generate and manage CRYPTO_KEY outside of abra

.env.sample

@@ -7,7 +7,7 @@ LETS_ENCRYPT_ENV=production
 #==============================================================================
 SECRET_SECRET_KEY_VERSION=v1
 SECRET_DB_PASSWORD_VERSION=v1
-SECRET_CRYPTO_KEY_VERSION=v1
+CRYPTO_KEY_VERSION=v1 # This secret is managed in the entrypoint, not as a docker secret
 
 #==============================================================================
 # ADMINISTRATION

abra.sh

@@ -40,13 +40,4 @@ setup_db() {
     fi
 
     echo "Database setup complete. <3"
-}
-
-gen_key() {
-    file_env "DB_PASSWORD"
-    file_env "CRYPTO_KEY"
-    file_env "SECRET_KEY"
-    file_env "LDAP_BIND_PASSWORD"
-
-    flask cryptokey create
 }

compose.yml

@@ -59,7 +59,6 @@ services:
       - ROOT_USER=${ADMIN_USER}
       - TMP_DIR=/tmp
       - SECRET_KEY_FILE=/run/secrets/secret_key
-      - CRYPTO_KEY_FILE=/run/secrets/crypto_key
       - SESSION_TYPE=filesystem
       - LOG_LEVEL=INFO
       - LOG_DIR=/app/logs
@@ -96,6 +95,7 @@ services:
       - uploads:/app/uploads
       - log:/app/logs
       - static:/app/liberaforms/static
+      - cryptokey:/cryptokey
     secrets:
       - db_password
       - secret_key
@@ -137,15 +137,13 @@ secrets:
   secret_key:
     external: true
     name: ${STACK_NAME}_secret_key_${SECRET_SECRET_KEY_VERSION}
-  crypto_key:
-    external: true
-    name: ${STACK_NAME}_crypto_key_${SECRET_CRYPTO_KEY_VERSION}
 
 volumes:
   uploads:
   static:
   log:
   db:
+  cryptokey:
 
 
 networks:

entrypoint.sh.tmpl

@@ -25,8 +25,12 @@ file_env() {
 }
 
 file_env "DB_PASSWORD"
-file_env "CRYPTO_KEY"
 file_env "SECRET_KEY"
 file_env "LDAP_BIND_PASSWORD"
 
+if [ ! -f "/cryptokey/$CRYPTO_KEY_VERSION" ]; then
+   flask cryptokey create > /cryptokey/$CRYPTO_KEY_VERSION
+fi
+export CRYPTO_KEY=`cat /cryptokey/$CRYPTO_KEY_VERSION`
+
 /usr/bin/supervisord -n