From f1513f7c3556114c5c1ef26b8197d7fe809784a2 Mon Sep 17 00:00:00 2001
From: Quentin Duchemin <quentinduchemin@tuta.io>
Date: Sun, 16 Aug 2020 20:03:53 +0200
Subject: [PATCH] [Lufi] Inject all secrets with environment variables
---
 pica-lufi/docker-compose.yml | 6 ++++--
 pica-lufi/entrypoint.sh | 25 +++++++++++++++++++++++-
 pica-lufi/lufi.conf | 10 +++++-----
 pica-lufi/secrets/lufi.secrets.example | 4 +---
 pica-lufi/secrets/lufidb.secrets.example | 3 +++
 5 files changed, 37 insertions(+), 11 deletions(-)
 create mode 100644 pica-lufi/secrets/lufidb.secrets.example
diff --git a/pica-lufi/docker-compose.yml b/pica-lufi/docker-compose.yml
index e63904ba..6f50d31c 100644
--- a/pica-lufi/docker-compose.yml
+++ b/pica-lufi/docker-compose.yml
@@ -28,13 +28,15 @@ services:
 traefik.frontend.rule: Host:drop.picasoft.net
 traefik.port: 8081
 traefik.enable: true
- env_file: ./secrets/lufi.secrets
+ env_file:
+ - ./secrets/lufi.secrets
+ - ./secrets/lufidb.secrets
 restart: unless-stopped
 lufidb:
 image: postgres:12
 container_name: lufidb
- env_file: ./secrets/lufi.secrets
+ env_file: ./secrets/lufidb.secrets
 volumes:
 - lufidb-data:/var/lib/postgresql/data
 networks:
diff --git a/pica-lufi/entrypoint.sh b/pica-lufi/entrypoint.sh
index 6242d64e..3a7149c6 100644
--- a/pica-lufi/entrypoint.sh
+++ b/pica-lufi/entrypoint.sh
@@ -1,5 +1,28 @@
 #!/bin/sh
+if [ -z "${EMAIL_PASSWORD}" ]; then
+ echo "EMAIL_PASSWORD not set, exiting!"
+ exit 1
+fi
+
+if [ -z "${POSTGRES_DB}" ]; then
+ echo "POSTGRES_DB not set, exiting!"
+ exit 1
+fi
+
+if [ -z "${POSTGRES_USER}" ]; then
+ echo "POSTGRES_USER not set, exiting!"
+ exit 1
+fi
+
+if [ -z "${POSTGRES_PASSWORD}" ]; then
+ echo "POSTGRES_PASSWORD not set, exiting!"
+ exit 1
+fi
+
+echo "Generate secret key for cookies..."
+key=`tr -dc 'a-zA-Z0-9' < /dev/urandom | fold -w 48 | head -n 1`
+
 echo "Create crontab for cleaning tasks..."
 # See https://framagit.org/fiat-tux/hat-softwares/lufi/-/wikis/cron-jobs
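Review bot: `key=\`tr -dc 'a-zA-Z0-9' < /dev/urandom | fold -w 48 | head -n 1\`` never checks that the generated value is non-empty, so if any command in that pipeline fails the script carries on and hands an empty cookie secret to Lufi on the `KEY_COOKIE=${key} $@ &` line of the next hunk. Guard it the same way the four environment checks above guard their variables, e.g. `[ -n "$key" ] || { echo "Failed to generate cookie secret, exiting!" >&2; exit 1; }`, and prefer `$(...)` over backticks for the same reason the rest of the script uses `${VAR}` quoting. The secret is also regenerated on every container start, which presumably invalidates any cookie signed under the previous value; a comment such as `# A fresh secret on each start: existing sessions are invalidated` would make that trade-off explicit, or the key could be persisted in a volume if that is unwanted. The four `not set, exiting!` messages go to stdout; sending them to stderr with `>&2` keeps them out of the application log stream.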
@@ -10,7 +33,7 @@ echo "0 0 * * * carton exec $APP_HOME/script/lufi cron cleanfiles --mode product
 echo "Start Lufi..."
-$@ &
+KEY_COOKIE=${key} $@ &
 echo "Start supercronic..."
 supercronic /crontab.conf
diff --git a/pica-lufi/lufi.conf b/pica-lufi/lufi.conf
index 2ac18b71..95b2492b 100644
--- a/pica-lufi/lufi.conf
+++ b/pica-lufi/lufi.conf
@@ -30,7 +30,7 @@
 # Array of random strings used to encrypt cookies
 # optional, default is ['fdjsofjoihrei'], PLEASE, CHANGE IT
- secrets => ['gizjvnkzahmpob'],
+ secrets => [$ENV{'KEY_COOKIE'}],
 # Name of the instance, displayed next to the logo
 # optional, default is Lufi
@@ -139,7 +139,7 @@ mail => {
 # Valid values are 'sendmail' and 'smtp'
 how => 'smtp',
- howargs => ['mail.picasoft.net:587', AuthUser => 'drop@picasoft.net', AuthPass => 'example']
+ howargs => ['mail.picasoft.net:587', AuthUser => 'drop@picasoft.net', AuthPass => $ENV{'EMAIL_PASSWORD'}]
 },
 # Email sender address
@@ -166,12 +166,12 @@
 # These are the credentials to access the PostgreSQL database
 # mandatory if you choosed postgresql as dbtype
 pgdb => {
- database => 'lufi',
+ database => $ENV{'POSTGRES_DB'},
 host => 'lufidb',
 # optional, default is 5432
 port => 5432,
- user => 'lufidb',
- pwd => 'passwd',
+ user => $ENV{'POSTGRES_USER'},
+ pwd => $ENV{'POSTGRES_PASSWORD'},
 # https://mojolicious.org/perldoc/Mojo/Pg#max_connections
 # optional, default is 1
 #max_connections => 1,
diff --git a/pica-lufi/secrets/lufi.secrets.example b/pica-lufi/secrets/lufi.secrets.example
index fd7dc90c..4616ce95 100644
--- a/pica-lufi/secrets/lufi.secrets.example
+++ b/pica-lufi/secrets/lufi.secrets.example
@@ -1,3 +1 @@
-POSTGRES_USER=lufidb
-POSTGRES_PASSWORD=passwd
-POSTGRES_DB=lufi
+EMAIL_PASSWORD=password
diff --git a/pica-lufi/secrets/lufidb.secrets.example b/pica-lufi/secrets/lufidb.secrets.example
new file mode 100644
index 00000000..fd7dc90c
--- /dev/null
+++ b/pica-lufi/secrets/lufidb.secrets.example
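Review bot: `KEY_COOKIE=${key} $@ &` leaves `$@` unquoted, so any argument of the container command that contains whitespace or glob characters is re-split and re-globbed before Lufi is started; it should read `KEY_COOKIE=${key} "$@" &`. The removed line had the same defect, but since the line is being rewritten anyway this is the moment to fix it. Note that this also puts the cookie secret into the environment of the Lufi process only, not of supercronic, which is the intended scope and worth a short comment on the line.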
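Review bot: `secrets => [$ENV{'KEY_COOKIE'}],` quietly becomes `[undef]` when the variable is absent, because nothing in this file checks it; the same applies to `AuthPass => $ENV{'EMAIL_PASSWORD'}` in the mail hunk and to the `database`, `user` and `pwd` entries in the pgdb hunk. The entrypoint does validate these variables, but if the config is ever loaded without going through that entrypoint the failure would surface later as an undefined-value warning or a failed login rather than at startup. A fail-fast guard at the point of use keeps the failure mode explicit, e.g. `secrets => [$ENV{'KEY_COOKIE'} // die "KEY_COOKIE is not set\n"],`, with the same form on the other five entries. A one-line comment such as `# Injected by entrypoint.sh; a fresh random value on every container start` above the secrets line would also tell the next reader where the value comes from and why it is not stable across restarts.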
@@ -0,0 +1,3 @@
+POSTGRES_USER=lufidb
+POSTGRES_PASSWORD=passwd
+POSTGRES_DB=lufi
--
GitLab