mirror of
https://github.com/plankanban/planka.git
synced 2025-07-18 20:59:44 +02:00
chore: Prettify env variables, add more secrets
parent
63c073e31e
commit
b8c62d2dcc
4 changed files with 79 additions and 34 deletions
|
@ -21,22 +21,27 @@ services:
|
|||
# - TOKEN_EXPIRES_IN=365 # In days
|
||||
|
||||
# related: https://github.com/knex/knex/issues/2354
|
||||
# As knex does not pass query parameters from the connection string we
|
||||
# have to use environment variables in order to pass the desired values, e.g.
|
||||
# As knex does not pass query parameters from the connection string,
|
||||
# we have to use environment variables in order to pass the desired values, e.g.
|
||||
# - PGSSLMODE=<value>
|
||||
|
||||
# Configure knex to accept SSL certificates
|
||||
# - KNEX_REJECT_UNAUTHORIZED_SSL_CERTIFICATE=false
|
||||
|
||||
# - DEFAULT_LANGUAGE=en-US # Used for per-board notifications
|
||||
# Used for per-board notifications
|
||||
# - DEFAULT_LANGUAGE=en-US
|
||||
|
||||
# - DEFAULT_ADMIN_EMAIL=demo@demo.demo # Do not remove if you want to prevent this user from being edited/deleted
|
||||
# Do not comment out DEFAULT_ADMIN_EMAIL if you want to prevent this user from being edited/deleted
|
||||
# - DEFAULT_ADMIN_EMAIL=demo@demo.demo
|
||||
# - DEFAULT_ADMIN_PASSWORD=demo
|
||||
# - DEFAULT_ADMIN_NAME=Demo Demo
|
||||
# - DEFAULT_ADMIN_USERNAME=demo
|
||||
|
||||
# - ACTIVE_USERS_LIMIT=
|
||||
# - SHOW_DETAILED_AUTH_ERRORS=false # Set to true to show more detailed authentication error messages. It should not be enabled without a rate limiter for security reasons.
|
||||
|
||||
# Set to true to show more detailed authentication error messages.
|
||||
# It should not be enabled without a rate limiter for security reasons.
|
||||
# - SHOW_DETAILED_AUTH_ERRORS=false
|
||||
|
||||
# - S3_ENDPOINT=
|
||||
# - S3_REGION=
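Review bot: The comment `# Configure knex to accept SSL certificates` above `KNEX_REJECT_UNAUTHORIZED_SSL_CERTIFICATE=false` does not say what the setting gives up. Judging by the variable name, `false` turns off verification of the database server's certificate, so the connection would be encrypted but the server would not be authenticated. Since these comments are being reworded anyway, I would spell that out, e.g. `# Set to false only for self-signed certificates on a trusted network: it disables verification of the database server certificate`. The same comment appears in the second compose file and in the env sample further down this page.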
|
||||
|
|
|
@ -12,15 +12,17 @@ services:
|
|||
environment:
|
||||
- BASE_URL=http://localhost:3000
|
||||
- DATABASE_URL=postgresql://postgres@postgres/planka
|
||||
|
||||
# Optionally store the database password in secrets:
|
||||
# - DATABASE_URL=postgresql://postgres:$${DATABASE_PASSWORD}@postgres/planka
|
||||
# - DATABASE_PASSWORD__FILE=/run/secrets/planka_database_password
|
||||
# ... and add the following to the service:
|
||||
# secrets:
|
||||
# - planka_database_password
|
||||
# - DATABASE_PASSWORD__FILE=/run/secrets/database_password
|
||||
# And add the following to the service:
|
||||
# secrets:
|
||||
# - database_password
|
||||
|
||||
- SECRET_KEY=notsecretkey
|
||||
# If not set, it is loaded from the file SECRET_KEY__FILE on start.
|
||||
# Optionally store in secrets - then SECRET_KEY should not be set
|
||||
# - SECRET_KEY__FILE=/run/secrets/secret_key
|
||||
|
||||
# - LOG_LEVEL=warn
|
||||
|
||||
|
@ -28,33 +30,44 @@ services:
|
|||
# - TOKEN_EXPIRES_IN=365 # In days
|
||||
|
||||
# related: https://github.com/knex/knex/issues/2354
|
||||
# As knex does not pass query parameters from the connection string we
|
||||
# have to use environment variables in order to pass the desired values, e.g.
|
||||
# As knex does not pass query parameters from the connection string,
|
||||
# we have to use environment variables in order to pass the desired values, e.g.
|
||||
# - PGSSLMODE=<value>
|
||||
|
||||
# Configure knex to accept SSL certificates
|
||||
# - KNEX_REJECT_UNAUTHORIZED_SSL_CERTIFICATE=false
|
||||
|
||||
# - DEFAULT_LANGUAGE=en-US # Used for per-board notifications
|
||||
# Used for per-board notifications
|
||||
# - DEFAULT_LANGUAGE=en-US
|
||||
|
||||
# - DEFAULT_ADMIN_EMAIL=demo@demo.demo # Do not remove if you want to prevent this user from being edited/deleted
|
||||
# Do not comment out DEFAULT_ADMIN_EMAIL if you want to prevent this user from being edited/deleted
|
||||
# - DEFAULT_ADMIN_EMAIL=demo@demo.demo
|
||||
# - DEFAULT_ADMIN_PASSWORD=demo
|
||||
# Optionally store in secrets - then DEFAULT_ADMIN_PASSWORD should not be set
|
||||
# - DEFAULT_ADMIN_PASSWORD__FILE=/run/secrets/default_admin_password
|
||||
# - DEFAULT_ADMIN_NAME=Demo Demo
|
||||
# - DEFAULT_ADMIN_USERNAME=demo
|
||||
|
||||
# - ACTIVE_USERS_LIMIT=
|
||||
# - SHOW_DETAILED_AUTH_ERRORS=false # Set to true to show more detailed authentication error messages. It should not be enabled without a rate limiter for security reasons.
|
||||
|
||||
# Set to true to show more detailed authentication error messages.
|
||||
# It should not be enabled without a rate limiter for security reasons.
|
||||
# - SHOW_DETAILED_AUTH_ERRORS=false
|
||||
|
||||
# - S3_ENDPOINT=
|
||||
# - S3_REGION=
|
||||
# - S3_ACCESS_KEY_ID=
|
||||
# - S3_SECRET_ACCESS_KEY=
|
||||
# Optionally store in secrets - then S3_SECRET_ACCESS_KEY should not be set
|
||||
# - S3_SECRET_ACCESS_KEY__FILE=/run/secrets/s3_secret_access_key
|
||||
# - S3_BUCKET=
|
||||
# - S3_FORCE_PATH_STYLE=true
|
||||
|
||||
# - OIDC_ISSUER=
|
||||
# - OIDC_CLIENT_ID=
|
||||
# - OIDC_CLIENT_SECRET=
|
||||
# Optionally store in secrets - then OIDC_CLIENT_SECRET should not be set
|
||||
# - OIDC_CLIENT_SECRET__FILE=/run/secrets/oidc_client_secret
|
||||
# - OIDC_ID_TOKEN_SIGNED_RESPONSE_ALG=
|
||||
# - OIDC_USERINFO_SIGNED_RESPONSE_ALG=
|
||||
# - OIDC_SCOPES=openid email profile
|
||||
|
@ -77,7 +90,8 @@ services:
|
|||
# - SMTP_SECURE=true
|
||||
# - SMTP_USER=
|
||||
# - SMTP_PASSWORD=
|
||||
# If not set, SMTP_PASSWORD is loaded from the file SMTP_PASSWORD__FILE on start.
|
||||
# Optionally store in secrets - then SMTP_PASSWORD should not be set
|
||||
# - SMTP_PASSWORD__FILE=/run/secrets/smtp_password
|
||||
# - SMTP_FROM="Demo Demo" <demo@demo.demo>
|
||||
# - SMTP_TLS_REJECT_UNAUTHORIZED=false
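Review bot: The compose file keeps `SECRET_KEY=notsecretkey` as the active value, and the comment `# Optionally store in secrets - then SECRET_KEY should not be set` does not say what happens when both are set. The start script changed in this commit reads `SECRET_KEY__FILE` only when `SECRET_KEY` is empty, so uncommenting the `__FILE` line without deleting the placeholder keeps the placeholder key in use with no warning. I would state the precedence explicitly, e.g. `# SECRET_KEY takes precedence: remove the line above, otherwise SECRET_KEY__FILE is ignored`, and use the same wording for the DEFAULT_ADMIN_PASSWORD, S3_SECRET_ACCESS_KEY, OIDC_CLIENT_SECRET and SMTP_PASSWORD entries. The `secrets:` example also depends on a top-level secrets definition that is not visible in these hunks.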
|
||||
|
||||
|
|
|
@ -13,22 +13,27 @@ SECRET_KEY=notsecretkey
|
|||
# TOKEN_EXPIRES_IN=365 # In days
|
||||
|
||||
# related: https://github.com/knex/knex/issues/2354
|
||||
# As knex does not pass query parameters from the connection string we
|
||||
# have to use environment variables in order to pass the desired values, e.g.
|
||||
# As knex does not pass query parameters from the connection string,
|
||||
# we have to use environment variables in order to pass the desired values, e.g.
|
||||
# PGSSLMODE=<value>
|
||||
|
||||
# Configure knex to accept SSL certificates
|
||||
# KNEX_REJECT_UNAUTHORIZED_SSL_CERTIFICATE=false
|
||||
|
||||
# DEFAULT_LANGUAGE=en-US # Used for per-board notifications
|
||||
# Used for per-board notifications
|
||||
# DEFAULT_LANGUAGE=en-US
|
||||
|
||||
# DEFAULT_ADMIN_EMAIL=demo@demo.demo # Do not remove if you want to prevent this user from being edited/deleted
|
||||
# Do not comment out DEFAULT_ADMIN_EMAIL if you want to prevent this user from being edited/deleted
|
||||
# DEFAULT_ADMIN_EMAIL=demo@demo.demo
|
||||
# DEFAULT_ADMIN_PASSWORD=demo
|
||||
# DEFAULT_ADMIN_NAME=Demo Demo
|
||||
# DEFAULT_ADMIN_USERNAME=demo
|
||||
|
||||
# ACTIVE_USERS_LIMIT=
|
||||
# SHOW_DETAILED_AUTH_ERRORS=false # Set to true to show more detailed authentication error messages. It should not be enabled without a rate limiter for security reasons.
|
||||
|
||||
# Set to true to show more detailed authentication error messages.
|
||||
# It should not be enabled without a rate limiter for security reasons.
|
||||
# SHOW_DETAILED_AUTH_ERRORS=false
|
||||
|
||||
# S3_ENDPOINT=
|
||||
# S3_REGION=
|
||||
|
|
|
@ -2,25 +2,46 @@
|
|||
|
||||
set -eu
|
||||
|
||||
# Load secrets from files if needed. Only the first line, not including the \n,
|
||||
# is loaded.
|
||||
# Load secrets from files if *__FILE variables are provided.
|
||||
# Only the first line of each file is read (newline excluded).
|
||||
|
||||
# DATABASE_PASSWORD (used to dynamically inject into DATABASE_URL)
|
||||
if [[ -n "${DATABASE_URL}" ]]; then
|
||||
if [[ -z "${DATABASE_PASSWORD:-}" && -e "${DATABASE_PASSWORD__FILE:-}" ]]; then
|
||||
read DATABASE_PASSWORD < "${DATABASE_PASSWORD__FILE}"
|
||||
export DATABASE_URL="${DATABASE_URL/\$\{DATABASE_PASSWORD\}/${DATABASE_PASSWORD}}"
|
||||
fi
|
||||
fi
|
||||
|
||||
# SECRET_KEY
|
||||
if [[ -z "${SECRET_KEY:-}" && -e "${SECRET_KEY__FILE:-}" ]]; then
|
||||
read SECRET_KEY <"${SECRET_KEY__FILE}"
|
||||
read SECRET_KEY < "${SECRET_KEY__FILE}"
|
||||
export SECRET_KEY
|
||||
fi
|
||||
|
||||
# DEFAULT_ADMIN_PASSWORD
|
||||
if [[ -z "${DEFAULT_ADMIN_PASSWORD:-}" && -e "${DEFAULT_ADMIN_PASSWORD__FILE:-}" ]]; then
|
||||
read DEFAULT_ADMIN_PASSWORD < "${DEFAULT_ADMIN_PASSWORD__FILE}"
|
||||
export DEFAULT_ADMIN_PASSWORD
|
||||
fi
|
||||
|
||||
# S3_SECRET_ACCESS_KEY
|
||||
if [[ -z "${S3_SECRET_ACCESS_KEY:-}" && -e "${S3_SECRET_ACCESS_KEY__FILE:-}" ]]; then
|
||||
read S3_SECRET_ACCESS_KEY < "${S3_SECRET_ACCESS_KEY__FILE}"
|
||||
export S3_SECRET_ACCESS_KEY
|
||||
fi
|
||||
|
||||
# OIDC_CLIENT_SECRET
|
||||
if [[ -z "${OIDC_CLIENT_SECRET:-}" && -e "${OIDC_CLIENT_SECRET__FILE:-}" ]]; then
|
||||
read OIDC_CLIENT_SECRET < "${OIDC_CLIENT_SECRET__FILE}"
|
||||
export OIDC_CLIENT_SECRET
|
||||
fi
|
||||
|
||||
# SMTP_PASSWORD
|
||||
if [[ -z "${SMTP_PASSWORD:-}" && -e "${SMTP_PASSWORD__FILE:-}" ]]; then
|
||||
read SMTP_PASSWORD <"${SMTP_PASSWORD__FILE}"
|
||||
read SMTP_PASSWORD < "${SMTP_PASSWORD__FILE}"
|
||||
export SMTP_PASSWORD
|
||||
fi
|
||||
if [[ -z "${DATABASE_PASSWORD:-}" && -e "${DATABASE_PASSWORD__FILE:-}" ]]; then
|
||||
read DATABASE_PASSWORD <"${DATABASE_PASSWORD__FILE}"
|
||||
# No need to export DATABASE_PASSWORD, it is only used below.
|
||||
fi
|
||||
# Replace the exact "${DATABASE_PASSWORD}" string in the DATABASE_URL
|
||||
# environment variable with the contents of DATABASE_PASSWORD.
|
||||
if [[ -n "${DATABASE_PASSWORD:-}" && -n "${DATABASE_URL}" ]]; then
|
||||
export DATABASE_URL="${DATABASE_URL/\$\{DATABASE_PASSWORD\}/${DATABASE_PASSWORD}}"
|
||||
fi
|
||||
|
||||
export NODE_ENV=production
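Review bot: Each `read VAR < "${VAR__FILE}"` in this script runs under `set -eu` without `-r` and without a guard for a missing final newline. `read` returns non-zero when it reaches end of file before a newline, so a secret file written without a trailing newline makes the entrypoint exit even though the value was read; without `-r` and with the default IFS, backslashes and leading or trailing whitespace in the secret are silently altered. I would write each load as `IFS= read -r SECRET_KEY < "${SECRET_KEY__FILE}" || [[ -n "${SECRET_KEY}" ]]`, and the same for the other five variables. Separately, the DATABASE_URL block appears to substitute the placeholder only inside the file-loading branch, so a DATABASE_PASSWORD passed directly in the environment would leave the literal `${DATABASE_PASSWORD}` in the URL; the value is also inserted without percent-encoding, which deserves a comment for passwords containing `@`, `/` or `:`.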
|
||||
|
||||
|
|