diff --git a/docker-compose-dev.yml b/docker-compose-dev.yml index e971d974..3beb5685 100644 --- a/docker-compose-dev.yml +++ b/docker-compose-dev.yml @@ -21,22 +21,27 @@ services: # - TOKEN_EXPIRES_IN=365 # In days # related: https://github.com/knex/knex/issues/2354 - # As knex does not pass query parameters from the connection string we - # have to use environment variables in order to pass the desired values, e.g. + # As knex does not pass query parameters from the connection string, + # we have to use environment variables in order to pass the desired values, e.g. # - PGSSLMODE= # Configure knex to accept SSL certificates # - KNEX_REJECT_UNAUTHORIZED_SSL_CERTIFICATE=false - # - DEFAULT_LANGUAGE=en-US # Used for per-board notifications + # Used for per-board notifications + # - DEFAULT_LANGUAGE=en-US - # - DEFAULT_ADMIN_EMAIL=demo@demo.demo # Do not remove if you want to prevent this user from being edited/deleted + # Do not comment out DEFAULT_ADMIN_EMAIL if you want to prevent this user from being edited/deleted + # - DEFAULT_ADMIN_EMAIL=demo@demo.demo # - DEFAULT_ADMIN_PASSWORD=demo # - DEFAULT_ADMIN_NAME=Demo Demo # - DEFAULT_ADMIN_USERNAME=demo # - ACTIVE_USERS_LIMIT= - # - SHOW_DETAILED_AUTH_ERRORS=false # Set to true to show more detailed authentication error messages. It should not be enabled without a rate limiter for security reasons. + + # Set to true to show more detailed authentication error messages. + # It should not be enabled without a rate limiter for security reasons. + # - SHOW_DETAILED_AUTH_ERRORS=false # - S3_ENDPOINT= # - S3_REGION= diff --git a/docker-compose.yml b/docker-compose.yml index 038ee4f1..bd8f8e9c 100644 --- a/docker-compose.yml +++ b/docker-compose.yml 
@@ -12,7 +12,17 @@ services: environment: - BASE_URL=http://localhost:3000 - DATABASE_URL=postgresql://postgres@postgres/planka + + # Optionally store the database password in secrets: + # - DATABASE_URL=postgresql://postgres:$${DATABASE_PASSWORD}@postgres/planka + # - DATABASE_PASSWORD__FILE=/run/secrets/database_password + # And add the following to the service: + # secrets: + # - database_password + - SECRET_KEY=notsecretkey + # Optionally store in secrets - then SECRET_KEY should not be set + # - SECRET_KEY__FILE=/run/secrets/secret_key # - LOG_LEVEL=warn 
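Review bot: The new `DATABASE_URL` example with `$${DATABASE_PASSWORD}` does not say that the entrypoint splices the secret into the URL verbatim, so a password containing `@`, `:`, `/`, `#`, `%` or `?` has to be percent-encoded in the secret file already or the connection string is parsed differently. It would also help to state why the dollar sign is doubled: Compose interpolates `${...}` itself, and `$$` is what leaves the literal placeholder for `server/start.sh` to replace. Suggested comment above the example: `# $$ keeps the literal ${DATABASE_PASSWORD} for start.sh; the value is inserted as-is, so percent-encode URL-reserved characters in the secret file`.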
@@ -20,33 +30,44 @@ services: # - TOKEN_EXPIRES_IN=365 # In days # related: https://github.com/knex/knex/issues/2354 - # As knex does not pass query parameters from the connection string we - # have to use environment variables in order to pass the desired values, e.g. + # As knex does not pass query parameters from the connection string, + # we have to use environment variables in order to pass the desired values, e.g. # - PGSSLMODE= # Configure knex to accept SSL certificates # - KNEX_REJECT_UNAUTHORIZED_SSL_CERTIFICATE=false - # - DEFAULT_LANGUAGE=en-US # Used for per-board notifications + # Used for per-board notifications + # - DEFAULT_LANGUAGE=en-US - # - DEFAULT_ADMIN_EMAIL=demo@demo.demo # Do not remove if you want to prevent this user from being edited/deleted + # Do not comment out DEFAULT_ADMIN_EMAIL if you want to prevent this user from being edited/deleted + # - DEFAULT_ADMIN_EMAIL=demo@demo.demo # - DEFAULT_ADMIN_PASSWORD=demo + # Optionally store in secrets - then DEFAULT_ADMIN_PASSWORD should not be set + # - DEFAULT_ADMIN_PASSWORD__FILE=/run/secrets/default_admin_password # - DEFAULT_ADMIN_NAME=Demo Demo # - DEFAULT_ADMIN_USERNAME=demo # - ACTIVE_USERS_LIMIT= - # - SHOW_DETAILED_AUTH_ERRORS=false # Set to true to show more detailed authentication error messages. It should not be enabled without a rate limiter for security reasons. + + # Set to true to show more detailed authentication error messages. + # It should not be enabled without a rate limiter for security reasons. 
+ # - SHOW_DETAILED_AUTH_ERRORS=false # - S3_ENDPOINT= # - S3_REGION= # - S3_ACCESS_KEY_ID= # - S3_SECRET_ACCESS_KEY= + # Optionally store in secrets - then S3_SECRET_ACCESS_KEY should not be set + # - S3_SECRET_ACCESS_KEY__FILE=/run/secrets/s3_secret_access_key # - S3_BUCKET= # - S3_FORCE_PATH_STYLE=true # - OIDC_ISSUER= # - OIDC_CLIENT_ID= # - OIDC_CLIENT_SECRET= + # Optionally store in secrets - then OIDC_CLIENT_SECRET should not be set + # - OIDC_CLIENT_SECRET__FILE=/run/secrets/oidc_client_secret # - OIDC_ID_TOKEN_SIGNED_RESPONSE_ALG= # - OIDC_USERINFO_SIGNED_RESPONSE_ALG= # - OIDC_SCOPES=openid email profile @@ -69,6 +90,8 @@ services: # - SMTP_SECURE=true # - SMTP_USER= # - SMTP_PASSWORD= + # Optionally store in secrets - then SMTP_PASSWORD should not be set + # - SMTP_PASSWORD__FILE=/run/secrets/smtp_password # - SMTP_FROM="Demo Demo" # - SMTP_TLS_REJECT_UNAUTHORIZED=false diff --git a/server/.env.sample b/server/.env.sample index 6420a09d..8817bb76 100644 --- a/server/.env.sample +++ b/server/.env.sample 
@@ -13,22 +13,27 @@ SECRET_KEY=notsecretkey # TOKEN_EXPIRES_IN=365 # In days # related: https://github.com/knex/knex/issues/2354 -# As knex does not pass query parameters from the connection string we -# have to use environment variables in order to pass the desired values, e.g. +# As knex does not pass query parameters from the connection string, +# we have to use environment variables in order to pass the desired values, e.g. # PGSSLMODE= # Configure knex to accept SSL certificates # KNEX_REJECT_UNAUTHORIZED_SSL_CERTIFICATE=false -# DEFAULT_LANGUAGE=en-US # Used for per-board notifications +# Used for per-board notifications +# DEFAULT_LANGUAGE=en-US -# DEFAULT_ADMIN_EMAIL=demo@demo.demo # Do not remove if you want to prevent this user from being edited/deleted +# Do not comment out DEFAULT_ADMIN_EMAIL if you want to prevent this user from being edited/deleted +# DEFAULT_ADMIN_EMAIL=demo@demo.demo # DEFAULT_ADMIN_PASSWORD=demo # DEFAULT_ADMIN_NAME=Demo Demo # DEFAULT_ADMIN_USERNAME=demo # ACTIVE_USERS_LIMIT= -# SHOW_DETAILED_AUTH_ERRORS=false # Set to true to show more detailed authentication error messages. It should not be enabled without a rate limiter for security reasons. + +# Set to true to show more detailed authentication error messages. +# It should not be enabled without a rate limiter for security reasons. +# SHOW_DETAILED_AUTH_ERRORS=false # S3_ENDPOINT= # S3_REGION= diff --git a/server/start.sh b/server/start.sh index 440950cc..0f41de93 100755 --- a/server/start.sh +++ b/server/start.sh 
@@ -1,2 +1,49 @@
 #!/bin/bash
-export NODE_ENV=production && set -e && node db/init.js && node app.js --prod
+
+set -eu
+
+# Load secrets from files if *__FILE variables are provided.
+# Only the first line of each file is read (newline excluded).
+
+# DATABASE_PASSWORD (used to dynamically inject into DATABASE_URL)
+if [[ -n "${DATABASE_URL}" ]]; then
+ if [[ -z "${DATABASE_PASSWORD:-}" && -e "${DATABASE_PASSWORD__FILE:-}" ]]; then
+ read DATABASE_PASSWORD < "${DATABASE_PASSWORD__FILE}"
+ export DATABASE_URL="${DATABASE_URL/\$\{DATABASE_PASSWORD\}/${DATABASE_PASSWORD}}"
+ fi
+fi
+
+# SECRET_KEY
+if [[ -z "${SECRET_KEY:-}" && -e "${SECRET_KEY__FILE:-}" ]]; then
+ read SECRET_KEY < "${SECRET_KEY__FILE}"
+ export SECRET_KEY
+fi
+
+# DEFAULT_ADMIN_PASSWORD
+if [[ -z "${DEFAULT_ADMIN_PASSWORD:-}" && -e "${DEFAULT_ADMIN_PASSWORD__FILE:-}" ]]; then
+ read DEFAULT_ADMIN_PASSWORD < "${DEFAULT_ADMIN_PASSWORD__FILE}"
+ export DEFAULT_ADMIN_PASSWORD
+fi
+
+# S3_SECRET_ACCESS_KEY
+if [[ -z "${S3_SECRET_ACCESS_KEY:-}" && -e "${S3_SECRET_ACCESS_KEY__FILE:-}" ]]; then
+ read S3_SECRET_ACCESS_KEY < "${S3_SECRET_ACCESS_KEY__FILE}"
+ export S3_SECRET_ACCESS_KEY
+fi
+
+# OIDC_CLIENT_SECRET
+if [[ -z "${OIDC_CLIENT_SECRET:-}" && -e "${OIDC_CLIENT_SECRET__FILE:-}" ]]; then
+ read OIDC_CLIENT_SECRET < "${OIDC_CLIENT_SECRET__FILE}"
+ export OIDC_CLIENT_SECRET
+fi
+
+# SMTP_PASSWORD
+if [[ -z "${SMTP_PASSWORD:-}" && -e "${SMTP_PASSWORD__FILE:-}" ]]; then
+ read SMTP_PASSWORD < "${SMTP_PASSWORD__FILE}"
+ export SMTP_PASSWORD
+fi
+
+export NODE_ENV=production
+
+node db/init.js
+exec node app.js --prod
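Review bot: Each `read VAR < "${VAR__FILE}"` line in this hunk returns non-zero when the secret file has no trailing newline (common for secrets written with `printf` or by a secret store), and under the new `set -eu` that aborts the entrypoint even though the value was assigned; the reads also need `-r` so a backslash in a password survives and `IFS=` so surrounding whitespace is kept. The first guard, `if [[ -n "${DATABASE_URL}" ]]`, has no `:-` default, so with `set -u` an unset DATABASE_URL now stops the script instead of skipping the block as every other guard does. The substitution into DATABASE_URL only runs when the password was read from the file, so a DATABASE_PASSWORD supplied directly in the environment leaves the literal placeholder in the URL, and when both `X` and `X__FILE` are set the file is silently ignored, which lets a leftover `SECRET_KEY=notsecretkey` from the compose file win over the secret with no message. The six blocks are copies, so a small helper fixes all of them in one place; the replacement in the DATABASE_URL substitution is quoted because on bash 5.2 (patsub_replacement on by default) an unquoted `&` in the password would, as far as I can tell, expand to the matched placeholder. Note that the value is still spliced into the URL without percent-encoding, which the compose comment should state.
```shell
set -eu

# Resolve NAME from its NAME__FILE companion: when NAME is empty and NAME__FILE
# names a regular file, NAME is set to the file's first line (a missing trailing
# newline is tolerated, backslashes and surrounding whitespace are kept).
# A non-empty NAME always wins; a warning is printed so a leftover default such
# as SECRET_KEY=notsecretkey is not taken silently. The caller exports NAME.
load_secret() {
  local name="$1" file_var="${1}__FILE" file value
  file="${!file_var:-}"
  if [[ -n "${!name:-}" ]]; then
    if [[ -n "${file}" ]]; then
      echo "warning: ${name} is set, ignoring ${file_var}" >&2
    fi
    return 0
  fi
  [[ -n "${file}" && -f "${file}" ]] || return 0
  if ! IFS= read -r value < "${file}" && [[ -z "${value}" ]]; then
    echo "error: ${file_var} points to an empty file" >&2
    exit 1
  fi
  printf -v "${name}" '%s' "${value}"
}

# DATABASE_PASSWORD (used to dynamically inject into DATABASE_URL)
load_secret DATABASE_PASSWORD
if [[ -n "${DATABASE_URL:-}" && -n "${DATABASE_PASSWORD:-}" ]]; then
  # Quoted replacement: with patsub_replacement (bash 5.2) an unquoted '&'
  # in the password would expand to the matched placeholder.
  export DATABASE_URL="${DATABASE_URL/\$\{DATABASE_PASSWORD\}/"${DATABASE_PASSWORD}"}"
fi

for name in SECRET_KEY DEFAULT_ADMIN_PASSWORD S3_SECRET_ACCESS_KEY OIDC_CLIENT_SECRET SMTP_PASSWORD; do
  load_secret "${name}"
  export "${name}"
done

# … unchanged: NODE_ENV export, db/init.js, exec node app.js --prod …
```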