[docker] Cleanup environment files
By making the environment explicit on each service, we both document the settings and have more control over what each service is allowed to see. This avoids odd situations such as nginx having access to PostgreSQL's credentials in its environment. As a bonus, we are able to use one single environment file, which is basically dd.conf plus some values that are dynamically calculated and added by dd-ctl.
feature/wp_can_upload_videos
parent
affbbde9d3
commit
a72001dea5
@ -23,10 +23,23 @@ services:
|
|||
image: ${POSTGRESQL_IMG-postgres:13.5-alpine3.15}
|
||||
container_name: dd-apps-postgresql
|
||||
restart: unless-stopped
|
||||
env_file: .env
|
||||
environment:
|
||||
# Postgres
|
||||
- POSTGRES_PASSWORD=${POSTGRES_PASSWORD}
|
||||
- POSTGRES_USER=${POSTGRES_USER}
|
||||
# Etherpad
|
||||
- ETHERPAD_POSTGRES_USER=${ETHERPAD_POSTGRES_USER:-etherpard}
|
||||
- ETHERPAD_POSTGRES_PASSWORD=${ETHERPAD_POSTGRES_PASSWORD}
|
||||
# Keycloak
|
||||
- KEYCLOAK_DB_DATABASE=${KEYCLOAK_DB_DATABASE:-keycloak}
|
||||
- KEYCLOAK_DB_USER=${KEYCLOAK_DB_USER:-keycloak}
|
||||
- KEYCLOAK_DB_PASSWORD=${KEYCLOAK_DB_PASSWORD}
|
||||
# Moodle
|
||||
- MOODLE_POSTGRES_USER=${MOODLE_POSTGRES_USER:-moodle}
|
||||
- MOODLE_POSTGRES_PASSWORD=${MOODLE_POSTGRES_PASSWORD}
|
||||
# Nextcloud
|
||||
- NEXTCLOUD_POSTGRES_USER=${NEXTCLOUD_POSTGRES_USER:-nextcloud}
|
||||
- NEXTCLOUD_POSTGRES_PASSWORD=${NEXTCLOUD_POSTGRES_PASSWORD}
|
||||
volumes:
|
||||
- /etc/localtime:/etc/localtime:ro
|
||||
- ${DB_FOLDER}/postgres:/var/lib/postgresql/data
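Review bot: The default in `- ETHERPAD_POSTGRES_USER=${ETHERPAD_POSTGRES_USER:-etherpard}` looks like a typo for `etherpad`; if the etherpad service falls back to a different default for the same variable, the database role created here would not be the one the application connects as — worth confirming against etherpad.yml, which is outside this commit view. The password variables (`POSTGRES_PASSWORD`, `ETHERPAD_POSTGRES_PASSWORD`, `KEYCLOAK_DB_PASSWORD`, `MOODLE_POSTGRES_PASSWORD`, `NEXTCLOUD_POSTGRES_PASSWORD`) have no fallback, so an unset one is interpolated as an empty string and only surfaces as a compose warning; the required form, e.g. `- KEYCLOAK_DB_PASSWORD=${KEYCLOAK_DB_PASSWORD:?KEYCLOAK_DB_PASSWORD is not set}`, makes compose refuse to start rather than provisioning roles with empty passwords. A short comment above the block, `# Only the credentials the init scripts need; do not re-add env_file here`, would record why the aggregated file is deliberately not mounted into this container.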
@ -36,6 +36,7 @@ services:
|
|||
volumes:
|
||||
*wordpress-volumes
|
||||
environment:
|
||||
DOMAIN: ${DOMAIN}
|
||||
WORDPRESS_DB_HOST: dd-apps-mariadb
|
||||
WORDPRESS_DB_NAME: "wordpress"
|
||||
WORDPRESS_DB_USER: ${WORDPRESS_MARIADB_USER}
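Review bot: Style: the line added here (apparently `DOMAIN: ${DOMAIN}`) uses the mapping form for `environment`, while the postgresql.yml hunk in the same commit lists variables as `- KEY=${KEY}`; both are valid, but settling on one form across the compose parts makes it easier to grep which secrets reach which container. The wordpress service's environment block continues outside the hunk.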
40
dd-ctl
40
dd-ctl
|
@ -112,9 +112,11 @@ fi
|
|||
REPO_BRANCH="${1:-main}"
|
||||
|
||||
|
||||
cp dd.conf .env
|
||||
CUSTOM_PATH=$(pwd)
|
||||
if [ -f dd.conf ]; then
|
||||
cp dd.conf .env
|
||||
. ./.env
|
||||
fi
|
||||
|
||||
prerequisites_docker(){
|
||||
# Remove uncompatible docker packages
@ -180,9 +182,18 @@ build_compose(){
|
|||
setconf DD_BUILD "${DD_BUILD}" .env
|
||||
|
||||
setconf CUSTOM_PATH "$CUSTOM_PATH" .env
|
||||
|
||||
setconf BUILD_APPS_ROOT_PATH "$CUSTOM_PATH/dd-apps" .env
|
||||
setconf BUILD_SSO_ROOT_PATH "$CUSTOM_PATH/dd-sso" .env
|
||||
|
||||
# SMTP (needed for e.g. Nextcloud's more granular settings)
|
||||
SMTP_LOCAL_PART="$(echo "${SMTP_USER:-}" | cut -d '@' -f 1)"
|
||||
export SMTP_LOCAL_PART
|
||||
SMTP_DOMAIN="$(echo "${SMTP_USER:-}" | cut -d '@' -f 2)"
|
||||
export SMTP_DOMAIN
|
||||
setconf SMTP_LOCAL_PART "${SMTP_LOCAL_PART}" .env
|
||||
setconf SMTP_DOMAIN "${SMTP_DOMAIN}" .env
|
||||
|
||||
# Choose HAProxy configuration flavour
|
||||
if [ "${PROXY_PROTOCOL:-false}" = "true" ]; then
|
||||
HAPROXY_YML="haproxy.proxy.yml"
@ -207,7 +218,7 @@ build_compose(){
|
|||
setconf HAPROXY_CFG "${HAPROXY_CFG}"
|
||||
setconf HAPROXY_CFG "${HAPROXY_CFG}" .env
|
||||
|
||||
# Enable or disable ClamAV
|
||||
# Enable or disable ClamAV's container
|
||||
if [ "${DISABLE_CLAMAV:-true}" = "true" ]; then
|
||||
# Current default (might change)
|
||||
CLAMAV_YML="clamav.disabled.yml"
@ -215,18 +226,16 @@ build_compose(){
|
|||
CLAMAV_YML="clamav.yml"
|
||||
fi
|
||||
|
||||
## Prepare apps environment
|
||||
ln -sf "${CUSTOM_PATH}/.env" dd-apps/.env
|
||||
ln -sf "${CUSTOM_PATH}/.env" dd-apps/docker/postgresql && \
|
||||
ln -sf "${CUSTOM_PATH}/.env" dd-apps/docker/mariadb && \
|
||||
ln -sf "${CUSTOM_PATH}/.env" dd-apps/docker/moodle && \
|
||||
ln -sf "${CUSTOM_PATH}/.env" dd-apps/docker/nextcloud && \
|
||||
ln -sf "${CUSTOM_PATH}/.env" dd-apps/docker/wordpress && \
|
||||
ln -sf "${CUSTOM_PATH}/.env" dd-apps/docker/etherpad
|
||||
|
||||
## Prepare sso environment
|
||||
ln -sf "${CUSTOM_PATH}/.env" dd-sso/.env
|
||||
ln -sf "${CUSTOM_PATH}/.env" dd-sso/docker-compose-parts/.env
|
||||
# Clean up redundant .env files
|
||||
for f in dd-apps \
|
||||
dd-apps/docker/postgresql dd-apps/docker/mariadb \
|
||||
dd-apps/docker/moodle dd-apps/docker/nextcloud \
|
||||
dd-apps/docker/wordpress dd-apps/docker/etherpad \
|
||||
dd-sso dd-sso/docker-compose-parts; do
|
||||
if [ -f "${f}/.env" ]; then
|
||||
rm "${f}/.env"
|
||||
fi
|
||||
done
|
||||
|
||||
# Clean up older custom data
|
||||
rm -rf custom/system/keycloak-themes
@ -234,12 +243,13 @@ build_compose(){
|
|||
|
||||
# Build compose ymls
|
||||
docker-compose \
|
||||
--env-file "${CUSTOM_PATH}/.env" \
|
||||
\
|
||||
-f "dd-sso/docker-compose-parts/$WAF_YML" \
|
||||
-f "dd-sso/docker-compose-parts/$HAPROXY_YML"\
|
||||
-f dd-sso/docker-compose-parts/api.yml \
|
||||
-f dd-sso/docker-compose-parts/keycloak.yml \
|
||||
-f dd-sso/docker-compose-parts/avatars.yml \
|
||||
-f dd-apps/docker/postgresql/postgresql.yml \
|
||||
-f dd-sso/docker-compose-parts/admin.yml \
|
||||
\
|
||||
-f dd-apps/docker/moodle/moodle.yml \
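Review bot: `SMTP_DOMAIN="$(echo "${SMTP_USER:-}" | cut -d '@' -f 2)"` yields the whole `SMTP_USER` when it contains no `@`, because cut prints delimiter-less lines unchanged unless `-s` is given, so a bare username would be written into `.env` as the SMTP domain; `SMTP_DOMAIN="$(echo "${SMTP_USER:-}" | cut -s -d '@' -f 2)"` leaves it empty instead (the local-part line is fine as is, since the whole value is the intended result there). Since `.env` now aggregates every service's credentials and is what `docker-compose --env-file` reads, the `cp dd.conf .env` in the first hunk should be followed by `chmod 600 .env` so the file does not inherit whatever mode the umask gives it. In the cleanup loop, `[ -f "${f}/.env" ]` follows symlinks, so a link left by the old `ln -sf` whose target no longer exists is skipped; `if [ -f "${f}/.env" ] || [ -L "${f}/.env" ]; then` removes those too. build_compose starts and ends outside these hunks.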
@ -39,8 +39,6 @@ services:
|
|||
- ${DATA_FOLDER}/legal:/admin/admin/static/templates/pages/legal:rw
|
||||
- ${DATA_FOLDER}/dd-admin:/data:rw
|
||||
- ${DATA_FOLDER}/nc-mail-queue:/nc-mail-queue:rw
|
||||
env_file:
|
||||
- .env
|
||||
environment:
|
||||
- VERIFY="false" # In development do not verify certificates
|
||||
- DOMAIN=${DOMAIN}
|
||||
|
@ -53,3 +51,5 @@ services:
|
|||
- AVATARS_SERVER_HOST=dd-sso-avatars:9000
|
||||
- AVATARS_ACCESS_KEY=${AVATARS_ACCESS_KEY:-AKIAIOSFODNN7EXAMPLE}
|
||||
- AVATARS_SECRET_KEY=${AVATARS_SECRET_KEY:-wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY}
|
||||
# TODO: Check missing env vars and pass them on the environment
|
||||
env_file: ${CUSTOM_PATH}/.env
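Review bot: `env_file: ${CUSTOM_PATH}/.env` still passes the whole aggregated file to dd-sso-admin, so this service keeps seeing every other service's credentials; the `# TODO` line acknowledges it, but it runs counter to the commit's stated goal and is the one place where the single-file approach widens exposure rather than narrowing it. If the set of variables admin reads is not known yet, the TODO should at least say why it matters, e.g. `# TODO: enumerate the variables admin needs; until then every secret in .env is exposed to this container`. The service definition continues outside the hunk.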
@ -28,6 +28,10 @@ services:
|
|||
DOMAIN: $DOMAIN
|
||||
NGINX_ALPINE_IMG: ${NGINX_ALPINE_IMG-nginx:1.21.6-alpine}
|
||||
container_name: dd-sso-api
|
||||
environment:
|
||||
DOMAIN: ${DOMAIN}
|
||||
KEYCLOAK_USER: ${KEYCLOAK_USER}
|
||||
KEYCLOAK_PASSWORD: ${KEYCLOAK_PASSWORD}
|
||||
volumes:
|
||||
- /etc/localtime:/etc/localtime:ro
|
||||
- ${CUSTOM_PATH}/custom/menu:/api/menu
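Review bot: `KEYCLOAK_USER: ${KEYCLOAK_USER}` and `KEYCLOAK_PASSWORD: ${KEYCLOAK_PASSWORD}` have no fallback, so if either is missing from `.env` the container starts with an empty value and the failure only shows up later as an authentication error against Keycloak; `KEYCLOAK_PASSWORD: ${KEYCLOAK_PASSWORD:?KEYCLOAK_PASSWORD is not set}` makes compose abort with a clear message instead. The context line `NGINX_ALPINE_IMG: ${NGINX_ALPINE_IMG-nginx:1.21.6-alpine}` (apparently a build arg) no longer matches the commented default `nginx:1.22.1-alpine` in the dd.conf hunk of this commit; presumably one of them is meant to be updated. The service definition continues outside the hunk.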
@ -37,8 +41,3 @@ services:
|
|||
restart: unless-stopped
|
||||
networks:
|
||||
- dd_net
|
||||
# ports:
|
||||
# - published: 7039
|
||||
# target: 7039
|
||||
env_file:
|
||||
- .env
@ -28,6 +28,12 @@ services:
|
|||
dockerfile: Dockerfile
|
||||
target: production
|
||||
container_name: dd-sso-haproxy
|
||||
environment:
|
||||
DOMAIN: ${DOMAIN}
|
||||
HAPROXY_CFG: ${HAPROXY_CFG:-haproxy.no-waf.no-haproxy.cfg}
|
||||
LETSENCRYPT_DOMAIN: ${LETSENCRYPT_DOMAIN}
|
||||
LETSENCRYPT_DOMAIN_ROOT: ${LETSENCRYPT_DOMAIN_ROOT}
|
||||
LETSENCRYPT_EMAIL: ${LETSENCRYPT_EMAIL}
|
||||
restart: unless-stopped
|
||||
volumes:
|
||||
- /etc/localtime:/etc/localtime:ro
@ -35,8 +41,6 @@ services:
|
|||
- ${SRC_FOLDER}/haproxy/certs:/certs:rw
|
||||
networks:
|
||||
- dd_net
|
||||
env_file:
|
||||
- .env
|
||||
logging:
|
||||
driver: "json-file"
|
||||
options:
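Review bot: The three haproxy flavour files (this section and the two following ones with the identical `@ -28,6 +28,12` hunk) all hard-code the same fallback `HAPROXY_CFG: ${HAPROXY_CFG:-haproxy.no-waf.no-haproxy.cfg}`, so a flavour that is presumably meant to run with the WAF or PROXY protocol would silently come up with the no-WAF/no-proxy configuration whenever the variable is missing from `.env`. Since dd-ctl writes `HAPROXY_CFG` with `setconf` in the same commit, the required form `HAPROXY_CFG: ${HAPROXY_CFG:?HAPROXY_CFG is not set}` fails fast instead of degrading protection. The duplicated environment block also deserves a comment in each file, e.g. `# Keep in sync with the other haproxy.*.yml flavours`, so the three copies do not drift. The service definition continues outside the hunk.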
@ -28,6 +28,12 @@ services:
|
|||
dockerfile: Dockerfile
|
||||
target: production
|
||||
container_name: dd-sso-haproxy
|
||||
environment:
|
||||
DOMAIN: ${DOMAIN}
|
||||
HAPROXY_CFG: ${HAPROXY_CFG:-haproxy.no-waf.no-haproxy.cfg}
|
||||
LETSENCRYPT_DOMAIN: ${LETSENCRYPT_DOMAIN}
|
||||
LETSENCRYPT_DOMAIN_ROOT: ${LETSENCRYPT_DOMAIN_ROOT}
|
||||
LETSENCRYPT_EMAIL: ${LETSENCRYPT_EMAIL}
|
||||
restart: unless-stopped
|
||||
volumes:
|
||||
- /etc/localtime:/etc/localtime:ro
@ -45,8 +51,6 @@ services:
|
|||
target: 8888
|
||||
- published: 591
|
||||
target: 591
|
||||
env_file:
|
||||
- .env
|
||||
logging:
|
||||
driver: "json-file"
|
||||
options:
@ -28,6 +28,12 @@ services:
|
|||
dockerfile: Dockerfile
|
||||
target: production
|
||||
container_name: dd-sso-haproxy
|
||||
environment:
|
||||
DOMAIN: ${DOMAIN}
|
||||
HAPROXY_CFG: ${HAPROXY_CFG:-haproxy.no-waf.no-haproxy.cfg}
|
||||
LETSENCRYPT_DOMAIN: ${LETSENCRYPT_DOMAIN}
|
||||
LETSENCRYPT_DOMAIN_ROOT: ${LETSENCRYPT_DOMAIN_ROOT}
|
||||
LETSENCRYPT_EMAIL: ${LETSENCRYPT_EMAIL}
|
||||
restart: unless-stopped
|
||||
volumes:
|
||||
- /etc/localtime:/etc/localtime:ro
@ -40,8 +46,6 @@ services:
|
|||
target: 80
|
||||
- published: 443
|
||||
target: 443
|
||||
env_file:
|
||||
- .env
|
||||
logging:
|
||||
driver: "json-file"
|
||||
options:
@ -1,38 +0,0 @@
|
|||
#
|
||||
# Copyright © 2021,2022 IsardVDI S.L.
|
||||
#
|
||||
# This file is part of DD
|
||||
#
|
||||
# DD is free software: you can redistribute it and/or modify
|
||||
# it under the terms of the GNU Affero General Public License as published by
|
||||
# the Free Software Foundation, either version 3 of the License, or (at your
|
||||
# option) any later version.
|
||||
#
|
||||
# DD is distributed in the hope that it will be useful, but WITHOUT ANY
|
||||
# WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
|
||||
# FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more
|
||||
# details.
|
||||
#
|
||||
# You should have received a copy of the GNU Affero General Public License
|
||||
# along with DD. If not, see <https://www.gnu.org/licenses/>.
|
||||
#
|
||||
# SPDX-License-Identifier: AGPL-3.0-or-later
|
||||
version: '3.7'
|
||||
services:
|
||||
dd-sso-postgresql:
|
||||
image: ${POSTGRESQL_IMG-postgres:13.5-alpine3.15}
|
||||
container_name: dd-sso-postgresql
|
||||
restart: unless-stopped
|
||||
env_file:
|
||||
- .env
|
||||
volumes:
|
||||
- /etc/localtime:/etc/localtime:ro
|
||||
- ${DB_FOLDER}/postgres:/var/lib/postgresql/data
|
||||
- ${BUILD_SSO_ROOT_PATH}/init/databases:/docker-entrypoint-initdb.d
|
||||
networks:
|
||||
- dd_net
|
||||
logging:
|
||||
driver: "json-file"
|
||||
options:
|
||||
max-size: "5m"
|
||||
max-file: "10"
@ -7,8 +7,8 @@ services:
|
|||
dockerfile: Dockerfile
|
||||
target: production
|
||||
container_name: dd-waf-apache
|
||||
env_file:
|
||||
- .env
|
||||
environment:
|
||||
DISABLE_WAF: ${DISABLE_WAF:-true}
|
||||
restart: unless-stopped
|
||||
volumes:
|
||||
- /etc/localtime:/etc/localtime:ro
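Review bot: `DISABLE_WAF: ${DISABLE_WAF:-true}` turns the WAF off by default; that matches the `DISABLE_CLAMAV:-true` default in dd-ctl, but nothing in this file says so, and a reader of it alone cannot tell whether the default is deliberate. A one-line comment above it, `# WAF is off unless DISABLE_WAF=false is set in dd.conf (copied to .env by dd-ctl)`, records the intent, mirroring the `# Current default (might change)` note used for ClamAV in dd-ctl. The service definition continues outside the hunk.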
@ -187,8 +187,7 @@ POSTGRESQL_IMG=postgres:14.1-alpine3.15
|
|||
#MARIADB_IMG=mariadb:10.6.5
|
||||
|
||||
## NGINX
|
||||
#NGINX_IMG=nginx:1.21.6
|
||||
#NGINX_ALPINE_IMG=nginx:1.21.6-alpine
|
||||
#NGINX_ALPINE_IMG=nginx:1.22.1-alpine
|
||||
|
||||
## REDIS
|
||||
#REDIS_IMG=redis:6.2.6-alpine3.15