Docker secrets are exposed as files in `/run/secrets/` inside the container instead of as environment variables. To support deployments where the passwords are stored in secrets, this patch adds support for loading the `SMTP_PASSWORD`, `SECRET_KEY` and the database password from files, using the `__FILE` suffix convention found in many docker images. The database password is part of the `DATABASE_URL` environment variable, if a password is used at all. To support injecting the password into the `DATABASE_URL` without having to use the whole URL as the secret, `start.sh` replaces the string `${DATABASE_PASSWORD}` in the `DATABASE_URL` environment variable with the contents of the `DATABASE_PASSWORD` variable, which can now also be loaded from the corresponding file passed in `DATABASE_PASSWORD__FILE`. These changes are backwards compatible since they only load the `__FILE` suffix version if the original variable is not set and the `__FILE` one is set. Added comments in docker-compose.yml with examples for discoverability of the feature. Tested this on top of 2.0.0-rc.2.
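services:
  planka:
    image: ghcr.io/plankanban/planka:2.0.0-rc.2
    restart: on-failure
    volumes:
      - favicons:/app/public/favicons
      - user-avatars:/app/public/user-avatars
      - background-images:/app/public/background-images
      - attachments:/app/private/attachments
    ports:
      # Quoted so the host:container mapping is always read as a string.
      - "3000:1337"
    environment:
      - BASE_URL=http://localhost:3000
      - DATABASE_URL=postgresql://postgres@postgres/planka
      # Optionally store the database password in secrets.
      # `$$` is the Compose escape for a literal `$`, so the container sees
      # `${DATABASE_PASSWORD}`, which start.sh substitutes from
      # DATABASE_PASSWORD (or the file named by DATABASE_PASSWORD__FILE):
      # - DATABASE_URL=postgresql://postgres:$${DATABASE_PASSWORD}@postgres/planka
      # - DATABASE_PASSWORD__FILE=/run/secrets/planka_database_password
      # ... and add the following to the service (the secret itself must
      # also be declared in a top-level `secrets:` block):
      # secrets:
      #   - planka_database_password

      # Placeholder only; replace with a long random value before deploying.
      - SECRET_KEY=notsecretkey
      # If not set, it is loaded from the file SECRET_KEY__FILE on start.

      # - LOG_LEVEL=warn

      # - TRUST_PROXY=true
      # - TOKEN_EXPIRES_IN=365 # In days

      # related: https://github.com/knex/knex/issues/2354
      # As knex does not pass query parameters from the connection string we
      # have to use environment variables in order to pass the desired values, e.g.
      # - PGSSLMODE=<value>

      # Configure knex to accept SSL certificates
      # - KNEX_REJECT_UNAUTHORIZED_SSL_CERTIFICATE=false

      # - DEFAULT_LANGUAGE=en-US # Used for per-board notifications

      # - DEFAULT_ADMIN_EMAIL=demo@demo.demo # Do not remove if you want to prevent this user from being edited/deleted
      # - DEFAULT_ADMIN_PASSWORD=demo
      # - DEFAULT_ADMIN_NAME=Demo Demo
      # - DEFAULT_ADMIN_USERNAME=demo

      # - ACTIVE_USERS_LIMIT=
      # - SHOW_DETAILED_AUTH_ERRORS=false # Set to true to show more detailed authentication error messages. It should not be enabled without a rate limiter for security reasons.

      # - S3_ENDPOINT=
      # - S3_REGION=
      # - S3_ACCESS_KEY_ID=
      # - S3_SECRET_ACCESS_KEY=
      # - S3_BUCKET=
      # - S3_FORCE_PATH_STYLE=true

      # - OIDC_ISSUER=
      # - OIDC_CLIENT_ID=
      # - OIDC_CLIENT_SECRET=
      # - OIDC_ID_TOKEN_SIGNED_RESPONSE_ALG=
      # - OIDC_USERINFO_SIGNED_RESPONSE_ALG=
      # - OIDC_SCOPES=openid email profile
      # - OIDC_RESPONSE_MODE=fragment
      # - OIDC_USE_DEFAULT_RESPONSE_MODE=true
      # - OIDC_ADMIN_ROLES=admin
      # - OIDC_CLAIMS_SOURCE=userinfo
      # - OIDC_EMAIL_ATTRIBUTE=email
      # - OIDC_NAME_ATTRIBUTE=name
      # - OIDC_USERNAME_ATTRIBUTE=preferred_username
      # - OIDC_ROLES_ATTRIBUTE=groups
      # - OIDC_IGNORE_USERNAME=true
      # - OIDC_IGNORE_ROLES=true
      # - OIDC_ENFORCED=true

      # Email Notifications (https://nodemailer.com/smtp/)
      # - SMTP_HOST=
      # - SMTP_PORT=587
      # - SMTP_NAME=
      # - SMTP_SECURE=true
      # - SMTP_USER=
      # - SMTP_PASSWORD=
      # If not set, SMTP_PASSWORD is loaded from the file SMTP_PASSWORD__FILE on start.
      # - SMTP_FROM="Demo Demo" <demo@demo.demo>
      # - SMTP_TLS_REJECT_UNAUTHORIZED=false

      # Optional fields: accessToken, events, excludedEvents
      # - |
      #   WEBHOOKS=[{
      #     "url": "http://localhost:3001",
      #     "accessToken": "notaccesstoken",
      #     "events": ["cardCreate", "cardUpdate", "cardDelete"],
      #     "excludedEvents": ["notificationCreate", "notificationUpdate"]
      #   }]
    depends_on:
      postgres:
        condition: service_healthy

  postgres:
    image: postgres:16-alpine
    restart: on-failure
    volumes:
      - db-data:/var/lib/postgresql/data
    environment:
      - POSTGRES_DB=planka
      # `trust` disables password authentication for this postgres service,
      # which is why the default DATABASE_URL above carries no password. If
      # you switch to the secrets-based DATABASE_PASSWORD example, replace
      # this with POSTGRES_PASSWORD (or POSTGRES_PASSWORD_FILE pointing at
      # the same secret) so the two sides agree.
      - POSTGRES_HOST_AUTH_METHOD=trust
    healthcheck:
      test: ["CMD-SHELL", "pg_isready -U postgres -d planka"]
      interval: 10s
      timeout: 5s
      retries: 5

volumes:
  favicons:
  user-avatars:
  background-images:
  attachments:
  db-data: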