Keep default secret-in-config file for backwards compat.

2025-02-06 18:11:06 -05:00 · 2025-02-06 18:11:06 -05:00 · 02081b0309
commit 02081b0309
parent 13a3fd9253
4 changed files with 27 additions and 6 deletions
--- a/.env.sample
+++ b/.env.sample
@ -2,6 +2,7 @@ TYPE=peertube

 DOMAIN=peertube.example.com              # <= EDIT THIS
 LETS_ENCRYPT_ENV=production
+COMPOSE_FILE=compose.yml

 PEERTUBE_WEBSERVER_PORT=443
 PEERTUBE_WEBSERVER_HTTPS=true
@ -11,6 +12,9 @@ PEERTUBE_TRANSCODING_ENABLED=true
 PEERTUBE_CONTACT_FORM_ENABLED=false

 SECRET_DB_PASSWORD_VERSION=v1
+
+# Comment out these lines if you want to store the peertube secret in a config file instead of a docker secret
+COMPOSE_FILE="$COMPOSE_FILE:compose.peertube-secret.yml"
 SECRET_PEERTUBE_SECRET_VERSION=v1

 ## Webseed backend
--- a/compose.peertube-secret.yml
+++ b/compose.peertube-secret.yml
@ -0,0 +1,14 @@
+---
+version: "3.8"
+
+services:
+  app:
+    environment:
+      - PEERTUBE_SECRET_FILE=/run/secrets/peertube_secret
+    secrets:
+      - peertube_secret
+
+secrets:
+  peertube_secret:
+    external: true
+    name: ${STACK_NAME}_peertube_secret_${SECRET_PEERTUBE_SECRET_VERSION}
--- a/compose.yml
+++ b/compose.yml
@ -58,14 +58,12 @@ services:
      - PEERTUBE_WEBSERVER_HOSTNAME=${DOMAIN}
      - PEERTUBE_WEBSERVER_HTTPS
      - PEERTUBE_WEBSERVER_PORT
-      - PEERTUBE_SECRET_FILE=/run/secrets/peertube_secret
    volumes:
      - app-data:/data
      - app-config:/config
      - app-assets:/srv/client/dist
    secrets:
      - db_password
-      - peertube_secret
    configs:
      - source: app_entrypoint
        target: /docker-entrypoint.sh
@ -141,6 +139,3 @@ secrets:
  db_password:
    external: true
    name: ${STACK_NAME}_db_password_${SECRET_DB_PASSWORD_VERSION}
-  peertube_secret:
-    external: true
-    name: ${STACK_NAME}_peertube_secret_${SECRET_PEERTUBE_SECRET_VERSION}
--- a/release/5.0.0+v5.2.1-bullseye
+++ b/release/5.0.0+v5.2.1-bullseye
@ -1 +1,9 @@
-WARNING! ⚠️ This release includes several major Postgres version updates, please make even more sure to take a database backup than usual
+WARNING! ⚠️ 
+
+This release includes several major Postgres version updates, please make even more sure to take a database backup than usual
+
+Also, `PEERTUBE_SECRET `can now be stored in Docker, instead of just in a config file. To enable this behaviour:
+
+1. Extract the secret from the config file using `abra app run $STACK_NAME app grep peertube: /config/production.yaml | cut -d'"' -f2`
+2. Run `abra app secret insert $STACK_NAME peertube_secret v1`
+3. Run `abra app config $STACK_NAME`, and set `COMPOSE_FILE=compose.yml:compose.peertube-secret.yml`