From d31b5ba1154c8bb6ef6504ddef707da4975dbf59 Mon Sep 17 00:00:00 2001
From: kimbl
Date: Mon, 2 Sep 2024 18:10:44 +0200
Subject: [PATCH] Update env vars to use docker secrets
---
 compose.yml | 32 ++++++++++++++++++++++++--------
 1 file changed, 24 insertions(+), 8 deletions(-)
diff --git a/compose.yml b/compose.yml
index d48db59..62721c0 100644
--- a/compose.yml
+++ b/compose.yml
@@ -46,7 +46,7 @@ services:
 DEV_MODE: ${DEV_MODE:-}
 DOMAIN: ${DOMAIN}
 ENABLE_RECORDING: ${ENABLE_RECORDING:-false}
- SHARED_SECRET: ${SHARED_SECRET}
+ SHARED_SECRET: /run/secret/shared_secret
 WELCOME_MESSAGE: ${WELCOME_MESSAGE:-}
 WELCOME_FOOTER: ${WELCOME_FOOTER}
 STUN_SERVER: stun:${STUN_IP}:${STUN_PORT}
@@ -160,7 +160,7 @@ services:
 depends_on:
 - redis
 environment:
- ETHERPAD_API_KEY: ${ETHERPAD_API_KEY}
+ ETHERPAD_API_KEY: /run/secret/etherpad_api_key
 networks:
 bbb-net:
 ipv4_address: 10.7.7.4
@@ -172,7 +172,7 @@ services:
 - redis
 - etherpad
 environment:
- ETHERPAD_API_KEY: ${ETHERPAD_API_KEY}
+ ETHERPAD_API_KEY: /run/secret/etherpad_api_key
 networks:
 bbb-net:
 ipv4_address: 10.7.7.18
@@ -229,7 +229,7 @@ services:
 MCS_HOST: 0.0.0.0
 MCS_ADDRESS: 127.0.0.1
 ESL_IP: 10.7.7.1
- ESL_PASSWORD: ${FSESL_PASSWORD:-ClueCon}
+ ESL_PASSWORD: /run/secret/fsesl_password
 # TODO: add mediasoup IPv6
 # TODO: can listen to 0.0.0.0 for nat support? https://github.com/versatica/mediasoup/issues/487
@@ -261,7 +261,7 @@ services:
 - redis
 environment:
 DOMAIN: ${DOMAIN}
- SHARED_SECRET: ${SHARED_SECRET}
+ SHARED_SECRET: /run/secret/shared_secret
 volumes:
 - vol-freeswitch:/var/freeswitch/meetings
 networks:
@@ -337,8 +337,8 @@ services:
 BIGBLUEBUTTON_ENDPOINT: https://${DOMAIN}/bigbluebutton/api
- BIGBLUEBUTTON_SECRET: ${SHARED_SECRET}
- SECRET_KEY_BASE: ${RAILS_SECRET}
+ BIGBLUEBUTTON_SECRET: /run/secret/shared_secret # can this use docker secrets?
+ SECRET_KEY_BASE: /run/secret/rails_secret # can this use docker secrets?
 RELATIVE_URL_ROOT: /
 volumes:
 - ./greenlight-data:/usr/src/app/storage
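Review bot: `SHARED_SECRET: /run/secret/shared_secret` assigns the literal path string to the variable, not the contents of the secret, so unless the image's entrypoint reads that file the service runs with a fixed, publicly known value as its shared secret. Environment values are passed verbatim; only images that implement a `*_FILE` convention (as the postgres image does for `POSTGRES_PASSWORD_FILE`, used later in this patch) load the file, so each consumer needs such a variable or an entrypoint wrapper that exports the file's contents. The path is also spelled `/run/secret/`, while Docker mounts secrets under `/run/secrets/<name>`. The same applies to the `ETHERPAD_API_KEY`, `ESL_PASSWORD`, second `SHARED_SECRET`, `BIGBLUEBUTTON_SECRET` and `SECRET_KEY_BASE` lines in the following hunks.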
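Review bot: The trailing `# can this use docker secrets?` on both added lines of the `-337,8` hunk records an unanswered question instead of documenting behaviour, and it should be settled before this is merged. If the Greenlight image does not read a file for these settings, Rails would derive its session and cookie keys from the fixed string `/run/secret/rails_secret`. Once the loading mechanism is confirmed, replace the questions with a statement of fact, for example `# value is read from the mounted secret file by the entrypoint`.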
@@ -352,12 +352,12 @@ services:
 environment:
 POSTGRES_DB: greenlight-v3
 POSTGRES_USER: postgres
- POSTGRES_PASSWORD: ${POSTGRESQL_SECRET:-password}
 healthcheck:
 test: ["CMD-SHELL", "pg_isready -U postgres"]
 interval: 10s
 timeout: 5s
 retries: 5
+ POSTGRES_PASSWORD_FILE: /run/secret/postgresql_secret
 volumes:
 - ./postgres-data:/var/lib/postgresql/data
 networks:
@@ -370,6 +370,22 @@ volumes:
 vol-kurento:
 vol-mediasoup:
 html5-static:
+secrets:
+ shared_secret:
+ external: true
+ name: ${STACK_NAME}_shared_secret_${SHARED_SECRET_VERSION}
+ etherpad_api_key:
+ external: true
+ name: ${STACK_NAME}_etherpad_api_key_${ETHERPAD_API_KEY_VERSION}
+ rails_secret:
+ external: true
+ name: ${STACK_NAME}_rails_secret_${RAILS_SECRET_VERSION}
+ postgresql_secret:
+ external: true
+ name: ${STACK_NAME}_postgresql_secret_${POSTGRESQL_SECRET_VERSION}
+ fsesl_password:
+ external: true
+ name: ${STACK_NAME}_fsesl_password_${FSESL_PASSWORD_VERSION}
 networks:
 bbb-net:
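Review bot: `POSTGRES_PASSWORD_FILE` is added after `retries: 5`, below the `healthcheck:` keys, while the `POSTGRES_PASSWORD` line it replaces was removed from `environment:`. Indentation is not recoverable in this view, but in either reading the new key is not an environment entry, so Compose will reject the file or the container will start without any password setting. Move the line to where the old one was, directly under `POSTGRES_USER: postgres`, and point it at `/run/secrets/postgresql_secret`, which is where Docker mounts secrets. The service also needs a `secrets:` entry listing `postgresql_secret`; none is visible in this hunk.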
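Review bot: The top-level `secrets:` block only declares the five external secrets; a container sees a secret only when its own service lists it, e.g. `secrets:` followed by `- shared_secret`, and none of the service hunks in this patch adds such a list. The `name:` values interpolate `${STACK_NAME}` and the `${..._VERSION}` variables without defaults, so an unset variable silently produces a name such as `_shared_secret_` and a lookup failure at deploy time; `${SHARED_SECRET_VERSION:?SHARED_SECRET_VERSION must be set}` fails early with a clear message. A short comment above the block stating that these secrets must already exist (created with `docker secret create`) would save operators a failed first deploy.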