[docker] Cleanup environment files

By having the environment explicit on each service, we both document
the settings and have more control over what each service is allowed
to see.

This avoids weird things like nginx having access to postgresql's
credentials on its environment.

As a bonus: we are able to use one single environment file, which is
basically dd.conf with some values that are dynamically-calculated and
added from dd-ctl.
feature/wp_can_upload_videos
Evilham 2023-01-10 16:58:17 +01:00
parent affbbde9d3
commit a72001dea5
No known key found for this signature in database
GPG Key ID: AE3EE30D970886BF
11 changed files with 68 additions and 72 deletions

View File

@ -23,10 +23,23 @@ services:
image: ${POSTGRESQL_IMG-postgres:13.5-alpine3.15}
container_name: dd-apps-postgresql
restart: unless-stopped
env_file: .env
environment:
# Postgres
- POSTGRES_PASSWORD=${POSTGRES_PASSWORD}
- POSTGRES_USER=${POSTGRES_USER}
# Etherpad
- ETHERPAD_POSTGRES_USER=${ETHERPAD_POSTGRES_USER:-etherpard}
- ETHERPAD_POSTGRES_PASSWORD=${ETHERPAD_POSTGRES_PASSWORD}
# Keycloak
- KEYCLOAK_DB_DATABASE=${KEYCLOAK_DB_DATABASE:-keycloak}
- KEYCLOAK_DB_USER=${KEYCLOAK_DB_USER:-keycloak}
- KEYCLOAK_DB_PASSWORD=${KEYCLOAK_DB_PASSWORD}
# Moodle
- MOODLE_POSTGRES_USER=${MOODLE_POSTGRES_USER:-moodle}
- MOODLE_POSTGRES_PASSWORD=${MOODLE_POSTGRES_PASSWORD}
# Nextcloud
- NEXTCLOUD_POSTGRES_USER=${NEXTCLOUD_POSTGRES_USER:-nextcloud}
- NEXTCLOUD_POSTGRES_PASSWORD=${NEXTCLOUD_POSTGRES_PASSWORD}
volumes:
- /etc/localtime:/etc/localtime:ro
- ${DB_FOLDER}/postgres:/var/lib/postgresql/data

View File

@ -36,6 +36,7 @@ services:
volumes:
*wordpress-volumes
environment:
DOMAIN: ${DOMAIN}
WORDPRESS_DB_HOST: dd-apps-mariadb
WORDPRESS_DB_NAME: "wordpress"
WORDPRESS_DB_USER: ${WORDPRESS_MARIADB_USER}

40
dd-ctl
View File

@ -112,9 +112,11 @@ fi
REPO_BRANCH="${1:-main}"
cp dd.conf .env
CUSTOM_PATH=$(pwd)
if [ -f dd.conf ]; then
cp dd.conf .env
. ./.env
fi
prerequisites_docker(){
# Remove uncompatible docker packages
@ -180,9 +182,18 @@ build_compose(){
setconf DD_BUILD "${DD_BUILD}" .env
setconf CUSTOM_PATH "$CUSTOM_PATH" .env
setconf BUILD_APPS_ROOT_PATH "$CUSTOM_PATH/dd-apps" .env
setconf BUILD_SSO_ROOT_PATH "$CUSTOM_PATH/dd-sso" .env
# SMTP (needed for e.g. Nextcloud's more granular settings)
SMTP_LOCAL_PART="$(echo "${SMTP_USER:-}" | cut -d '@' -f 1)"
export SMTP_LOCAL_PART
SMTP_DOMAIN="$(echo "${SMTP_USER:-}" | cut -d '@' -f 2)"
export SMTP_DOMAIN
setconf SMTP_LOCAL_PART "${SMTP_LOCAL_PART}" .env
setconf SMTP_DOMAIN "${SMTP_DOMAIN}" .env
# Choose HAProxy configuration flavour
if [ "${PROXY_PROTOCOL:-false}" = "true" ]; then
HAPROXY_YML="haproxy.proxy.yml"
@ -207,7 +218,7 @@ build_compose(){
setconf HAPROXY_CFG "${HAPROXY_CFG}"
setconf HAPROXY_CFG "${HAPROXY_CFG}" .env
# Enable or disable ClamAV
# Enable or disable ClamAV's container
if [ "${DISABLE_CLAMAV:-true}" = "true" ]; then
# Current default (might change)
CLAMAV_YML="clamav.disabled.yml"
@ -215,18 +226,16 @@ build_compose(){
CLAMAV_YML="clamav.yml"
fi
## Prepare apps environment
ln -sf "${CUSTOM_PATH}/.env" dd-apps/.env
ln -sf "${CUSTOM_PATH}/.env" dd-apps/docker/postgresql && \
ln -sf "${CUSTOM_PATH}/.env" dd-apps/docker/mariadb && \
ln -sf "${CUSTOM_PATH}/.env" dd-apps/docker/moodle && \
ln -sf "${CUSTOM_PATH}/.env" dd-apps/docker/nextcloud && \
ln -sf "${CUSTOM_PATH}/.env" dd-apps/docker/wordpress && \
ln -sf "${CUSTOM_PATH}/.env" dd-apps/docker/etherpad
## Prepare sso environment
ln -sf "${CUSTOM_PATH}/.env" dd-sso/.env
ln -sf "${CUSTOM_PATH}/.env" dd-sso/docker-compose-parts/.env
# Clean up redundant .env files
for f in dd-apps \
dd-apps/docker/postgresql dd-apps/docker/mariadb \
dd-apps/docker/moodle dd-apps/docker/nextcloud \
dd-apps/docker/wordpress dd-apps/docker/etherpad \
dd-sso dd-sso/docker-compose-parts; do
if [ -f "${f}/.env" ]; then
rm "${f}/.env"
fi
done
# Clean up older custom data
rm -rf custom/system/keycloak-themes
@ -234,12 +243,13 @@ build_compose(){
# Build compose ymls
docker-compose \
--env-file "${CUSTOM_PATH}/.env" \
\
-f "dd-sso/docker-compose-parts/$WAF_YML" \
-f "dd-sso/docker-compose-parts/$HAPROXY_YML"\
-f dd-sso/docker-compose-parts/api.yml \
-f dd-sso/docker-compose-parts/keycloak.yml \
-f dd-sso/docker-compose-parts/avatars.yml \
-f dd-apps/docker/postgresql/postgresql.yml \
-f dd-sso/docker-compose-parts/admin.yml \
\
-f dd-apps/docker/moodle/moodle.yml \

View File

@ -39,8 +39,6 @@ services:
- ${DATA_FOLDER}/legal:/admin/admin/static/templates/pages/legal:rw
- ${DATA_FOLDER}/dd-admin:/data:rw
- ${DATA_FOLDER}/nc-mail-queue:/nc-mail-queue:rw
env_file:
- .env
environment:
- VERIFY="false" # In development do not verify certificates
- DOMAIN=${DOMAIN}
@ -53,3 +51,5 @@ services:
- AVATARS_SERVER_HOST=dd-sso-avatars:9000
- AVATARS_ACCESS_KEY=${AVATARS_ACCESS_KEY:-AKIAIOSFODNN7EXAMPLE}
- AVATARS_SECRET_KEY=${AVATARS_SECRET_KEY:-wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY}
# TODO: Check missing env vars and pass them on the environment
env_file: ${CUSTOM_PATH}/.env

View File

@ -28,6 +28,10 @@ services:
DOMAIN: $DOMAIN
NGINX_ALPINE_IMG: ${NGINX_ALPINE_IMG-nginx:1.21.6-alpine}
container_name: dd-sso-api
environment:
DOMAIN: ${DOMAIN}
KEYCLOAK_USER: ${KEYCLOAK_USER}
KEYCLOAK_PASSWORD: ${KEYCLOAK_PASSWORD}
volumes:
- /etc/localtime:/etc/localtime:ro
- ${CUSTOM_PATH}/custom/menu:/api/menu
@ -37,8 +41,3 @@ services:
restart: unless-stopped
networks:
- dd_net
# ports:
# - published: 7039
# target: 7039
env_file:
- .env

View File

@ -28,6 +28,12 @@ services:
dockerfile: Dockerfile
target: production
container_name: dd-sso-haproxy
environment:
DOMAIN: ${DOMAIN}
HAPROXY_CFG: ${HAPROXY_CFG:-haproxy.no-waf.no-haproxy.cfg}
LETSENCRYPT_DOMAIN: ${LETSENCRYPT_DOMAIN}
LETSENCRYPT_DOMAIN_ROOT: ${LETSENCRYPT_DOMAIN_ROOT}
LETSENCRYPT_EMAIL: ${LETSENCRYPT_EMAIL}
restart: unless-stopped
volumes:
- /etc/localtime:/etc/localtime:ro
@ -35,8 +41,6 @@ services:
- ${SRC_FOLDER}/haproxy/certs:/certs:rw
networks:
- dd_net
env_file:
- .env
logging:
driver: "json-file"
options:

View File

@ -28,6 +28,12 @@ services:
dockerfile: Dockerfile
target: production
container_name: dd-sso-haproxy
environment:
DOMAIN: ${DOMAIN}
HAPROXY_CFG: ${HAPROXY_CFG:-haproxy.no-waf.no-haproxy.cfg}
LETSENCRYPT_DOMAIN: ${LETSENCRYPT_DOMAIN}
LETSENCRYPT_DOMAIN_ROOT: ${LETSENCRYPT_DOMAIN_ROOT}
LETSENCRYPT_EMAIL: ${LETSENCRYPT_EMAIL}
restart: unless-stopped
volumes:
- /etc/localtime:/etc/localtime:ro
@ -45,8 +51,6 @@ services:
target: 8888
- published: 591
target: 591
env_file:
- .env
logging:
driver: "json-file"
options:

View File

@ -28,6 +28,12 @@ services:
dockerfile: Dockerfile
target: production
container_name: dd-sso-haproxy
environment:
DOMAIN: ${DOMAIN}
HAPROXY_CFG: ${HAPROXY_CFG:-haproxy.no-waf.no-haproxy.cfg}
LETSENCRYPT_DOMAIN: ${LETSENCRYPT_DOMAIN}
LETSENCRYPT_DOMAIN_ROOT: ${LETSENCRYPT_DOMAIN_ROOT}
LETSENCRYPT_EMAIL: ${LETSENCRYPT_EMAIL}
restart: unless-stopped
volumes:
- /etc/localtime:/etc/localtime:ro
@ -40,8 +46,6 @@ services:
target: 80
- published: 443
target: 443
env_file:
- .env
logging:
driver: "json-file"
options:

View File

@ -1,38 +0,0 @@
#
# Copyright © 2021,2022 IsardVDI S.L.
#
# This file is part of DD
#
# DD is free software: you can redistribute it and/or modify
# it under the terms of the GNU Affero General Public License as published by
# the Free Software Foundation, either version 3 of the License, or (at your
# option) any later version.
#
# DD is distributed in the hope that it will be useful, but WITHOUT ANY
# WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
# FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more
# details.
#
# You should have received a copy of the GNU Affero General Public License
# along with DD. If not, see <https://www.gnu.org/licenses/>.
#
# SPDX-License-Identifier: AGPL-3.0-or-later
version: '3.7'
services:
dd-sso-postgresql:
image: ${POSTGRESQL_IMG-postgres:13.5-alpine3.15}
container_name: dd-sso-postgresql
restart: unless-stopped
env_file:
- .env
volumes:
- /etc/localtime:/etc/localtime:ro
- ${DB_FOLDER}/postgres:/var/lib/postgresql/data
- ${BUILD_SSO_ROOT_PATH}/init/databases:/docker-entrypoint-initdb.d
networks:
- dd_net
logging:
driver: "json-file"
options:
max-size: "5m"
max-file: "10"

View File

@ -7,8 +7,8 @@ services:
dockerfile: Dockerfile
target: production
container_name: dd-waf-apache
env_file:
- .env
environment:
DISABLE_WAF: ${DISABLE_WAF:-true}
restart: unless-stopped
volumes:
- /etc/localtime:/etc/localtime:ro

View File

@ -187,8 +187,7 @@ POSTGRESQL_IMG=postgres:14.1-alpine3.15
#MARIADB_IMG=mariadb:10.6.5
## NGINX
#NGINX_IMG=nginx:1.21.6
#NGINX_ALPINE_IMG=nginx:1.21.6-alpine
#NGINX_ALPINE_IMG=nginx:1.22.1-alpine
## REDIS
#REDIS_IMG=redis:6.2.6-alpine3.15