adds more recipe stuff

* secrets * extract admin_name and admin_email * unset BASE_URL env for me the it broke the url path actually, this setting (https://github.com/martialblog/docker-limesurvey/blob/master/5.0/apache/entrypoint.sh#L112) is not documented (https://manual.limesurvey.org/Optional_settings), so not sure what it actually does * backupbot labels
add secrets
2022-06-07 21:43:21 +02:00 · 2022-06-07 17:25:19 +02:00
4 changed files with 89 additions and 6 deletions
--- a/.env.sample
+++ b/.env.sample
@ -6,3 +6,10 @@ DOMAIN=limesurvey.example.com
 #EXTRA_DOMAINS=', `www.limesurvey.example.com`'

 LETS_ENCRYPT_ENV=production
+
+ADMIN_EMAIL=admin@example.com
+ADMIN_NAME=admin
+
+SECRET_DB_PASSWORD_VERSION=v1
+SECRET_DB_ROOT_PASSWORD_VERSION=v1
+SECRET_LIMESURVEY_ADMIN_PASSWORD_VERSION=v1
--- a/abra.sh
+++ b/abra.sh
@ -0,0 +1 @@
+export ENTRYPOINT_VERSION=v1
--- a/compose.yml
+++ b/compose.yml
@ -3,7 +3,7 @@ version: "3.8"

 services:
  app:
-    image: martialblog/limesurvey:5.2.9-220110-apache
+    image: martialblog/limesurvey:5.3.18-220530-apache
    depends_on:
      - db
    networks:
@ -11,10 +11,22 @@ services:
      - internal
    environment:
      - "DB_HOST=${STACK_NAME}_db"
-      - "DB_PASSWORD=secret"
-      - "ADMIN_PASSWORD=foobar"
+      - "DB_PASSWORD_FILE=/run/secrets/db_password"
+      - ADMIN_EMAIL
+      - ADMIN_NAME
+      - "ADMIN_PASSWORD_FILE=/run/secrets/limesurvey_admin_password"
      - "PUBLIC_URL=https://${DOMAIN}"
-      - "BASE_URL=https://${DOMAIN}"
+      - "BASE_URL"
+    configs:
+      - source: entrypoint
+        target: /usr/local/bin/custom-entrypoint.sh
+        mode: 0555
+    secrets:
+      - db_password
+      - limesurvey_admin_password
+    entrypoint: /usr/local/bin/custom-entrypoint.sh
+    volumes:
+      - app:/var/www/html/upload/surveys
    deploy:
      labels:
        - "traefik.enable=true"
@ -27,6 +39,14 @@ services:
        #- "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLForceHost=true"
        #- "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLHost=${DOMAIN}"
        - "coop-cloud.${STACK_NAME}.version="
+        - "backupbot.backup=true"
+        - "backupbot.backup.path=/var/www/html/upload/surveys"
+    healthcheck:
+      test: ["CMD", "curl", "-f", "http://localhost:8080"]
+      interval: 30s
+      timeout: 10s
+      retries: 10
+      start_period: 1m
  db:
    image: mysql:5.7
    networks:
@ -34,15 +54,41 @@ services:
    environment:
      - "MYSQL_USER=limesurvey"
      - "MYSQL_DATABASE=limesurvey"
-      - "MYSQL_PASSWORD=secret"
-      - "MYSQL_ROOT_PASSWORD=secret"
+      - "MYSQL_PASSWORD_FILE=/run/secrets/db_password"
+      - "MYSQL_ROOT_PASSWORD_FILE=/run/secrets/db_root_password"
    volumes:
      - mariadb:/var/lib/mysql
+    secrets:
+      - db_password
+      - db_root_password
+    deploy:
+      labels:
+          backupbot.backup: "true"
+          backupbot.backup.pre-hook: 'mkdir -p /tmp/backup/ && mysqldump --single-transaction -u root -p"$$(cat /run/secrets/db_root_password)" limesurvey > /tmp/backup/backup.sql'
+          backupbot.backup.post-hook: "rm -rf /tmp/backup"
+          backupbot.backup.path: "/tmp/backup/"

 volumes:
+  app:
  mariadb:

 networks:
  proxy:
    external: true
  internal:
+
+configs:
+  entrypoint:
+    name: ${STACK_NAME}_entrypoint_${ENTRYPOINT_VERSION}
+    file: entrypoint.sh
+
+secrets:
+  db_root_password:
+    external: true
+    name: ${STACK_NAME}_db_root_password_${SECRET_DB_ROOT_PASSWORD_VERSION}
+  db_password:
+    external: true
+    name: ${STACK_NAME}_db_password_${SECRET_DB_PASSWORD_VERSION}
+  limesurvey_admin_password:
+    external: true
+    name: ${STACK_NAME}_limesurvey_admin_password_${SECRET_LIMESURVEY_ADMIN_PASSWORD_VERSION}
--- a/entrypoint.sh
+++ b/entrypoint.sh
@ -0,0 +1,29 @@
+#!/bin/bash
+
+set -eu
+
+file_env() {
+  local var="$1"
+  local fileVar="${var}_FILE"
+  local def="${2:-}"
+
+  if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then
+    echo >&2 "error: both $var and $fileVar are set (but are exclusive)"
+    exit 1
+  fi
+
+  local val="$def"
+
+  if [ "${!var:-}" ]; then
+    val="${!var}"
+  elif [ "${!fileVar:-}" ]; then
+    val="$(< "${!fileVar}")"
+  fi
+
+  export "$var"="$val"
+  unset "$fileVar"
+}
+
+file_env "ADMIN_PASSWORD"
+file_env "DB_PASSWORD"
+bash -c "/usr/local/bin/entrypoint.sh apache2-foreground"