make oauth2 secret

2022-01-31 16:48:51 +01:00 · 2022-01-31 16:48:51 +01:00 · dae94c307c
parent c1c837678b
commit dae94c307c
5 changed files with 47 additions and 3 deletions
--- a/.env.sample
+++ b/.env.sample
@ -1,6 +1,6 @@
 TYPE=wekan
 LETS_ENCRYPT_ENV=production
-SECRET_SSO_SECRET_VERSION=v1
+SECRET_OAUTH2_SECRET_VERSION=v1

 MONGO_URL=mongodb://db:27017/wekan

@ -16,7 +16,7 @@ OAUTH2_SERVER_URL=https://sso.example.com
 OAUTH2_AUTH_ENDPOINT=/application/o/authorize/
 OAUTH2_USERINFO_ENDPOINT=/application/o/userinfo/
 OAUTH2_TOKEN_ENDPOINT=/application/o/token/
-OAUTH2_SECRET=secret
+# should be set in secret OAUTH2_SECRET=
 OAUTH2_REQUEST_PERMISSIONS="openid profile email wekan"
 OAUTH2_ID_MAP=preferred_username
 OAUTH2_USERNAME_MAP=preferred_username
--- a/README.md
+++ b/README.md
@ -1,6 +1,7 @@
 # Wekan

 The Open Source kanban (built with Meteor)
+[Github](https://github.com/wekan/wekan)

 <!-- metadata -->
 * **Category**: Apps
@ -23,5 +24,4 @@ The Open Source kanban (built with Meteor)
 See original [docker-compose.yml](https://github.com/wekan/wekan/blob/master/docker-compose.yml) for all possible env variables


-
 For more, see [`docs.coopcloud.tech`](https://docs.coopcloud.tech).
--- a/abra.sh
+++ b/abra.sh
@ -0,0 +1,2 @@
+export SECRET_OAUTH2_SECRET_VERSION=v1
+export ENTRYPOINT_VERSION=1
--- a/compose.yml
+++ b/compose.yml
@ -61,6 +61,10 @@ services:
      - source: healthcheck_js
        target: /build/healthcheck.js
        mode: 0555
+      - source: entrypoint
+        target: /home/wekan/app/docker-entrypoint.sh
+        mode: 0555
+    entrypoint: /home/wekan/app/docker-entrypoint.sh
    deploy:
      update_config:
        failure_action: rollback
@ -86,3 +90,12 @@ configs:
  healthcheck_js:
    name: ${STACK_NAME}_healthcheck_js
    file: healthcheck.js
+  entrypoint:
+    name: ${STACK_NAME}_entrypoint_${ENTRYPOINT_VERSION}
+    file: entrypoint.sh.tmpl
+    template_driver: golang
+
+secrets:
+  oauth2_secret:
+    name: ${STACK_NAME}_oauth2_secret_${SECRET_OAUTH2_SECRET_VERSION}
+    external: true
--- a/entrypoint.sh.tmpl
+++ b/entrypoint.sh.tmpl
@ -0,0 +1,29 @@
+#!/bin/bash
+
+set -eu
+
+file_env() {
+  local var="$1"
+  local fileVar="${var}_FILE"
+  local def="${2:-}"
+
+  if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then
+    echo >&2 "error: both $var and $fileVar are set (but are exclusive)"
+    exit 1
+  fi
+
+  local val="$def"
+
+  if [ "${!var:-}" ]; then
+    val="${!var}"
+  elif [ "${!fileVar:-}" ]; then
+    val="$(< "${!fileVar}")"
+  fi
+
+  export "$var"="$val"
+  unset "$fileVar"
+}
+
+file_env "OAUTH2_SECRET"
+
+node /build/main.js