coop-cloud/lasuite-docs
2
0
Fork 1
Code Issues 6 Pull Requests Actions Packages Projects Releases Wiki Activity

Fix Recipe And Properly Use Secrets #8

Merged
notplants merged 19 commits from secrets into main 2025-11-07 15:38:10 +00:00
Conversation 14 Commits 19 Files Changed 6 +155 -45
6 changed files with 155 additions and 45 deletions
Download Patch File Download Diff File Expand all files Collapse all files

36
.env.sample
View File

@ -8,12 +8,25 @@ DOMAIN=lasuite-docs.example.com
LETS_ENCRYPT_ENV=production LETS_ENCRYPT_ENV=production
############################################################################## ##############################################################################
# BASIC SETTINGS # SECRETS
############################################################################## ##############################################################################
# FIXME: Move to Docker secret # abbreviations are to fit abra 12 char secret recommendation
DJANGO_SECRET_KEY=ThisIsAnExampleKeyForDevPurposeOnly # DJANGO_SECRET_KEY
# FIXME: Move to docker secret SECRET_DJANGO_SK_VERSION=v1
DJANGO_SUPERUSER_PASSWORD=admin # ODIC_RP_CLIENT_SECRET
SECRET_OIDC_RPCS_VERSION=v1
# DJANGO_SUPERUSER_PASSWORD
SECRET_DJANGO_SP_VERSION=v1
# MINIO_ROOT_PASSWORD
SECRET_MINIO_RP_VERSION=v1
# MINIO_ROOT_USER
SECRET_MINIO_RU_VERSION=v1
# COLLABORATION_SERVER_SECRET
SECRET_COLLAB_SS_VERSION=v1
# POSTGRES_PASSWORD
SECRET_POSTGRES_P_VERSION=v1
# Y_PROVIDER_API_KEY
SECRET_Y_API_KEY_VERSION=v1
############################################################################## ##############################################################################
# EMAIL # EMAIL
@ -27,13 +40,12 @@ DJANGO_EMAIL_PORT=1025
# SINGLE SIGN ON # SINGLE SIGN ON
############################################################################## ##############################################################################
# NOTE: OpenID Connect (OIDC) single sign-on is **required**, see recipe README # NOTE: OpenID Connect (OIDC) single sign-on is **required**, see recipe README
OIDC_OP_JWKS_ENDPOINT=https://auth.${DOMAIN}/realms/impress/protocol/openid-connect/certs OIDC_REALM=yourkeycloakrealm
OIDC_OP_AUTHORIZATION_ENDPOINT=https://auth.${DOMAIN}/realms/impress/protocol/openid-connect/auth OIDC_OP_JWKS_ENDPOINT=https://auth.${DOMAIN}/realms/${OIDC_REALM}/protocol/openid-connect/certs
OIDC_OP_TOKEN_ENDPOINT=https://auth.${DOMAIN}/realms/impress/protocol/openid-connect/token OIDC_OP_AUTHORIZATION_ENDPOINT=https://auth.${DOMAIN}/realms/${OIDC_REALM}/protocol/openid-connect/auth
OIDC_OP_USER_ENDPOINT=https://auth.${DOMAIN}/realms/impress/protocol/openid-connect/userinfo OIDC_OP_TOKEN_ENDPOINT=https://auth.${DOMAIN}/realms/${OIDC_REALM}/protocol/openid-connect/token
OIDC_RP_CLIENT_ID=impress OIDC_OP_USER_ENDPOINT=https://auth.${DOMAIN}/realms/${OIDC_REALM}/protocol/openid-connect/userinfo
# FIXME: Move to docker secret OIDC_RP_CLIENT_ID=yourkeycloakclientid
OIDC_RP_CLIENT_SECRET=example
OIDC_RP_SIGN_ALGO=RS256 OIDC_RP_SIGN_ALGO=RS256
OIDC_RP_SCOPES="openid email" OIDC_RP_SCOPES="openid email"
LOGIN_REDIRECT_URL=https://${DOMAIN} LOGIN_REDIRECT_URL=https://${DOMAIN}

16
abra-entrypoint.sh Normal file
View File

@ -0,0 +1,16 @@
#!/bin/sh
set -e
[ -f /run/secrets/postgres_p ] && export DB_PASSWORD="$(cat /run/secrets/postgres_p)"
[ -f /run/secrets/django_sk ] && export DJANGO_SECRET_KEY="$(cat /run/secrets/django_sk)"
[ -f /run/secrets/minio_rp ] && export AWS_S3_SECRET_ACCESS_KEY="$(cat /run/secrets/minio_rp)"
[ -f /run/secrets/minio_ru ] && export AWS_S3_ACCESS_KEY_ID="$(cat /run/secrets/minio_ru)"
3wordchant commented 2025-11-04 20:38:18 +00:00
Outdated
Review
Copy Link

Ah another thing would be handy, which I think file_env does, is bail if neither DB_PASSWORD nor DB_PASSWORD_FILE is set.

Ah another thing would be handy, which I think `file_env` does, is bail if neither `DB_PASSWORD` nor `DB_PASSWORD_FILE` is set.
[ -f /run/secrets/django_sp ] && export DJANGO_SUPERUSER_PASSWORD="$(cat /run/secrets/django_sp)"
3wordchant commented 2025-11-04 20:39:39 +00:00
Outdated
Review
Copy Link

And, related to above, I think loading the secret path from e.g. POSTGRES_PASSWORD_FILE is preferable to hard-coding the path here, for 2 reasons:

  1. It prefigures the utopian future where all apps add _FILE variants of their environment variables
  2. It's more consistent with the other services in the stack
And, related to above, I think loading the secret path from e.g. `POSTGRES_PASSWORD_FILE` is preferable to hard-coding the path here, for 2 reasons: 1. It prefigures the utopian future where all apps add `_FILE` variants of their environment variables 2. It's more consistent with the other services in the stack
[ -f /run/secrets/oidc_rpcs ] && export OIDC_RP_CLIENT_SECRET="$(cat /run/secrets/oidc_rpcs)"
[ -f /run/secrets/collab_ss ] && export COLLABORATION_SERVER_SECRET="$(cat /run/secrets/collab_ss)"
[ -f /run/secrets/y_api_key ] && export Y_PROVIDER_API_KEY="$(cat /run/secrets/y_api_key)"
# if not in "env" mode, then execute the original entrypoint and command
if [ ! "$1" = "-e" ]; then
exec "$@"
fi

11
abra.sh
View File

@ -1,12 +1,15 @@
# Set any config versions here # Set any config versions here
# Docs: https://docs.coopcloud.tech/maintainers/handbook/#manage-configs # Docs: https://docs.coopcloud.tech/maintainers/handbook/#manage-configs
export NGINX_CONF_VERSION=v2 export ABRA_ENTRYPOINT_VERSION=v4
export NGINX_CONF_VERSION=v3
export PG_BACKUP_VERSION=v3 export PG_BACKUP_VERSION=v3
# environment() { environment() {
# # TODO: Add file_env here # this exports all the secrets as environment variables
# } source /abra-entrypoint.sh -e
}
migrate() { migrate() {
environment
python manage.py migrate --noinput python manage.py migrate --noinput
} }

130
compose.yml
View File

@ -5,9 +5,9 @@
x-common-env: &common-env x-common-env: &common-env
DJANGO_CONFIGURATION: Production DJANGO_CONFIGURATION: Production
DJANGO_ALLOWED_HOSTS: "*" DJANGO_ALLOWED_HOSTS: "*"
DJANGO_SECRET_KEY: # DJANGO_SECRET_KEY supplied via secrets
DJANGO_SETTINGS_MODULE: impress.settings DJANGO_SETTINGS_MODULE: impress.settings
DJANGO_SUPERUSER_PASSWORD: # DJANGO_SUPERUSER_PASSWORD supplied via secrets
# Logging # Logging
# Set to DEBUG level for dev only # Set to DEBUG level for dev only
LOGGING_LEVEL_HANDLERS_CONSOLE: LOGGING_LEVEL_HANDLERS_CONSOLE:
@ -27,9 +27,8 @@ x-common-env: &common-env
# Media # Media
STORAGES_STATICFILES_BACKEND: django.contrib.staticfiles.storage.StaticFilesStorage STORAGES_STATICFILES_BACKEND: django.contrib.staticfiles.storage.StaticFilesStorage
AWS_S3_ENDPOINT_URL: http://minio:9000 AWS_S3_ENDPOINT_URL: http://minio:9000
AWS_S3_ACCESS_KEY_ID: user # AWS_S3_ACCESS_KEY_ID supplied via secret (this is same MINIO_ROOT_USER)
# FIXME: Move to docker secret # AWS_S3_SECRET_ACCESS_KEY supplied via secret (this is same as MINIO_ROOT_PASSWORD)
AWS_S3_SECRET_ACCESS_KEY: password
MEDIA_BASE_URL: https://${DOMAIN} MEDIA_BASE_URL: https://${DOMAIN}
AWS_STORAGE_BUCKET_NAME: docs-media-storage AWS_STORAGE_BUCKET_NAME: docs-media-storage
# OIDC - settings from .env, see .env.sample # OIDC - settings from .env, see .env.sample
@ -38,7 +37,7 @@ x-common-env: &common-env
OIDC_OP_TOKEN_ENDPOINT: OIDC_OP_TOKEN_ENDPOINT:
OIDC_OP_USER_ENDPOINT: OIDC_OP_USER_ENDPOINT:
OIDC_RP_CLIENT_ID: OIDC_RP_CLIENT_ID:
OIDC_RP_CLIENT_SECRET: # OIDC_RP_CLIENT_SECRET supplied via secrets
OIDC_RP_SIGN_ALGO: OIDC_RP_SIGN_ALGO:
OIDC_RP_SCOPES: OIDC_RP_SCOPES:
LOGIN_REDIRECT_URL: LOGIN_REDIRECT_URL:
@ -46,7 +45,7 @@ x-common-env: &common-env
LOGOUT_REDIRECT_URL: LOGOUT_REDIRECT_URL:
OIDC_REDIRECT_ALLOWED_HOSTS: OIDC_REDIRECT_ALLOWED_HOSTS:
OIDC_AUTH_REQUEST_EXTRA_PARAMS: OIDC_AUTH_REQUEST_EXTRA_PARAMS:
# AI # AI (Fixme: remove?)
AI_FEATURE_ENABLED: "false" AI_FEATURE_ENABLED: "false"
AI_BASE_URL: https://openaiendpoint.com AI_BASE_URL: https://openaiendpoint.com
AI_API_KEY: password AI_API_KEY: password
@ -58,35 +57,32 @@ x-postgres-env: &postgres-env
# Postgresql db container configuration # Postgresql db container configuration
POSTGRES_DB: docs POSTGRES_DB: docs
POSTGRES_USER: docs POSTGRES_USER: docs
# FIXME: Move to docker secret POSTGRES_PASSWORD_FILE: /run/secrets/postgres_p
POSTGRES_PASSWORD: password
# App database configuration # App database configuration
DB_HOST: db DB_HOST: db
DB_NAME: docs DB_NAME: docs
DB_USER: docs DB_USER: docs
# FIXME: Move to docker secret
DB_PASSWORD: password
DB_PORT: 5432 DB_PORT: 5432
# DB_PASSWORD supplied via secrets (this is same as POSTGRES_PASSWORD)
x-yprovider-env: &yprovider-env x-yprovider-env: &yprovider-env
COLLABORATION_LOGGING: "true" COLLABORATION_LOGGING: "true"
Y_PROVIDER_API_KEY: foobar # Y_PROVIDER_API_KEY supplied via secrets
COLLABORATION_API_URL: http://y-provider:4444/api/ COLLABORATION_API_URL: http://y-provider:4444/api/
COLLABORATION_SERVER_ORIGIN: https://${DOMAIN} COLLABORATION_SERVER_ORIGIN: https://${DOMAIN}
COLLABORATION_SERVER_SECRET: my-secret # COLLABORATION_SERVER_SECRET supplied via secrets
COLLABORATION_BACKEND_BASE_URL: https://${DOMAIN} COLLABORATION_BACKEND_BASE_URL: https://${DOMAIN}
COLLABORATION_WS_URL: wss://${DOMAIN}/collaboration/ws/ COLLABORATION_WS_URL: wss://${DOMAIN}/collaboration/ws/
x-minio-env: &minio-env x-minio-env: &minio-env
MINIO_ROOT_USER: user MINIO_ROOT_USER_FILE: /run/secrets/minio_ru
# FIXME: Move to docker secret MINIO_ROOT_PASSWORD_FILE: /run/secrets/minio_rp
MINIO_ROOT_PASSWORD: password
services: services:
app: app:
image: lasuite/impress-frontend:v3.4.2 image: lasuite/impress-frontend:v3.4.2
networks: networks:
- backend - backend
deploy: deploy:
labels: labels:
3wordchant commented 2025-11-04 20:28:21 +00:00
Outdated
Review
Copy Link

If the problem is that the web container isn't resolving app consistently – which has definitely happened to me before, because it's on the proxy network so it has access to several containers named app – then I think using $(STACK_NAME}_app in the Nginx config would be a better solution; less complexity in the compose file, and less chance of problems if there are >1 lasuite-docs instances in the same swarm.

If the problem is that the `web` container isn't resolving `app` consistently – which has definitely happened to me before, because it's on the `proxy` network so it has access to several containers named `app` – then I think using `$(STACK_NAME}_app` in the Nginx config would be a better solution; less complexity in the compose file, and less chance of problems if there are >1 lasuite-docs instances in the same swarm.
- "traefik.enable=false" - "traefik.enable=false"
@ -106,11 +102,26 @@ services:
environment: environment:
<<: [*common-env, *postgres-env, *yprovider-env] <<: [*common-env, *postgres-env, *yprovider-env]
healthcheck: healthcheck:
test: ["CMD", "python", "manage.py", "check"] test: ["CMD", "/abra-entrypoint.sh", "python", "manage.py", "check"]
interval: 15s interval: 15s
timeout: 30s timeout: 30s
retries: 20 retries: 20
start_period: 10s start_period: 10s
command: ["gunicorn", "-c", "/usr/local/etc/gunicorn/impress.py", "impress.wsgi:application"]
entrypoint: ["/abra-entrypoint.sh", "/usr/local/bin/entrypoint"]
configs:
- source: abra_entrypoint
target: /abra-entrypoint.sh
mode: 0555
secrets:
- django_sk
- django_sp
- oidc_rpcs
- collab_ss
- minio_rp
- minio_ru
- postgres_p
- y_api_key
celery: celery:
image: lasuite/impress-backend:v3.4.2 image: lasuite/impress-backend:v3.4.2
@ -119,13 +130,32 @@ services:
command: ["celery", "-A", "impress.celery_app", "worker", "-l", "INFO"] command: ["celery", "-A", "impress.celery_app", "worker", "-l", "INFO"]
environment: environment:
<<: [*common-env, *postgres-env, *yprovider-env] <<: [*common-env, *postgres-env, *yprovider-env]
entrypoint: ["/abra-entrypoint.sh", "/usr/local/bin/entrypoint"]
configs:
- source: abra_entrypoint
target: /abra-entrypoint.sh
mode: 0555
secrets:
- django_sk
- django_sp
- oidc_rpcs
- collab_ss
- minio_rp
- postgres_p
- y_api_key
y-provider: y-provider:
image: lasuite/impress-y-provider:v3.4.2 image: lasuite/impress-y-provider:v3.4.2
networks: networks:
- backend - backend
environment: *yprovider-env environment: *yprovider-env
entrypoint: >
sh -c "export Y_PROVIDER_API_KEY=\"$$(cat /run/secrets/y_api_key)\" && exec /usr/local/bin/entrypoint \"$$@\"" --
command: ["yarn", "start"]
# NOTE: healthcheck - `wget` is available in the container, but `wget http://localhost:4444` gives a 403 # NOTE: healthcheck - `wget` is available in the container, but `wget http://localhost:4444` gives a 403
secrets:
- y_api_key
db: db:
image: postgres:16 image: postgres:16
@ -151,6 +181,8 @@ services:
- source: pg_backup - source: pg_backup
target: /pg_backup.sh target: /pg_backup.sh
3wordchant commented 2025-11-04 20:31:30 +00:00
Outdated
Review
Copy Link

It seems a bit unusual to have the same entrypoint used for services with different image; these situations are usually handled with a separate entrypoint file. But are you sure this is necessary? The postgresql image handles _FILE variables itself: https://hub.docker.com/_/postgres#docker-secrets

It seems a bit unusual to have the same entrypoint used for services with different `image`; these situations are usually handled with a separate entrypoint file. But are you sure this is necessary? The `postgresql` image handles `_FILE` variables itself: https://hub.docker.com/_/postgres#docker-secrets
mode: 0555 mode: 0555
secrets:
- postgres_p
redis: redis:
image: redis:8 image: redis:8
@ -162,18 +194,23 @@ services:
image: minio/mc:RELEASE.2025-05-21T01-59-54Z image: minio/mc:RELEASE.2025-05-21T01-59-54Z
environment: *minio-env environment: *minio-env
networks: networks:
- backend - backend
entrypoint: > entrypoint: >
sh -c " sh -c "
/usr/bin/mc alias set docs http://minio:9000 $${MINIO_ROOT_USER} $${MINIO_ROOT_PASSWORD} && \ MINIO_ROOT_USER=\"\$$(cat /run/secrets/minio_ru)\" &&
/usr/bin/mc mb --ignore-existing docs/docs-media-storage && \ MINIO_ROOT_PASSWORD=\"\$$(cat /run/secrets/minio_rp)\" &&
/usr/bin/mc version enable docs/docs-media-storage && \ /usr/bin/mc alias set docs http://minio:9000 \$${MINIO_ROOT_USER} \"\$${MINIO_ROOT_PASSWORD}\" &&
exit 0;" /usr/bin/mc mb --ignore-existing docs/docs-media-storage &&
/usr/bin/mc version enable docs/docs-media-storage &&
exit 0"
deploy: deploy:
mode: replicated mode: replicated
replicas: 0 replicas: 0
restart_policy: restart_policy:
condition: none condition: none
secrets:
- minio_rp
- minio_ru
minio: minio:
image: minio/minio:RELEASE.2025-05-24T17-08-30Z image: minio/minio:RELEASE.2025-05-24T17-08-30Z
@ -183,15 +220,23 @@ services:
interval: 1s interval: 1s
timeout: 20s timeout: 20s
retries: 300 retries: 300
entrypoint: ""
networks: networks:
- backend - backend
command: minio server /data command: minio server /data
entrypoint: ["/usr/bin/docker-entrypoint.sh"]
volumes: volumes:
- minio:/data - minio:/data
deploy: deploy:
labels: labels:
backupbot.backup: "${ENABLE_BACKUPS:-true}" backupbot.backup: "${ENABLE_BACKUPS:-true}"
entrypoint: /abra-entrypoint.sh
configs:
- source: abra_entrypoint
target: /abra-entrypoint.sh
mode: 0555
secrets:
- minio_rp
- minio_ru
web: web:
image: nginx:1.29 image: nginx:1.29
@ -201,6 +246,11 @@ services:
networks: networks:
3wordchant commented 2025-11-04 20:34:49 +00:00
Outdated
Review
Copy Link

Same comment about entrypoint as from Postgres; Minio also natively supports Docker Secrets (the dream): https://github.com/minio/minio/blob/master/docs/docker/README.md#minio-custom-access-and-secret-keys-using-docker-secrets

Same comment about entrypoint as from Postgres; Minio also natively supports Docker Secrets (the dream): https://github.com/minio/minio/blob/master/docs/docker/README.md#minio-custom-access-and-secret-keys-using-docker-secrets
proxy: proxy:
backend: backend:
depends_on:
- backend
- app
environment:
- STACK_NAME
deploy: deploy:
labels: labels:
- "traefik.enable=true" - "traefik.enable=true"
@ -223,7 +273,37 @@ volumes:
configs: configs:
nginx_conf: nginx_conf:
name: ${STACK_NAME}_nginx_conf_${NGINX_CONF_VERSION} name: ${STACK_NAME}_nginx_conf_${NGINX_CONF_VERSION}
file: nginx.conf file: nginx.conf.tmpl
template_driver: golang
pg_backup: pg_backup:
name: ${STACK_NAME}_pg_backup_${PG_BACKUP_VERSION} name: ${STACK_NAME}_pg_backup_${PG_BACKUP_VERSION}
file: pg_backup.sh file: pg_backup.sh
abra_entrypoint:
name: ${STACK_NAME}_entrypoint_${ABRA_ENTRYPOINT_VERSION}
file: abra-entrypoint.sh
secrets:
django_sk:
external: true
name: ${STACK_NAME}_django_sk_${SECRET_DJANGO_SK_VERSION}
oidc_rpcs:
external: true
name: ${STACK_NAME}_oidc_rpcs_${SECRET_OIDC_RPCS_VERSION}
django_sp:
external: true
name: ${STACK_NAME}_django_sp_${SECRET_DJANGO_SP_VERSION}
postgres_p:
external: true
name: ${STACK_NAME}_postgres_p_${SECRET_POSTGRES_P_VERSION}
collab_ss:
external: true
name: ${STACK_NAME}_collab_ss_${SECRET_COLLAB_SS_VERSION}
minio_rp:
external: true
name: ${STACK_NAME}_minio_rp_${SECRET_MINIO_RP_VERSION}
minio_ru:
external: true
name: ${STACK_NAME}_minio_ru_${SECRET_MINIO_RP_VERSION}
y_api_key:
external: true
name: ${STACK_NAME}_y_api_key_${SECRET_Y_API_KEY_VERSION}

4
nginx.conf → nginx.conf.tmpl
View File

@ -1,9 +1,9 @@
upstream docs_backend { upstream docs_backend {
server backend:8000 fail_timeout=0; server {{ env "STACK_NAME" }}_backend:8000 fail_timeout=0;
} }
upstream docs_frontend { upstream docs_frontend {
server app:8080 fail_timeout=0; server {{ env "STACK_NAME" }}_app:8080 fail_timeout=0;
} }
server { server {

3
pg_backup.sh
View File

@ -5,8 +5,7 @@ set -e
BACKUP_FILE='/var/lib/postgresql/data/pgdata/backup.sql' BACKUP_FILE='/var/lib/postgresql/data/pgdata/backup.sql'
function backup { function backup {
# export PGPASSWORD=$(cat $POSTGRES_PASSWORD_FILE) export PGPASSWORD=$(cat $POSTGRES_PASSWORD_FILE)
export PGPASSWORD="$POSTGRES_PASSWORD"
pg_dump -U ${POSTGRES_USER} ${POSTGRES_DB} > $BACKUP_FILE pg_dump -U ${POSTGRES_USER} ${POSTGRES_DB} > $BACKUP_FILE
} }