Lea/Docker-DocumentServer
1
0
Fork 0
Code Issues Pull requests Packages Projects Releases Wiki Activity

entrypoint: add docker secret friendly _FILE options

Browse source 
to prevent having to define secrets in docker compose file when using
docker stack, add a _FILE option for sensitive information so that
docker secrets may be used; update README accordingly
This commit is contained in:
Andreas Weigel 2022-10-19 15:51:11 -04:00
parent 46683cbc4e
commit 5e8c2122ad
2 changed files with 27 additions and 6 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

8
README.md
View file

@ -180,7 +180,7 @@ Below is the complete list of parameters that can be set using environment varia
- **DB_PORT**: The database server port number.
- **DB_NAME**: The name of a database to use. Should be existing on container startup.
- **DB_USER**: The new user name with superuser permissions for the database account.
- **DB_PWD**: The password set for the database account.
- **DB_PWD[_FILE]**: The password set for the database account.
- **AMQP_URI**: The [AMQP URI](https://www.rabbitmq.com/uri-spec.html "RabbitMQ URI Specification") to connect to message broker server.
- **AMQP_TYPE**: The message broker type. Supported values are `rabbitmq` or `activemq`. Defaults to `rabbitmq`.
- **REDIS_SERVER_HOST**: The IP address or the name of the host where the Redis server is running.
@ -188,9 +188,9 @@ Below is the complete list of parameters that can be set using environment varia
- **REDIS_SERVER_PASS**: The Redis server password. The password is not set by default.
- **NGINX_WORKER_PROCESSES**: Defines the number of nginx worker processes.
- **NGINX_WORKER_CONNECTIONS**: Sets the maximum number of simultaneous connections that can be opened by a nginx worker process.
- **SECURE_LINK_SECRET**: Defines secret for the nginx config directive [secure_link_md5](http://nginx.org/ru/docs/http/ngx_http_secure_link_module.html#secure_link_md5). Defaults to `random string`.
- **SECURE_LINK_SECRET[_FILE]**: Defines secret for the nginx config directive [secure_link_md5](http://nginx.org/ru/docs/http/ngx_http_secure_link_module.html#secure_link_md5). Defaults to `random string`.
- **JWT_ENABLED**: Specifies the enabling the JSON Web Token validation by the ONLYOFFICE Document Server. Defaults to `false`.
- **JWT_SECRET**: Defines the secret key to validate the JSON Web Token in the request to the ONLYOFFICE Document Server. Defaults to `secret`.
- **JWT_SECRET[_FILE]**: Defines the secret key to validate the JSON Web Token in the request to the ONLYOFFICE Document Server. Defaults to `secret`.
- **JWT_HEADER**: Defines the http header that will be used to send the JSON Web Token. Defaults to `Authorization`.
- **JWT_IN_BODY**: Specifies the enabling the token validation in the request body to the ONLYOFFICE Document Server. Defaults to `false`.
- **WOPI_ENABLED**: Specifies the enabling the wopi handlers. Defaults to `false`.
@ -203,6 +203,8 @@ Below is the complete list of parameters that can be set using environment varia
- **LETS_ENCRYPT_DOMAIN**: Defines the domain for Let's Encrypt certificate.
- **LETS_ENCRYPT_MAIL**: Defines the domain administator mail address for Let's Encrypt certificate.
Parameters ending in **[_FILE]** can alternatively be given as a path to a file from which the value is read to faciliate using docker secrets for sensitive information. If the parameter is specified both as **PARAM** and **PARAM_FILE**, the latter takes precedence.
## Installing ONLYOFFICE Document Server integrated with Community and Mail Servers
ONLYOFFICE Document Server is a part of ONLYOFFICE Community Edition that comprises also Community Server and Mail Server. To install them, follow these easy steps:

25
run-document-server.sh
View file

@ -8,6 +8,23 @@ function clean_exit {
trap clean_exit SIGTERM
function file_env {
local var="$1"
local fileVar="${var}_FILE"
local def="${2:-}"
if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then
echo "Both $var and $fileVar are set; $fileVar takes precedence"
fi
local val="$def"
if [ "${!fileVar:-}" ]; then
val="$(< "${!fileVar}")"
elif [ "${!var:-}" ]; then
val="${!var}"
fi
export "$var"="$val"
unset "$fileVar"
}
# Define '**' behavior explicitly
shopt -s globstar
@ -84,9 +101,10 @@ else
JWT_ENABLED="false"
fi
[ -z $JWT_SECRET ] && JWT_MESSAGE='JWT is enabled by default. A random secret is generated automatically. Run the command "docker exec $(sudo docker ps -q) sudo documentserver-jwt-status.sh" to get information about JWT.'
[ -z "$JWT_SECRET" ] && [ -z "$JWT_SECRET_FILE" ] && JWT_MESSAGE='JWT is enabled by default. A random secret is generated automatically. Run the command "docker exec $(sudo docker ps -q) sudo documentserver-jwt-status.sh" to get information about JWT.'
JWT_SECRET=${JWT_SECRET:-$(pwgen -s 20)}
file_env JWT_SECRET
[ -z "$JWT_SECRET" ] && JWT_SECRET=$(pwgen -s 20)
JWT_HEADER=${JWT_HEADER:-Authorization}
JWT_IN_BODY=${JWT_IN_BODY:-false}
@ -158,7 +176,7 @@ read_setting(){
esac
DB_NAME=${DB_NAME:-${POSTGRESQL_SERVER_DB_NAME:-$(${JSON} services.CoAuthoring.sql.dbName)}}
DB_USER=${DB_USER:-${POSTGRESQL_SERVER_USER:-$(${JSON} services.CoAuthoring.sql.dbUser)}}
DB_PWD=${DB_PWD:-${POSTGRESQL_SERVER_PASS:-$(${JSON} services.CoAuthoring.sql.dbPass)}}
file_env DB_PWD ${POSTGRESQL_SERVER_PASS:-$(${JSON} services.CoAuthoring.sql.dbPass)}
RABBITMQ_SERVER_URL=${RABBITMQ_SERVER_URL:-$(${JSON} rabbitmq.url)}
AMQP_URI=${AMQP_URI:-${AMQP_SERVER_URL:-${RABBITMQ_SERVER_URL}}}
@ -488,6 +506,7 @@ update_nginx_settings(){
sed 's/linux/docker/' -i ${NGINX_ONLYOFFICE_EXAMPLE_CONF}
fi
file_env SECURE_LINK_SECRET
documentserver-update-securelink.sh -s ${SECURE_LINK_SECRET:-$(pwgen -s 20)} -r false
}