use custom entrypoint

handles docker secrets and calls initial migration
2022-11-12 12:20:07 +01:00 · 2022-11-12 12:20:07 +01:00 · db880748e2
parent 37e8738260
commit db880748e2
4 changed files with 69 additions and 11 deletions
--- a/.env.sample
+++ b/.env.sample
@ -1,12 +1,17 @@
 TYPE=wallabag

-DOMAIN=wallabag.example.com
+DOMAIN={{ .Domain }}
 ## Domain aliases
 #EXTRA_DOMAINS=', `www.wallabag.example.com`'
 LETS_ENCRYPT_ENV=production

 SECRET_DB_PASSWORD_VERSION=v1
 SECRET_DB_ROOT_PASSWORD_VERSION=v1
+SECRET_APP_SECRET_VERSION=v1
+SECRET_SMTP_PASSWORD=v1

 # Wallabag options, see https://github.com/wallabag/docker
-SYMFONY__ENV__FOSUSER_REGISTRATION=false
+SYMFONY__ENV__FOSUSER_REGISTRATION=true
+SYMFONY__ENV__MAILER_HOST=127.0.0.1
+SYMFONY__ENV__MAILER_USER=~
+SYMFONY__ENV__FROM_EMAIL=
--- a/abra.sh
+++ b/abra.sh
@ -0,0 +1 @@
+export ENTRYPOINT_VERSION=v1
--- a/compose.yml
+++ b/compose.yml
@ -12,16 +12,15 @@ services:
      - SYMFONY__ENV__DATABASE_USER=wallabag
      # FIXME: use Docker secrets, see
      # https://github.com/wallabag/docker/issues/186
-      - SYMFONY__ENV__DATABASE_PASSWORD=$DB_PASSWORD
+      - SYMFONY__ENV__DATABASE_PASSWORD_FILE=/run/secrets/db_password
      - SYMFONY__ENV__DATABASE_CHARSET=utf8mb4
-      - SYMFONY__ENV__MAILER_HOST=127.0.0.1
-      - SYMFONY__ENV__MAILER_USER=~
-      - SYMFONY__ENV__MAILER_PASSWORD=~
-      - SYMFONY__ENV__FROM_EMAIL=${FROM_EMAIL}
+      - SYMFONY__ENV__MAILER_HOST
+      - SYMFONY__ENV__MAILER_USER
+      - SYMFONY__ENV__MAILER_PASSWORD=/run/secrets/smtp_password
+      - SYMFONY__ENV__FROM_EMAIL
      - SYMFONY__ENV__DOMAIN_NAME=https://${DOMAIN}
      - SYMFONY__ENV__FOSUSER_REGISTRATION
-    ports:
-      - "80"
+      - SYMFONY__ENV__SECRET_FILE=/run/secrets/app_secret
    volumes:
      - images:/var/www/wallabag/web/assets/images
    networks:
@ -30,6 +29,13 @@ services:
    secrets:
      - db_password
      #- admin_password
+      - app_secret
+      - smtp_password
+    entrypoint: /custom-entrypoint.sh
+    configs:
+      - source: entrypoint 
+        target: /custom-entrypoint.sh
+        mode: 0555
    deploy:
      restart_policy:
        condition: on-failure
@ -65,14 +71,28 @@ services:
 volumes:
  images:
  mariadb:
+
 networks:
  proxy:
    external: true
  internal:
+
 secrets:
  db_password:
    external: true
-    name: ${STACK_NAME}_db_password_${DB_PASSWORD_VERSION}
+    name: ${STACK_NAME}_db_password_${SECRET_DB_PASSWORD_VERSION}
  db_root_password:
    external: true
-    name: ${STACK_NAME}_db_root_password_${DB_ROOT_PASSWORD_VERSION}
+    name: ${STACK_NAME}_db_root_password_${SECRET_DB_ROOT_PASSWORD_VERSION}
+  app_secret:
+    external: true
+    name: ${STACK_NAME}_app_secret_${SECRET_APP_SECRET_VERSION}
+  smtp_password:
+    external: true
+    name: ${STACK_NAME}_smtp_password_${SECRET_SMTP_PASSWORD}
+
+configs:
+  entrypoint:
+    name: ${STACK_NAME}_entrypoint_${ENTRYPOINT_VERSION}
+    file: entrypoint.sh.tmpl
+    template_driver: golang
--- a/entrypoint.sh.tmpl
+++ b/entrypoint.sh.tmpl
@ -0,0 +1,32 @@
+#!/bin/bash
+
+set -eu
+
+file_env() {
+  local var="$1"
+  local fileVar="${var}_FILE"
+  local def="${2:-}"
+
+  if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then
+    echo >&2 "error: both $var and $fileVar are set (but are exclusive)"
+    exit 1
+  fi
+
+  local val="$def"
+
+  if [ "${!var:-}" ]; then
+    val="${!var}"
+  elif [ "${!fileVar:-}" ]; then
+    val="$(< "${!fileVar}")"
+  fi
+
+  export "$var"="$val"
+  unset "$fileVar"
+}
+
+file_env "SYMFONY__ENV__DATABASE_PASSWORD"
+file_env "SYMFONY__ENV__SECRET"
+
+# https://github.com/wallabag/docker/blob/master/root/entrypoint.sh
+sh -c "/entrypoint.sh migrate"
+sh -c "/entrypoint.sh wallabag"