From efe3caebdcd0cf23553aedd8d0f56cea4a5053fa Mon Sep 17 00:00:00 2001 From: Boris Gorbylev Date: Tue, 31 Mar 2020 17:23:57 +0300 Subject: [PATCH 1/3] Compatibility with docker secrets (#560) * Read passwords from files specified with *_PASSWORD_FILE variables (docker secrets) Fixes #731 Signed-off-by: Boris Gorbylev Signed-off-by: Jonas Thelemann * Add NEXTCLOUD_ADMIN_USER, POSTGRES_DB, POSTGRES_USER Signed-off-by: Jonas Thelemann * Fix Variables Signed-off-by: Jonas Thelemann Co-authored-by: Jonas Thelemann --- 16.0/apache/entrypoint.sh | 34 +++++++++++++++++++ 16.0/fpm-alpine/entrypoint.sh | 34 +++++++++++++++++++ 16.0/fpm/entrypoint.sh | 34 +++++++++++++++++++ 17.0/apache/entrypoint.sh | 34 +++++++++++++++++++ 17.0/fpm-alpine/entrypoint.sh | 34 +++++++++++++++++++ 17.0/fpm/entrypoint.sh | 34 +++++++++++++++++++ 18.0/apache/entrypoint.sh | 34 +++++++++++++++++++ 18.0/fpm-alpine/entrypoint.sh | 34 +++++++++++++++++++ 18.0/fpm/entrypoint.sh | 34 +++++++++++++++++++ README.md | 62 +++++++++++++++++++++++++++++++++++ docker-entrypoint.sh | 34 +++++++++++++++++++ 11 files changed, 402 insertions(+) diff --git a/16.0/apache/entrypoint.sh b/16.0/apache/entrypoint.sh index fb2fe686..2510743e 100755 --- a/16.0/apache/entrypoint.sh +++ b/16.0/apache/entrypoint.sh @@ -19,6 +19,30 @@ run_as() { fi } +# usage: file_env VAR [DEFAULT] +# ie: file_env 'XYZ_DB_PASSWORD' 'example' +# (will allow for "$XYZ_DB_PASSWORD_FILE" to fill in the value of +# "$XYZ_DB_PASSWORD" from a file, especially for Docker's secrets feature) +file_env() { + local var="$1" + local fileVar="${var}_FILE" + local def="${2:-}" + local varValue=$(env | grep -E "^${var}=" | sed -E -e "s/^${var}=//") + local fileVarValue=$(env | grep -E "^${fileVar}=" | sed -E -e "s/^${fileVar}=//") + if [ -n "${varValue}" ] && [ -n "${fileVarValue}" ]; then + echo >&2 "error: both $var and $fileVar are set (but are exclusive)" + exit 1 + fi + if [ -n "${varValue}" ]; then + export "$var"="${varValue}" + elif [ -n "${fileVarValue}" ]; then + export "$var"="$(cat "${fileVarValue}")" + elif [ -n "${def}" ]; then + export "$var"="$def" + fi + unset "$fileVar" +} + if expr "$1" : "apache" 1>/dev/null || [ "$1" = "php-fpm" ] || [ "${NEXTCLOUD_UPDATE:-0}" -eq 1 ]; then if [ -n "${REDIS_HOST+x}" ]; then @@ -79,6 +103,9 @@ if expr "$1" : "apache" 1>/dev/null || [ "$1" = "php-fpm" ] || [ "${NEXTCLOUD_UP if [ "$installed_version" = "0.0.0.0" ]; then echo "New nextcloud instance" + file_env NEXTCLOUD_ADMIN_PASSWORD + file_env NEXTCLOUD_ADMIN_USER + if [ -n "${NEXTCLOUD_ADMIN_USER+x}" ] && [ -n "${NEXTCLOUD_ADMIN_PASSWORD+x}" ]; then # shellcheck disable=SC2016 install_options='-n --admin-user "$NEXTCLOUD_ADMIN_USER" --admin-pass "$NEXTCLOUD_ADMIN_PASSWORD"' @@ -91,6 +118,13 @@ if expr "$1" : "apache" 1>/dev/null || [ "$1" = "php-fpm" ] || [ "${NEXTCLOUD_UP install_options=$install_options' --data-dir "$NEXTCLOUD_DATA_DIR"' fi + file_env MYSQL_DATABASE + file_env MYSQL_PASSWORD + file_env MYSQL_USER + file_env POSTGRES_DB + file_env POSTGRES_PASSWORD + file_env POSTGRES_USER + install=false if [ -n "${SQLITE_DATABASE+x}" ]; then echo "Installing with SQLite database" diff --git a/16.0/fpm-alpine/entrypoint.sh b/16.0/fpm-alpine/entrypoint.sh index fb2fe686..2510743e 100755 --- a/16.0/fpm-alpine/entrypoint.sh +++ b/16.0/fpm-alpine/entrypoint.sh @@ -19,6 +19,30 @@ run_as() { fi } +# usage: file_env VAR [DEFAULT] +# ie: file_env 'XYZ_DB_PASSWORD' 'example' +# (will allow for "$XYZ_DB_PASSWORD_FILE" to fill in the value of +# "$XYZ_DB_PASSWORD" from a file, especially for Docker's secrets feature) +file_env() { + local var="$1" + local fileVar="${var}_FILE" + local def="${2:-}" + local varValue=$(env | grep -E "^${var}=" | sed -E -e "s/^${var}=//") + local fileVarValue=$(env | grep -E "^${fileVar}=" | sed -E -e "s/^${fileVar}=//") + if [ -n "${varValue}" ] && [ -n "${fileVarValue}" ]; then + echo >&2 "error: both $var and $fileVar are set (but are exclusive)" + exit 1 + fi + if [ -n "${varValue}" ]; then + export "$var"="${varValue}" + elif [ -n "${fileVarValue}" ]; then + export "$var"="$(cat "${fileVarValue}")" + elif [ -n "${def}" ]; then + export "$var"="$def" + fi + unset "$fileVar" +} + if expr "$1" : "apache" 1>/dev/null || [ "$1" = "php-fpm" ] || [ "${NEXTCLOUD_UPDATE:-0}" -eq 1 ]; then if [ -n "${REDIS_HOST+x}" ]; then @@ -79,6 +103,9 @@ if expr "$1" : "apache" 1>/dev/null || [ "$1" = "php-fpm" ] || [ "${NEXTCLOUD_UP if [ "$installed_version" = "0.0.0.0" ]; then echo "New nextcloud instance" + file_env NEXTCLOUD_ADMIN_PASSWORD + file_env NEXTCLOUD_ADMIN_USER + if [ -n "${NEXTCLOUD_ADMIN_USER+x}" ] && [ -n "${NEXTCLOUD_ADMIN_PASSWORD+x}" ]; then # shellcheck disable=SC2016 install_options='-n --admin-user "$NEXTCLOUD_ADMIN_USER" --admin-pass "$NEXTCLOUD_ADMIN_PASSWORD"' @@ -91,6 +118,13 @@ if expr "$1" : "apache" 1>/dev/null || [ "$1" = "php-fpm" ] || [ "${NEXTCLOUD_UP install_options=$install_options' --data-dir "$NEXTCLOUD_DATA_DIR"' fi + file_env MYSQL_DATABASE + file_env MYSQL_PASSWORD + file_env MYSQL_USER + file_env POSTGRES_DB + file_env POSTGRES_PASSWORD + file_env POSTGRES_USER + install=false if [ -n "${SQLITE_DATABASE+x}" ]; then echo "Installing with SQLite database" diff --git a/16.0/fpm/entrypoint.sh b/16.0/fpm/entrypoint.sh index fb2fe686..2510743e 100755 --- a/16.0/fpm/entrypoint.sh +++ b/16.0/fpm/entrypoint.sh @@ -19,6 +19,30 @@ run_as() { fi } +# usage: file_env VAR [DEFAULT] +# ie: file_env 'XYZ_DB_PASSWORD' 'example' +# (will allow for "$XYZ_DB_PASSWORD_FILE" to fill in the value of +# "$XYZ_DB_PASSWORD" from a file, especially for Docker's secrets feature) +file_env() { + local var="$1" + local fileVar="${var}_FILE" + local def="${2:-}" + local varValue=$(env | grep -E "^${var}=" | sed -E -e "s/^${var}=//") + local fileVarValue=$(env | grep -E "^${fileVar}=" | sed -E -e "s/^${fileVar}=//") + if [ -n "${varValue}" ] && [ -n "${fileVarValue}" ]; then + echo >&2 "error: both $var and $fileVar are set (but are exclusive)" + exit 1 + fi + if [ -n "${varValue}" ]; then + export "$var"="${varValue}" + elif [ -n "${fileVarValue}" ]; then + export "$var"="$(cat "${fileVarValue}")" + elif [ -n "${def}" ]; then + export "$var"="$def" + fi + unset "$fileVar" +} + if expr "$1" : "apache" 1>/dev/null || [ "$1" = "php-fpm" ] || [ "${NEXTCLOUD_UPDATE:-0}" -eq 1 ]; then if [ -n "${REDIS_HOST+x}" ]; then @@ -79,6 +103,9 @@ if expr "$1" : "apache" 1>/dev/null || [ "$1" = "php-fpm" ] || [ "${NEXTCLOUD_UP if [ "$installed_version" = "0.0.0.0" ]; then echo "New nextcloud instance" + file_env NEXTCLOUD_ADMIN_PASSWORD + file_env NEXTCLOUD_ADMIN_USER + if [ -n "${NEXTCLOUD_ADMIN_USER+x}" ] && [ -n "${NEXTCLOUD_ADMIN_PASSWORD+x}" ]; then # shellcheck disable=SC2016 install_options='-n --admin-user "$NEXTCLOUD_ADMIN_USER" --admin-pass "$NEXTCLOUD_ADMIN_PASSWORD"' @@ -91,6 +118,13 @@ if expr "$1" : "apache" 1>/dev/null || [ "$1" = "php-fpm" ] || [ "${NEXTCLOUD_UP install_options=$install_options' --data-dir "$NEXTCLOUD_DATA_DIR"' fi + file_env MYSQL_DATABASE + file_env MYSQL_PASSWORD + file_env MYSQL_USER + file_env POSTGRES_DB + file_env POSTGRES_PASSWORD + file_env POSTGRES_USER + install=false if [ -n "${SQLITE_DATABASE+x}" ]; then echo "Installing with SQLite database" diff --git a/17.0/apache/entrypoint.sh b/17.0/apache/entrypoint.sh index fb2fe686..2510743e 100755 --- a/17.0/apache/entrypoint.sh +++ b/17.0/apache/entrypoint.sh @@ -19,6 +19,30 @@ run_as() { fi } +# usage: file_env VAR [DEFAULT] +# ie: file_env 'XYZ_DB_PASSWORD' 'example' +# (will allow for "$XYZ_DB_PASSWORD_FILE" to fill in the value of +# "$XYZ_DB_PASSWORD" from a file, especially for Docker's secrets feature) +file_env() { + local var="$1" + local fileVar="${var}_FILE" + local def="${2:-}" + local varValue=$(env | grep -E "^${var}=" | sed -E -e "s/^${var}=//") + local fileVarValue=$(env | grep -E "^${fileVar}=" | sed -E -e "s/^${fileVar}=//") + if [ -n "${varValue}" ] && [ -n "${fileVarValue}" ]; then + echo >&2 "error: both $var and $fileVar are set (but are exclusive)" + exit 1 + fi + if [ -n "${varValue}" ]; then + export "$var"="${varValue}" + elif [ -n "${fileVarValue}" ]; then + export "$var"="$(cat "${fileVarValue}")" + elif [ -n "${def}" ]; then + export "$var"="$def" + fi + unset "$fileVar" +} + if expr "$1" : "apache" 1>/dev/null || [ "$1" = "php-fpm" ] || [ "${NEXTCLOUD_UPDATE:-0}" -eq 1 ]; then if [ -n "${REDIS_HOST+x}" ]; then @@ -79,6 +103,9 @@ if expr "$1" : "apache" 1>/dev/null || [ "$1" = "php-fpm" ] || [ "${NEXTCLOUD_UP if [ "$installed_version" = "0.0.0.0" ]; then echo "New nextcloud instance" + file_env NEXTCLOUD_ADMIN_PASSWORD + file_env NEXTCLOUD_ADMIN_USER + if [ -n "${NEXTCLOUD_ADMIN_USER+x}" ] && [ -n "${NEXTCLOUD_ADMIN_PASSWORD+x}" ]; then # shellcheck disable=SC2016 install_options='-n --admin-user "$NEXTCLOUD_ADMIN_USER" --admin-pass "$NEXTCLOUD_ADMIN_PASSWORD"' @@ -91,6 +118,13 @@ if expr "$1" : "apache" 1>/dev/null || [ "$1" = "php-fpm" ] || [ "${NEXTCLOUD_UP install_options=$install_options' --data-dir "$NEXTCLOUD_DATA_DIR"' fi + file_env MYSQL_DATABASE + file_env MYSQL_PASSWORD + file_env MYSQL_USER + file_env POSTGRES_DB + file_env POSTGRES_PASSWORD + file_env POSTGRES_USER + install=false if [ -n "${SQLITE_DATABASE+x}" ]; then echo "Installing with SQLite database" diff --git a/17.0/fpm-alpine/entrypoint.sh b/17.0/fpm-alpine/entrypoint.sh index fb2fe686..2510743e 100755 --- a/17.0/fpm-alpine/entrypoint.sh +++ b/17.0/fpm-alpine/entrypoint.sh @@ -19,6 +19,30 @@ run_as() { fi } +# usage: file_env VAR [DEFAULT] +# ie: file_env 'XYZ_DB_PASSWORD' 'example' +# (will allow for "$XYZ_DB_PASSWORD_FILE" to fill in the value of +# "$XYZ_DB_PASSWORD" from a file, especially for Docker's secrets feature) +file_env() { + local var="$1" + local fileVar="${var}_FILE" + local def="${2:-}" + local varValue=$(env | grep -E "^${var}=" | sed -E -e "s/^${var}=//") + local fileVarValue=$(env | grep -E "^${fileVar}=" | sed -E -e "s/^${fileVar}=//") + if [ -n "${varValue}" ] && [ -n "${fileVarValue}" ]; then + echo >&2 "error: both $var and $fileVar are set (but are exclusive)" + exit 1 + fi + if [ -n "${varValue}" ]; then + export "$var"="${varValue}" + elif [ -n "${fileVarValue}" ]; then + export "$var"="$(cat "${fileVarValue}")" + elif [ -n "${def}" ]; then + export "$var"="$def" + fi + unset "$fileVar" +} + if expr "$1" : "apache" 1>/dev/null || [ "$1" = "php-fpm" ] || [ "${NEXTCLOUD_UPDATE:-0}" -eq 1 ]; then if [ -n "${REDIS_HOST+x}" ]; then @@ -79,6 +103,9 @@ if expr "$1" : "apache" 1>/dev/null || [ "$1" = "php-fpm" ] || [ "${NEXTCLOUD_UP if [ "$installed_version" = "0.0.0.0" ]; then echo "New nextcloud instance" + file_env NEXTCLOUD_ADMIN_PASSWORD + file_env NEXTCLOUD_ADMIN_USER + if [ -n "${NEXTCLOUD_ADMIN_USER+x}" ] && [ -n "${NEXTCLOUD_ADMIN_PASSWORD+x}" ]; then # shellcheck disable=SC2016 install_options='-n --admin-user "$NEXTCLOUD_ADMIN_USER" --admin-pass "$NEXTCLOUD_ADMIN_PASSWORD"' @@ -91,6 +118,13 @@ if expr "$1" : "apache" 1>/dev/null || [ "$1" = "php-fpm" ] || [ "${NEXTCLOUD_UP install_options=$install_options' --data-dir "$NEXTCLOUD_DATA_DIR"' fi + file_env MYSQL_DATABASE + file_env MYSQL_PASSWORD + file_env MYSQL_USER + file_env POSTGRES_DB + file_env POSTGRES_PASSWORD + file_env POSTGRES_USER + install=false if [ -n "${SQLITE_DATABASE+x}" ]; then echo "Installing with SQLite database" diff --git a/17.0/fpm/entrypoint.sh b/17.0/fpm/entrypoint.sh index fb2fe686..2510743e 100755 --- a/17.0/fpm/entrypoint.sh +++ b/17.0/fpm/entrypoint.sh @@ -19,6 +19,30 @@ run_as() { fi } +# usage: file_env VAR [DEFAULT] +# ie: file_env 'XYZ_DB_PASSWORD' 'example' +# (will allow for "$XYZ_DB_PASSWORD_FILE" to fill in the value of +# "$XYZ_DB_PASSWORD" from a file, especially for Docker's secrets feature) +file_env() { + local var="$1" + local fileVar="${var}_FILE" + local def="${2:-}" + local varValue=$(env | grep -E "^${var}=" | sed -E -e "s/^${var}=//") + local fileVarValue=$(env | grep -E "^${fileVar}=" | sed -E -e "s/^${fileVar}=//") + if [ -n "${varValue}" ] && [ -n "${fileVarValue}" ]; then + echo >&2 "error: both $var and $fileVar are set (but are exclusive)" + exit 1 + fi + if [ -n "${varValue}" ]; then + export "$var"="${varValue}" + elif [ -n "${fileVarValue}" ]; then + export "$var"="$(cat "${fileVarValue}")" + elif [ -n "${def}" ]; then + export "$var"="$def" + fi + unset "$fileVar" +} + if expr "$1" : "apache" 1>/dev/null || [ "$1" = "php-fpm" ] || [ "${NEXTCLOUD_UPDATE:-0}" -eq 1 ]; then if [ -n "${REDIS_HOST+x}" ]; then @@ -79,6 +103,9 @@ if expr "$1" : "apache" 1>/dev/null || [ "$1" = "php-fpm" ] || [ "${NEXTCLOUD_UP if [ "$installed_version" = "0.0.0.0" ]; then echo "New nextcloud instance" + file_env NEXTCLOUD_ADMIN_PASSWORD + file_env NEXTCLOUD_ADMIN_USER + if [ -n "${NEXTCLOUD_ADMIN_USER+x}" ] && [ -n "${NEXTCLOUD_ADMIN_PASSWORD+x}" ]; then # shellcheck disable=SC2016 install_options='-n --admin-user "$NEXTCLOUD_ADMIN_USER" --admin-pass "$NEXTCLOUD_ADMIN_PASSWORD"' @@ -91,6 +118,13 @@ if expr "$1" : "apache" 1>/dev/null || [ "$1" = "php-fpm" ] || [ "${NEXTCLOUD_UP install_options=$install_options' --data-dir "$NEXTCLOUD_DATA_DIR"' fi + file_env MYSQL_DATABASE + file_env MYSQL_PASSWORD + file_env MYSQL_USER + file_env POSTGRES_DB + file_env POSTGRES_PASSWORD + file_env POSTGRES_USER + install=false if [ -n "${SQLITE_DATABASE+x}" ]; then echo "Installing with SQLite database" diff --git a/18.0/apache/entrypoint.sh b/18.0/apache/entrypoint.sh index fb2fe686..2510743e 100755 --- a/18.0/apache/entrypoint.sh +++ b/18.0/apache/entrypoint.sh @@ -19,6 +19,30 @@ run_as() { fi } +# usage: file_env VAR [DEFAULT] +# ie: file_env 'XYZ_DB_PASSWORD' 'example' +# (will allow for "$XYZ_DB_PASSWORD_FILE" to fill in the value of +# "$XYZ_DB_PASSWORD" from a file, especially for Docker's secrets feature) +file_env() { + local var="$1" + local fileVar="${var}_FILE" + local def="${2:-}" + local varValue=$(env | grep -E "^${var}=" | sed -E -e "s/^${var}=//") + local fileVarValue=$(env | grep -E "^${fileVar}=" | sed -E -e "s/^${fileVar}=//") + if [ -n "${varValue}" ] && [ -n "${fileVarValue}" ]; then + echo >&2 "error: both $var and $fileVar are set (but are exclusive)" + exit 1 + fi + if [ -n "${varValue}" ]; then + export "$var"="${varValue}" + elif [ -n "${fileVarValue}" ]; then + export "$var"="$(cat "${fileVarValue}")" + elif [ -n "${def}" ]; then + export "$var"="$def" + fi + unset "$fileVar" +} + if expr "$1" : "apache" 1>/dev/null || [ "$1" = "php-fpm" ] || [ "${NEXTCLOUD_UPDATE:-0}" -eq 1 ]; then if [ -n "${REDIS_HOST+x}" ]; then @@ -79,6 +103,9 @@ if expr "$1" : "apache" 1>/dev/null || [ "$1" = "php-fpm" ] || [ "${NEXTCLOUD_UP if [ "$installed_version" = "0.0.0.0" ]; then echo "New nextcloud instance" + file_env NEXTCLOUD_ADMIN_PASSWORD + file_env NEXTCLOUD_ADMIN_USER + if [ -n "${NEXTCLOUD_ADMIN_USER+x}" ] && [ -n "${NEXTCLOUD_ADMIN_PASSWORD+x}" ]; then # shellcheck disable=SC2016 install_options='-n --admin-user "$NEXTCLOUD_ADMIN_USER" --admin-pass "$NEXTCLOUD_ADMIN_PASSWORD"' @@ -91,6 +118,13 @@ if expr "$1" : "apache" 1>/dev/null || [ "$1" = "php-fpm" ] || [ "${NEXTCLOUD_UP install_options=$install_options' --data-dir "$NEXTCLOUD_DATA_DIR"' fi + file_env MYSQL_DATABASE + file_env MYSQL_PASSWORD + file_env MYSQL_USER + file_env POSTGRES_DB + file_env POSTGRES_PASSWORD + file_env POSTGRES_USER + install=false if [ -n "${SQLITE_DATABASE+x}" ]; then echo "Installing with SQLite database" diff --git a/18.0/fpm-alpine/entrypoint.sh b/18.0/fpm-alpine/entrypoint.sh index fb2fe686..2510743e 100755 --- a/18.0/fpm-alpine/entrypoint.sh +++ b/18.0/fpm-alpine/entrypoint.sh @@ -19,6 +19,30 @@ run_as() { fi } +# usage: file_env VAR [DEFAULT] +# ie: file_env 'XYZ_DB_PASSWORD' 'example' +# (will allow for "$XYZ_DB_PASSWORD_FILE" to fill in the value of +# "$XYZ_DB_PASSWORD" from a file, especially for Docker's secrets feature) +file_env() { + local var="$1" + local fileVar="${var}_FILE" + local def="${2:-}" + local varValue=$(env | grep -E "^${var}=" | sed -E -e "s/^${var}=//") + local fileVarValue=$(env | grep -E "^${fileVar}=" | sed -E -e "s/^${fileVar}=//") + if [ -n "${varValue}" ] && [ -n "${fileVarValue}" ]; then + echo >&2 "error: both $var and $fileVar are set (but are exclusive)" + exit 1 + fi + if [ -n "${varValue}" ]; then + export "$var"="${varValue}" + elif [ -n "${fileVarValue}" ]; then + export "$var"="$(cat "${fileVarValue}")" + elif [ -n "${def}" ]; then + export "$var"="$def" + fi + unset "$fileVar" +} + if expr "$1" : "apache" 1>/dev/null || [ "$1" = "php-fpm" ] || [ "${NEXTCLOUD_UPDATE:-0}" -eq 1 ]; then if [ -n "${REDIS_HOST+x}" ]; then @@ -79,6 +103,9 @@ if expr "$1" : "apache" 1>/dev/null || [ "$1" = "php-fpm" ] || [ "${NEXTCLOUD_UP if [ "$installed_version" = "0.0.0.0" ]; then echo "New nextcloud instance" + file_env NEXTCLOUD_ADMIN_PASSWORD + file_env NEXTCLOUD_ADMIN_USER + if [ -n "${NEXTCLOUD_ADMIN_USER+x}" ] && [ -n "${NEXTCLOUD_ADMIN_PASSWORD+x}" ]; then # shellcheck disable=SC2016 install_options='-n --admin-user "$NEXTCLOUD_ADMIN_USER" --admin-pass "$NEXTCLOUD_ADMIN_PASSWORD"' @@ -91,6 +118,13 @@ if expr "$1" : "apache" 1>/dev/null || [ "$1" = "php-fpm" ] || [ "${NEXTCLOUD_UP install_options=$install_options' --data-dir "$NEXTCLOUD_DATA_DIR"' fi + file_env MYSQL_DATABASE + file_env MYSQL_PASSWORD + file_env MYSQL_USER + file_env POSTGRES_DB + file_env POSTGRES_PASSWORD + file_env POSTGRES_USER + install=false if [ -n "${SQLITE_DATABASE+x}" ]; then echo "Installing with SQLite database" diff --git a/18.0/fpm/entrypoint.sh b/18.0/fpm/entrypoint.sh index fb2fe686..2510743e 100755 --- a/18.0/fpm/entrypoint.sh +++ b/18.0/fpm/entrypoint.sh @@ -19,6 +19,30 @@ run_as() { fi } +# usage: file_env VAR [DEFAULT] +# ie: file_env 'XYZ_DB_PASSWORD' 'example' +# (will allow for "$XYZ_DB_PASSWORD_FILE" to fill in the value of +# "$XYZ_DB_PASSWORD" from a file, especially for Docker's secrets feature) +file_env() { + local var="$1" + local fileVar="${var}_FILE" + local def="${2:-}" + local varValue=$(env | grep -E "^${var}=" | sed -E -e "s/^${var}=//") + local fileVarValue=$(env | grep -E "^${fileVar}=" | sed -E -e "s/^${fileVar}=//") + if [ -n "${varValue}" ] && [ -n "${fileVarValue}" ]; then + echo >&2 "error: both $var and $fileVar are set (but are exclusive)" + exit 1 + fi + if [ -n "${varValue}" ]; then + export "$var"="${varValue}" + elif [ -n "${fileVarValue}" ]; then + export "$var"="$(cat "${fileVarValue}")" + elif [ -n "${def}" ]; then + export "$var"="$def" + fi + unset "$fileVar" +} + if expr "$1" : "apache" 1>/dev/null || [ "$1" = "php-fpm" ] || [ "${NEXTCLOUD_UPDATE:-0}" -eq 1 ]; then if [ -n "${REDIS_HOST+x}" ]; then @@ -79,6 +103,9 @@ if expr "$1" : "apache" 1>/dev/null || [ "$1" = "php-fpm" ] || [ "${NEXTCLOUD_UP if [ "$installed_version" = "0.0.0.0" ]; then echo "New nextcloud instance" + file_env NEXTCLOUD_ADMIN_PASSWORD + file_env NEXTCLOUD_ADMIN_USER + if [ -n "${NEXTCLOUD_ADMIN_USER+x}" ] && [ -n "${NEXTCLOUD_ADMIN_PASSWORD+x}" ]; then # shellcheck disable=SC2016 install_options='-n --admin-user "$NEXTCLOUD_ADMIN_USER" --admin-pass "$NEXTCLOUD_ADMIN_PASSWORD"' @@ -91,6 +118,13 @@ if expr "$1" : "apache" 1>/dev/null || [ "$1" = "php-fpm" ] || [ "${NEXTCLOUD_UP install_options=$install_options' --data-dir "$NEXTCLOUD_DATA_DIR"' fi + file_env MYSQL_DATABASE + file_env MYSQL_PASSWORD + file_env MYSQL_USER + file_env POSTGRES_DB + file_env POSTGRES_PASSWORD + file_env POSTGRES_USER + install=false if [ -n "${SQLITE_DATABASE+x}" ]; then echo "Installing with SQLite database" diff --git a/README.md b/README.md index 8721eb66..69ab22d9 100644 --- a/README.md +++ b/README.md @@ -252,6 +252,68 @@ services: Then run `docker-compose up -d`, now you can access Nextcloud at http://localhost:8080/ from your host system. +# Docker Secrets +As an alternative to passing sensitive information via environment variables, _FILE may be appended to the previously listed environment variables, causing the initialization script to load the values for those variables from files present in the container. In particular, this can be used to load passwords from Docker secrets stored in /run/secrets/ files. For example: +```yaml +version: '3.2' + +services: + db: + image: postgres + restart: always + volumes: + - db:/var/lib/postgresql/data + environment: + - POSTGRES_DB_FILE=/run/secrets/postgres_db + - POSTGRES_USER_FILE=/run/secrets/postgres_user + - POSTGRES_PASSWORD_FILE=/run/secrets/postgres_password + secrets: + - postgres_db + - postgres_password + - postgres_user + + app: + image: nextcloud + restart: always + ports: + - 8080:80 + volumes: + - nextcloud:/var/www/html + environment: + - POSTGRES_HOST=db + - POSTGRES_DB_FILE=/run/secrets/postgres_db + - POSTGRES_USER_FILE=/run/secrets/postgres_user + - POSTGRES_PASSWORD_FILE=/run/secrets/postgres_password + - NEXTCLOUD_ADMIN_PASSWORD_FILE=/run/secrets/nextcloud_admin_password + - NEXTCLOUD_ADMIN_USER_FILE=/run/secrets/nextcloud_admin_user + depends_on: + - db + secrets: + - nextcloud_admin_password + - nextcloud_admin_user + - postgres_db + - postgres_password + - postgres_user + +volumes: + db: + nextcloud: + +secrets: + nextcloud_admin_password: + file: ./nextcloud_admin_password.txt # put admin password to this file + nextcloud_admin_user: + file: ./nextcloud_admin_user.txt # put admin username to this file + postgres_db: + file: ./postgres_db.txt # put postgresql db name to this file + postgres_password: + file: ./postgres_password.txt # put postgresql password to this file + postgres_user: + file: ./postgres_user.txt # put postgresql username to this file +``` + +Currently, this is only supported for `NEXTCLOUD_ADMIN_PASSWORD`, `NEXTCLOUD_ADMIN_USER`, `MYSQL_DB`, `MYSQL_PASSWORD`, `MYSQL_USER`, `POSTGRES_DB`, `POSTGRES_PASSWORD`, `POSTGRES_USER`. + # Make your Nextcloud available from the internet Until here, your Nextcloud is just available from you docker host. If you want your Nextcloud available from the internet adding SSL encryption is mandatory. diff --git a/docker-entrypoint.sh b/docker-entrypoint.sh index fb2fe686..2510743e 100755 --- a/docker-entrypoint.sh +++ b/docker-entrypoint.sh @@ -19,6 +19,30 @@ run_as() { fi } +# usage: file_env VAR [DEFAULT] +# ie: file_env 'XYZ_DB_PASSWORD' 'example' +# (will allow for "$XYZ_DB_PASSWORD_FILE" to fill in the value of +# "$XYZ_DB_PASSWORD" from a file, especially for Docker's secrets feature) +file_env() { + local var="$1" + local fileVar="${var}_FILE" + local def="${2:-}" + local varValue=$(env | grep -E "^${var}=" | sed -E -e "s/^${var}=//") + local fileVarValue=$(env | grep -E "^${fileVar}=" | sed -E -e "s/^${fileVar}=//") + if [ -n "${varValue}" ] && [ -n "${fileVarValue}" ]; then + echo >&2 "error: both $var and $fileVar are set (but are exclusive)" + exit 1 + fi + if [ -n "${varValue}" ]; then + export "$var"="${varValue}" + elif [ -n "${fileVarValue}" ]; then + export "$var"="$(cat "${fileVarValue}")" + elif [ -n "${def}" ]; then + export "$var"="$def" + fi + unset "$fileVar" +} + if expr "$1" : "apache" 1>/dev/null || [ "$1" = "php-fpm" ] || [ "${NEXTCLOUD_UPDATE:-0}" -eq 1 ]; then if [ -n "${REDIS_HOST+x}" ]; then @@ -79,6 +103,9 @@ if expr "$1" : "apache" 1>/dev/null || [ "$1" = "php-fpm" ] || [ "${NEXTCLOUD_UP if [ "$installed_version" = "0.0.0.0" ]; then echo "New nextcloud instance" + file_env NEXTCLOUD_ADMIN_PASSWORD + file_env NEXTCLOUD_ADMIN_USER + if [ -n "${NEXTCLOUD_ADMIN_USER+x}" ] && [ -n "${NEXTCLOUD_ADMIN_PASSWORD+x}" ]; then # shellcheck disable=SC2016 install_options='-n --admin-user "$NEXTCLOUD_ADMIN_USER" --admin-pass "$NEXTCLOUD_ADMIN_PASSWORD"' @@ -91,6 +118,13 @@ if expr "$1" : "apache" 1>/dev/null || [ "$1" = "php-fpm" ] || [ "${NEXTCLOUD_UP install_options=$install_options' --data-dir "$NEXTCLOUD_DATA_DIR"' fi + file_env MYSQL_DATABASE + file_env MYSQL_PASSWORD + file_env MYSQL_USER + file_env POSTGRES_DB + file_env POSTGRES_PASSWORD + file_env POSTGRES_USER + install=false if [ -n "${SQLITE_DATABASE+x}" ]; then echo "Installing with SQLite database" From 63438ef792fdedd4ceb80664d22391aca21f6bd1 Mon Sep 17 00:00:00 2001 From: kesselb Date: Mon, 6 Apr 2020 22:44:58 +0200 Subject: [PATCH 2/3] Disable rewriteip for apache image (#1010) * Disable rewrite ip for apache image Signed-off-by: Daniel Kesselberg * Run update.sh Signed-off-by: Daniel Kesselberg --- .config/reverse_proxy.config.php | 11 +++++++++++ 16.0/apache/config/reverse_proxy.config.php | 11 +++++++++++ 16.0/apache/entrypoint.sh | 6 ++++++ 16.0/fpm-alpine/config/reverse_proxy.config.php | 11 +++++++++++ 16.0/fpm-alpine/entrypoint.sh | 6 ++++++ 16.0/fpm/config/reverse_proxy.config.php | 11 +++++++++++ 16.0/fpm/entrypoint.sh | 6 ++++++ 17.0/apache/config/reverse_proxy.config.php | 11 +++++++++++ 17.0/apache/entrypoint.sh | 6 ++++++ 17.0/fpm-alpine/config/reverse_proxy.config.php | 11 +++++++++++ 17.0/fpm-alpine/entrypoint.sh | 6 ++++++ 17.0/fpm/config/reverse_proxy.config.php | 11 +++++++++++ 17.0/fpm/entrypoint.sh | 6 ++++++ 18.0/apache/config/reverse_proxy.config.php | 11 +++++++++++ 18.0/apache/entrypoint.sh | 6 ++++++ 18.0/fpm-alpine/config/reverse_proxy.config.php | 11 +++++++++++ 18.0/fpm-alpine/entrypoint.sh | 6 ++++++ 18.0/fpm/config/reverse_proxy.config.php | 11 +++++++++++ 18.0/fpm/entrypoint.sh | 6 ++++++ README.md | 8 ++++++++ docker-entrypoint.sh | 6 ++++++ 21 files changed, 178 insertions(+) create mode 100644 .config/reverse_proxy.config.php create mode 100644 16.0/apache/config/reverse_proxy.config.php create mode 100644 16.0/fpm-alpine/config/reverse_proxy.config.php create mode 100644 16.0/fpm/config/reverse_proxy.config.php create mode 100644 17.0/apache/config/reverse_proxy.config.php create mode 100644 17.0/fpm-alpine/config/reverse_proxy.config.php create mode 100644 17.0/fpm/config/reverse_proxy.config.php create mode 100644 18.0/apache/config/reverse_proxy.config.php create mode 100644 18.0/fpm-alpine/config/reverse_proxy.config.php create mode 100644 18.0/fpm/config/reverse_proxy.config.php diff --git a/.config/reverse_proxy.config.php b/.config/reverse_proxy.config.php new file mode 100644 index 00000000..26a8bff3 --- /dev/null +++ b/.config/reverse_proxy.config.php @@ -0,0 +1,11 @@ +/dev/null; then + if [ -n "${APACHE_DISABLE_REWRITE_IP+x}" ]; then + a2disconf remoteip + fi +fi + if expr "$1" : "apache" 1>/dev/null || [ "$1" = "php-fpm" ] || [ "${NEXTCLOUD_UPDATE:-0}" -eq 1 ]; then if [ -n "${REDIS_HOST+x}" ]; then diff --git a/16.0/fpm-alpine/config/reverse_proxy.config.php b/16.0/fpm-alpine/config/reverse_proxy.config.php new file mode 100644 index 00000000..26a8bff3 --- /dev/null +++ b/16.0/fpm-alpine/config/reverse_proxy.config.php @@ -0,0 +1,11 @@ +/dev/null; then + if [ -n "${APACHE_DISABLE_REWRITE_IP+x}" ]; then + a2disconf remoteip + fi +fi + if expr "$1" : "apache" 1>/dev/null || [ "$1" = "php-fpm" ] || [ "${NEXTCLOUD_UPDATE:-0}" -eq 1 ]; then if [ -n "${REDIS_HOST+x}" ]; then diff --git a/16.0/fpm/config/reverse_proxy.config.php b/16.0/fpm/config/reverse_proxy.config.php new file mode 100644 index 00000000..26a8bff3 --- /dev/null +++ b/16.0/fpm/config/reverse_proxy.config.php @@ -0,0 +1,11 @@ +/dev/null; then + if [ -n "${APACHE_DISABLE_REWRITE_IP+x}" ]; then + a2disconf remoteip + fi +fi + if expr "$1" : "apache" 1>/dev/null || [ "$1" = "php-fpm" ] || [ "${NEXTCLOUD_UPDATE:-0}" -eq 1 ]; then if [ -n "${REDIS_HOST+x}" ]; then diff --git a/17.0/apache/config/reverse_proxy.config.php b/17.0/apache/config/reverse_proxy.config.php new file mode 100644 index 00000000..26a8bff3 --- /dev/null +++ b/17.0/apache/config/reverse_proxy.config.php @@ -0,0 +1,11 @@ +/dev/null; then + if [ -n "${APACHE_DISABLE_REWRITE_IP+x}" ]; then + a2disconf remoteip + fi +fi + if expr "$1" : "apache" 1>/dev/null || [ "$1" = "php-fpm" ] || [ "${NEXTCLOUD_UPDATE:-0}" -eq 1 ]; then if [ -n "${REDIS_HOST+x}" ]; then diff --git a/17.0/fpm-alpine/config/reverse_proxy.config.php b/17.0/fpm-alpine/config/reverse_proxy.config.php new file mode 100644 index 00000000..26a8bff3 --- /dev/null +++ b/17.0/fpm-alpine/config/reverse_proxy.config.php @@ -0,0 +1,11 @@ +/dev/null; then + if [ -n "${APACHE_DISABLE_REWRITE_IP+x}" ]; then + a2disconf remoteip + fi +fi + if expr "$1" : "apache" 1>/dev/null || [ "$1" = "php-fpm" ] || [ "${NEXTCLOUD_UPDATE:-0}" -eq 1 ]; then if [ -n "${REDIS_HOST+x}" ]; then diff --git a/17.0/fpm/config/reverse_proxy.config.php b/17.0/fpm/config/reverse_proxy.config.php new file mode 100644 index 00000000..26a8bff3 --- /dev/null +++ b/17.0/fpm/config/reverse_proxy.config.php @@ -0,0 +1,11 @@ +/dev/null; then + if [ -n "${APACHE_DISABLE_REWRITE_IP+x}" ]; then + a2disconf remoteip + fi +fi + if expr "$1" : "apache" 1>/dev/null || [ "$1" = "php-fpm" ] || [ "${NEXTCLOUD_UPDATE:-0}" -eq 1 ]; then if [ -n "${REDIS_HOST+x}" ]; then diff --git a/18.0/apache/config/reverse_proxy.config.php b/18.0/apache/config/reverse_proxy.config.php new file mode 100644 index 00000000..26a8bff3 --- /dev/null +++ b/18.0/apache/config/reverse_proxy.config.php @@ -0,0 +1,11 @@ +/dev/null; then + if [ -n "${APACHE_DISABLE_REWRITE_IP+x}" ]; then + a2disconf remoteip + fi +fi + if expr "$1" : "apache" 1>/dev/null || [ "$1" = "php-fpm" ] || [ "${NEXTCLOUD_UPDATE:-0}" -eq 1 ]; then if [ -n "${REDIS_HOST+x}" ]; then diff --git a/18.0/fpm-alpine/config/reverse_proxy.config.php b/18.0/fpm-alpine/config/reverse_proxy.config.php new file mode 100644 index 00000000..26a8bff3 --- /dev/null +++ b/18.0/fpm-alpine/config/reverse_proxy.config.php @@ -0,0 +1,11 @@ +/dev/null; then + if [ -n "${APACHE_DISABLE_REWRITE_IP+x}" ]; then + a2disconf remoteip + fi +fi + if expr "$1" : "apache" 1>/dev/null || [ "$1" = "php-fpm" ] || [ "${NEXTCLOUD_UPDATE:-0}" -eq 1 ]; then if [ -n "${REDIS_HOST+x}" ]; then diff --git a/18.0/fpm/config/reverse_proxy.config.php b/18.0/fpm/config/reverse_proxy.config.php new file mode 100644 index 00000000..26a8bff3 --- /dev/null +++ b/18.0/fpm/config/reverse_proxy.config.php @@ -0,0 +1,11 @@ +/dev/null; then + if [ -n "${APACHE_DISABLE_REWRITE_IP+x}" ]; then + a2disconf remoteip + fi +fi + if expr "$1" : "apache" 1>/dev/null || [ "$1" = "php-fpm" ] || [ "${NEXTCLOUD_UPDATE:-0}" -eq 1 ]; then if [ -n "${REDIS_HOST+x}" ]; then diff --git a/README.md b/README.md index 69ab22d9..c7fda8a6 100644 --- a/README.md +++ b/README.md @@ -158,6 +158,14 @@ To use an external SMTP server, you have to provide the connection details. To c Check the [Nextcloud documentation](https://docs.nextcloud.com/server/15/admin_manual/configuration_server/email_configuration.html) for other values to configure SMTP. +## Using the apache image behind a reverse proxy and auto configure server host and protocol + +The apache image will replace the remote addr (ip address visible to Nextcloud) with the ip address from `X-Real-IP` if the request is coming from a proxy in 10.0.0.0/8, 172.16.0.0/12 or 192.168.0.0/16 by default. If you want Nextcloud to pick up the server host (`HTTP_X_FORWARDED_HOST`), protocol (`HTTP_X_FORWARDED_PROTO`) and client ip (`HTTP_X_FORWARDED_FOR`) from a trusted proxy disable rewrite ip and the reverse proxies ip address to `TRUSTED_PROXIES`. + +- `APACHE_DISABLE_REWRITE_IP` (not set by default): Set to 1 to disable rewrite ip. + +- `TRUSTED_PROXIES` (empty by default): A space-separated list of trusted proxies. CIDR notation is supported for IPv4. + # Running this image with docker-compose The easiest way to get a fully featured and functional setup is using a `docker-compose` file. There are too many different possibilities to setup your system, so here are only some examples of what you have to look for. diff --git a/docker-entrypoint.sh b/docker-entrypoint.sh index 2510743e..07b44d61 100755 --- a/docker-entrypoint.sh +++ b/docker-entrypoint.sh @@ -43,6 +43,12 @@ file_env() { unset "$fileVar" } +if expr "$1" : "apache" 1>/dev/null; then + if [ -n "${APACHE_DISABLE_REWRITE_IP+x}" ]; then + a2disconf remoteip + fi +fi + if expr "$1" : "apache" 1>/dev/null || [ "$1" = "php-fpm" ] || [ "${NEXTCLOUD_UPDATE:-0}" -eq 1 ]; then if [ -n "${REDIS_HOST+x}" ]; then From 6274e06ef4aebed9e2516f19cfd578e5d5b1218e Mon Sep 17 00:00:00 2001 From: J0WI Date: Mon, 6 Apr 2020 20:51:18 +0000 Subject: [PATCH 3/3] Update url to occ (#1062) --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index c7fda8a6..4ea87e08 100644 --- a/README.md +++ b/README.md @@ -92,7 +92,7 @@ nextcloud ``` ## Using the Nextcloud command-line interface -To use the [Nextcloud command-line interface](https://docs.nextcloud.com/server/12/admin_manual/configuration_server/occ_command.html) (aka. `occ` command): +To use the [Nextcloud command-line interface](https://docs.nextcloud.com/server/latest/admin_manual/configuration_server/occ_command.html) (aka. `occ` command): ```console $ docker exec --user www-data CONTAINER_ID php occ ```