coop-cloud/peertube
coop-cloud/peertube
1
0
Fork 1
generated from coop-cloud/example
Code Issues 2 Pull Requests Projects Releases Wiki Activity

Improve secret handling:

Browse Source 
- Use `file_env` for db_password
- Add missing `PEERTUBE_SECRET`
- Add `generate_secret` local abra command
This commit is contained in:
3wc 2025-02-06 14:58:39 -05:00
parent 8ee85f529b
commit 768cc4aead
5 changed files with 21 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
.env.sample
View File

@ -11,6 +11,7 @@ PEERTUBE_TRANSCODING_ENABLED=true
PEERTUBE_CONTACT_FORM_ENABLED=false PEERTUBE_CONTACT_FORM_ENABLED=false
SECRET_DB_PASSWORD_VERSION=v1 SECRET_DB_PASSWORD_VERSION=v1
SECRET_PEERTUBE_SECRET_VERSION=v1
## Webseed backend ## Webseed backend
# #

11
README.md
View File

@ -20,12 +20,13 @@ An ActivityPub-federated video streaming platform using P2P directly in your web
1. Set up Docker Swarm and [`abra`] 1. Set up Docker Swarm and [`abra`]
2. Deploy [`coop-cloud/traefik`] 2. Deploy [`coop-cloud/traefik`]
3. `abra app new peertube --secrets` (optionally with `--pass` if you'd like 3. `abra app new peertube`
to save secrets in `pass`) 4. `abra app cmd -l YOURAPPDOMAIN generate_secret`
4. `abra app config YOURAPPDOMAIN` - be sure to change `DOMAIN` to something that resolves to 5. `abra app secret generate YOURAPPDOMAIN -a`
6. `abra app config YOURAPPDOMAIN` - be sure to change `DOMAIN` to something that resolves to
your Docker swarm box your Docker swarm box
5. `abra app deploy YOURAPPDOMAIN` 7. `abra app deploy YOURAPPDOMAIN`
6. Open the configured domain in your browser to finish set-up 8. Open the configured domain in your browser to finish set-up
## Host-mode networking ## Host-mode networking

8
abra.sh
View File

@ -1,8 +1,12 @@
# shellcheck disable=SC2034,SC2145 # shellcheck disable=SC2034,SC2145
export NGINX_CONFIG_VERSION=v4 export NGINX_CONFIG_VERSION=v4
export APP_ENTRYPOINT_VERSION=v6 export APP_ENTRYPOINT_VERSION=v7
export DB_ENTRYPOINT_VERSION=v2 export DB_ENTRYPOINT_VERSION=v1
generate_secret() {
abra app secret insert "$APP_NAME" peertube_secret v1 "$(openssl rand -hex 32)" --chaos
}
sub_npm() { sub_npm() {
abra__service_="app" abra__service_="app"

6
compose.yml
View File

@ -54,6 +54,7 @@ services:
- PEERTUBE_DB_HOSTNAME=db - PEERTUBE_DB_HOSTNAME=db
- PEERTUBE_DB_PORT=5432 - PEERTUBE_DB_PORT=5432
- PEERTUBE_DB_USERNAME=peertube - PEERTUBE_DB_USERNAME=peertube
- PEERTUBE_DB_PASSWORD_FILE=/run/secrets/db_password
- PEERTUBE_LIVE_CHAT_ENABLED - PEERTUBE_LIVE_CHAT_ENABLED
- PEERTUBE_LOG_PING_REQUESTS - PEERTUBE_LOG_PING_REQUESTS
- PEERTUBE_REDIS_HOSTNAME=cache - PEERTUBE_REDIS_HOSTNAME=cache
@ -64,12 +65,14 @@ services:
- PEERTUBE_WEBSERVER_HOSTNAME=${DOMAIN} - PEERTUBE_WEBSERVER_HOSTNAME=${DOMAIN}
- PEERTUBE_WEBSERVER_HTTPS - PEERTUBE_WEBSERVER_HTTPS
- PEERTUBE_WEBSERVER_PORT - PEERTUBE_WEBSERVER_PORT
- PEERTUBE_SECRET_FILE=/run/secrets/peertube_secret
volumes: volumes:
- app-data:/data - app-data:/data
- app-config:/config - app-config:/config
- app-assets:/srv/client/dist - app-assets:/srv/client/dist
secrets: secrets:
- db_password - db_password
- peertube_secret
configs: configs:
- source: app_entrypoint - source: app_entrypoint
target: /docker-entrypoint.sh target: /docker-entrypoint.sh
@ -153,3 +156,6 @@ secrets:
db_password: db_password:
external: true external: true
name: ${STACK_NAME}_db_password_${SECRET_DB_PASSWORD_VERSION} name: ${STACK_NAME}_db_password_${SECRET_DB_PASSWORD_VERSION}
peertube_secret:
external: true
name: ${STACK_NAME}_peertube_secret_${SECRET_PEERTUBE_SECRET_VERSION}

3
entrypoint.sh.tmpl
View File

@ -24,7 +24,8 @@ file_env() {
unset "$fileVar" unset "$fileVar"
} }
export PEERTUBE_DB_PASSWORD=$(cat /run/secrets/db_password) file_env "PEERTUBE_DB_PASSWORD"
file_env "PEERTUBE_SECRET"
{{ if eq (env "PEERTUBE_SMTP_ENABLED") "1" }} {{ if eq (env "PEERTUBE_SMTP_ENABLED") "1" }}
file_env "PEERTUBE_SMTP_PASSWORD" file_env "PEERTUBE_SMTP_PASSWORD"