[docker] Cleanup environment files

By having the environment explicit on each service, we both document
the settings and have more control over what each service is allowed
to see.

This avoids weird things like nginx having access to postgresql's
credentials on its environment.

As a bonus: we are able to use one single environment file, which is
basically dd.conf with some values that are dynamically-calculated and
added from dd-ctl.

dd-apps/docker/postgresql/postgresql.yml

@@ -23,10 +23,23 @@ services:
     image: ${POSTGRESQL_IMG-postgres:13.5-alpine3.15}
     container_name: dd-apps-postgresql
     restart: unless-stopped
-    env_file: .env
     environment:
+      # Postgres
       - POSTGRES_PASSWORD=${POSTGRES_PASSWORD}
       - POSTGRES_USER=${POSTGRES_USER}
+      # Etherpad
+      - ETHERPAD_POSTGRES_USER=${ETHERPAD_POSTGRES_USER:-etherpard}
+      - ETHERPAD_POSTGRES_PASSWORD=${ETHERPAD_POSTGRES_PASSWORD}
+      # Keycloak
+      - KEYCLOAK_DB_DATABASE=${KEYCLOAK_DB_DATABASE:-keycloak}
+      - KEYCLOAK_DB_USER=${KEYCLOAK_DB_USER:-keycloak}
+      - KEYCLOAK_DB_PASSWORD=${KEYCLOAK_DB_PASSWORD}
+      # Moodle
+      - MOODLE_POSTGRES_USER=${MOODLE_POSTGRES_USER:-moodle}
+      - MOODLE_POSTGRES_PASSWORD=${MOODLE_POSTGRES_PASSWORD}
+      # Nextcloud
+      - NEXTCLOUD_POSTGRES_USER=${NEXTCLOUD_POSTGRES_USER:-nextcloud}
+      - NEXTCLOUD_POSTGRES_PASSWORD=${NEXTCLOUD_POSTGRES_PASSWORD}
     volumes:
       - /etc/localtime:/etc/localtime:ro
       - ${DB_FOLDER}/postgres:/var/lib/postgresql/data

dd-apps/docker/wordpress/wordpress.yml

@@ -36,6 +36,7 @@ services:
     volumes:
       *wordpress-volumes
     environment:
+      DOMAIN: ${DOMAIN}
       WORDPRESS_DB_HOST: dd-apps-mariadb
       WORDPRESS_DB_NAME: "wordpress"
       WORDPRESS_DB_USER: ${WORDPRESS_MARIADB_USER}

dd-ctl

@@ -112,9 +112,11 @@ fi
 REPO_BRANCH="${1:-main}"
 
 
-cp dd.conf .env
 CUSTOM_PATH=$(pwd)
-. ./.env
+if [ -f dd.conf ]; then
+	cp dd.conf .env
+	. ./.env
+fi
 
 prerequisites_docker(){
 	# Remove uncompatible docker packages
@@ -180,9 +182,18 @@ build_compose(){
 	setconf DD_BUILD "${DD_BUILD}" .env
 
 	setconf CUSTOM_PATH "$CUSTOM_PATH" .env
+
 	setconf BUILD_APPS_ROOT_PATH "$CUSTOM_PATH/dd-apps" .env
 	setconf BUILD_SSO_ROOT_PATH "$CUSTOM_PATH/dd-sso" .env
 
+	# SMTP (needed for e.g. Nextcloud's more granular settings)
+	SMTP_LOCAL_PART="$(echo "${SMTP_USER:-}" | cut -d '@' -f 1)"
+	export SMTP_LOCAL_PART
+	SMTP_DOMAIN="$(echo "${SMTP_USER:-}" | cut -d '@' -f 2)"
+	export SMTP_DOMAIN
+	setconf SMTP_LOCAL_PART "${SMTP_LOCAL_PART}" .env
+	setconf SMTP_DOMAIN "${SMTP_DOMAIN}" .env
+
 	# Choose HAProxy configuration flavour
 	if [ "${PROXY_PROTOCOL:-false}" = "true" ]; then
 		HAPROXY_YML="haproxy.proxy.yml"
@@ -207,7 +218,7 @@ build_compose(){
 	setconf HAPROXY_CFG "${HAPROXY_CFG}"
 	setconf HAPROXY_CFG "${HAPROXY_CFG}" .env
 
-	# Enable or disable ClamAV
+	# Enable or disable ClamAV's container
 	if [ "${DISABLE_CLAMAV:-true}" = "true" ]; then
 		# Current default (might change)
 		CLAMAV_YML="clamav.disabled.yml"
@@ -215,18 +226,16 @@ build_compose(){
 		CLAMAV_YML="clamav.yml"
 	fi
 
-	## Prepare apps environment
-	ln -sf "${CUSTOM_PATH}/.env" dd-apps/.env
-	ln -sf "${CUSTOM_PATH}/.env" dd-apps/docker/postgresql && \
-	ln -sf "${CUSTOM_PATH}/.env" dd-apps/docker/mariadb && \
-	ln -sf "${CUSTOM_PATH}/.env" dd-apps/docker/moodle && \
-	ln -sf "${CUSTOM_PATH}/.env" dd-apps/docker/nextcloud && \
-	ln -sf "${CUSTOM_PATH}/.env" dd-apps/docker/wordpress && \
-	ln -sf "${CUSTOM_PATH}/.env" dd-apps/docker/etherpad
-
-	## Prepare sso environment
-	ln -sf "${CUSTOM_PATH}/.env" dd-sso/.env
-	ln -sf "${CUSTOM_PATH}/.env" dd-sso/docker-compose-parts/.env
+	# Clean up redundant .env files
+	for f in	dd-apps \
+			dd-apps/docker/postgresql dd-apps/docker/mariadb \
+			dd-apps/docker/moodle dd-apps/docker/nextcloud \
+			dd-apps/docker/wordpress dd-apps/docker/etherpad \
+			dd-sso dd-sso/docker-compose-parts; do
+		if [ -f "${f}/.env" ]; then
+			rm "${f}/.env"
+		fi
+	done
 
 	# Clean up older custom data
 	rm -rf custom/system/keycloak-themes
@@ -234,12 +243,13 @@ build_compose(){
 
 	# Build compose ymls
 	docker-compose \
+			--env-file "${CUSTOM_PATH}/.env" \
+					\
 			-f "dd-sso/docker-compose-parts/$WAF_YML" \
 			-f "dd-sso/docker-compose-parts/$HAPROXY_YML"\
 			-f dd-sso/docker-compose-parts/api.yml \
 			-f dd-sso/docker-compose-parts/keycloak.yml \
 			-f dd-sso/docker-compose-parts/avatars.yml \
-			-f dd-apps/docker/postgresql/postgresql.yml \
 			-f dd-sso/docker-compose-parts/admin.yml \
 					\
 			-f dd-apps/docker/moodle/moodle.yml \

dd-sso/docker-compose-parts/admin.yml

@@ -39,8 +39,6 @@ services:
     - ${DATA_FOLDER}/legal:/admin/admin/static/templates/pages/legal:rw
     - ${DATA_FOLDER}/dd-admin:/data:rw
     - ${DATA_FOLDER}/nc-mail-queue:/nc-mail-queue:rw
-    env_file:
-      - .env
     environment:
       - VERIFY="false"  # In development do not verify certificates
       - DOMAIN=${DOMAIN}
@@ -53,3 +51,5 @@ services:
       - AVATARS_SERVER_HOST=dd-sso-avatars:9000
       - AVATARS_ACCESS_KEY=${AVATARS_ACCESS_KEY:-AKIAIOSFODNN7EXAMPLE}
       - AVATARS_SECRET_KEY=${AVATARS_SECRET_KEY:-wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY}
+    # TODO: Check missing env vars and pass them on the environment
+    env_file: ${CUSTOM_PATH}/.env

dd-sso/docker-compose-parts/api.yml

@@ -28,6 +28,10 @@ services:
         DOMAIN: $DOMAIN
         NGINX_ALPINE_IMG: ${NGINX_ALPINE_IMG-nginx:1.21.6-alpine}
     container_name: dd-sso-api
+    environment:
+      DOMAIN: ${DOMAIN}
+      KEYCLOAK_USER: ${KEYCLOAK_USER}
+      KEYCLOAK_PASSWORD: ${KEYCLOAK_PASSWORD}
     volumes:
       - /etc/localtime:/etc/localtime:ro
       - ${CUSTOM_PATH}/custom/menu:/api/menu
@@ -37,8 +41,3 @@ services:
     restart: unless-stopped
     networks:
       - dd_net
-    # ports:
-    # - published: 7039
-    #   target: 7039
-    env_file:
-      - .env

dd-sso/docker-compose-parts/haproxy.no-ports.yml

@@ -28,6 +28,12 @@ services:
       dockerfile: Dockerfile
       target: production
     container_name: dd-sso-haproxy
+    environment:
+      DOMAIN: ${DOMAIN}
+      HAPROXY_CFG: ${HAPROXY_CFG:-haproxy.no-waf.no-haproxy.cfg}
+      LETSENCRYPT_DOMAIN: ${LETSENCRYPT_DOMAIN}
+      LETSENCRYPT_DOMAIN_ROOT: ${LETSENCRYPT_DOMAIN_ROOT}
+      LETSENCRYPT_EMAIL: ${LETSENCRYPT_EMAIL}
     restart: unless-stopped
     volumes:
       - /etc/localtime:/etc/localtime:ro
@@ -35,8 +41,6 @@ services:
       - ${SRC_FOLDER}/haproxy/certs:/certs:rw
     networks:
       - dd_net
-    env_file:
-      - .env
     logging:
       driver: "json-file"
       options:

dd-sso/docker-compose-parts/haproxy.proxy.yml

@@ -28,6 +28,12 @@ services:
       dockerfile: Dockerfile
       target: production
     container_name: dd-sso-haproxy
+    environment:
+      DOMAIN: ${DOMAIN}
+      HAPROXY_CFG: ${HAPROXY_CFG:-haproxy.no-waf.no-haproxy.cfg}
+      LETSENCRYPT_DOMAIN: ${LETSENCRYPT_DOMAIN}
+      LETSENCRYPT_DOMAIN_ROOT: ${LETSENCRYPT_DOMAIN_ROOT}
+      LETSENCRYPT_EMAIL: ${LETSENCRYPT_EMAIL}
     restart: unless-stopped
     volumes:
       - /etc/localtime:/etc/localtime:ro
@@ -45,8 +51,6 @@ services:
       target: 8888
     - published: 591
       target: 591
-    env_file:
-      - .env
     logging:
       driver: "json-file"
       options:

dd-sso/docker-compose-parts/haproxy.yml

@@ -28,6 +28,12 @@ services:
       dockerfile: Dockerfile
       target: production
     container_name: dd-sso-haproxy
+    environment:
+      DOMAIN: ${DOMAIN}
+      HAPROXY_CFG: ${HAPROXY_CFG:-haproxy.no-waf.no-haproxy.cfg}
+      LETSENCRYPT_DOMAIN: ${LETSENCRYPT_DOMAIN}
+      LETSENCRYPT_DOMAIN_ROOT: ${LETSENCRYPT_DOMAIN_ROOT}
+      LETSENCRYPT_EMAIL: ${LETSENCRYPT_EMAIL}
     restart: unless-stopped
     volumes:
       - /etc/localtime:/etc/localtime:ro
@@ -40,8 +46,6 @@ services:
       target: 80
     - published: 443
       target: 443
-    env_file:
-      - .env
     logging:
       driver: "json-file"
       options:

dd-sso/docker-compose-parts/postgresql.yml

@@ -1,38 +0,0 @@
-#
-#   Copyright © 2021,2022 IsardVDI S.L.
-#
-#   This file is part of DD
-#
-#   DD is free software: you can redistribute it and/or modify
-#   it under the terms of the GNU Affero General Public License as published by
-#   the Free Software Foundation, either version 3 of the License, or (at your
-#   option) any later version.
-#
-#   DD is distributed in the hope that it will be useful, but WITHOUT ANY
-#   WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
-#   FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more
-#   details.
-#
-#   You should have received a copy of the GNU Affero General Public License
-#   along with DD. If not, see <https://www.gnu.org/licenses/>.
-#
-# SPDX-License-Identifier: AGPL-3.0-or-later
-version: '3.7'
-services:
-  dd-sso-postgresql:
-    image: ${POSTGRESQL_IMG-postgres:13.5-alpine3.15}
-    container_name: dd-sso-postgresql
-    restart: unless-stopped
-    env_file:
-      - .env
-    volumes:
-      - /etc/localtime:/etc/localtime:ro
-      - ${DB_FOLDER}/postgres:/var/lib/postgresql/data
-      - ${BUILD_SSO_ROOT_PATH}/init/databases:/docker-entrypoint-initdb.d
-    networks:
-      - dd_net
-    logging:
-      driver: "json-file"
-      options:
-        max-size: "5m"
-        max-file: "10"

dd-sso/docker-compose-parts/waf-modsecurity.yml

@@ -7,8 +7,8 @@ services:
       dockerfile: Dockerfile
       target: production
     container_name: dd-waf-apache
-    env_file:
-      - .env
+    environment:
+      DISABLE_WAF: ${DISABLE_WAF:-true}
     restart: unless-stopped
     volumes:
       - /etc/localtime:/etc/localtime:ro

dd.conf.sample

@@ -187,8 +187,7 @@ POSTGRESQL_IMG=postgres:14.1-alpine3.15
 #MARIADB_IMG=mariadb:10.6.5
 
 ## NGINX
-#NGINX_IMG=nginx:1.21.6
-#NGINX_ALPINE_IMG=nginx:1.21.6-alpine
+#NGINX_ALPINE_IMG=nginx:1.22.1-alpine
 
 ## REDIS
 #REDIS_IMG=redis:6.2.6-alpine3.15