getting this thing ship/shape

2022-08-16 13:03:07 +02:00 · 2022-08-16 13:03:07 +02:00 · 7a90ea495a
parent 69921225ae
commit 7a90ea495a
5 changed files with 76 additions and 32 deletions
--- a/.env.sample
+++ b/.env.sample
@ -1,7 +1,9 @@
 TYPE=vaultwarden

 DOMAIN=vaultwarden.example.com
-
-## Domain aliases
-#EXTRA_DOMAINS=', `www.vaultwarden.example.com`'
 LETS_ENCRYPT_ENV=production
+
+WEBSOCKET_ENABLED=true
+SIGNUPS_ALLOWED=true
+
+SECRET_ADMIN_TOKEN_VERSION=v1 # length=48
--- a/README.md
+++ b/README.md
@ -1,30 +1,27 @@
 # vaultwarden

-TODO
+> Open source password manager

 <!-- metadata -->

 * **Category**: Apps
-* **Status**:
-* **Image**:
-* **Healthcheck**:
-* **Backups**:
-* **Email**:
-* **Tests**:
-* **SSO**:
+* **Status**: 2, beta
+* **Image**: `vaultwarden/server`, 4, upstream
+* **Healthcheck**: 3
+* **Backups**: No
+* **Email**: No
+* **Tests**: No
+* **SSO**: No

 <!-- endmetadata -->

-## Basic usage
+## Quick start

 1. Set up Docker Swarm and [`abra`]
 2. Deploy [`coop-cloud/traefik`]
-3. `abra app new ${REPO_NAME} --secrets` (optionally with `--pass` if you'd like
-   to save secrets in `pass`)
-4. `abra app YOURAPPDOMAIN config` - be sure to change `$DOMAIN` to something that resolves to
-   your Docker swarm box
+3. `abra app new vaultwarden`
+4. `abra app YOURAPPDOMAIN config`
 5. `abra app YOURAPPDOMAIN deploy`
-6. Open the configured domain in your browser to finish set-up

 [`abra`]: https://git.coopcloud.tech/coop-cloud/abra
 [`coop-cloud/traefik`]: https://git.coopcloud.tech/coop-cloud/traefik
--- a/abra.sh
+++ b/abra.sh
@ -0,0 +1 @@
+export APP_ENTRYPOINT_VERSION=v1
--- a/compose.yml
+++ b/compose.yml
@ -8,32 +8,34 @@ services:
      - proxy
    environment:
      - "DOMAIN=https://$DOMAIN"
-      - "WEBSOCKET_ENABLED=true"
-      - "ADMIN_TOKEN=test"
-      # - SIGNUPS_ALLOWED: $$cap_register_enabled
-      # - ADMIN_TOKEN: $$cap_admin_token
+      - "WEBSOCKET_ENABLED=$WEBSOCKET_ENABLED"
+      - "SIGNUPS_ALLOWED=$SIGNUPS_ALLOWED"
+      - "ADMIN_TOKEN_FILE=/run/secrets/admin_token"
+    configs:
+      - source: app_entrypoint
+        target: /docker-entrypoint.sh
+        mode: 0555
+    entrypoint: /docker-entrypoint.sh
+    command: /start.sh
+    secrets:
+      - admin_token
    volumes:
      - vaultwarden_data:/data
+    healthcheck:
+      test: curl -f http://localhost/alive || exit 1
+      interval: 5s
+      timeout: 3s
+      retries: 10
    deploy:
      restart_policy:
        condition: on-failure
      labels:
        - "traefik.enable=true"
        - "traefik.http.services.${STACK_NAME}.loadbalancer.server.port=80"
-        - "traefik.http.routers.${STACK_NAME}.rule=Host(`${DOMAIN}`${EXTRA_DOMAINS})"
+        - "traefik.http.routers.${STACK_NAME}.rule=Host(`${DOMAIN}`)"
        - "traefik.http.routers.${STACK_NAME}.entrypoints=web-secure"
        - "traefik.http.routers.${STACK_NAME}.tls.certresolver=${LETS_ENCRYPT_ENV}"
        - "coop-cloud.${STACK_NAME}.version=0.1.0+1.25.0"
-        ## Redirect from EXTRA_DOMAINS to DOMAIN
-        #- "traefik.http.routers.${STACK_NAME}.middlewares=${STACK_NAME}-redirect"
-        #- "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLForceHost=true"
-        #- "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLHost=${DOMAIN}"
-    # healthcheck:
-    #   test: ["CMD", "curl", "-f", "http://localhost"]
-    #   interval: 30s
-    #   timeout: 10s
-    #   retries: 10
-    #   start_period: 1m

 volumes:
  vaultwarden_data:
@ -41,3 +43,14 @@ volumes:
 networks:
  proxy:
    external: true
+
+configs:
+  app_entrypoint:
+    name: ${STACK_NAME}_app_entrypoint_${APP_ENTRYPOINT_VERSION}
+    file: entrypoint.sh.tmpl
+    template_driver: golang
+
+secrets:
+  admin_token:
+    external: true
+    name: ${STACK_NAME}_admin_token_${SECRET_ADMIN_TOKEN_VERSION}
--- a/entrypoint.sh.tmpl
+++ b/entrypoint.sh.tmpl
@ -0,0 +1,31 @@
+#!/bin/bash
+
+set -e
+
+file_env() {
+   local var="$1"
+   local fileVar="${var}_FILE"
+   local def="${2:-}"
+
+   if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then
+      echo >&2 "error: both $var and $fileVar are set (but are exclusive)"
+      exit 1
+   fi
+
+   local val="$def"
+
+   if [ "${!var:-}" ]; then
+      val="${!var}"
+   elif [ "${!fileVar:-}" ]; then
+      val="$(< "${!fileVar}")"
+   fi
+
+   export "$var"="$val"
+   unset "$fileVar"
+}
+
+file_env "ADMIN_TOKEN"
+
+# upstream startup command
+# https://github.com/dani-garcia/vaultwarden/blob/60ed5ff99d15dec0b82c85987f9a3e244b8bde91/docker/Dockerfile.j2#L254
+/start.sh