add secrets

2022-06-07 17:25:19 +02:00 · 2022-06-07 17:25:19 +02:00 · 04df81ea8f
parent f1d76714be
commit 04df81ea8f
4 changed files with 74 additions and 4 deletions
--- a/.env.sample
+++ b/.env.sample
@ -6,3 +6,7 @@ DOMAIN=limesurvey.example.com
 #EXTRA_DOMAINS=', `www.limesurvey.example.com`'

 LETS_ENCRYPT_ENV=production
+
+SECRET_DB_PASSWORD_VERSION=v1
+SECRET_DB_ROOT_PASSWORD_VERSION=v1
+SECRET_LIMESURVEY_ADMIN_PASSWORD_VERSION=v1
--- a/abra.sh
+++ b/abra.sh
@ -0,0 +1 @@
+export ENTRYPOINT_VERSION=v1
--- a/compose.yml
+++ b/compose.yml
@ -11,10 +11,20 @@ services:
      - internal
    environment:
      - "DB_HOST=${STACK_NAME}_db"
-      - "DB_PASSWORD=secret"
-      - "ADMIN_PASSWORD=foobar"
+      - "DB_PASSWORD_FILE=/run/secrets/db_password"
+      - "ADMIN_PASSWORD_FILE=/run/secrets/limesurvey_admin_password"
      - "PUBLIC_URL=https://${DOMAIN}"
      - "BASE_URL=https://${DOMAIN}"
+    configs:
+      - source: entrypoint
+        target: /usr/local/bin/custom-entrypoint.sh
+        mode: 0555
+    secrets:
+      - db_password
+      - limesurvey_admin_password
+    entrypoint: /usr/local/bin/custom-entrypoint.sh
+    volumes:
+      - app:/var/www/html/upload/surveys
    deploy:
      labels:
        - "traefik.enable=true"
@ -27,6 +37,12 @@ services:
        #- "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLForceHost=true"
        #- "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLHost=${DOMAIN}"
        - "coop-cloud.${STACK_NAME}.version="
+    healthcheck:
+      test: ["CMD", "curl", "-f", "http://localhost:8080"]
+      interval: 30s
+      timeout: 10s
+      retries: 10
+      start_period: 1m
  db:
    image: mysql:5.7
    networks:
@ -34,15 +50,35 @@ services:
    environment:
      - "MYSQL_USER=limesurvey"
      - "MYSQL_DATABASE=limesurvey"
-      - "MYSQL_PASSWORD=secret"
-      - "MYSQL_ROOT_PASSWORD=secret"
+      - "MYSQL_PASSWORD_FILE=/run/secrets/db_password"
+      - "MYSQL_ROOT_PASSWORD_FILE=/run/secrets/db_root_password"
    volumes:
      - mariadb:/var/lib/mysql
+    secrets:
+      - db_password
+      - db_root_password

 volumes:
+  app:
  mariadb:

 networks:
  proxy:
    external: true
  internal:
+
+configs:
+  entrypoint:
+    name: ${STACK_NAME}_entrypoint_${ENTRYPOINT_VERSION}
+    file: entrypoint.sh
+
+secrets:
+  db_root_password:
+    external: true
+    name: ${STACK_NAME}_db_root_password_${SECRET_DB_ROOT_PASSWORD_VERSION}
+  db_password:
+    external: true
+    name: ${STACK_NAME}_db_password_${SECRET_DB_PASSWORD_VERSION}
+  limesurvey_admin_password:
+    external: true
+    name: ${STACK_NAME}_limesurvey_admin_password_${SECRET_LIMESURVEY_ADMIN_PASSWORD_VERSION}
--- a/entrypoint.sh
+++ b/entrypoint.sh
@ -0,0 +1,29 @@
+#!/bin/bash
+
+set -eu
+
+file_env() {
+  local var="$1"
+  local fileVar="${var}_FILE"
+  local def="${2:-}"
+
+  if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then
+    echo >&2 "error: both $var and $fileVar are set (but are exclusive)"
+    exit 1
+  fi
+
+  local val="$def"
+
+  if [ "${!var:-}" ]; then
+    val="${!var}"
+  elif [ "${!fileVar:-}" ]; then
+    val="$(< "${!fileVar}")"
+  fi
+
+  export "$var"="$val"
+  unset "$fileVar"
+}
+
+file_env "ADMIN_PASSWORD"
+file_env "DB_PASSWORD"
+bash -c "/usr/local/bin/entrypoint.sh apache2-foreground"