
Commit 119d2b7

compose: Use Docker secrets for secret management.
1 parent 8703db5 commit 119d2b7


2 files changed

+54
-20
lines changed


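--- a/compose.yaml
+++ b/compose.yaml
@@ -1,15 +1,31 @@
 ---
+secrets:
+  zulip__postgres_password:
+    ## Note that you need to do a manual `ALTER ROLE` query if you
+    ## change this on a system after booting the postgres container
+    ## the first time on a host. Instructions are available in README.md.
+    environment: "ZULIP__POSTGRES_PASSWORD"
+  zulip__memcached_password:
+    environment: "ZULIP__MEMCACHED_PASSWORD"
+  zulip__rabbitmq_password:
+    environment: "ZULIP__RABBITMQ_PASSWORD"
+  zulip__redis_password:
+    environment: "ZULIP__REDIS_PASSWORD"
+  zulip__secret_key:
+    environment: "ZULIP__SECRET_KEY"
+  zulip__email_password:
+    environment: "ZULIP__EMAIL_PASSWORD"
+
 services:
   database:
     image: "zulip/zulip-postgresql:14"
     restart: unless-stopped
+    secrets:
+      - zulip__postgres_password
     environment:
       POSTGRES_DB: "zulip"
       POSTGRES_USER: "zulip"
-      ## Note that you need to do a manual `ALTER ROLE` query if you
-      ## change this on a system after booting the postgres container
-      ## the first time on a host. Instructions are available in README.md.
-      POSTGRES_PASSWORD: "REPLACE_WITH_SECURE_POSTGRES_PASSWORD"
+      POSTGRES_PASSWORD_FILE: /run/secrets/zulip__postgres_password
     volumes:
       - "postgresql-14:/var/lib/postgresql/data:rw"
     attach: false
@@ -21,20 +37,32 @@ services:
       - "-euc"
       - |
         echo 'mech_list: plain' > "$$SASL_CONF_PATH"
-        echo "zulip@$$HOSTNAME:$$MEMCACHED_PASSWORD" > "$$MEMCACHED_SASL_PWDB"
-        echo "zulip@localhost:$$MEMCACHED_PASSWORD" >> "$$MEMCACHED_SASL_PWDB"
+        echo "zulip@$$HOSTNAME:$$(cat $$MEMCACHED_PASSWORD_FILE)" > "$$MEMCACHED_SASL_PWDB"
+        echo "zulip@localhost:$$(cat $$MEMCACHED_PASSWORD_FILE)" >> "$$MEMCACHED_SASL_PWDB"
         exec memcached -S
+    secrets:
+      - zulip__memcached_password
     environment:
       SASL_CONF_PATH: "/home/memcache/memcached.conf"
       MEMCACHED_SASL_PWDB: "/home/memcache/memcached-sasl-db"
-      MEMCACHED_PASSWORD: "REPLACE_WITH_SECURE_MEMCACHED_PASSWORD"
+      MEMCACHED_PASSWORD_FILE: /run/secrets/zulip__memcached_password
     attach: false
   rabbitmq:
     image: "rabbitmq:4.1"
     restart: unless-stopped
+    command:
+      - "sh"
+      - "-euc"
+      - |
+        export RABBITMQ_DEFAULT_PASS="$$(cat $$RABBITMQ_PASSWORD_FILE)"
+        echo 'default_user = $$(RABBITMQ_DEFAULT_USER)' >> /etc/rabbitmq/rabbitmq.conf
+        echo 'default_pass = $$(RABBITMQ_DEFAULT_PASS)' >> /etc/rabbitmq/rabbitmq.conf
+        exec docker-entrypoint.sh rabbitmq-server
+    secrets:
+      - zulip__rabbitmq_password
     environment:
       RABBITMQ_DEFAULT_USER: "zulip"
-      RABBITMQ_DEFAULT_PASS: "REPLACE_WITH_SECURE_RABBITMQ_PASSWORD"
+      RABBITMQ_PASSWORD_FILE: /run/secrets/zulip__rabbitmq_password
     volumes:
       - "rabbitmq:/var/lib/rabbitmq:rw"
     attach: false
@@ -44,11 +72,11 @@ services:
     command:
       - "sh"
       - "-euc"
-      - |
-        echo "requirepass '$$REDIS_PASSWORD'" > /etc/redis.conf
-        exec redis-server /etc/redis.conf
+      - '/usr/local/bin/docker-entrypoint.sh --requirepass "$$(cat $$REDIS_PASSWORD_FILE)"'
+    secrets:
+      - zulip__redis_password
     environment:
-      REDIS_PASSWORD: "REPLACE_WITH_SECURE_REDIS_PASSWORD"
+      REDIS_PASSWORD_FILE: /run/secrets/zulip__redis_password
     volumes:
       - "redis:/data:rw"
     attach: false
@@ -74,6 +102,13 @@ services:
         target: 443
         published: 443
         app_protocol: https
+    secrets:
+      - zulip__postgres_password
+      - zulip__memcached_password
+      - zulip__rabbitmq_password
+      - zulip__redis_password
+      - zulip__secret_key
+      - zulip__email_password
     environment:
       ## See https://github.com/zulip/docker-zulip#configuration for
       ## details on this section and how to discover the many
@@ -85,14 +120,12 @@ services:
       SETTING_MEMCACHED_LOCATION: "memcached:11211"
       SETTING_RABBITMQ_HOST: "rabbitmq"
       SETTING_REDIS_HOST: "redis"
-      SECRETS_email_password: "123456789"
-      ## These should match RABBITMQ_DEFAULT_PASS, POSTGRES_PASSWORD,
-      ## MEMCACHED_PASSWORD, and REDIS_PASSWORD above.
-      SECRETS_rabbitmq_password: "REPLACE_WITH_SECURE_RABBITMQ_PASSWORD"
-      SECRETS_postgres_password: "REPLACE_WITH_SECURE_POSTGRES_PASSWORD"
-      SECRETS_memcached_password: "REPLACE_WITH_SECURE_MEMCACHED_PASSWORD"
-      SECRETS_redis_password: "REPLACE_WITH_SECURE_REDIS_PASSWORD"
-      SECRETS_secret_key: "REPLACE_WITH_SECURE_SECRET_KEY"
+      SECRETS_postgres_password_FILE: /run/secrets/zulip__postgres_password
+      SECRETS_memcached_password_FILE: /run/secrets/zulip__memcached_password
+      SECRETS_rabbitmq_password_FILE: /run/secrets/zulip__rabbitmq_password
+      SECRETS_redis_password_FILE: /run/secrets/zulip__redis_password
+      SECRETS_secret_key_FILE: /run/secrets/zulip__secret_key
+      SECRETS_email_password_FILE: /run/secrets/zulip__email_password
       SETTING_EXTERNAL_HOST: "localhost.localdomain"
       SETTING_ZULIP_ADMINISTRATOR: "admin@example.com"
       SETTING_EMAIL_HOST: "" # e.g. smtp.example.com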
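Review bot: In the redis hunk the password now lands on the redis-server command line — `sh -euc` expands `$(cat $REDIS_PASSWORD_FILE)` before exec'ing the entrypoint, so the secret is readable in `ps` output and `/proc/<pid>/cmdline` by any process in the container (and by host-side tooling), whereas the removed lines kept it in /etc/redis.conf. Writing a config file and passing that to the entrypoint keeps the (presumed) reason for routing through docker-entrypoint.sh without exposing the value: `echo "requirepass $$(cat "$$REDIS_PASSWORD_FILE")" > /etc/redis.conf` followed by `exec /usr/local/bin/docker-entrypoint.sh redis-server /etc/redis.conf`, with the file's mode tightened to the user redis-server runs as. Relatedly, the rabbitmq command appends `default_user`/`default_pass` to /etc/rabbitmq/rabbitmq.conf with `>>` on every start, so a container that is restarted rather than recreated accumulates duplicate keys; a guard such as `grep -q '^default_pass' /etc/rabbitmq/rabbitmq.conf ||` before the echos would make it idempotent. The unquoted `$$REDIS_PASSWORD_FILE` / `$$RABBITMQ_PASSWORD_FILE` / `$$MEMCACHED_PASSWORD_FILE` inside `$(cat …)` also rely on the path containing no whitespace; quoting them is cheap.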

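--- a/entrypoint.sh
+++ b/entrypoint.sh
@@ -286,6 +286,7 @@ secretsConfiguration() {
       echo "ERROR: Secret \"$SECRET_KEY\" contains a newline!"
       exit 1
     fi
+    echo "Setting $SECRET_KEY from environment variable $key"
     crudini --set "$DATA_DIR/zulip-secrets.conf" "secrets" "${SECRET_KEY}" "${SECRET_VAR}"
   done
   echo "Zulip secrets configuration succeeded."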
