From eef1d9759634b011e32d97b4c42ece6f77106d6d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Julian=20A=C3=9Fmann?=
Date: Thu, 26 Dec 2019 12:08:44 +0100
Subject: [PATCH] Added support for docker secrets for NEXTCLOUD_ADMIN_PASSWORD, MYSQL_PASSWORD and POSTGRES_PASSWORD
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Julian Aßmann
---
 15.0/apache/entrypoint.sh | 34 +++++++++++++++++
 15.0/fpm-alpine/entrypoint.sh | 34 +++++++++++++++++
 15.0/fpm/entrypoint.sh | 34 +++++++++++++++++
 16.0/apache/entrypoint.sh | 34 +++++++++++++++++
 16.0/fpm-alpine/entrypoint.sh | 34 +++++++++++++++++
 16.0/fpm/entrypoint.sh | 34 +++++++++++++++++
 17.0/apache/entrypoint.sh | 34 +++++++++++++++++
 17.0/fpm-alpine/entrypoint.sh | 34 +++++++++++++++++
 17.0/fpm/entrypoint.sh | 34 +++++++++++++++++
 18.0-beta/apache/entrypoint.sh | 34 +++++++++++++++++
 18.0-beta/fpm-alpine/entrypoint.sh | 34 +++++++++++++++++
 18.0-beta/fpm/entrypoint.sh | 34 +++++++++++++++++
 README.md | 60 ++++++++++++++++++++++++++++++
 docker-entrypoint.sh | 34 +++++++++++++++++
 14 files changed, 502 insertions(+)

diff --git a/15.0/apache/entrypoint.sh b/15.0/apache/entrypoint.sh
index 9514d881..8487b8cd 100755
--- a/15.0/apache/entrypoint.sh
+++ b/15.0/apache/entrypoint.sh
@@ -19,6 +19,36 @@ run_as() { fi } +# usage: env_secret_expand VAR [DEFAULT] +# example: env_secret_expand 'XYZ_DB_PASSWORD_FILE' 'password' +# (will allow for "$XYZ_DB_PASSWORD_FILE" to fill in the value of "$XYZ_DB_PASSWORD" from a file, especially for Docker's secrets feature) +env_secret_expand() { + envVar="$1" + fileVar="${envVar}_FILE" + + eval env=\$"$envVar" # Contains the value of the environment variable + eval secretFilepath=\$"$fileVar" # Contains the filepath to the secret with the value + + if [ -n "$env" ] && [ -n "$secretFilepath" ]; then + echo >&2 "error: both $env and $secretFilepath are set (but are exclusive)" + exit 1 + fi + + val=$2 # Set to default + + if [ -n "$secretFilepath" ] && [ -f "$secretFilepath" ]; then + val=$(cat "${secretFilepath}") + elif [ -n "$env" ]; then + val="$env" + fi + + export "$envVar"="$val" + + unset fileVar + unset env + unset secretFilepath +} + if expr "$1" : "apache" 1>/dev/null || [ "$1" = "php-fpm" ] || [ "${NEXTCLOUD_UPDATE:-0}" -eq 1 ]; then if [ -n "${REDIS_HOST+x}" ]; then @@ -72,6 +102,10 @@ if expr "$1" : "apache" 1>/dev/null || [ "$1" = "php-fpm" ] || [ "${NEXTCLOUD_UP if [ "$installed_version" = "0.0.0.0" ]; then echo "New nextcloud instance" + env_secret_expand NEXTCLOUD_ADMIN_PASSWORD + env_secret_expand MYSQL_PASSWORD + env_secret_expand POSTGRES_PASSWORD + if [ -n "${NEXTCLOUD_ADMIN_USER+x}" ] && [ -n "${NEXTCLOUD_ADMIN_PASSWORD+x}" ]; then # shellcheck disable=SC2016 install_options='-n --admin-user "$NEXTCLOUD_ADMIN_USER" --admin-pass "$NEXTCLOUD_ADMIN_PASSWORD"' diff --git a/15.0/fpm-alpine/entrypoint.sh b/15.0/fpm-alpine/entrypoint.sh index 9514d881..8487b8cd 100755 --- a/15.0/fpm-alpine/entrypoint.sh +++ b/15.0/fpm-alpine/entrypoint.sh 
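Review bot: The mutual-exclusion error in `env_secret_expand` interpolates `$env` and `$secretFilepath`, so the line written to stderr contains the password value itself rather than the two variable names, which puts the secret into the container log; it should read `echo >&2 "error: both $envVar and $fileVar are set (but are exclusive)"`. The header example is wrong in the same spirit — the function appends `_FILE` itself, so it should be `env_secret_expand 'XYZ_DB_PASSWORD' 'password'`. When the `_FILE` variable is set but `-f` fails, the function silently falls back to the default (usually empty) instead of failing, so a mistyped secret path yields an empty password; an `elif [ -n "$secretFilepath" ]; then echo >&2 "error: $fileVar is set but $secretFilepath is not a file"; exit 1` branch before the `elif [ -n "$env" ]` would catch that. The function is added verbatim to 15.0/fpm-alpine, 15.0/fpm, 16.0/apache, 16.0/fpm-alpine, 16.0/fpm, 17.0/apache, 17.0/fpm-alpine, 17.0/fpm, 18.0-beta/apache, 18.0-beta/fpm-alpine, 18.0-beta/fpm and docker-entrypoint.sh in this commit, so the same changes apply there.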
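Review bot: Because `env_secret_expand` ends with an unconditional `export "$envVar"="$val"`, the three calls added here leave `NEXTCLOUD_ADMIN_PASSWORD`, `MYSQL_PASSWORD` and `POSTGRES_PASSWORD` set (to an empty string when neither the variable nor its `_FILE` twin was given), so the `${NEXTCLOUD_ADMIN_PASSWORD+x}` presence test on the following line is now always true and an operator who sets only `NEXTCLOUD_ADMIN_USER` would proceed into the auto-install with an empty admin password instead of the previous skip. The `+x` checks on `MYSQL_PASSWORD`/`POSTGRES_PASSWORD` that select the database backend lie outside this hunk, but if they have the same form they lose their discriminating value as well. Test the value rather than presence here, `if [ -n "${NEXTCLOUD_ADMIN_USER+x}" ] && [ -n "$NEXTCLOUD_ADMIN_PASSWORD" ]; then`, or make the function export only when a value was actually resolved. The enclosing `if [ "$installed_version" = "0.0.0.0" ]` block starts and ends outside the hunk, and the same call block is added to the other twelve entrypoint files in this commit.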
@@ -19,6 +19,36 @@ run_as() { fi } +# usage: env_secret_expand VAR [DEFAULT] +# example: env_secret_expand 'XYZ_DB_PASSWORD_FILE' 'password' +# (will allow for "$XYZ_DB_PASSWORD_FILE" to fill in the value of "$XYZ_DB_PASSWORD" from a file, especially for Docker's secrets feature) +env_secret_expand() { + envVar="$1" + fileVar="${envVar}_FILE" + + eval env=\$"$envVar" # Contains the value of the environment variable + eval secretFilepath=\$"$fileVar" # Contains the filepath to the secret with the value + + if [ -n "$env" ] && [ -n "$secretFilepath" ]; then + echo >&2 "error: both $env and $secretFilepath are set (but are exclusive)" + exit 1 + fi + + val=$2 # Set to default + + if [ -n "$secretFilepath" ] && [ -f "$secretFilepath" ]; then + val=$(cat "${secretFilepath}") + elif [ -n "$env" ]; then + val="$env" + fi + + export "$envVar"="$val" + + unset fileVar + unset env + unset secretFilepath +} + if expr "$1" : "apache" 1>/dev/null || [ "$1" = "php-fpm" ] || [ "${NEXTCLOUD_UPDATE:-0}" -eq 1 ]; then if [ -n "${REDIS_HOST+x}" ]; then @@ -72,6 +102,10 @@ if expr "$1" : "apache" 1>/dev/null || [ "$1" = "php-fpm" ] || [ "${NEXTCLOUD_UP if [ "$installed_version" = "0.0.0.0" ]; then echo "New nextcloud instance" + env_secret_expand NEXTCLOUD_ADMIN_PASSWORD + env_secret_expand MYSQL_PASSWORD + env_secret_expand POSTGRES_PASSWORD + if [ -n "${NEXTCLOUD_ADMIN_USER+x}" ] && [ -n "${NEXTCLOUD_ADMIN_PASSWORD+x}" ]; then # shellcheck disable=SC2016 install_options='-n --admin-user "$NEXTCLOUD_ADMIN_USER" --admin-pass "$NEXTCLOUD_ADMIN_PASSWORD"' diff --git a/15.0/fpm/entrypoint.sh b/15.0/fpm/entrypoint.sh index 9514d881..8bc4d33c 100755 --- a/15.0/fpm/entrypoint.sh +++ b/15.0/fpm/entrypoint.sh 
@@ -11,6 +11,36 @@ directory_empty() { [ -z "$(ls -A "$1/")" ] } +# usage: env_secret_expand VAR [DEFAULT] +# example: env_secret_expand 'XYZ_DB_PASSWORD_FILE' 'password' +# (will allow for "$XYZ_DB_PASSWORD_FILE" to fill in the value of "$XYZ_DB_PASSWORD" from a file, especially for Docker's secrets feature) +env_secret_expand() { + envVar="$1" + fileVar="${envVar}_FILE" + + eval env=\$"$envVar" # Contains the value of the environment variable + eval secretFilepath=\$"$fileVar" # Contains the filepath to the secret with the value + + if [ -n "$env" ] && [ -n "$secretFilepath" ]; then + echo >&2 "error: both $env and $secretFilepath are set (but are exclusive)" + exit 1 + fi + + val=$2 # Set to default + + if [ -n "$secretFilepath" ] && [ -f "$secretFilepath" ]; then + val=$(cat "${secretFilepath}") + elif [ -n "$env" ]; then + val="$env" + fi + + export "$envVar"="$val" + + unset fileVar + unset env + unset secretFilepath +} + run_as() { if [ "$(id -u)" = 0 ]; then su -p www-data -s /bin/sh -c "$1" @@ -72,6 +102,10 @@ if expr "$1" : "apache" 1>/dev/null || [ "$1" = "php-fpm" ] || [ "${NEXTCLOUD_UP if [ "$installed_version" = "0.0.0.0" ]; then echo "New nextcloud instance" + env_secret_expand NEXTCLOUD_ADMIN_PASSWORD + env_secret_expand MYSQL_PASSWORD + env_secret_expand POSTGRES_PASSWORD + if [ -n "${NEXTCLOUD_ADMIN_USER+x}" ] && [ -n "${NEXTCLOUD_ADMIN_PASSWORD+x}" ]; then # shellcheck disable=SC2016 install_options='-n --admin-user "$NEXTCLOUD_ADMIN_USER" --admin-pass "$NEXTCLOUD_ADMIN_PASSWORD"' diff --git a/16.0/apache/entrypoint.sh b/16.0/apache/entrypoint.sh index 9514d881..8bc4d33c 100755 --- a/16.0/apache/entrypoint.sh +++ b/16.0/apache/entrypoint.sh 
@@ -11,6 +11,36 @@ directory_empty() { [ -z "$(ls -A "$1/")" ] } +# usage: env_secret_expand VAR [DEFAULT] +# example: env_secret_expand 'XYZ_DB_PASSWORD_FILE' 'password' +# (will allow for "$XYZ_DB_PASSWORD_FILE" to fill in the value of "$XYZ_DB_PASSWORD" from a file, especially for Docker's secrets feature) +env_secret_expand() { + envVar="$1" + fileVar="${envVar}_FILE" + + eval env=\$"$envVar" # Contains the value of the environment variable + eval secretFilepath=\$"$fileVar" # Contains the filepath to the secret with the value + + if [ -n "$env" ] && [ -n "$secretFilepath" ]; then + echo >&2 "error: both $env and $secretFilepath are set (but are exclusive)" + exit 1 + fi + + val=$2 # Set to default + + if [ -n "$secretFilepath" ] && [ -f "$secretFilepath" ]; then + val=$(cat "${secretFilepath}") + elif [ -n "$env" ]; then + val="$env" + fi + + export "$envVar"="$val" + + unset fileVar + unset env + unset secretFilepath +} + run_as() { if [ "$(id -u)" = 0 ]; then su -p www-data -s /bin/sh -c "$1" @@ -72,6 +102,10 @@ if expr "$1" : "apache" 1>/dev/null || [ "$1" = "php-fpm" ] || [ "${NEXTCLOUD_UP if [ "$installed_version" = "0.0.0.0" ]; then echo "New nextcloud instance" + env_secret_expand NEXTCLOUD_ADMIN_PASSWORD + env_secret_expand MYSQL_PASSWORD + env_secret_expand POSTGRES_PASSWORD + if [ -n "${NEXTCLOUD_ADMIN_USER+x}" ] && [ -n "${NEXTCLOUD_ADMIN_PASSWORD+x}" ]; then # shellcheck disable=SC2016 install_options='-n --admin-user "$NEXTCLOUD_ADMIN_USER" --admin-pass "$NEXTCLOUD_ADMIN_PASSWORD"' diff --git a/16.0/fpm-alpine/entrypoint.sh b/16.0/fpm-alpine/entrypoint.sh index 9514d881..8487b8cd 100755 --- a/16.0/fpm-alpine/entrypoint.sh +++ b/16.0/fpm-alpine/entrypoint.sh 
@@ -19,6 +19,36 @@ run_as() { fi } +# usage: env_secret_expand VAR [DEFAULT] +# example: env_secret_expand 'XYZ_DB_PASSWORD_FILE' 'password' +# (will allow for "$XYZ_DB_PASSWORD_FILE" to fill in the value of "$XYZ_DB_PASSWORD" from a file, especially for Docker's secrets feature) +env_secret_expand() { + envVar="$1" + fileVar="${envVar}_FILE" + + eval env=\$"$envVar" # Contains the value of the environment variable + eval secretFilepath=\$"$fileVar" # Contains the filepath to the secret with the value + + if [ -n "$env" ] && [ -n "$secretFilepath" ]; then + echo >&2 "error: both $env and $secretFilepath are set (but are exclusive)" + exit 1 + fi + + val=$2 # Set to default + + if [ -n "$secretFilepath" ] && [ -f "$secretFilepath" ]; then + val=$(cat "${secretFilepath}") + elif [ -n "$env" ]; then + val="$env" + fi + + export "$envVar"="$val" + + unset fileVar + unset env + unset secretFilepath +} + if expr "$1" : "apache" 1>/dev/null || [ "$1" = "php-fpm" ] || [ "${NEXTCLOUD_UPDATE:-0}" -eq 1 ]; then if [ -n "${REDIS_HOST+x}" ]; then @@ -72,6 +102,10 @@ if expr "$1" : "apache" 1>/dev/null || [ "$1" = "php-fpm" ] || [ "${NEXTCLOUD_UP if [ "$installed_version" = "0.0.0.0" ]; then echo "New nextcloud instance" + env_secret_expand NEXTCLOUD_ADMIN_PASSWORD + env_secret_expand MYSQL_PASSWORD + env_secret_expand POSTGRES_PASSWORD + if [ -n "${NEXTCLOUD_ADMIN_USER+x}" ] && [ -n "${NEXTCLOUD_ADMIN_PASSWORD+x}" ]; then # shellcheck disable=SC2016 install_options='-n --admin-user "$NEXTCLOUD_ADMIN_USER" --admin-pass "$NEXTCLOUD_ADMIN_PASSWORD"' diff --git a/16.0/fpm/entrypoint.sh b/16.0/fpm/entrypoint.sh index 9514d881..8487b8cd 100755 --- a/16.0/fpm/entrypoint.sh +++ b/16.0/fpm/entrypoint.sh 
@@ -19,6 +19,36 @@ run_as() { fi } +# usage: env_secret_expand VAR [DEFAULT] +# example: env_secret_expand 'XYZ_DB_PASSWORD_FILE' 'password' +# (will allow for "$XYZ_DB_PASSWORD_FILE" to fill in the value of "$XYZ_DB_PASSWORD" from a file, especially for Docker's secrets feature) +env_secret_expand() { + envVar="$1" + fileVar="${envVar}_FILE" + + eval env=\$"$envVar" # Contains the value of the environment variable + eval secretFilepath=\$"$fileVar" # Contains the filepath to the secret with the value + + if [ -n "$env" ] && [ -n "$secretFilepath" ]; then + echo >&2 "error: both $env and $secretFilepath are set (but are exclusive)" + exit 1 + fi + + val=$2 # Set to default + + if [ -n "$secretFilepath" ] && [ -f "$secretFilepath" ]; then + val=$(cat "${secretFilepath}") + elif [ -n "$env" ]; then + val="$env" + fi + + export "$envVar"="$val" + + unset fileVar + unset env + unset secretFilepath +} + if expr "$1" : "apache" 1>/dev/null || [ "$1" = "php-fpm" ] || [ "${NEXTCLOUD_UPDATE:-0}" -eq 1 ]; then if [ -n "${REDIS_HOST+x}" ]; then @@ -72,6 +102,10 @@ if expr "$1" : "apache" 1>/dev/null || [ "$1" = "php-fpm" ] || [ "${NEXTCLOUD_UP if [ "$installed_version" = "0.0.0.0" ]; then echo "New nextcloud instance" + env_secret_expand NEXTCLOUD_ADMIN_PASSWORD + env_secret_expand MYSQL_PASSWORD + env_secret_expand POSTGRES_PASSWORD + if [ -n "${NEXTCLOUD_ADMIN_USER+x}" ] && [ -n "${NEXTCLOUD_ADMIN_PASSWORD+x}" ]; then # shellcheck disable=SC2016 install_options='-n --admin-user "$NEXTCLOUD_ADMIN_USER" --admin-pass "$NEXTCLOUD_ADMIN_PASSWORD"' diff --git a/17.0/apache/entrypoint.sh b/17.0/apache/entrypoint.sh index 9514d881..8487b8cd 100755 --- a/17.0/apache/entrypoint.sh +++ b/17.0/apache/entrypoint.sh 
@@ -19,6 +19,36 @@ run_as() { fi } +# usage: env_secret_expand VAR [DEFAULT] +# example: env_secret_expand 'XYZ_DB_PASSWORD_FILE' 'password' +# (will allow for "$XYZ_DB_PASSWORD_FILE" to fill in the value of "$XYZ_DB_PASSWORD" from a file, especially for Docker's secrets feature) +env_secret_expand() { + envVar="$1" + fileVar="${envVar}_FILE" + + eval env=\$"$envVar" # Contains the value of the environment variable + eval secretFilepath=\$"$fileVar" # Contains the filepath to the secret with the value + + if [ -n "$env" ] && [ -n "$secretFilepath" ]; then + echo >&2 "error: both $env and $secretFilepath are set (but are exclusive)" + exit 1 + fi + + val=$2 # Set to default + + if [ -n "$secretFilepath" ] && [ -f "$secretFilepath" ]; then + val=$(cat "${secretFilepath}") + elif [ -n "$env" ]; then + val="$env" + fi + + export "$envVar"="$val" + + unset fileVar + unset env + unset secretFilepath +} + if expr "$1" : "apache" 1>/dev/null || [ "$1" = "php-fpm" ] || [ "${NEXTCLOUD_UPDATE:-0}" -eq 1 ]; then if [ -n "${REDIS_HOST+x}" ]; then @@ -72,6 +102,10 @@ if expr "$1" : "apache" 1>/dev/null || [ "$1" = "php-fpm" ] || [ "${NEXTCLOUD_UP if [ "$installed_version" = "0.0.0.0" ]; then echo "New nextcloud instance" + env_secret_expand NEXTCLOUD_ADMIN_PASSWORD + env_secret_expand MYSQL_PASSWORD + env_secret_expand POSTGRES_PASSWORD + if [ -n "${NEXTCLOUD_ADMIN_USER+x}" ] && [ -n "${NEXTCLOUD_ADMIN_PASSWORD+x}" ]; then # shellcheck disable=SC2016 install_options='-n --admin-user "$NEXTCLOUD_ADMIN_USER" --admin-pass "$NEXTCLOUD_ADMIN_PASSWORD"' diff --git a/17.0/fpm-alpine/entrypoint.sh b/17.0/fpm-alpine/entrypoint.sh index 9514d881..8487b8cd 100755 --- a/17.0/fpm-alpine/entrypoint.sh +++ b/17.0/fpm-alpine/entrypoint.sh 
@@ -19,6 +19,36 @@ run_as() { fi } +# usage: env_secret_expand VAR [DEFAULT] +# example: env_secret_expand 'XYZ_DB_PASSWORD_FILE' 'password' +# (will allow for "$XYZ_DB_PASSWORD_FILE" to fill in the value of "$XYZ_DB_PASSWORD" from a file, especially for Docker's secrets feature) +env_secret_expand() { + envVar="$1" + fileVar="${envVar}_FILE" + + eval env=\$"$envVar" # Contains the value of the environment variable + eval secretFilepath=\$"$fileVar" # Contains the filepath to the secret with the value + + if [ -n "$env" ] && [ -n "$secretFilepath" ]; then + echo >&2 "error: both $env and $secretFilepath are set (but are exclusive)" + exit 1 + fi + + val=$2 # Set to default + + if [ -n "$secretFilepath" ] && [ -f "$secretFilepath" ]; then + val=$(cat "${secretFilepath}") + elif [ -n "$env" ]; then + val="$env" + fi + + export "$envVar"="$val" + + unset fileVar + unset env + unset secretFilepath +} + if expr "$1" : "apache" 1>/dev/null || [ "$1" = "php-fpm" ] || [ "${NEXTCLOUD_UPDATE:-0}" -eq 1 ]; then if [ -n "${REDIS_HOST+x}" ]; then @@ -72,6 +102,10 @@ if expr "$1" : "apache" 1>/dev/null || [ "$1" = "php-fpm" ] || [ "${NEXTCLOUD_UP if [ "$installed_version" = "0.0.0.0" ]; then echo "New nextcloud instance" + env_secret_expand NEXTCLOUD_ADMIN_PASSWORD + env_secret_expand MYSQL_PASSWORD + env_secret_expand POSTGRES_PASSWORD + if [ -n "${NEXTCLOUD_ADMIN_USER+x}" ] && [ -n "${NEXTCLOUD_ADMIN_PASSWORD+x}" ]; then # shellcheck disable=SC2016 install_options='-n --admin-user "$NEXTCLOUD_ADMIN_USER" --admin-pass "$NEXTCLOUD_ADMIN_PASSWORD"' diff --git a/17.0/fpm/entrypoint.sh b/17.0/fpm/entrypoint.sh index 9514d881..c95555b2 100755 --- a/17.0/fpm/entrypoint.sh +++ b/17.0/fpm/entrypoint.sh 
@@ -19,6 +19,36 @@ run_as() { fi } +# usage: env_secret_expand VAR [DEFAULT] +# example: env_secret_expand 'XYZ_DB_PASSWORD_FILE' 'password' +# (will allow for "$XYZ_DB_PASSWORD_FILE" to fill in the value of "$XYZ_DB_PASSWORD" from a file, especially for Docker's secrets feature) +env_secret_expand() { + envVar="$1" + fileVar="${envVar}_FILE" + + eval env=\$"$envVar" # Contains the value of the environment variable + eval secretFilepath=\$"$fileVar" # Contains the filepath to the secret with the value + + if [ -n "$env" ] && [ -n "$secretFilepath" ]; then + echo >&2 "error: both $env and $secretFilepath are set (but are exclusive)" + exit 1 + fi + + val=$2 # Set to default + + if [ -n "$secretFilepath" ] && [ -f "$secretFilepath" ]; then + val=$(cat "${secretFilepath}") + elif [ -n "$env" ]; then + val="$env" + fi + + export "$envVar"="$val" + + unset fileVar + unset env + unset secretFilepath +} + if expr "$1" : "apache" 1>/dev/null || [ "$1" = "php-fpm" ] || [ "${NEXTCLOUD_UPDATE:-0}" -eq 1 ]; then if [ -n "${REDIS_HOST+x}" ]; then @@ -72,6 +102,10 @@ if expr "$1" : "apache" 1>/dev/null || [ "$1" = "php-fpm" ] || [ "${NEXTCLOUD_UP if [ "$installed_version" = "0.0.0.0" ]; then echo "New nextcloud instance" + env_secret_expand NEXTCLOUD_ADMIN_PASSWORD + env_secret_expand MYSQL_PASSWORD + env_secret_expand POSTGRES_PASSWORD + if [ -n "${NEXTCLOUD_ADMIN_USER+x}" ] && [ -n "${NEXTCLOUD_ADMIN_PASSWORD+x}" ]; then # shellcheck disable=SC2016 install_options='-n --admin-user "$NEXTCLOUD_ADMIN_USER" --admin-pass "$NEXTCLOUD_ADMIN_PASSWORD"' diff --git a/18.0-beta/apache/entrypoint.sh b/18.0-beta/apache/entrypoint.sh index 9514d881..8487b8cd 100755 --- a/18.0-beta/apache/entrypoint.sh +++ b/18.0-beta/apache/entrypoint.sh 
@@ -19,6 +19,36 @@ run_as() { fi } +# usage: env_secret_expand VAR [DEFAULT] +# example: env_secret_expand 'XYZ_DB_PASSWORD_FILE' 'password' +# (will allow for "$XYZ_DB_PASSWORD_FILE" to fill in the value of "$XYZ_DB_PASSWORD" from a file, especially for Docker's secrets feature) +env_secret_expand() { + envVar="$1" + fileVar="${envVar}_FILE" + + eval env=\$"$envVar" # Contains the value of the environment variable + eval secretFilepath=\$"$fileVar" # Contains the filepath to the secret with the value + + if [ -n "$env" ] && [ -n "$secretFilepath" ]; then + echo >&2 "error: both $env and $secretFilepath are set (but are exclusive)" + exit 1 + fi + + val=$2 # Set to default + + if [ -n "$secretFilepath" ] && [ -f "$secretFilepath" ]; then + val=$(cat "${secretFilepath}") + elif [ -n "$env" ]; then + val="$env" + fi + + export "$envVar"="$val" + + unset fileVar + unset env + unset secretFilepath +} + if expr "$1" : "apache" 1>/dev/null || [ "$1" = "php-fpm" ] || [ "${NEXTCLOUD_UPDATE:-0}" -eq 1 ]; then if [ -n "${REDIS_HOST+x}" ]; then @@ -72,6 +102,10 @@ if expr "$1" : "apache" 1>/dev/null || [ "$1" = "php-fpm" ] || [ "${NEXTCLOUD_UP if [ "$installed_version" = "0.0.0.0" ]; then echo "New nextcloud instance" + env_secret_expand NEXTCLOUD_ADMIN_PASSWORD + env_secret_expand MYSQL_PASSWORD + env_secret_expand POSTGRES_PASSWORD + if [ -n "${NEXTCLOUD_ADMIN_USER+x}" ] && [ -n "${NEXTCLOUD_ADMIN_PASSWORD+x}" ]; then # shellcheck disable=SC2016 install_options='-n --admin-user "$NEXTCLOUD_ADMIN_USER" --admin-pass "$NEXTCLOUD_ADMIN_PASSWORD"' diff --git a/18.0-beta/fpm-alpine/entrypoint.sh b/18.0-beta/fpm-alpine/entrypoint.sh index 9514d881..8487b8cd 100755 --- a/18.0-beta/fpm-alpine/entrypoint.sh +++ b/18.0-beta/fpm-alpine/entrypoint.sh 
@@ -19,6 +19,36 @@ run_as() { fi } +# usage: env_secret_expand VAR [DEFAULT] +# example: env_secret_expand 'XYZ_DB_PASSWORD_FILE' 'password' +# (will allow for "$XYZ_DB_PASSWORD_FILE" to fill in the value of "$XYZ_DB_PASSWORD" from a file, especially for Docker's secrets feature) +env_secret_expand() { + envVar="$1" + fileVar="${envVar}_FILE" + + eval env=\$"$envVar" # Contains the value of the environment variable + eval secretFilepath=\$"$fileVar" # Contains the filepath to the secret with the value + + if [ -n "$env" ] && [ -n "$secretFilepath" ]; then + echo >&2 "error: both $env and $secretFilepath are set (but are exclusive)" + exit 1 + fi + + val=$2 # Set to default + + if [ -n "$secretFilepath" ] && [ -f "$secretFilepath" ]; then + val=$(cat "${secretFilepath}") + elif [ -n "$env" ]; then + val="$env" + fi + + export "$envVar"="$val" + + unset fileVar + unset env + unset secretFilepath +} + if expr "$1" : "apache" 1>/dev/null || [ "$1" = "php-fpm" ] || [ "${NEXTCLOUD_UPDATE:-0}" -eq 1 ]; then if [ -n "${REDIS_HOST+x}" ]; then @@ -72,6 +102,10 @@ if expr "$1" : "apache" 1>/dev/null || [ "$1" = "php-fpm" ] || [ "${NEXTCLOUD_UP if [ "$installed_version" = "0.0.0.0" ]; then echo "New nextcloud instance" + env_secret_expand NEXTCLOUD_ADMIN_PASSWORD + env_secret_expand MYSQL_PASSWORD + env_secret_expand POSTGRES_PASSWORD + if [ -n "${NEXTCLOUD_ADMIN_USER+x}" ] && [ -n "${NEXTCLOUD_ADMIN_PASSWORD+x}" ]; then # shellcheck disable=SC2016 install_options='-n --admin-user "$NEXTCLOUD_ADMIN_USER" --admin-pass "$NEXTCLOUD_ADMIN_PASSWORD"' diff --git a/18.0-beta/fpm/entrypoint.sh b/18.0-beta/fpm/entrypoint.sh index 9514d881..8487b8cd 100755 --- a/18.0-beta/fpm/entrypoint.sh +++ b/18.0-beta/fpm/entrypoint.sh 
@@ -19,6 +19,36 @@ run_as() { fi } +# usage: env_secret_expand VAR [DEFAULT] +# example: env_secret_expand 'XYZ_DB_PASSWORD_FILE' 'password' +# (will allow for "$XYZ_DB_PASSWORD_FILE" to fill in the value of "$XYZ_DB_PASSWORD" from a file, especially for Docker's secrets feature) +env_secret_expand() { + envVar="$1" + fileVar="${envVar}_FILE" + + eval env=\$"$envVar" # Contains the value of the environment variable + eval secretFilepath=\$"$fileVar" # Contains the filepath to the secret with the value + + if [ -n "$env" ] && [ -n "$secretFilepath" ]; then + echo >&2 "error: both $env and $secretFilepath are set (but are exclusive)" + exit 1 + fi + + val=$2 # Set to default + + if [ -n "$secretFilepath" ] && [ -f "$secretFilepath" ]; then + val=$(cat "${secretFilepath}") + elif [ -n "$env" ]; then + val="$env" + fi + + export "$envVar"="$val" + + unset fileVar + unset env + unset secretFilepath +} + if expr "$1" : "apache" 1>/dev/null || [ "$1" = "php-fpm" ] || [ "${NEXTCLOUD_UPDATE:-0}" -eq 1 ]; then if [ -n "${REDIS_HOST+x}" ]; then @@ -72,6 +102,10 @@ if expr "$1" : "apache" 1>/dev/null || [ "$1" = "php-fpm" ] || [ "${NEXTCLOUD_UP if [ "$installed_version" = "0.0.0.0" ]; then echo "New nextcloud instance" + env_secret_expand NEXTCLOUD_ADMIN_PASSWORD + env_secret_expand MYSQL_PASSWORD + env_secret_expand POSTGRES_PASSWORD + if [ -n "${NEXTCLOUD_ADMIN_USER+x}" ] && [ -n "${NEXTCLOUD_ADMIN_PASSWORD+x}" ]; then # shellcheck disable=SC2016 install_options='-n --admin-user "$NEXTCLOUD_ADMIN_USER" --admin-pass "$NEXTCLOUD_ADMIN_PASSWORD"' diff --git a/README.md b/README.md index 8721eb66..fac5871d 100644 --- a/README.md +++ b/README.md 
@@ -158,6 +158,66 @@ To use an external SMTP server, you have to provide the connection details. To c Check the [Nextcloud documentation](https://docs.nextcloud.com/server/15/admin_manual/configuration_server/email_configuration.html) for other values to configure SMTP. +## Docker secrets +As an alternative to passing sensitive information via environment variables, _FILE may be appended to the previously listed environment variables, causing the initialization script to load the values for those variables from files present in the container. In particular, this can be used to load passwords from Docker secrets stored in /run/secrets/ files. For example: + +```yaml +version '3' +services: + db: + image: postgres + restart: always + volumes: + - db:/var/lib/postgresql/data + environment: + - POSTGRES_DB=nextcloud + - POSTGRES_USER=nextcloud + - POSTGRES_PASSWORD_FILE=/run/secrets/postgres_password + secrets: + - postgres_password + app: + image: nextcloud + restart: always + ports: + - 8080:80 + volumes: + - nextcloud:/var/www/html + environment: + - POSTGRES_HOST=db + - POSTGRES_DB=nextcloud + - POSTGRES_USER=nextcloud + - POSTGRES_PASSWORD_FILE=/run/secrets/postgres_password + - NEXTCLOUD_ADMIN_USER=superuser + - NEXTCLOUD_ADMIN_PASSWORD_FILE=/run/secrets/admin_password + depends_on: + - db + secrets: + - postgres_password + - admin_password + cron: + image: nextcloud + restart: always + volumes: + - nextcloud:/var/www/html + entrypoint: /cron.sh + depends_on: + - db +volumes: + db: + nextcloud: + +secrets: + postgres_password: + # file: ./postgres_password.txt # put postgresql password to this file (only for local testing) + external: true + admin_password: + # file: ./admin_password.txt # put admin password to this file (only for local testing) + external: true # For use in prodcution, create secret via the docker secret create command + +``` + +Currently, this is supported for NEXTCLOUD_ADMIN_PASSWORD, MYSQL_PASSWORD and POSTGRES_PASSWORD. 
+ # Running this image with docker-compose The easiest way to get a fully featured and functional setup is using a `docker-compose` file. There are too many different possibilities to setup your system, so here are only some examples of what you have to look for. diff --git a/docker-entrypoint.sh b/docker-entrypoint.sh index 9514d881..8487b8cd 100755 --- a/docker-entrypoint.sh +++ b/docker-entrypoint.sh @@ -19,6 +19,36 @@ run_as() { fi } +# usage: env_secret_expand VAR [DEFAULT] +# example: env_secret_expand 'XYZ_DB_PASSWORD_FILE' 'password' +# (will allow for "$XYZ_DB_PASSWORD_FILE" to fill in the value of "$XYZ_DB_PASSWORD" from a file, especially for Docker's secrets feature) +env_secret_expand() { + envVar="$1" + fileVar="${envVar}_FILE" + + eval env=\$"$envVar" # Contains the value of the environment variable + eval secretFilepath=\$"$fileVar" # Contains the filepath to the secret with the value + + if [ -n "$env" ] && [ -n "$secretFilepath" ]; then + echo >&2 "error: both $env and $secretFilepath are set (but are exclusive)" + exit 1 + fi + + val=$2 # Set to default + + if [ -n "$secretFilepath" ] && [ -f "$secretFilepath" ]; then + val=$(cat "${secretFilepath}") + elif [ -n "$env" ]; then + val="$env" + fi + + export "$envVar"="$val" + + unset fileVar + unset env + unset secretFilepath +} + if expr "$1" : "apache" 1>/dev/null || [ "$1" = "php-fpm" ] || [ "${NEXTCLOUD_UPDATE:-0}" -eq 1 ]; then if [ -n "${REDIS_HOST+x}" ]; then @@ -72,6 +102,10 @@ if expr "$1" : "apache" 1>/dev/null || [ "$1" = "php-fpm" ] || [ "${NEXTCLOUD_UP if [ "$installed_version" = "0.0.0.0" ]; then echo "New nextcloud instance" + env_secret_expand NEXTCLOUD_ADMIN_PASSWORD + env_secret_expand MYSQL_PASSWORD + env_secret_expand POSTGRES_PASSWORD + if [ -n "${NEXTCLOUD_ADMIN_USER+x}" ] && [ -n "${NEXTCLOUD_ADMIN_PASSWORD+x}" ]; then # shellcheck disable=SC2016 install_options='-n --admin-user "$NEXTCLOUD_ADMIN_USER" --admin-pass "$NEXTCLOUD_ADMIN_PASSWORD"'