From bb35b39ea99f5c1c3fd742aedc4d9a6aab1b68ea Mon Sep 17 00:00:00 2001
From: 3wc <3wc@doesthisthing.work>
Date: Tue, 14 Mar 2023 15:31:55 -0400
Subject: [PATCH] Move Rails secrets into Docker secrets

---
 .env.sample | 3 +++
 abra.sh | 2 +-
 compose.yml | 23 +++++++++++++++++++++--
 entrypoint.sh | 27 +++++++++++++++++++++++++--
 4 files changed, 50 insertions(+), 5 deletions(-)

diff --git a/.env.sample b/.env.sample
index 2e3239b..f329326 100644
--- a/.env.sample
+++ b/.env.sample
@@ -37,6 +37,9 @@ FORCE_SSL=1
 # Enable rate limiting on group creation, other POST actions
 USE_RACK_ATTACK=1
 
+SECRET_DEVISE_SECRET_VERSION=v1 #length=64
+SECRET_SECRET_COOKIE_TOKEN_VERSION=v1 #length=64
+
 # Send catch up email (missed yesterday) weekly
 # EMAIL_CATCH_UP_WEEKLY=1
 
diff --git a/abra.sh b/abra.sh
index c06c141..394c061 100644
--- a/abra.sh
+++ b/abra.sh
@@ -1 +1 @@
-export LOOMIO_ENTRYPOINT_VERSION=v1
+export LOOMIO_ENTRYPOINT_VERSION=v2
diff --git a/compose.yml b/compose.yml
index 70ef0d7..7f6a2c5 100644
--- a/compose.yml
+++ b/compose.yml
@@ -24,8 +24,8 @@ x-environment: &default-env
   MAX_THREADS: ${MAX_THREADS}
   FORCE_SSL: ${FORCE_SSL}
   USE_RACK_ATTACK: ${USE_RACK_ATTACK}
-  DEVISE_SECRET: uuaYZNGgeKCMqGc5pPd3seNSrvKkVO9+pAu6JvrQI4M6T395m8dLJja5qza8HaHY
-  SECRET_COOKIE_TOKEN: uuaYZNGgeKCMqGc5pPd3seNSrvKkVO9+pAu6JvrQI4M6T395m8dLJja5qza8HaHY
+  DEVISE_SECRET_FILE: /run/secrets/devise_secret
+  SECRET_COOKIE_TOKEN_FILE: /run/secrets/secret_cookie_token
   SAML_APP_KEY:
   SAML_IDP_METADATA_URL:
   SAML_ISSUER:
@@ -39,6 +39,9 @@ services:
         target: /entrypoint.sh
         mode: 0555
     entrypoint: /entrypoint.sh
+    secrets:
+      - devise_secret
+      - secret_cookie_token
     volumes:
       - loomio_uploads:/loomio/public/system
       - loomio_storage:/loomio/storage
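Review bot: The two removed lines in the `x-environment` hunk carried a literal signing key that was committed to this repository, and switching to external secrets does not retire it for installations that already deployed with it — that value has to be treated as public, and anything signed under it stays forgeable until those installations are redeployed with the new secrets. The commit has no upgrade note about this; I would add a changelog/README line such as `Upgrading rotates DEVISE_SECRET and SECRET_COOKIE_TOKEN (previously hard-coded in compose.yml); existing sessions are invalidated on purpose.` and a comment above the new `_FILE` entries, `# Read from Docker secrets by entrypoint.sh (file_env); never put the value itself here.` Exactly what Loomio derives from these two variables is not visible in this diff, so the session-invalidation wording should be checked against the app's configuration before it is published.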
@@ -64,6 +67,14 @@ services:
       - "coop-cloud.${STACK_NAME}.version=0.1.0+v2.7.10"
   worker:
     image: loomio/loomio:v2.11.13
+    configs:
+      - source: entrypoint
+        target: /entrypoint.sh
+        mode: 0555
+    entrypoint: /entrypoint.sh
+    secrets:
+      - devise_secret
+      - secret_cookie_token
     networks:
       - backend
     environment:
@@ -148,3 +159,11 @@ configs:
   entrypoint:
     name: ${STACK_NAME}_entrypoint_${LOOMIO_ENTRYPOINT_VERSION}
     file: entrypoint.sh
+
+secrets:
+  devise_secret:
+    external: true
+    name: ${STACK_NAME}_devise_secret_${SECRET_DEVISE_SECRET_VERSION}
+  secret_cookie_token:
+    external: true
+    name: ${STACK_NAME}_secret_cookie_token_${SECRET_SECRET_COOKIE_TOKEN_VERSION}
diff --git a/entrypoint.sh b/entrypoint.sh
index fab19fa..76f4a89 100644
--- a/entrypoint.sh
+++ b/entrypoint.sh
@@ -1,10 +1,33 @@
-#! /bin/sh
+#!/usr/bin/env bash
+
+file_env() {
+  # 3wc: Load $VAR_FILE into $VAR - useful for secrets. See
+  # https://medium.com/@adrian.gheorghe.dev/using-docker-secrets-in-your-environment-variables-7a0609659aab
+  local var="$1"
+  local fileVar="${var}_FILE"
+  local def="${2:-}"
+
+  if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then
+    echo >&2 "error: both $var and $fileVar are set (but are exclusive)"
+    exit 1
+  fi
+  local val="$def"
+  if [ "${!var:-}" ]; then
+    val="${!var}"
+  elif [ "${!fileVar:-}" ]; then
+    val="$(< "${!fileVar}")"
+  fi
+  export "$var"="$val"
+  unset "$fileVar"
+}
+
+file_env "DEVISE_SECRET"
+file_env "SECRET_COOKIE_TOKEN"
 
 if test ! -f /loomio/storage/migrations_ran; then
   echo "first deploy, running migrations..."
   rake db:setup
   touch /loomio/storage/migrations_ran
 fi
-
 echo "starting loomio!"
 /loomio/docker_start.sh
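Review bot: Pointing the worker at the same `/entrypoint.sh` as the app means it now also executes the first-deploy branch of that script (`rake db:setup` guarded only by the presence of `/loomio/storage/migrations_ran`, see the entrypoint.sh hunk on this page), so on a fresh stack the app and worker containers can both find the marker missing and run `rake db:setup` concurrently. The worker's `volumes:` are not part of this hunk; if it does not mount `loomio_storage`, the marker is never persisted on the worker side and that branch runs on every worker restart. I would gate the migration on the service that owns the storage volume instead of on the marker alone, e.g. add `RUN_MIGRATIONS: "1"` to the app service's `environment:` only and make the entrypoint check `[ "${RUN_MIGRATIONS:-0}" = "1" ]` before the `if test ! -f …` block. The rest of the worker definition is outside this hunk, so the volume question needs confirming against the full compose.yml.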
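Review bot: `file_env` never checks that the file named by `$fileVar` exists and is readable: if `/run/secrets/devise_secret` is missing or empty, `val="$(< "${!fileVar}")"` only prints bash's error to stderr and leaves `val` empty, and because the script sets neither `-e` nor `-u`, execution continues into `/loomio/docker_start.sh` with an empty `DEVISE_SECRET` / `SECRET_COOKIE_TOKEN` exported. How Loomio behaves when handed an empty secret is outside this diff, but a signing key derived from an empty string is exactly the failure mode a deployment script should rule out before starting the app. I would fail fast in the `elif` branch, `[ -r "${!fileVar}" ] || { echo >&2 "error: $fileVar=${!fileVar} is not readable"; exit 1; }`, and after the assignment add `[ -n "$val" ] || { echo >&2 "error: $var is empty"; exit 1; }`, which still accepts a non-empty `$2` default since `val` is initialised from `def`. A short header comment, `# Resolves VAR from VAR_FILE (Docker secret) and exports it; aborts if both are set.`, would also help since the Medium link is the only documentation of the contract.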