From a72001dea5e2e1502219c97dcddd0eb18752dda0 Mon Sep 17 00:00:00 2001
From: Evilham
Date: Tue, 10 Jan 2023 16:58:17 +0100
Subject: [PATCH] [docker] Cleanup environment files

By having the environment explicit on each service, we both document the settings and have more control over what each service is allowed to see. This avoids weird things like nginx having access to postgresql's credentials on its environment. As a bonus: we are able to use one single environment file, which is basically dd.conf with some values that are dynamically-calculated and added from dd-ctl.
---
 dd-apps/docker/postgresql/postgresql.yml | 15 ++++++-
 dd-apps/docker/wordpress/wordpress.yml | 1 +
 dd-ctl | 42 ++++++++++++-------
 dd-sso/docker-compose-parts/admin.yml | 4 +-
 dd-sso/docker-compose-parts/api.yml | 9 ++--
 .../docker-compose-parts/haproxy.no-ports.yml | 8 +++-
 dd-sso/docker-compose-parts/haproxy.proxy.yml | 8 +++-
 dd-sso/docker-compose-parts/haproxy.yml | 8 +++-
 dd-sso/docker-compose-parts/postgresql.yml | 38 -----------------
 .../docker-compose-parts/waf-modsecurity.yml | 4 +-
 dd.conf.sample | 3 +-
 11 files changed, 68 insertions(+), 72 deletions(-)
 delete mode 100644 dd-sso/docker-compose-parts/postgresql.yml

diff --git a/dd-apps/docker/postgresql/postgresql.yml b/dd-apps/docker/postgresql/postgresql.yml
index 1c510b7..5bca788 100644
--- a/dd-apps/docker/postgresql/postgresql.yml
+++ b/dd-apps/docker/postgresql/postgresql.yml
@@ -23,10 +23,23 @@ services: image: ${POSTGRESQL_IMG-postgres:13.5-alpine3.15} container_name: dd-apps-postgresql restart: unless-stopped - env_file: .env environment: + # Postgres - POSTGRES_PASSWORD=${POSTGRES_PASSWORD} - POSTGRES_USER=${POSTGRES_USER} + # Etherpad + - ETHERPAD_POSTGRES_USER=${ETHERPAD_POSTGRES_USER:-etherpard} + - ETHERPAD_POSTGRES_PASSWORD=${ETHERPAD_POSTGRES_PASSWORD} + # Keycloak + - KEYCLOAK_DB_DATABASE=${KEYCLOAK_DB_DATABASE:-keycloak} + - KEYCLOAK_DB_USER=${KEYCLOAK_DB_USER:-keycloak} + - KEYCLOAK_DB_PASSWORD=${KEYCLOAK_DB_PASSWORD} + # Moodle + - MOODLE_POSTGRES_USER=${MOODLE_POSTGRES_USER:-moodle} + - MOODLE_POSTGRES_PASSWORD=${MOODLE_POSTGRES_PASSWORD} + # Nextcloud + - NEXTCLOUD_POSTGRES_USER=${NEXTCLOUD_POSTGRES_USER:-nextcloud} + - NEXTCLOUD_POSTGRES_PASSWORD=${NEXTCLOUD_POSTGRES_PASSWORD} volumes: - /etc/localtime:/etc/localtime:ro - ${DB_FOLDER}/postgres:/var/lib/postgresql/data diff --git a/dd-apps/docker/wordpress/wordpress.yml b/dd-apps/docker/wordpress/wordpress.yml index b6a88a0..12acad3 100644 --- a/dd-apps/docker/wordpress/wordpress.yml +++ b/dd-apps/docker/wordpress/wordpress.yml @@ -36,6 +36,7 @@ services: volumes: *wordpress-volumes environment: + DOMAIN: ${DOMAIN} WORDPRESS_DB_HOST: dd-apps-mariadb WORDPRESS_DB_NAME: "wordpress" WORDPRESS_DB_USER: ${WORDPRESS_MARIADB_USER} diff --git a/dd-ctl b/dd-ctl index d37f512..8aa12c7 100755 --- a/dd-ctl +++ b/dd-ctl @@ -112,9 +112,11 @@ fi REPO_BRANCH="${1:-main}" -cp dd.conf .env CUSTOM_PATH=$(pwd) -. ./.env +if [ -f dd.conf ]; then + cp dd.conf .env + . ./.env +fi prerequisites_docker(){ # Remove uncompatible docker packages 
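Review bot: The secrets in the new environment block have no default and no guard, so when one of them is missing from dd.conf compose substitutes an empty string and the database roles created from `ETHERPAD_POSTGRES_PASSWORD`, `KEYCLOAK_DB_PASSWORD`, `MOODLE_POSTGRES_PASSWORD` and `NEXTCLOUD_POSTGRES_PASSWORD` (presumably by the init scripts mounted from `BUILD_APPS_ROOT_PATH`, outside this hunk) would get an empty password instead of the build failing. Compose's required form fails at build time, e.g. `- KEYCLOAK_DB_PASSWORD=${KEYCLOAK_DB_PASSWORD:?KEYCLOAK_DB_PASSWORD must be set in dd.conf}`, and the same applies to `POSTGRES_PASSWORD` here and to `KEYCLOAK_USER`/`KEYCLOAK_PASSWORD` added to the api service in dd-sso/docker-compose-parts/api.yml later in this patch. The default `etherpard` in `ETHERPAD_POSTGRES_USER=${ETHERPAD_POSTGRES_USER:-etherpard}` reads like a typo for `etherpad`; if the etherpad service or the init scripts default to the other spelling the role names will not match, so it is worth confirming which one is intended. The services block continues outside the hunk.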
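Review bot: When dd.conf is absent the new `if [ -f dd.conf ]` guard lets the script carry on with whatever `.env` is left over from a previous run (or with none), and the later `setconf ... .env` calls and `docker-compose --env-file` then operate on stale or empty settings; an `else echo "dd.conf not found in $(pwd)" >&2; exit 1` branch would fail loudly instead. Since `.env` is now the single file that holds every credential, the copy should also not inherit whatever mode dd.conf happens to have: `cp dd.conf .env && chmod 600 .env`. A short comment above the block, `# dd.conf is copied to .env, sourced here and fed to docker-compose via --env-file`, would document the new role of the file. The surrounding top-level statements continue outside the hunk.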
@@ -180,9 +182,18 @@ build_compose(){ setconf DD_BUILD "${DD_BUILD}" .env setconf CUSTOM_PATH "$CUSTOM_PATH" .env + setconf BUILD_APPS_ROOT_PATH "$CUSTOM_PATH/dd-apps" .env setconf BUILD_SSO_ROOT_PATH "$CUSTOM_PATH/dd-sso" .env + # SMTP (needed for e.g. Nextcloud's more granular settings) + SMTP_LOCAL_PART="$(echo "${SMTP_USER:-}" | cut -d '@' -f 1)" + export SMTP_LOCAL_PART + SMTP_DOMAIN="$(echo "${SMTP_USER:-}" | cut -d '@' -f 2)" + export SMTP_DOMAIN + setconf SMTP_LOCAL_PART "${SMTP_LOCAL_PART}" .env + setconf SMTP_DOMAIN "${SMTP_DOMAIN}" .env + # Choose HAProxy configuration flavour if [ "${PROXY_PROTOCOL:-false}" = "true" ]; then HAPROXY_YML="haproxy.proxy.yml" @@ -207,7 +218,7 @@ build_compose(){ setconf HAPROXY_CFG "${HAPROXY_CFG}" setconf HAPROXY_CFG "${HAPROXY_CFG}" .env - # Enable or disable ClamAV + # Enable or disable ClamAV's container if [ "${DISABLE_CLAMAV:-true}" = "true" ]; then # Current default (might change) CLAMAV_YML="clamav.disabled.yml" @@ -215,18 +226,16 @@ build_compose(){ CLAMAV_YML="clamav.yml" fi - ## Prepare apps environment - ln -sf "${CUSTOM_PATH}/.env" dd-apps/.env - ln -sf "${CUSTOM_PATH}/.env" dd-apps/docker/postgresql && \ - ln -sf "${CUSTOM_PATH}/.env" dd-apps/docker/mariadb && \ - ln -sf "${CUSTOM_PATH}/.env" dd-apps/docker/moodle && \ - ln -sf "${CUSTOM_PATH}/.env" dd-apps/docker/nextcloud && \ - ln -sf "${CUSTOM_PATH}/.env" dd-apps/docker/wordpress && \ - ln -sf "${CUSTOM_PATH}/.env" dd-apps/docker/etherpad - - ## Prepare sso environment - ln -sf "${CUSTOM_PATH}/.env" dd-sso/.env - ln -sf "${CUSTOM_PATH}/.env" dd-sso/docker-compose-parts/.env + # Clean up redundant .env files + for f in dd-apps \ + dd-apps/docker/postgresql dd-apps/docker/mariadb \ + dd-apps/docker/moodle dd-apps/docker/nextcloud \ + dd-apps/docker/wordpress dd-apps/docker/etherpad \ + dd-sso dd-sso/docker-compose-parts; do + if [ -f "${f}/.env" ]; then + rm "${f}/.env" + fi + done # Clean up older custom data rm -rf custom/system/keycloak-themes 
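Review bot: `SMTP_DOMAIN` is wrong when `SMTP_USER` contains no `@`: `cut -d '@' -f 2` prints the whole input line when the delimiter is absent, so both SMTP_LOCAL_PART and SMTP_DOMAIN end up equal to the full user name and are written to `.env` that way. Adding `-s` makes cut print nothing for such lines: `SMTP_DOMAIN="$(echo "${SMTP_USER:-}" | cut -s -d '@' -f 2)"`. A user name containing more than one `@` is split at the first one; a comment such as `# SMTP_USER is expected to be a single user@domain address` would record that assumption. build_compose continues outside the hunk.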
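Review bot: The clean-up loop deletes `${f}/.env` whenever `-f` is true, but the code it replaces only ever created symlinks in those directories, so a real `.env` an operator placed there by hand is silently destroyed, while a dangling symlink (for which `-f` is false) is left behind. Testing for what this script created, `if [ -L "${f}/.env" ]; then`, removes the old symlinks in both states and leaves foreign files alone; a regular file found there is better reported on stderr than removed. The loop should also be commented with why the files are redundant, e.g. `# Earlier versions symlinked .env into each compose directory; compose now gets it via --env-file`. build_compose continues outside the hunk.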
@@ -234,12 +243,13 @@ build_compose(){ # Build compose ymls docker-compose \ + --env-file "${CUSTOM_PATH}/.env" \ + \ -f "dd-sso/docker-compose-parts/$WAF_YML" \ -f "dd-sso/docker-compose-parts/$HAPROXY_YML"\ -f dd-sso/docker-compose-parts/api.yml \ -f dd-sso/docker-compose-parts/keycloak.yml \ -f dd-sso/docker-compose-parts/avatars.yml \ - -f dd-apps/docker/postgresql/postgresql.yml \ -f dd-sso/docker-compose-parts/admin.yml \ \ -f dd-apps/docker/moodle/moodle.yml \ diff --git a/dd-sso/docker-compose-parts/admin.yml b/dd-sso/docker-compose-parts/admin.yml index 054baf9..2dd9b24 100644 --- a/dd-sso/docker-compose-parts/admin.yml +++ b/dd-sso/docker-compose-parts/admin.yml @@ -39,8 +39,6 @@ services: - ${DATA_FOLDER}/legal:/admin/admin/static/templates/pages/legal:rw - ${DATA_FOLDER}/dd-admin:/data:rw - ${DATA_FOLDER}/nc-mail-queue:/nc-mail-queue:rw - env_file: - - .env environment: - VERIFY="false" # In development do not verify certificates - DOMAIN=${DOMAIN} @@ -53,3 +51,5 @@ services: - AVATARS_SERVER_HOST=dd-sso-avatars:9000 - AVATARS_ACCESS_KEY=${AVATARS_ACCESS_KEY:-AKIAIOSFODNN7EXAMPLE} - AVATARS_SECRET_KEY=${AVATARS_SECRET_KEY:-wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY} + # TODO: Check missing env vars and pass them on the environment + env_file: ${CUSTOM_PATH}/.env diff --git a/dd-sso/docker-compose-parts/api.yml b/dd-sso/docker-compose-parts/api.yml index 94e968e..42a6925 100644 --- a/dd-sso/docker-compose-parts/api.yml +++ b/dd-sso/docker-compose-parts/api.yml @@ -28,6 +28,10 @@ services: DOMAIN: $DOMAIN NGINX_ALPINE_IMG: ${NGINX_ALPINE_IMG-nginx:1.21.6-alpine} container_name: dd-sso-api + environment: + DOMAIN: ${DOMAIN} + KEYCLOAK_USER: ${KEYCLOAK_USER} + KEYCLOAK_PASSWORD: ${KEYCLOAK_PASSWORD} volumes: - /etc/localtime:/etc/localtime:ro - ${CUSTOM_PATH}/custom/menu:/api/menu @@ -37,8 +41,3 @@ services: restart: unless-stopped networks: - dd_net - # ports: - # - published: 7039 - # target: 7039 - env_file: - - .env 
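Review bot: `--env-file "${CUSTOM_PATH}/.env"` only supplies the values docker-compose substitutes into the `${...}` references of the listed files and puts nothing into the containers, which is what the commit intends but not what a reader of this invocation will assume, so a comment on the new line is warranted: `# .env feeds compose interpolation only; each service lists what it passes to its container`. The flag is not accepted by older docker-compose 1.x releases (it arrived in 1.25, if I recall correctly), so prerequisites_docker, outside this hunk, should verify a recent enough version or the build will fail with an unhelpful usage error. `-f dd-apps/docker/postgresql/postgresql.yml` is dropped here while dd-sso/docker-compose-parts/postgresql.yml is deleted in this same patch; presumably the dd-apps file is still listed among the dd-apps entries further down, which lie outside the hunk, and that is worth confirming since otherwise no postgresql service is built at all. The docker-compose command continues outside the hunk.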
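Review bot: `env_file: ${CUSTOM_PATH}/.env` hands the admin container the entire merged configuration, including `POSTGRES_PASSWORD` and every per-app database password that the postgresql service now receives explicitly, which is exactly the exposure the commit message sets out to remove, and a reader of this file cannot tell which of those values admin actually uses. The TODO already records the intent; until it is resolved the comment should state the consequence and the precondition, e.g. `# admin still depends on variables not listed above; this exposes ALL of .env (incl. DB passwords) to the container, keep .env mode 600`. `env_file` is written as a bare string here whereas the removed form and the other compose parts used a list; both are accepted, but one style per project is easier to grep. The admin service definition starts outside the hunk.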
diff --git a/dd-sso/docker-compose-parts/haproxy.no-ports.yml b/dd-sso/docker-compose-parts/haproxy.no-ports.yml index 2ef11c9..b6a7dc0 100644 --- a/dd-sso/docker-compose-parts/haproxy.no-ports.yml +++ b/dd-sso/docker-compose-parts/haproxy.no-ports.yml @@ -28,6 +28,12 @@ services: dockerfile: Dockerfile target: production container_name: dd-sso-haproxy + environment: + DOMAIN: ${DOMAIN} + HAPROXY_CFG: ${HAPROXY_CFG:-haproxy.no-waf.no-haproxy.cfg} + LETSENCRYPT_DOMAIN: ${LETSENCRYPT_DOMAIN} + LETSENCRYPT_DOMAIN_ROOT: ${LETSENCRYPT_DOMAIN_ROOT} + LETSENCRYPT_EMAIL: ${LETSENCRYPT_EMAIL} restart: unless-stopped volumes: - /etc/localtime:/etc/localtime:ro @@ -35,8 +41,6 @@ services: - ${SRC_FOLDER}/haproxy/certs:/certs:rw networks: - dd_net - env_file: - - .env logging: driver: "json-file" options: diff --git a/dd-sso/docker-compose-parts/haproxy.proxy.yml b/dd-sso/docker-compose-parts/haproxy.proxy.yml index d5830c5..3597131 100644 --- a/dd-sso/docker-compose-parts/haproxy.proxy.yml +++ b/dd-sso/docker-compose-parts/haproxy.proxy.yml @@ -28,6 +28,12 @@ services: dockerfile: Dockerfile target: production container_name: dd-sso-haproxy + environment: + DOMAIN: ${DOMAIN} + HAPROXY_CFG: ${HAPROXY_CFG:-haproxy.no-waf.no-haproxy.cfg} + LETSENCRYPT_DOMAIN: ${LETSENCRYPT_DOMAIN} + LETSENCRYPT_DOMAIN_ROOT: ${LETSENCRYPT_DOMAIN_ROOT} + LETSENCRYPT_EMAIL: ${LETSENCRYPT_EMAIL} restart: unless-stopped volumes: - /etc/localtime:/etc/localtime:ro @@ -45,8 +51,6 @@ services: target: 8888 - published: 591 target: 591 - env_file: - - .env logging: driver: "json-file" options: diff --git a/dd-sso/docker-compose-parts/haproxy.yml b/dd-sso/docker-compose-parts/haproxy.yml index c373259..2e1be97 100644 --- a/dd-sso/docker-compose-parts/haproxy.yml +++ b/dd-sso/docker-compose-parts/haproxy.yml 
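Review bot: `HAPROXY_CFG: ${HAPROXY_CFG:-haproxy.no-waf.no-haproxy.cfg}` gives the proxy a fallback configuration even though dd-ctl selects HAPROXY_CFG and writes it with `setconf HAPROXY_CFG "${HAPROXY_CFG}" .env`; a fallback here masks a skipped or failed build_compose and starts the proxy with a no-WAF configuration, so `HAPROXY_CFG: ${HAPROXY_CFG:?HAPROXY_CFG is set by dd-ctl build_compose}` is the safer form. The identical block is repeated verbatim in haproxy.proxy.yml (same line) and in haproxy.yml on the next line, so the change applies to all three. A one-line comment above the block, `# Only what the haproxy entrypoint reads; full .env is deliberately not passed`, would tie the list to the commit's intent for the next person who is tempted to add env_file back. The haproxy service definition starts outside the hunk.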
@@ -28,6 +28,12 @@ services: dockerfile: Dockerfile target: production container_name: dd-sso-haproxy + environment: + DOMAIN: ${DOMAIN} + HAPROXY_CFG: ${HAPROXY_CFG:-haproxy.no-waf.no-haproxy.cfg} + LETSENCRYPT_DOMAIN: ${LETSENCRYPT_DOMAIN} + LETSENCRYPT_DOMAIN_ROOT: ${LETSENCRYPT_DOMAIN_ROOT} + LETSENCRYPT_EMAIL: ${LETSENCRYPT_EMAIL} restart: unless-stopped volumes: - /etc/localtime:/etc/localtime:ro @@ -40,8 +46,6 @@ services: target: 80 - published: 443 target: 443 - env_file: - - .env logging: driver: "json-file" options: diff --git a/dd-sso/docker-compose-parts/postgresql.yml b/dd-sso/docker-compose-parts/postgresql.yml deleted file mode 100644 index 60f9585..0000000 --- a/dd-sso/docker-compose-parts/postgresql.yml +++ /dev/null @@ -1,38 +0,0 @@ -# -# Copyright © 2021,2022 IsardVDI S.L. -# -# This file is part of DD -# -# DD is free software: you can redistribute it and/or modify -# it under the terms of the GNU Affero General Public License as published by -# the Free Software Foundation, either version 3 of the License, or (at your -# option) any later version. -# -# DD is distributed in the hope that it will be useful, but WITHOUT ANY -# WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS -# FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more -# details. -# -# You should have received a copy of the GNU Affero General Public License -# along with DD. If not, see . -# -# SPDX-License-Identifier: AGPL-3.0-or-later -version: '3.7' -services: - dd-sso-postgresql: - image: ${POSTGRESQL_IMG-postgres:13.5-alpine3.15} - container_name: dd-sso-postgresql - restart: unless-stopped - env_file: - - .env - volumes: - - /etc/localtime:/etc/localtime:ro - - ${DB_FOLDER}/postgres:/var/lib/postgresql/data - - ${BUILD_SSO_ROOT_PATH}/init/databases:/docker-entrypoint-initdb.d - networks: - - dd_net - logging: - driver: "json-file" - options: - max-size: "5m" - max-file: "10" 
diff --git a/dd-sso/docker-compose-parts/waf-modsecurity.yml b/dd-sso/docker-compose-parts/waf-modsecurity.yml index 1817fb8..31295aa 100644 --- a/dd-sso/docker-compose-parts/waf-modsecurity.yml +++ b/dd-sso/docker-compose-parts/waf-modsecurity.yml @@ -7,8 +7,8 @@ services: dockerfile: Dockerfile target: production container_name: dd-waf-apache - env_file: - - .env + environment: + DISABLE_WAF: ${DISABLE_WAF:-true} restart: unless-stopped volumes: - /etc/localtime:/etc/localtime:ro diff --git a/dd.conf.sample b/dd.conf.sample index 407b43e..18b6159 100644 --- a/dd.conf.sample +++ b/dd.conf.sample @@ -187,8 +187,7 @@ POSTGRESQL_IMG=postgres:14.1-alpine3.15 #MARIADB_IMG=mariadb:10.6.5 ## NGINX -#NGINX_IMG=nginx:1.21.6 -#NGINX_ALPINE_IMG=nginx:1.21.6-alpine +#NGINX_ALPINE_IMG=nginx:1.22.1-alpine ## REDIS #REDIS_IMG=redis:6.2.6-alpine3.15
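Review bot: `DISABLE_WAF: ${DISABLE_WAF:-true}` makes the ModSecurity container fail open: if the variable is missing or misspelled in dd.conf the WAF is silently disabled, which is the opposite of what a reader expects from a file named waf-modsecurity.yml. If the default is deliberate (the dd-ctl hunk earlier in this patch treats `DISABLE_CLAMAV` as true by default, so opt-in seems to be the project convention), a comment should say so: `# WAF is opt-in: unset DISABLE_WAF means disabled; set DISABLE_WAF=false in dd.conf to enforce`. Whether dd-ctl's `$WAF_YML` selection already keys on DISABLE_WAF is outside this hunk; if it does, the two defaults must agree or the container may run with a configuration the compose file set was not built for. The service definition starts outside the hunk.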