add secrets
This commit is contained in:
parent
f1d76714be
commit
04df81ea8f
|
@ -6,3 +6,7 @@ DOMAIN=limesurvey.example.com
|
||||||
#EXTRA_DOMAINS=', `www.limesurvey.example.com`'
|
#EXTRA_DOMAINS=', `www.limesurvey.example.com`'
|
||||||
|
|
||||||
LETS_ENCRYPT_ENV=production
|
LETS_ENCRYPT_ENV=production
|
||||||
|
|
||||||
|
SECRET_DB_PASSWORD_VERSION=v1
|
||||||
|
SECRET_DB_ROOT_PASSWORD_VERSION=v1
|
||||||
|
SECRET_LIMESURVEY_ADMIN_PASSWORD_VERSION=v1
|
44
compose.yml
44
compose.yml
|
@ -11,10 +11,20 @@ services:
|
||||||
- internal
|
- internal
|
||||||
environment:
|
environment:
|
||||||
- "DB_HOST=${STACK_NAME}_db"
|
- "DB_HOST=${STACK_NAME}_db"
|
||||||
- "DB_PASSWORD=secret"
|
- "DB_PASSWORD_FILE=/run/secrets/db_password"
|
||||||
- "ADMIN_PASSWORD=foobar"
|
- "ADMIN_PASSWORD_FILE=/run/secrets/limesurvey_admin_password"
|
||||||
- "PUBLIC_URL=https://${DOMAIN}"
|
- "PUBLIC_URL=https://${DOMAIN}"
|
||||||
- "BASE_URL=https://${DOMAIN}"
|
- "BASE_URL=https://${DOMAIN}"
|
||||||
|
configs:
|
||||||
|
- source: entrypoint
|
||||||
|
target: /usr/local/bin/custom-entrypoint.sh
|
||||||
|
mode: 0555
|
||||||
|
secrets:
|
||||||
|
- db_password
|
||||||
|
- limesurvey_admin_password
|
||||||
|
entrypoint: /usr/local/bin/custom-entrypoint.sh
|
||||||
|
volumes:
|
||||||
|
- app:/var/www/html/upload/surveys
|
||||||
deploy:
|
deploy:
|
||||||
labels:
|
labels:
|
||||||
- "traefik.enable=true"
|
- "traefik.enable=true"
|
||||||
|
@ -27,6 +37,12 @@ services:
|
||||||
#- "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLForceHost=true"
|
#- "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLForceHost=true"
|
||||||
#- "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLHost=${DOMAIN}"
|
#- "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLHost=${DOMAIN}"
|
||||||
- "coop-cloud.${STACK_NAME}.version="
|
- "coop-cloud.${STACK_NAME}.version="
|
||||||
|
healthcheck:
|
||||||
|
test: ["CMD", "curl", "-f", "http://localhost:8080"]
|
||||||
|
interval: 30s
|
||||||
|
timeout: 10s
|
||||||
|
retries: 10
|
||||||
|
start_period: 1m
|
||||||
db:
|
db:
|
||||||
image: mysql:5.7
|
image: mysql:5.7
|
||||||
networks:
|
networks:
|
||||||
|
@ -34,15 +50,35 @@ services:
|
||||||
environment:
|
environment:
|
||||||
- "MYSQL_USER=limesurvey"
|
- "MYSQL_USER=limesurvey"
|
||||||
- "MYSQL_DATABASE=limesurvey"
|
- "MYSQL_DATABASE=limesurvey"
|
||||||
- "MYSQL_PASSWORD=secret"
|
- "MYSQL_PASSWORD_FILE=/run/secrets/db_password"
|
||||||
- "MYSQL_ROOT_PASSWORD=secret"
|
- "MYSQL_ROOT_PASSWORD_FILE=/run/secrets/db_root_password"
|
||||||
volumes:
|
volumes:
|
||||||
- mariadb:/var/lib/mysql
|
- mariadb:/var/lib/mysql
|
||||||
|
secrets:
|
||||||
|
- db_password
|
||||||
|
- db_root_password
|
||||||
|
|
||||||
volumes:
|
volumes:
|
||||||
|
app:
|
||||||
mariadb:
|
mariadb:
|
||||||
|
|
||||||
networks:
|
networks:
|
||||||
proxy:
|
proxy:
|
||||||
external: true
|
external: true
|
||||||
internal:
|
internal:
|
||||||
|
|
||||||
|
configs:
|
||||||
|
entrypoint:
|
||||||
|
name: ${STACK_NAME}_entrypoint_${ENTRYPOINT_VERSION}
|
||||||
|
file: entrypoint.sh
|
||||||
|
|
||||||
|
secrets:
|
||||||
|
db_root_password:
|
||||||
|
external: true
|
||||||
|
name: ${STACK_NAME}_db_root_password_${SECRET_DB_ROOT_PASSWORD_VERSION}
|
||||||
|
db_password:
|
||||||
|
external: true
|
||||||
|
name: ${STACK_NAME}_db_password_${SECRET_DB_PASSWORD_VERSION}
|
||||||
|
limesurvey_admin_password:
|
||||||
|
external: true
|
||||||
|
name: ${STACK_NAME}_limesurvey_admin_password_${SECRET_LIMESURVEY_ADMIN_PASSWORD_VERSION}
|
|
@ -0,0 +1,29 @@
|
||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
set -eu
|
||||||
|
|
||||||
|
file_env() {
|
||||||
|
local var="$1"
|
||||||
|
local fileVar="${var}_FILE"
|
||||||
|
local def="${2:-}"
|
||||||
|
|
||||||
|
if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then
|
||||||
|
echo >&2 "error: both $var and $fileVar are set (but are exclusive)"
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
|
||||||
|
local val="$def"
|
||||||
|
|
||||||
|
if [ "${!var:-}" ]; then
|
||||||
|
val="${!var}"
|
||||||
|
elif [ "${!fileVar:-}" ]; then
|
||||||
|
val="$(< "${!fileVar}")"
|
||||||
|
fi
|
||||||
|
|
||||||
|
export "$var"="$val"
|
||||||
|
unset "$fileVar"
|
||||||
|
}
|
||||||
|
|
||||||
|
file_env "ADMIN_PASSWORD"
|
||||||
|
file_env "DB_PASSWORD"
|
||||||
|
bash -c "/usr/local/bin/entrypoint.sh apache2-foreground"
|
Loading…
Reference in New Issue