRECT_ALLOWED_HOSTS:
   OIDC_AUTH_REQUEST_EXTRA_PARAMS:
-  # AI (Fixme: remove?)
+  # AI
   AI_FEATURE_ENABLED: "false"
   AI_BASE_URL: https://openaiendpoint.com
   AI_API_KEY: password
@@ -57,37 +57,33 @@ x-postgres-env: &postgres-env
   # Postgresql db container configuration
   POSTGRES_DB: docs
   POSTGRES_USER: docs
-  POSTGRES_PASSWORD_FILE: /run/secrets/postgres_p
+  POSTGRES_PASSWORD_FILE: /run/secrets/postgres_password
   # App database configuration
   DB_HOST: db
   DB_NAME: docs
   DB_USER: docs
+  DB_PASSWORD_FILE: /run/secrets/postgres_password
   DB_PORT: 5432
-  # DB_PASSWORD supplied via secrets (this is same as POSTGRES_PASSWORD)
 
 x-yprovider-env: &yprovider-env
   COLLABORATION_LOGGING: "true"
-  # Y_PROVIDER_API_KEY supplied via secrets
+  Y_PROVIDER_API_KEY: foobar
   COLLABORATION_API_URL: http://y-provider:4444/api/
   COLLABORATION_SERVER_ORIGIN: https://${DOMAIN}
-  # COLLABORATION_SERVER_SECRET supplied via secrets
+  COLLABORATION_SERVER_SECRET_FILE: /run/secrets/collaboration_server_secret
   COLLABORATION_BACKEND_BASE_URL: https://${DOMAIN}
   COLLABORATION_WS_URL: wss://${DOMAIN}/collaboration/ws/
 
-x-minio-env: &minio-env
-  MINIO_ROOT_USER_FILE: /run/secrets/minio_ru
-  MINIO_ROOT_PASSWORD_FILE: /run/secrets/minio_rp
-
 services:
   app:
-    image: lasuite/impress-frontend:v3.4.2
+    image: lasuite/impress-frontend:v3.6.0
     networks:
       - backend 
     deploy:
       labels:
         - "traefik.enable=false"
         - "coop-cloud.${STACK_NAME}.timeout=${TIMEOUT:-120}"
-        - "coop-cloud.${STACK_NAME}.version=0.2.1+v3.4.2"
+        - "coop-cloud.${STACK_NAME}.version=0.3.0+v3.6.0"
     healthcheck:
       test: ["CMD", "curl", "-f", "http://localhost:8080"]
       interval: 15s
@@ -96,74 +92,50 @@ services:
       start_period: 10s
 
   backend:
-    image: lasuite/impress-backend:v3.4.2
+    image: lasuite/impress-backend:v3.6.0
     networks:
       - backend 
     environment:
       <<: [*common-env, *postgres-env, *yprovider-env]
+    secrets:
+      - collaboration_server_secret
+      - postgres_password
+      - aws_s3_secret_access_key
+      - oidc_rp_client_secret
+      - django_secret_key
+      - django_superuser_password
+      - django_email_host_password
     healthcheck:
-      test: ["CMD", "/abra-entrypoint.sh", "python", "manage.py", "check"]
+      test: ["CMD", "python", "manage.py", "check"]
       interval: 15s
       timeout: 30s
       retries: 20
       start_period: 10s
-    command: ["gunicorn", "-c", "/usr/local/etc/gunicorn/impress.py", "impress.wsgi:application"]
-    entrypoint: ["/abra-entrypoint.sh", "/usr/local/bin/entrypoint"]
-    configs:
-      - source: abra_entrypoint
-        target: /abra-entrypoint.sh
-        mode: 0555
-    secrets:
-      - django_sk
-      - django_sp
-      - oidc_rpcs
-      - collab_ss
-      - minio_rp
-      - postgres_p
-      - y_api_key
 
   celery:
-    image: lasuite/impress-backend:v3.4.2
+    image: lasuite/impress-backend:v3.6.0
     networks:
       - backend 
     command: ["celery", "-A", "impress.celery_app", "worker", "-l", "INFO"]
     environment:
       <<: [*common-env, *postgres-env, *yprovider-env]
-    entrypoint: ["/abra-entrypoint.sh", "/usr/local/bin/entrypoint"]
-    configs:
-      - source: abra_entrypoint
-        target: /abra-entrypoint.sh
-        mode: 0555
     secrets:
-      - django_sk
+      - collaboration_server_secret
-      - django_sp
+      - django_superuser_password
-      - oidc_rpcs
+      - postgres_password
-      - collab_ss
+      - aws_s3_secret_access_key
-      - minio_rp
+      - oidc_rp_client_secret
-      - postgres_p
+      - django_secret_key
-      - y_api_key
+      - django_email_host_password
-
       
   y-provider:
-    image: lasuite/impress-y-provider:v3.4.2
+    image: lasuite/impress-y-provider:v3.6.0
     networks:
       - backend 
-    environment: *yprovider-env
-    command: ["yarn", "start"]
-    entrypoint: ["/abra-entrypoint.sh", "/usr/local/bin/entrypoint"]
-    configs:
-      - source: abra_entrypoint
-        target: /abra-entrypoint.sh
-        mode: 0555
-    # NOTE: healthcheck - `wget` is available in the container, but `wget http://localhost:4444` gives a 403
     secrets:
-      - django_sk
+      - collaboration_server_secret
-      - django_sp
+    environment: *yprovider-env
-      - oidc_rpcs
+    # NOTE: healthcheck - `wget` is available in the container, but `wget http://localhost:4444` gives a 403
-      - collab_ss
-      - minio_rp
-      - postgres_p
-      - y_api_key
 
   db:
     image: postgres:16
@@ -179,6 +151,8 @@ services:
       PGDATA: var/lib/postgresql/data/pgdata
     volumes:
       - postgres:/var/lib/postgresql/data/pgdata
+    secrets:
+      - postgres_password
     deploy:
       labels:
         backupbot.backup: "${ENABLE_BACKUPS:-true}"
@@ -189,8 +163,6 @@ services:
         - source: pg_backup
           target: /pg_backup.sh
           mode: 0555
-    secrets:
-      - postgres_p
 
   redis:
     image: redis:8
@@ -199,52 +171,41 @@ services:
 
   minio-bootstrap:
     # NOTE: Not started by default, only run with a manual `abra app restart` / `docker service scale`
-    image: minio/mc:RELEASE.2025-05-21T01-59-54Z
+    image: minio/mc:RELEASE.2025-08-13T08-35-41Z
-    environment: *minio-env
+    environment: 
+      - MINIO_ROOT_USER=minio
+      - MINIO_ROOT_PASSWORD_FILE=/run/secrets/minio_root_password
     networks:
       - backend 
-    entrypoint: >
+    secrets:
-      sh -c "
+      - minio_root_password
-      MINIO_ROOT_USER=\"\$$(cat /run/secrets/minio_ru)\" &&   
-      MINIO_ROOT_PASSWORD=\"\$$(cat /run/secrets/minio_rp)\" &&   
-      /usr/bin/mc alias set docs http://minio:9000 \$${MINIO_ROOT_USER} \"\$${MINIO_ROOT_PASSWORD}\" &&
-      /usr/bin/mc mb --ignore-existing docs/docs-media-storage &&
-      /usr/bin/mc version enable docs/docs-media-storage &&
-      exit 0"
     deploy:
       mode: replicated
       replicas: 0
       restart_policy:
         condition: none
-    secrets:
-      - minio_rp
-      - minio_ru
 
   minio:
-    image: minio/minio:RELEASE.2025-05-24T17-08-30Z
+    image: minio/minio:RELEASE.2025-09-07T16-13-09Z
-    environment: *minio-env
+    environment:
+      - MINIO_ROOT_USER=minio
+      - MINIO_ROOT_PASSWORD_FILE=/run/secrets/minio_root_password
+    secrets:
+      - minio_root_password
     healthcheck:
       test: ["CMD", "mc", "ready", "local"]
       interval: 1s
       timeout: 20s
       retries: 300
+    entrypoint: ""
     networks:
       - backend 
     command: minio server /data
-    entrypoint: ["/abra-entrypoint.sh", "/usr/bin/docker-entrypoint.sh"]
     volumes:
       - minio:/data
     deploy:
       labels:
         backupbot.backup: "${ENABLE_BACKUPS:-true}"
-        entrypoint: /abra-entrypoint.sh
-    configs:
-      - source: abra_entrypoint
-        target: /abra-entrypoint.sh
-        mode: 0555
-    secrets:
-      - minio_rp
-      - minio_ru
 
   web:
     image: nginx:1.29
@@ -254,8 +215,6 @@ services:
     networks:
       proxy:
       backend:
-    environment:
-      - STACK_NAME
     deploy:
       labels:
         - "traefik.enable=true"
@@ -278,37 +237,55 @@ volumes:
 configs:
   nginx_conf:
     name: ${STACK_NAME}_nginx_conf_${NGINX_CONF_VERSION}
-    file: nginx.conf.tmpl
+    file: nginx.conf
-    template_driver: golang
   pg_backup:
     name: ${STACK_NAME}_pg_backup_${PG_BACKUP_VERSION}
     file: pg_backup.sh
-  abra_entrypoint:
+  minio_entrypoint:
-    name: ${STACK_NAME}_entrypoint_${ABRA_ENTRYPOINT_VERSION}
+    name: ${STACK_NAME}_minio_entrypoint_${MINIO_ENTRYPOINT_VERSION}
-    file: abra-entrypoint.sh
+    file: entrypoint-minio.sh.tmpl
+    template_driver: golang
+  minio_bootstrap_entrypoint:
+    name: ${STACK_NAME}_minio_bootstrap_entrypoint_${MINIO_BOOTSTRAP_ENTRYPOINT_VERSION}
+    file: entrypoint-minio-bootstrap.sh.tmpl
+    template_driver: golang
+  yprovider_entrypoint:
+    name: ${STACK_NAME}_yprovider_entrypoint_${YPROVIDER_ENTRYPOINT_VERSION}
+    file: entrypoint-yprovider.sh.tmpl
+    template_driver: golang
+  backend_entrypoint:
+    name: ${STACK_NAME}_backend_entrypoint_${BACKEND_ENTRYPOINT_VERSION}
+    file: entrypoint-backend.sh.tmpl
+    template_driver: golang
+  celery_entrypoint:
+    name: ${STACK_NAME}_celery_entrypoint_${CELERY_ENTRYPOINT_VERSION}
+    file: entrypoint-celery.sh.tmpl
+    template_driver: golang
+
+
 
 secrets:
-  django_sk:
+  minio_root_password:
+    name: ${STACK_NAME}_minio_root_password_${SECRET_MINIO_ROOT_PASSWORD_VERSION}
     external: true 
-    name: ${STACK_NAME}_django_sk_${SECRET_DJANGO_SK_VERSION}
+  collaboration_server_secret:
-  oidc_rpcs:
+    name: ${STACK_NAME}_collaboration_server_secret_${SECRET_COLLABORATION_SERVER_SECRET_VERSION}
     external: true 
-    name: ${STACK_NAME}_oidc_rpcs_${SECRET_OIDC_RPCS_VERSION}
+  postgres_password:
-  django_sp:
+    name: ${STACK_NAME}_postgres_password_${SECRET_POSTGRES_PASSWORD_VERSION}
     external: true 
-    name: ${STACK_NAME}_django_sp_${SECRET_DJANGO_SP_VERSION}
+  aws_s3_secret_access_key:
-  postgres_p:
+    name: ${STACK_NAME}_aws_s3_secret_access_key_${SECRET_AWS_S3_SECRET_ACCESS_KEY_VERSION}
     external: true 
-    name: ${STACK_NAME}_postgres_p_${SECRET_POSTGRES_P_VERSION}
+  oidc_rp_client_secret:
-  collab_ss:
+    name: ${STACK_NAME}_oidc_rp_client_secret_${SECRET_OIDC_RP_CLIENT_SECRET_VERSION}
     external: true 
-    name: ${STACK_NAME}_collab_ss_${SECRET_COLLAB_SS_VERSION}
+  django_secret_key:
-  minio_rp:
+    name: ${STACK_NAME}_django_secret_key_${SECRET_DJANGO_SECRET_KEY_VERSION}
     external: true 
-    name: ${STACK_NAME}_minio_rp_${SECRET_MINIO_RP_VERSION}
+  django_superuser_password:
-  minio_ru:
+    name: ${STACK_NAME}_django_superuser_password_${SECRET_DJANGO_SUPERUSER_PASSWORD_VERSION}
     external: true 
-    name: ${STACK_NAME}_minio_ru_${SECRET_MINIO_RP_VERSION}
+  django_email_host_password:
-  y_api_key:
+    name: ${STACK_NAME}_django_email_host_passsword_${SECRET_DJANGO_EMAIL_HOST_PASSWORD_VERSION}
     external: true 
-    name: ${STACK_NAME}_y_api_key_${SECRET_Y_API_KEY_VERSION}

entrypoint-backend.sh.tmpl

@@ -0,0 +1,40 @@
+#!/usr/bin/env bash
+
+file_env() {
+  # 3wc: Load $VAR_FILE into $VAR - useful for secrets. See
+  #   https://medium.com/@adrian.gheorghe.dev/using-docker-secrets-in-your-environment-variables-7a0609659aab
+  local var="$1"
+  local fileVar="${var}_FILE"
+  local def="${2:-}"
+
+  if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then
+    echo >&2 "error: both $var and $fileVar are set (but are exclusive)"
+    exit 1
+  fi
+  local val="$def"
+  if [ "${!var:-}" ]; then
+    val="${!var}"
+  elif [ "${!fileVar:-}" ]; then
+    val="$(< "${!fileVar}")"
+  fi
+  export "$var"="$val"
+  unset "$fileVar"
+}
+
+load_vars() {
+  file_env "COLLABORATION_SERVER_SECRET"
+  file_env "POSTGRES_PASSWORD"
+  file_env "AWS_S3_SECRET_ACCESS_KEY"
+  file_env "OIDC_RP_CLIENT_SECRET"
+  file_env "DJANGO_SECRET_KEY"
+  file_env "DJANGO_EMAIL_HOST_PASSWORD"
+  file_env "DJANGO_SUPERUSER_PASSWORD"
+}
+
+set -eu
+load_vars
+
+set +eu
+
+/usr/local/bin/entrypoint
+

entrypoint-celery.sh.tmpl

@@ -0,0 +1,39 @@
+#!/usr/bin/env bash
+
+file_env() {
+  # 3wc: Load $VAR_FILE into $VAR - useful for secrets. See
+  #   https://medium.com/@adrian.gheorghe.dev/using-docker-secrets-in-your-environment-variables-7a0609659aab
+  local var="$1"
+  local fileVar="${var}_FILE"
+  local def="${2:-}"
+
+  if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then
+    echo >&2 "error: both $var and $fileVar are set (but are exclusive)"
+    exit 1
+  fi
+  local val="$def"
+  if [ "${!var:-}" ]; then
+    val="${!var}"
+  elif [ "${!fileVar:-}" ]; then
+    val="$(< "${!fileVar}")"
+  fi
+  export "$var"="$val"
+  unset "$fileVar"
+}
+
+load_vars() {
+  file_env "COLLABORATION_SERVER_SECRET"
+  file_env "POSTGRES_PASSWORD"
+  file_env "AWS_S3_SECRET_ACCESS_KEY"
+  file_env "OIDC_RP_CLIENT_SECRET"
+  file_env "DJANGO_SECRET_KEY"
+  file_env "DJANGO_EMAIL_HOST_PASSWORD"
+  file_env "DJANGO_SUPERUSER_PASSWORD"
+}
+
+set -eu
+load_vars
+
+set +eu
+
+celery -A impress.celery_app worker -l INFO

entrypoint-minio-bootstrap.sh.tmpl

@@ -0,0 +1,39 @@
+#!/usr/bin/env bash
+
+file_env() {
+  # 3wc: Load $VAR_FILE into $VAR - useful for secrets. See
+  #   https://medium.com/@adrian.gheorghe.dev/using-docker-secrets-in-your-environment-variables-7a0609659aab
+  local var="$1"
+  local fileVar="${var}_FILE"
+  local def="${2:-}"
+
+  if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then
+    echo >&2 "error: both $var and $fileVar are set (but are exclusive)"
+    exit 1
+  fi
+  local val="$def"
+  if [ "${!var:-}" ]; then
+    val="${!var}"
+  elif [ "${!fileVar:-}" ]; then
+    val="$(< "${!fileVar}")"
+  fi
+  export "$var"="$val"
+  unset "$fileVar"
+}
+
+load_vars() {
+  file_env "MINIO_ROOT_PASSWORD"
+}
+
+set -eu
+
+load_vars
+
+set +eu
+set -x
+
+/usr/bin/mc alias set docs http://minio:9000 $MINIO_ROOT_USER $MINIO_ROOT_PASSWORD --api S3v4
+/usr/bin/mc mb --ignore-existing docs/docs-media-storage
+/usr/bin/mc mb version enable docs/docs-media-storage
+
+exit 0

entrypoint-minio.sh.tmpl

@@ -0,0 +1,34 @@
+#!/usr/bin/env bash
+
+file_env() {
+  # 3wc: Load $VAR_FILE into $VAR - useful for secrets. See
+  #   https://medium.com/@adrian.gheorghe.dev/using-docker-secrets-in-your-environment-variables-7a0609659aab
+  local var="$1"
+  local fileVar="${var}_FILE"
+  local def="${2:-}"
+
+  if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then
+    echo >&2 "error: both $var and $fileVar are set (but are exclusive)"
+    exit 1
+  fi
+  local val="$def"
+  if [ "${!var:-}" ]; then
+    val="${!var}"
+  elif [ "${!fileVar:-}" ]; then
+    val="$(< "${!fileVar}")"
+  fi
+  export "$var"="$val"
+  unset "$fileVar"
+}
+
+load_vars() {
+  file_env "MINIO_ROOT_PASSWORD"
+}
+
+set -eu
+
+load_vars
+
+set +eu
+
+minio server data

entrypoint-yprovider.sh.tmpl

@@ -0,0 +1,33 @@
+#!/usr/bin/env bash
+
+file_env() {
+  # 3wc: Load $VAR_FILE into $VAR - useful for secrets. See
+  #   https://medium.com/@adrian.gheorghe.dev/using-docker-secrets-in-your-environment-variables-7a0609659aab
+  local var="$1"
+  local fileVar="${var}_FILE"
+  local def="${2:-}"
+
+  if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then
+    echo >&2 "error: both $var and $fileVar are set (but are exclusive)"
+    exit 1
+  fi
+  local val="$def"
+  if [ "${!var:-}" ]; then
+    val="${!var}"
+  elif [ "${!fileVar:-}" ]; then
+    val="$(< "${!fileVar}")"
+  fi
+  export "$var"="$val"
+  unset "$fileVar"
+}
+
+load_vars() {
+  file_env "COLLABORATION_SERVER_SECRET"
+}
+
+set -eu
+load_vars
+
+set +eu
+
+/usr/local/bin/entrypoint

nginx.conf

@@ -1,9 +1,9 @@
 upstream docs_backend {
-    server {{ env "STACK_NAME" }}_backend:8000 fail_timeout=0;
+    server backend:8000 fail_timeout=0;
 }
 
 upstream docs_frontend {
-    server {{ env "STACK_NAME" }}_app:8080 fail_timeout=0;
+    server app:8080 fail_timeout=0;
 }
 
 server {

pg_backup.sh

@@ -5,7 +5,8 @@ set -e
 BACKUP_FILE='/var/lib/postgresql/data/pgdata/backup.sql'
 
 function backup {
-  export PGPASSWORD=$(cat $POSTGRES_PASSWORD_FILE)
+  # export PGPASSWORD=$(cat $POSTGRES_PASSWORD_FILE)
+  export PGPASSWORD="$POSTGRES_PASSWORD"
   pg_dump -U ${POSTGRES_USER} ${POSTGRES_DB} > $BACKUP_FILE
 }