diff --git a/2020.07/apache/entrypoint.sh b/2020.07/apache/entrypoint.sh
index a6054e3..9a4ee70 100755
--- a/2020.07/apache/entrypoint.sh
+++ b/2020.07/apache/entrypoint.sh
@@ -16,6 +16,30 @@ version_greater() {
 [ "$(printf '%s\n' "$@" | sort -r -t '-' -k2,2 | sort -t '.' -n -k1,1 -k2,2 -s | head -n 1)" != "$1" ]
 }
+# usage: file_env VAR [DEFAULT]
+# ie: file_env 'XYZ_DB_PASSWORD' 'example'
+# (will allow for "$XYZ_DB_PASSWORD_FILE" to fill in the value of
+# "$XYZ_DB_PASSWORD" from a file, especially for Docker's secrets feature)
+file_env() {
+ local var="$1"
+ local fileVar="${var}_FILE"
+ local def="${2:-}"
+ local varValue=$(env | grep -E "^${var}=" | sed -E -e "s/^${var}=//")
+ local fileVarValue=$(env | grep -E "^${fileVar}=" | sed -E -e "s/^${fileVar}=//")
+ if [ -n "${varValue}" ] && [ -n "${fileVarValue}" ]; then
+ echo >&2 "error: both $var and $fileVar are set (but are exclusive)"
+ exit 1
+ fi
+ if [ -n "${varValue}" ]; then
+ export "$var"="${varValue}"
+ elif [ -n "${fileVarValue}" ]; then
+ export "$var"="$(cat "${fileVarValue}")"
+ elif [ -n "${def}" ]; then
+ export "$var"="$def"
+ fi
+ unset "$fileVar"
+}
+
 sh /setup_msmtp.sh
 # just check if we execute apache or php-fpm
@@ -66,6 +90,12 @@ if expr "$1" : "apache" 1>/dev/null || [ "$1" = "php-fpm" ]; then
 if [ "$installed_version" = "0.0.0.0" ]; then
 echo "New Friendica instance"
+ file_env FRIENDICA_ADMIN_MAIL
+
+ file_env MYSQL_DATABASE
+ file_env MYSQL_USER
+ file_env MYSQL_PASSWORD
+
 install=false
 if [ -n "${MYSQL_DATABASE+x}" ] && [ -n "${MYSQL_PASSWORD+x}" ] && [ -n "${MYSQL_HOST+x}" ] && [ -n "${MYSQL_USER+x}" ] && [ -n "${FRIENDICA_ADMIN_MAIL+x}" ] && [ -n "${FRIENDICA_URL+x}" ]; then
 echo "Installation with environment variables"
diff --git a/2020.07/fpm-alpine/entrypoint.sh b/2020.07/fpm-alpine/entrypoint.sh
index a6054e3..9a4ee70 100755
--- a/2020.07/fpm-alpine/entrypoint.sh
+++ b/2020.07/fpm-alpine/entrypoint.sh
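Review bot: A missing or unreadable secret file is not detected in `file_env`: when `${fileVar}` is set but `cat "${fileVarValue}"` fails, the failure status is hidden inside the command substitution of the `export` assignment, an empty value is exported, and the `[ -n "${MYSQL_PASSWORD+x}" ]` style checks in the second hunk still pass because the variable is set (to the empty string), so the automatic installation can proceed with an empty database password. Before the `cat` I would add `[ -r "${fileVarValue}" ] || { echo >&2 "error: $fileVar points to an unreadable file: $fileVarValue"; exit 1; }`. The README hunk in this commit shows how easily this is hit: the compose example sets `MYSQL_DATABASE_FILE=/run/secrets/mysql_db` while the secret it declares is named `mysql_database`, so the path in the variable would not exist in the container. The same `file_env` body is duplicated into the other six entrypoint.sh copies in this commit (2020.07/fpm-alpine, 2020.07/fpm, the three 2020.09-dev variants and docker-entrypoint.sh), and the fix applies to each of them.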
@@ -16,6 +16,30 @@ version_greater() {
 [ "$(printf '%s\n' "$@" | sort -r -t '-' -k2,2 | sort -t '.' -n -k1,1 -k2,2 -s | head -n 1)" != "$1" ]
 }
+# usage: file_env VAR [DEFAULT]
+# ie: file_env 'XYZ_DB_PASSWORD' 'example'
+# (will allow for "$XYZ_DB_PASSWORD_FILE" to fill in the value of
+# "$XYZ_DB_PASSWORD" from a file, especially for Docker's secrets feature)
+file_env() {
+ local var="$1"
+ local fileVar="${var}_FILE"
+ local def="${2:-}"
+ local varValue=$(env | grep -E "^${var}=" | sed -E -e "s/^${var}=//")
+ local fileVarValue=$(env | grep -E "^${fileVar}=" | sed -E -e "s/^${fileVar}=//")
+ if [ -n "${varValue}" ] && [ -n "${fileVarValue}" ]; then
+ echo >&2 "error: both $var and $fileVar are set (but are exclusive)"
+ exit 1
+ fi
+ if [ -n "${varValue}" ]; then
+ export "$var"="${varValue}"
+ elif [ -n "${fileVarValue}" ]; then
+ export "$var"="$(cat "${fileVarValue}")"
+ elif [ -n "${def}" ]; then
+ export "$var"="$def"
+ fi
+ unset "$fileVar"
+}
+
 sh /setup_msmtp.sh
 # just check if we execute apache or php-fpm
@@ -66,6 +90,12 @@ if expr "$1" : "apache" 1>/dev/null || [ "$1" = "php-fpm" ]; then
 if [ "$installed_version" = "0.0.0.0" ]; then
 echo "New Friendica instance"
+ file_env FRIENDICA_ADMIN_MAIL
+
+ file_env MYSQL_DATABASE
+ file_env MYSQL_USER
+ file_env MYSQL_PASSWORD
+
 install=false
 if [ -n "${MYSQL_DATABASE+x}" ] && [ -n "${MYSQL_PASSWORD+x}" ] && [ -n "${MYSQL_HOST+x}" ] && [ -n "${MYSQL_USER+x}" ] && [ -n "${FRIENDICA_ADMIN_MAIL+x}" ] && [ -n "${FRIENDICA_URL+x}" ]; then
 echo "Installation with environment variables"
diff --git a/2020.07/fpm/entrypoint.sh b/2020.07/fpm/entrypoint.sh
index a6054e3..9a4ee70 100755
--- a/2020.07/fpm/entrypoint.sh
+++ b/2020.07/fpm/entrypoint.sh
@@ -16,6 +16,30 @@ version_greater() {
 [ "$(printf '%s\n' "$@" | sort -r -t '-' -k2,2 | sort -t '.' -n -k1,1 -k2,2 -s | head -n 1)" != "$1" ]
 }
+# usage: file_env VAR [DEFAULT]
+# ie: file_env 'XYZ_DB_PASSWORD' 'example'
+# (will allow for "$XYZ_DB_PASSWORD_FILE" to fill in the value of
+# "$XYZ_DB_PASSWORD" from a file, especially for Docker's secrets feature)
+file_env() {
+ local var="$1"
+ local fileVar="${var}_FILE"
+ local def="${2:-}"
+ local varValue=$(env | grep -E "^${var}=" | sed -E -e "s/^${var}=//")
+ local fileVarValue=$(env | grep -E "^${fileVar}=" | sed -E -e "s/^${fileVar}=//")
+ if [ -n "${varValue}" ] && [ -n "${fileVarValue}" ]; then
+ echo >&2 "error: both $var and $fileVar are set (but are exclusive)"
+ exit 1
+ fi
+ if [ -n "${varValue}" ]; then
+ export "$var"="${varValue}"
+ elif [ -n "${fileVarValue}" ]; then
+ export "$var"="$(cat "${fileVarValue}")"
+ elif [ -n "${def}" ]; then
+ export "$var"="$def"
+ fi
+ unset "$fileVar"
+}
+
 sh /setup_msmtp.sh
 # just check if we execute apache or php-fpm
@@ -66,6 +90,12 @@ if expr "$1" : "apache" 1>/dev/null || [ "$1" = "php-fpm" ]; then
 if [ "$installed_version" = "0.0.0.0" ]; then
 echo "New Friendica instance"
+ file_env FRIENDICA_ADMIN_MAIL
+
+ file_env MYSQL_DATABASE
+ file_env MYSQL_USER
+ file_env MYSQL_PASSWORD
+
 install=false
 if [ -n "${MYSQL_DATABASE+x}" ] && [ -n "${MYSQL_PASSWORD+x}" ] && [ -n "${MYSQL_HOST+x}" ] && [ -n "${MYSQL_USER+x}" ] && [ -n "${FRIENDICA_ADMIN_MAIL+x}" ] && [ -n "${FRIENDICA_URL+x}" ]; then
 echo "Installation with environment variables"
diff --git a/2020.09-dev/apache/entrypoint.sh b/2020.09-dev/apache/entrypoint.sh
index a6054e3..9a4ee70 100755
--- a/2020.09-dev/apache/entrypoint.sh
+++ b/2020.09-dev/apache/entrypoint.sh
@@ -16,6 +16,30 @@ version_greater() {
 [ "$(printf '%s\n' "$@" | sort -r -t '-' -k2,2 | sort -t '.' -n -k1,1 -k2,2 -s | head -n 1)" != "$1" ]
 }
+# usage: file_env VAR [DEFAULT]
+# ie: file_env 'XYZ_DB_PASSWORD' 'example'
+# (will allow for "$XYZ_DB_PASSWORD_FILE" to fill in the value of
+# "$XYZ_DB_PASSWORD" from a file, especially for Docker's secrets feature)
+file_env() {
+ local var="$1"
+ local fileVar="${var}_FILE"
+ local def="${2:-}"
+ local varValue=$(env | grep -E "^${var}=" | sed -E -e "s/^${var}=//")
+ local fileVarValue=$(env | grep -E "^${fileVar}=" | sed -E -e "s/^${fileVar}=//")
+ if [ -n "${varValue}" ] && [ -n "${fileVarValue}" ]; then
+ echo >&2 "error: both $var and $fileVar are set (but are exclusive)"
+ exit 1
+ fi
+ if [ -n "${varValue}" ]; then
+ export "$var"="${varValue}"
+ elif [ -n "${fileVarValue}" ]; then
+ export "$var"="$(cat "${fileVarValue}")"
+ elif [ -n "${def}" ]; then
+ export "$var"="$def"
+ fi
+ unset "$fileVar"
+}
+
 sh /setup_msmtp.sh
 # just check if we execute apache or php-fpm
@@ -66,6 +90,12 @@ if expr "$1" : "apache" 1>/dev/null || [ "$1" = "php-fpm" ]; then
 if [ "$installed_version" = "0.0.0.0" ]; then
 echo "New Friendica instance"
+ file_env FRIENDICA_ADMIN_MAIL
+
+ file_env MYSQL_DATABASE
+ file_env MYSQL_USER
+ file_env MYSQL_PASSWORD
+
 install=false
 if [ -n "${MYSQL_DATABASE+x}" ] && [ -n "${MYSQL_PASSWORD+x}" ] && [ -n "${MYSQL_HOST+x}" ] && [ -n "${MYSQL_USER+x}" ] && [ -n "${FRIENDICA_ADMIN_MAIL+x}" ] && [ -n "${FRIENDICA_URL+x}" ]; then
 echo "Installation with environment variables"
diff --git a/2020.09-dev/fpm-alpine/entrypoint.sh b/2020.09-dev/fpm-alpine/entrypoint.sh
index a6054e3..9a4ee70 100755
--- a/2020.09-dev/fpm-alpine/entrypoint.sh
+++ b/2020.09-dev/fpm-alpine/entrypoint.sh
@@ -16,6 +16,30 @@ version_greater() {
 [ "$(printf '%s\n' "$@" | sort -r -t '-' -k2,2 | sort -t '.' -n -k1,1 -k2,2 -s | head -n 1)" != "$1" ]
 }
+# usage: file_env VAR [DEFAULT]
+# ie: file_env 'XYZ_DB_PASSWORD' 'example'
+# (will allow for "$XYZ_DB_PASSWORD_FILE" to fill in the value of
+# "$XYZ_DB_PASSWORD" from a file, especially for Docker's secrets feature)
+file_env() {
+ local var="$1"
+ local fileVar="${var}_FILE"
+ local def="${2:-}"
+ local varValue=$(env | grep -E "^${var}=" | sed -E -e "s/^${var}=//")
+ local fileVarValue=$(env | grep -E "^${fileVar}=" | sed -E -e "s/^${fileVar}=//")
+ if [ -n "${varValue}" ] && [ -n "${fileVarValue}" ]; then
+ echo >&2 "error: both $var and $fileVar are set (but are exclusive)"
+ exit 1
+ fi
+ if [ -n "${varValue}" ]; then
+ export "$var"="${varValue}"
+ elif [ -n "${fileVarValue}" ]; then
+ export "$var"="$(cat "${fileVarValue}")"
+ elif [ -n "${def}" ]; then
+ export "$var"="$def"
+ fi
+ unset "$fileVar"
+}
+
 sh /setup_msmtp.sh
 # just check if we execute apache or php-fpm
@@ -66,6 +90,12 @@ if expr "$1" : "apache" 1>/dev/null || [ "$1" = "php-fpm" ]; then
 if [ "$installed_version" = "0.0.0.0" ]; then
 echo "New Friendica instance"
+ file_env FRIENDICA_ADMIN_MAIL
+
+ file_env MYSQL_DATABASE
+ file_env MYSQL_USER
+ file_env MYSQL_PASSWORD
+
 install=false
 if [ -n "${MYSQL_DATABASE+x}" ] && [ -n "${MYSQL_PASSWORD+x}" ] && [ -n "${MYSQL_HOST+x}" ] && [ -n "${MYSQL_USER+x}" ] && [ -n "${FRIENDICA_ADMIN_MAIL+x}" ] && [ -n "${FRIENDICA_URL+x}" ]; then
 echo "Installation with environment variables"
diff --git a/2020.09-dev/fpm/entrypoint.sh b/2020.09-dev/fpm/entrypoint.sh
index a6054e3..9a4ee70 100755
--- a/2020.09-dev/fpm/entrypoint.sh
+++ b/2020.09-dev/fpm/entrypoint.sh
@@ -16,6 +16,30 @@ version_greater() {
 [ "$(printf '%s\n' "$@" | sort -r -t '-' -k2,2 | sort -t '.' -n -k1,1 -k2,2 -s | head -n 1)" != "$1" ]
 }
+# usage: file_env VAR [DEFAULT]
+# ie: file_env 'XYZ_DB_PASSWORD' 'example'
+# (will allow for "$XYZ_DB_PASSWORD_FILE" to fill in the value of
+# "$XYZ_DB_PASSWORD" from a file, especially for Docker's secrets feature)
+file_env() {
+ local var="$1"
+ local fileVar="${var}_FILE"
+ local def="${2:-}"
+ local varValue=$(env | grep -E "^${var}=" | sed -E -e "s/^${var}=//")
+ local fileVarValue=$(env | grep -E "^${fileVar}=" | sed -E -e "s/^${fileVar}=//")
+ if [ -n "${varValue}" ] && [ -n "${fileVarValue}" ]; then
+ echo >&2 "error: both $var and $fileVar are set (but are exclusive)"
+ exit 1
+ fi
+ if [ -n "${varValue}" ]; then
+ export "$var"="${varValue}"
+ elif [ -n "${fileVarValue}" ]; then
+ export "$var"="$(cat "${fileVarValue}")"
+ elif [ -n "${def}" ]; then
+ export "$var"="$def"
+ fi
+ unset "$fileVar"
+}
+
 sh /setup_msmtp.sh
 # just check if we execute apache or php-fpm
@@ -66,6 +90,12 @@ if expr "$1" : "apache" 1>/dev/null || [ "$1" = "php-fpm" ]; then
 if [ "$installed_version" = "0.0.0.0" ]; then
 echo "New Friendica instance"
+ file_env FRIENDICA_ADMIN_MAIL
+
+ file_env MYSQL_DATABASE
+ file_env MYSQL_USER
+ file_env MYSQL_PASSWORD
+
 install=false
 if [ -n "${MYSQL_DATABASE+x}" ] && [ -n "${MYSQL_PASSWORD+x}" ] && [ -n "${MYSQL_HOST+x}" ] && [ -n "${MYSQL_USER+x}" ] && [ -n "${FRIENDICA_ADMIN_MAIL+x}" ] && [ -n "${FRIENDICA_URL+x}" ]; then
 echo "Installation with environment variables"
diff --git a/README.md b/README.md
index 8d32442..4fe70cb 100644
--- a/README.md
+++ b/README.md
@@ -161,6 +161,66 @@ To enable the automatic installation, you have to the following environment vari
 - `MYSQL_DATABASE` Name of the database using mysql / mariadb.
 - `MYSQL_HOST` Hostname of the database server using mysql / mariadb.
+# Docker Secrets
+As an alternative to passing sensitive information via environment variables, _FILE may be appended to the previously listed environment variables, causing the initialization script to load the values for those variables from files present in the container.
+In particular, this can be used to load passwords from Docker secrets stored in /run/secrets/ files.
+For example:
+```yaml
+version: '3.2'
+
+services:
+ db:
+ image: mariadb
+ restart: always
+ volumes:
+ - db:/var/lib/mysql
+ environment:
+ - MYSQL_DATABASE_FILE=/run/secrets/mysql_db
+ - MYSQL_USER_FILE=/run/secrets/mysql_user
+ - MYSQL_PASSWORD_FILE=/run/secrets/mysql_password
+ secrets:
+ - mysql_database
+ - mysql_password
+ - mysql_user
+
+ app:
+ image: friendica
+ restart: always
+ volumes:
+ - friendica:/var/www/html
+ ports:
+ - "8080:80"
+ environment:
+ - MYSQL_HOST=db
+ - MYSQL_DATABASE_FILE=/run/secrets/mysql_db
+ - MYSQL_USER_FILE=/run/secrets/mysql_user
+ - MYSQL_PASSWORD_FILE=/run/secrets/mysql_password
+ - FRIENDICA_ADMIN_MAIL_FILE=/run/secrets/friendica_admin_mail
+ depends_on:
+ - db
+ secrets:
+ - friendica_admin_mail
+ - mysql_database
+ - mysql_password
+ - mysql_user
+
+volumes:
+ db:
+ friendica:
+
+secrets:
+ friendica_admin_mail:
+ file: ./friendica_admin_mail.txt # put admin email to this file
+ mysql_database:
+ file: ./mysql_database.txt # put mysql database name to this file
+ mysql_password:
+ file: ./mysql_password.txt # put mysql password to this file
+ mysql_user:
+ file: ./mysql_user.txt # put mysql username to this file
+```
+
+Currently, this is only supported for `FRIENDICA_ADMIN_MAIL`, `MYSQL_DATABASE`, `MYSQL_PASSWORD`, `MYSQL_USER`.
+
 # Maintenance of the image
 ## Updating to a newer version
diff --git a/docker-entrypoint.sh b/docker-entrypoint.sh
index a6054e3..9a4ee70 100755
--- a/docker-entrypoint.sh
+++ b/docker-entrypoint.sh
@@ -16,6 +16,30 @@ version_greater() {
 [ "$(printf '%s\n' "$@" | sort -r -t '-' -k2,2 | sort -t '.' -n -k1,1 -k2,2 -s | head -n 1)" != "$1" ]
 }
+# usage: file_env VAR [DEFAULT]
+# ie: file_env 'XYZ_DB_PASSWORD' 'example'
+# (will allow for "$XYZ_DB_PASSWORD_FILE" to fill in the value of
+# "$XYZ_DB_PASSWORD" from a file, especially for Docker's secrets feature)
+file_env() {
+ local var="$1"
+ local fileVar="${var}_FILE"
+ local def="${2:-}"
+ local varValue=$(env | grep -E "^${var}=" | sed -E -e "s/^${var}=//")
+ local fileVarValue=$(env | grep -E "^${fileVar}=" | sed -E -e "s/^${fileVar}=//")
+ if [ -n "${varValue}" ] && [ -n "${fileVarValue}" ]; then
+ echo >&2 "error: both $var and $fileVar are set (but are exclusive)"
+ exit 1
+ fi
+ if [ -n "${varValue}" ]; then
+ export "$var"="${varValue}"
+ elif [ -n "${fileVarValue}" ]; then
+ export "$var"="$(cat "${fileVarValue}")"
+ elif [ -n "${def}" ]; then
+ export "$var"="$def"
+ fi
+ unset "$fileVar"
+}
+
 sh /setup_msmtp.sh
 # just check if we execute apache or php-fpm
@@ -66,6 +90,12 @@ if expr "$1" : "apache" 1>/dev/null || [ "$1" = "php-fpm" ]; then
 if [ "$installed_version" = "0.0.0.0" ]; then
 echo "New Friendica instance"
+ file_env FRIENDICA_ADMIN_MAIL
+
+ file_env MYSQL_DATABASE
+ file_env MYSQL_USER
+ file_env MYSQL_PASSWORD
+
 install=false
 if [ -n "${MYSQL_DATABASE+x}" ] && [ -n "${MYSQL_PASSWORD+x}" ] && [ -n "${MYSQL_HOST+x}" ] && [ -n "${MYSQL_USER+x}" ] && [ -n "${FRIENDICA_ADMIN_MAIL+x}" ] && [ -n "${FRIENDICA_URL+x}" ]; then
 echo "Installation with environment variables"