Improve secret handling:

- Use `file_env` for db_password
- Add missing `PEERTUBE_SECRET`
- Add `generate_secret` local abra command

.env.sample

@@ -11,6 +11,7 @@ PEERTUBE_TRANSCODING_ENABLED=true
 PEERTUBE_CONTACT_FORM_ENABLED=false
 
 SECRET_DB_PASSWORD_VERSION=v1
+SECRET_PEERTUBE_SECRET_VERSION=v1
 
 ## Webseed backend
 #

README.md

@@ -20,12 +20,13 @@ An ActivityPub-federated video streaming platform using P2P directly in your web
 
 1. Set up Docker Swarm and [`abra`]
 2. Deploy [`coop-cloud/traefik`]
-3. `abra app new peertube --secrets` (optionally with `--pass` if you'd like
-   to save secrets in `pass`)
-4. `abra app config YOURAPPDOMAIN` - be sure to change `DOMAIN` to something that resolves to
+3. `abra app new peertube`
+4. `abra app cmd -l YOURAPPDOMAIN generate_secret`
+5. `abra app secret generate YOURAPPDOMAIN -a`
+6. `abra app config YOURAPPDOMAIN` - be sure to change `DOMAIN` to something that resolves to
    your Docker swarm box
-5. `abra app deploy YOURAPPDOMAIN`
-6. Open the configured domain in your browser to finish set-up
+7. `abra app deploy YOURAPPDOMAIN`
+8. Open the configured domain in your browser to finish set-up
 
 ## Host-mode networking
 

abra.sh

@@ -1,8 +1,12 @@
 # shellcheck disable=SC2034,SC2145
 
 export NGINX_CONFIG_VERSION=v4
-export APP_ENTRYPOINT_VERSION=v6
-export DB_ENTRYPOINT_VERSION=v2
+export APP_ENTRYPOINT_VERSION=v7
+export DB_ENTRYPOINT_VERSION=v1
+
+generate_secret() {
+  abra app secret insert "$APP_NAME" peertube_secret v1 "$(openssl rand -hex 32)" --chaos
+}
 
 sub_npm() {
   abra__service_="app"

compose.yml

@@ -54,6 +54,7 @@ services:
       - PEERTUBE_DB_HOSTNAME=db
       - PEERTUBE_DB_PORT=5432
       - PEERTUBE_DB_USERNAME=peertube
+      - PEERTUBE_DB_PASSWORD_FILE=/run/secrets/db_password
       - PEERTUBE_LIVE_CHAT_ENABLED
       - PEERTUBE_LOG_PING_REQUESTS
       - PEERTUBE_REDIS_HOSTNAME=cache
@@ -64,12 +65,14 @@ services:
       - PEERTUBE_WEBSERVER_HOSTNAME=${DOMAIN}
       - PEERTUBE_WEBSERVER_HTTPS
       - PEERTUBE_WEBSERVER_PORT
+      - PEERTUBE_SECRET_FILE=/run/secrets/peertube_secret
     volumes:
       - app-data:/data
       - app-config:/config
       - app-assets:/srv/client/dist
     secrets:
       - db_password
+      - peertube_secret
     configs:
       - source: app_entrypoint
         target: /docker-entrypoint.sh
@@ -153,3 +156,6 @@ secrets:
   db_password:
     external: true
     name: ${STACK_NAME}_db_password_${SECRET_DB_PASSWORD_VERSION}
+  peertube_secret:
+    external: true
+    name: ${STACK_NAME}_peertube_secret_${SECRET_PEERTUBE_SECRET_VERSION}

entrypoint.sh.tmpl

@@ -24,7 +24,8 @@ file_env() {
    unset "$fileVar"
 }
 
-export PEERTUBE_DB_PASSWORD=$(cat /run/secrets/db_password)
+file_env "PEERTUBE_DB_PASSWORD"
+file_env "PEERTUBE_SECRET"
 
 {{ if eq (env "PEERTUBE_SMTP_ENABLED") "1" }}
 file_env "PEERTUBE_SMTP_PASSWORD"