move env.secrets into data/ subdir

single-dockerfile
Trammell Hudson 3 years ago
parent fcbc47b151
commit 8bab7bf77a
  1. 2
      grafana/docker-compose.yaml
  2. 6
      grafana/setup
  3. 2
      hedgedoc/docker-compose.yaml
  4. 7
      hedgedoc/setup
  5. 2
      keycloak/client-create
  6. 2
      keycloak/client-delete
  7. 2
      keycloak/docker-compose.yaml
  8. 7
      keycloak/setup
  9. 6
      mastodon/docker-compose.yaml
  10. 11
      mastodon/setup
  11. 2
      nextcloud/docker-compose.yaml
  12. 6
      nextcloud/setup

@ -23,4 +23,4 @@ services:
env_file: env_file:
- ../env.production - ../env.production
- env.production - env.production
- env.secrets - ../data/grafana/env.secrets

@ -7,8 +7,9 @@ source ../env.production || die "no top level env?"
source env.production || die "no local env?" source env.production || die "no local env?"
BASE="https://$KEYCLOAK_HOSTNAME/realms/$REALM/protocol/openid-connect" BASE="https://$KEYCLOAK_HOSTNAME/realms/$REALM/protocol/openid-connect"
SECRETS="../data/grafana/env.secrets"
if [ -r "env.secrets" ]; then if [ -r "$SECRETS" ]; then
docker-compose up -d || die "grafana: unable to start container" docker-compose up -d || die "grafana: unable to start container"
exit 0 exit 0
fi fi
@ -19,7 +20,8 @@ GRAFANA_CLIENT_SECRET="$(openssl rand -hex 32)"
GRAFANA_ADMIN_PASSWORD="$(openssl rand -hex 4)" GRAFANA_ADMIN_PASSWORD="$(openssl rand -hex 4)"
echo "Generating secrets: admin password $GRAFANA_ADMIN_PASSWORD" echo "Generating secrets: admin password $GRAFANA_ADMIN_PASSWORD"
cat <<EOF > env.secrets mkdir -p "$(dirname "$SECRETS")"
cat <<EOF > "$SECRETS"
# Do not check in! # Do not check in!
GF_SECURITY_ADMIN_PASSWORD=$GRAFANA_ADMIN_PASSWORD GF_SECURITY_ADMIN_PASSWORD=$GRAFANA_ADMIN_PASSWORD
GF_SERVER_ROOT_URL=https://$GRAFANA_HOSTNAME/ GF_SERVER_ROOT_URL=https://$GRAFANA_HOSTNAME/

@ -15,7 +15,7 @@ services:
env_file: env_file:
- ../env.production - ../env.production
- env.production - env.production
- env.secrets - ../data/hedgedoc/env.secrets
environment: environment:
- CMD_DB_URL=postgres://hedgedoc:password@database:5432/hedgedoc - CMD_DB_URL=postgres://hedgedoc:password@database:5432/hedgedoc
- CMD_PROTOCOL_USESSL=true - CMD_PROTOCOL_USESSL=true

@ -6,7 +6,9 @@ cd "$DIRNAME"
source ../env.production || die "no top levle env?" source ../env.production || die "no top levle env?"
source env.production || die "no local env?" source env.production || die "no local env?"
if [ -r "./env.secrets" ]; then SECRETS="../data/hedgedoc/env.secrets"
if [ -r "$SECRETS" ]; then
docker-compose up -d || die "hedgedoc: unable to start" docker-compose up -d || die "hedgedoc: unable to start"
exit 0 exit 0
fi fi
@ -17,7 +19,8 @@ docker-compose down 2>/dev/null
CLIENT_SECRET="$(openssl rand -hex 20)" CLIENT_SECRET="$(openssl rand -hex 20)"
SESSION_SECRET="$(openssl rand -hex 20)" SESSION_SECRET="$(openssl rand -hex 20)"
cat <<EOF > env.secrets mkdir -p "$(dirname "$SECRETS")"
cat <<EOF > "$SECRETS"
# DO NOT CHECK IN # DO NOT CHECK IN
CMD_OAUTH2_CLIENT_SECRET=$CLIENT_SECRET CMD_OAUTH2_CLIENT_SECRET=$CLIENT_SECRET
CMD_SESSION_SECRET=$SESSION_SECRET CMD_SESSION_SECRET=$SESSION_SECRET

@ -6,7 +6,7 @@ cd "$DIRNAME"
source ../env.production || die "no top levle env?" source ../env.production || die "no top levle env?"
source env.production || die "no local env?" source env.production || die "no local env?"
source env.secrets || die "no local secrets?" source "../data/keycloak/env.secrets" || die "no local secrets?"
sudo docker-compose exec -T keycloak \ sudo docker-compose exec -T keycloak \
/opt/keycloak/bin/kcadm.sh \ /opt/keycloak/bin/kcadm.sh \

@ -6,7 +6,7 @@ cd "$DIRNAME"
source ../env.production || die "no top levle env?" source ../env.production || die "no top levle env?"
source env.production || die "no local env?" source env.production || die "no local env?"
source env.secrets || die "no local secrets?" source "../data/keycloak/env.secrets" || die "no local secrets?"
# try to get the clients by name # try to get the clients by name
CLIENT_NAME="$1" CLIENT_NAME="$1"

@ -22,7 +22,7 @@ services:
env_file: env_file:
- ../env.production - ../env.production
- env.production - env.production
- env.secrets - ../data/keycloak/env.secrets
environment: environment:
DB_VENDOR: MYSQL DB_VENDOR: MYSQL
DB_ADDR: mysql DB_ADDR: mysql

@ -7,7 +7,9 @@ cd "$DIRNAME"
source ../env.production source ../env.production
source ./env.production source ./env.production
if [ -r "./env.secrets" ]; then SECRETS="../data/keycloak/env.secrets"
if [ -r "$SECRETS" ]; then
docker-compose up -d || die "keycloak: unable to start container" docker-compose up -d || die "keycloak: unable to start container"
exit 0 exit 0
fi fi
@ -17,7 +19,8 @@ docker-compose down 2>/dev/null
KEYCLOAK_ADMIN_PASSWORD="$(openssl rand -hex 8)" KEYCLOAK_ADMIN_PASSWORD="$(openssl rand -hex 8)"
echo "Keycloak admin password $KEYCLOAK_ADMIN_PASSWORD" echo "Keycloak admin password $KEYCLOAK_ADMIN_PASSWORD"
cat <<EOF > env.secrets mkdir -p "$(dirname "$SECRETS")"
cat <<EOF > "$SECRETS"
# DO NOT CHECK IN # DO NOT CHECK IN
KEYCLOAK_ADMIN_PASSWORD=$KEYCLOAK_ADMIN_PASSWORD KEYCLOAK_ADMIN_PASSWORD=$KEYCLOAK_ADMIN_PASSWORD
EOF EOF

@ -52,7 +52,7 @@ services:
env_file: env_file:
- ../env.production - ../env.production
- env.production - env.production
- env.secrets - ../data/mastodon/env.secrets
command: bash -c "rm -f /mastodon/tmp/pids/server.pid; bundle exec rails s -p 6001" command: bash -c "rm -f /mastodon/tmp/pids/server.pid; bundle exec rails s -p 6001"
networks: networks:
- external_network - external_network
@ -75,7 +75,7 @@ services:
env_file: env_file:
- ../env.production - ../env.production
- env.production - env.production
- env.secrets - ../data/mastodon/env.secrets
command: node ./streaming command: node ./streaming
networks: networks:
- external_network - external_network
@ -95,7 +95,7 @@ services:
env_file: env_file:
- ../env.production - ../env.production
- env.production - env.production
- env.secrets - ../data/mastodon/env.secrets
command: bundle exec sidekiq command: bundle exec sidekiq
depends_on: depends_on:
- database - database

@ -10,7 +10,9 @@ source ./env.production
mkdir -p ../data/mastodon/system mkdir -p ../data/mastodon/system
chmod 777 ../data/mastodon/system chmod 777 ../data/mastodon/system
if [ -r "./env.secrets" ]; then SECRETS="../data/mastodon/env.secrets"
if [ -r "$SECRETS" ]; then
docker-compose up -d || die "unable to restart mastodon" docker-compose up -d || die "unable to restart mastodon"
exit 0 exit 0
fi fi
@ -22,7 +24,8 @@ OIDC_CLIENT_SECRET="$(openssl rand -hex 32)"
# create the secrets file, # create the secrets file,
# along with some parameters that should be in the environment # along with some parameters that should be in the environment
cat <<EOF > env.secrets mkdir -p "$(dirname "$SECRETS")"
cat <<EOF > "$SECRETS"
# DO NOT CHECK IN # DO NOT CHECK IN
LOCAL_DOMAIN=$MASTODON_HOSTNAME LOCAL_DOMAIN=$MASTODON_HOSTNAME
OIDC_DISPLAY_NAME=$REALM OIDC_DISPLAY_NAME=$REALM
@ -36,7 +39,7 @@ EOF
info "mastodon: creating push keys" info "mastodon: creating push keys"
docker-compose run --rm mastodon \ docker-compose run --rm mastodon \
rails mastodon:webpush:generate_vapid_key \ rails mastodon:webpush:generate_vapid_key \
>> env.secrets \ >> "$SECRETS" \
|| die "unable to generate vapid key" || die "unable to generate vapid key"
info "mastodon: setting up database" info "mastodon: setting up database"
@ -44,7 +47,7 @@ docker-compose run --rm mastodon \
rails db:setup \ rails db:setup \
|| die "unable to login" || die "unable to login"
source ./env.secrets source "$SECRETS"
info "mastodon: creating keycloak interface" info "mastodon: creating keycloak interface"
../keycloak/client-delete mastodon ../keycloak/client-delete mastodon

@ -19,7 +19,7 @@ services:
env_file: env_file:
- ../env.production - ../env.production
- env.production - env.production
- env.secrets - ../data/nextcloud/env.secrets
environment: environment:
POSTGRES_HOST: database POSTGRES_HOST: database
POSTGRES_DB: nextcloud POSTGRES_DB: nextcloud

@ -6,7 +6,8 @@ cd "$DIRNAME"
source ../env.production || die "no top level env?" source ../env.production || die "no top level env?"
source env.production || die "no local env?" source env.production || die "no local env?"
if [ -r "./env.secrets" ]; then SECRETS="../data/nextcloud/env.secrets"
if [ -r "$SECRETS" ]; then
docker-compose up -d || die "nextcloud: unable to start" docker-compose up -d || die "nextcloud: unable to start"
exit 0 exit 0
fi fi
@ -17,7 +18,8 @@ NEXTCLOUD_CLIENT_SECRET="$(openssl rand -hex 32)"
NEXTCLOUD_ADMIN_PASSWORD="$(openssl rand -hex 6)" NEXTCLOUD_ADMIN_PASSWORD="$(openssl rand -hex 6)"
echo "Generating secrets: admin password $NEXTCLOUD_ADMIN_PASSWORD" echo "Generating secrets: admin password $NEXTCLOUD_ADMIN_PASSWORD"
cat <<EOF > env.secrets mkdir -p "$(dirname "$SECRETS")"
cat <<EOF > "$SECRETS"
# Do not check in! # Do not check in!
NEXTCLOUD_ADMIN_PASSWORD=$NEXTCLOUD_ADMIN_PASSWORD NEXTCLOUD_ADMIN_PASSWORD=$NEXTCLOUD_ADMIN_PASSWORD
NEXTCLOUD_TRUSTED_DOMAINS=$NEXTCLOUD_HOSTNAME NEXTCLOUD_TRUSTED_DOMAINS=$NEXTCLOUD_HOSTNAME

Loading…
Cancel
Save