Update compose.yaml and add entrypoint.sh
This commit is contained in:
parent
86d5e90fd8
commit
f0f731548b
45
compose.yaml
45
compose.yaml
|
@ -1,15 +1,19 @@
|
|||
services:
|
||||
grist:
|
||||
image: gristlabs/grist:1.1.7
|
||||
image: gristlabs/grist:1.1.12
|
||||
networks:
|
||||
- proxy
|
||||
- internal
|
||||
environment:
|
||||
- GRIST_DATABASE_URL=postgresql://${STACK_NAME}_db:5432/grist
|
||||
- TYPEORM_DATABASE=grist
|
||||
- TYPEORM_TYPE=postgres
|
||||
- TYPEORM_USERNAME=grist
|
||||
- TYPEORM_PASSWORD_FILE=/run/secrets/db_password
|
||||
- TYPEORM_HOST=db
|
||||
- GRIST_REDIS_URL=redis://${STACK_NAME}_redis:6379
|
||||
- GRIST_DATA_DIR=/var/grist-data
|
||||
- GRIST_SUPPORT_ANON
|
||||
- GRIST_SESSION_SECRET
|
||||
- GRIST_SESSION_SECRET_FILE=/run/secrets/session_secret
|
||||
- GRIST_SANDBOX_FLAVOR
|
||||
- APP_HOME_URL=https://${DOMAIN}
|
||||
- APP_DOC_URL=https://${DOMAIN}
|
||||
|
@ -17,19 +21,24 @@ services:
|
|||
- GRIST_ORG_IN_PATH
|
||||
- COOKIE_MAX_AGE
|
||||
- GRIST_FORCE_LOGIN
|
||||
- GRIST_SAML_SP_HOST=https://${DOMAIN}
|
||||
- GRIST_SAML_SP_KEY=/keys/private.key
|
||||
- GRIST_SAML_SP_CERT=/keys/certificate.crt
|
||||
- GRIST_SAML_IDP_LOGIN
|
||||
- GRIST_SAML_IDP_LOGOUT
|
||||
- GRIST_SAML_IDP_SKIP_SLO
|
||||
- GRIST_SAML_IDP_CERTS=/keys/idp-cert.pem
|
||||
- GRIST_SAML_IDP_UNENCRYPTED
|
||||
- GRIST_HIDE_UI_ELEMENTS
|
||||
- GRIST_DEFAULT_EMAIL
|
||||
- GRIST_OIDC_SP_HOST
|
||||
- GRIST_OIDC_IDP_ISSUER
|
||||
- GRIST_OIDC_IDP_SCOPES
|
||||
- GRIST_OIDC_IDP_CLIENT_ID
|
||||
- GRIST_OIDC_IDP_CLIENT_SECRET_FILE=/run/secrets/oidc_idp_client_secret
|
||||
secrets:
|
||||
- db_password
|
||||
- session_secret
|
||||
- oidc_idp_client_secret
|
||||
volumes:
|
||||
- grist_keys:/keys
|
||||
- grist_data:/persist
|
||||
configs:
|
||||
- source: entrypoint
|
||||
target: /entrypoint.sh
|
||||
mode: 0555
|
||||
entrypoint: /entrypoint.sh
|
||||
depends_on:
|
||||
- db
|
||||
- redis
|
||||
|
@ -64,17 +73,25 @@ services:
|
|||
volumes:
|
||||
- 'redis_data:/data'
|
||||
|
||||
configs:
|
||||
entrypoint:
|
||||
file: entrypoint.sh
|
||||
|
||||
secrets:
|
||||
db_password:
|
||||
external: true
|
||||
name: ${STACK_NAME}_db_password
|
||||
session_secret:
|
||||
external: true
|
||||
name: ${STACK_NAME}_session_secret
|
||||
oidc_idp_client_secret:
|
||||
external: true
|
||||
name: ${STACK_NAME}_oidc_idp_client_secret
|
||||
|
||||
volumes:
|
||||
postgresql_data:
|
||||
redis_data:
|
||||
grist_data:
|
||||
grist_keys:
|
||||
|
||||
|
||||
networks:
|
||||
proxy:
|
||||
|
|
|
@ -0,0 +1,29 @@
|
|||
#!/bin/bash
|
||||
set -e
|
||||
|
||||
file_env() {
|
||||
local var="$1"
|
||||
local fileVar="${var}_FILE"
|
||||
|
||||
if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then
|
||||
echo >&2 "error: both $var and $fileVar are set (but are exclusive)"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
if [ "${!var:-}" ]; then
|
||||
export "$var"="${!var}"
|
||||
elif [ "${!fileVar:-}" ]; then
|
||||
export "$var"="$(< "${!fileVar}")"
|
||||
else
|
||||
echo >&2 "error: neither $var nor $fileVar is set"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
unset "$fileVar"
|
||||
}
|
||||
|
||||
file_env TYPEORM_PASSWORD
|
||||
file_env GRIST_SESSION_SECRET
|
||||
file_env GRIST_OIDC_IDP_CLIENT_SECRET
|
||||
|
||||
exec ./sandbox/run.sh $@
|
|
@ -1,41 +0,0 @@
|
|||
#!/bin/bash
|
||||
|
||||
# Stack name and volume name
|
||||
VOLUME_NAME="${STACK_NAME}_grist_keys"
|
||||
|
||||
# Temporary container name for key and certificate generation
|
||||
KEY_CERT_GEN_CONTAINER="temp-generate-key-cert"
|
||||
|
||||
# Temporary container name for cert writing
|
||||
CERT_WRITE_CONTAINER="temp-store-cert"
|
||||
|
||||
# Environment variable containing the X509 certificate
|
||||
X509_CERT_CONTENT="${GRIST_SAML_IDP_CERTS_STRING}"
|
||||
|
||||
# Check if the Docker volume exists
|
||||
if ! docker volume inspect $VOLUME_NAME > /dev/null 2>&1; then
|
||||
echo "Creating Docker volume: $VOLUME_NAME"
|
||||
docker volume create $VOLUME_NAME
|
||||
fi
|
||||
|
||||
# Run a temporary Alpine container to generate the key and certificate
|
||||
docker run --name $KEY_CERT_GEN_CONTAINER -v $VOLUME_NAME:/keys -it alpine sh -c "
|
||||
apk add openssl; \
|
||||
echo 'Generating RSA private key and self-signed certificate...'; \
|
||||
openssl req -x509 -nodes -sha256 -days 3650 -newkey rsa:2048 -keyout /keys/private.key -out /keys/certificate.crt; \
|
||||
echo 'RSA private key and self-signed certificate generated in the $VOLUME_NAME volume.'
|
||||
"
|
||||
docker rm -f $KEY_CERT_GEN_CONTAINER
|
||||
|
||||
|
||||
# Check if X509 certificate content is provided and not empty
|
||||
if [ -n "$X509_CERT_CONTENT" ]; then
|
||||
docker run --name $CERT_WRITE_CONTAINER -v $VOLUME_NAME:/keys -it alpine sh -c "
|
||||
echo 'Writing X509 certificate to PEM file...'; \
|
||||
echo '-----BEGIN CERTIFICATE-----' > /keys/idp-cert.pem; \
|
||||
echo \"$X509_CERT_CONTENT\" >> /keys/idp-cert.pem; \
|
||||
echo '-----END CERTIFICATE-----' >> /keys/idp-cert.pem;
|
||||
echo 'X509 certificate written to /keys/idp-cert.pem.'
|
||||
"
|
||||
docker rm -f $CERT_WRITE_CONTAINER
|
||||
fi
|
Loading…
Reference in New Issue