Cosmetic changes

README.md

@@ -10,6 +10,7 @@
         + [Strengthening the Server Security](#strengthening-the-server-security)
         + [Installation of the SSL Certificates](#installation-of-the-ssl-certificates)
         + [Available Configuration Parameters](#available-configuration-parameters)
+    - [Running ONLYOFFICE Document Server using docker secrets](#running-onlyoffice-document-server-using-docker-secrets)
 * [Installing ONLYOFFICE Document Server integrated with Community and Mail Servers](#installing-onlyoffice-document-server-integrated-with-community-and-mail-servers)
 * [Issues](#issues)
     - [Docker Issues](#docker-issues)
@@ -163,6 +164,58 @@ chmod 400 /app/onlyoffice/DocumentServer/data/certs/tls.key
 
 You are now just one step away from having our application secured.
 
+### Running ONLYOFFICE Document Server using docker secrets
+
+For manage sensitive data like database password/username you can use Docker secrets. If you want use secrets, you must start the Document Server like service with docker compose or docker swarm. According to [official docker documentation](https://docs.docker.com/engine/swarm/secrets/) secrets did not avalivable to standalone containers. To start using the secrets you need to go through a few simple steps: 
+
+**STEP 1**: 
+At first you need to iniciate docker swarm with command:
+
+```bash
+sudo docker swarm init 
+```
+
+**STEP 2**:
+On the next step you need to make the secrets. DocumentServer support username/password for postgresql access and jwt header/secret. 
+
+If you want to use secrets for database access create secrets with command:
+
+```bash
+sudo printf "your_pass" | docker secret create dbPass -
+sudo printf "your_user" | docker secret create dbUser -
+```
+NOTE: After secrets dbPass and dbUser was created, DocumentServer will be configured automaticly for use the same secrets for postgres access.
+
+If you want to use JSON Web Token values from secrets create secrets with command: 
+
+```bash
+sudo printf "secret_value" | docker secret create jwtSecret -
+sudo printf "header_value" | docker secret create jwtHeader -
+```
+
+**STEP 3**:
+After secrets was created you need to build the DocumentServer with command:
+
+```bash
+sudo docker compose build
+```
+
+**STEP 4**:
+After all when images was builded and secrets was created very important uncomment in docker-compose.yml file strings with secrets thats you want to use. For more information refer to the comments in docker-compose.yml
+
+**STEP 5**:
+Now Document Server is ready to deploy with secrets. For that run: 
+
+```bash
+sudo docker stack deploy --compose-file=docker-compose.yml documentserver-secrets
+```
+
+Also you can run Document Server in docker-compose mode with the same config
+
+```bash
+sudo docker compose up -d 
+```
+
 #### Available Configuration Parameters
 
 *Please refer the docker run command options for the `--env-file` flag where you can specify all required environment variables in a single file. This will save you from writing a potentially long docker run command.*
@@ -203,6 +256,13 @@ Below is the complete list of parameters that can be set using environment varia
 - **LETS_ENCRYPT_DOMAIN**: Defines the domain for Let's Encrypt certificate.
 - **LETS_ENCRYPT_MAIL**: Defines the domain administator mail address for Let's Encrypt certificate.
 
+Below list values avalivable only for compose/swarm mode.
+
+- **JWT_SECRET_FILE**: Specifies the path to the mounted file, the value from which will be used like JWT_Secret value. Default path that docker mounted secrets: `/run/secrets/jwtSecret`
+- **JWT_HEADER_FILE**: Specifies the path to the mounted file, the value from which will be used like JWT_Header value. Default path that docker mounted secrets: `/run/secrets/jwtHeader`
+- **POSTGRES_USER_FILE**: Default postgresql container value. Tells the database where to get the username value by set to db access. Default path: `run/secrets/dbUser`
+- **POSTGRES_PASSWORD_FILE**: Default postgresql container value. Tells the database where to get the password value by set to db access. Default path: `run/secrets/dbPass`
+
 ## Installing ONLYOFFICE Document Server integrated with Community and Mail Servers
 
 ONLYOFFICE Document Server is a part of ONLYOFFICE Community Edition that comprises also Community Server and Mail Server. To install them, follow these easy steps:

docker-compose.yml

@@ -1,4 +1,4 @@
-version: '2'
+version: "3.9"
 services:
   onlyoffice-documentserver:
     build:
@@ -8,6 +8,7 @@ services:
       - onlyoffice-postgresql
       - onlyoffice-rabbitmq
     environment:
+      - USE_SECRETS=false # ←  Set on "true" if you plan use secrets.
       - DB_TYPE=postgres
       - DB_HOST=onlyoffice-postgresql
       - DB_PORT=5432
@@ -16,9 +17,13 @@ services:
       - AMQP_URI=amqp://guest:guest@onlyoffice-rabbitmq
       # Uncomment strings below to enable the JSON Web Token validation.
       #- JWT_ENABLED=true
+      #- JWT_IN_BODY=true
       #- JWT_SECRET=secret
       #- JWT_HEADER=Authorization
-      #- JWT_IN_BODY=true
+      #  ↑ Uncomment two upper strings to use jwt_secret and jwt_header values by default without docker secrets.
+      #  ↓ Or uncomment two strings below to use jwt_secret and jwt_header values from docker secrets that you create.
+      #- JWT_SECTER_FILE=/run/secrets/jwtSecret
+      #- JWT_HEADER_FILE=/run/secrets/jwtHeader
     ports:
       - '80:80'
       - '443:443'
@@ -31,6 +36,12 @@ services:
        - /var/lib/onlyoffice/documentserver/App_Data/cache/files
        - /var/www/onlyoffice/documentserver-example/public/files
        - /usr/share/fonts
+   # ↓ If you use docker secrets, uncomment srtings below only with secrets that you will use in your installtion
+   #secrets:
+   #  - dbUser
+   #  - dbPass
+   #  - jwtSecret
+   #  - jwtHeader
        
   onlyoffice-rabbitmq:
     container_name: onlyoffice-rabbitmq
@@ -46,11 +57,30 @@ services:
       - POSTGRES_DB=onlyoffice
       - POSTGRES_USER=onlyoffice
       - POSTGRES_HOST_AUTH_METHOD=trust
+      #  ↑ Comment two lines upper: POSTGRES_HOST_AUTH_METHOD and POSTGRES_USER and
+      #  ↓ Uncomment two strings below for use database access values from secrets that you create. 
+      #- POSTGRES_USER_FILE=/run/secrets/dbUser
+      #- POSTGRES_PASSWORD_FILE=/run/secrets/dbPass
     restart: always
     expose:
       - '5432'
     volumes:
       - postgresql_data:/var/lib/postgresql
+   #  ↓ If you use docker secrets, uncomment srtings below only with secrets that you will use in your installtion
+   #secrets:
+   #  - dbUser
+   #  - dbPass
+
+#  ↓ If you use docker secrets, uncomment srtings below only with secrets that you will use in your installtion
+#secrets:
+#  dbUser:
+#    external: true
+#  dbPass:
+#    external: true
+#  jwtSecret:
+#    external: true
+#  jwtHeader:
+#    external: true
 
 volumes:
   postgresql_data:

run-document-server.sh

@@ -19,6 +19,7 @@ LIB_DIR="/var/lib/${COMPANY_NAME}"
 DS_LIB_DIR="${LIB_DIR}/documentserver"
 CONF_DIR="/etc/${COMPANY_NAME}/documentserver"
 IS_UPGRADE="false"
+SECRETS_PATH="/run/secrets/"
 
 ONLYOFFICE_DATA_CONTAINER=${ONLYOFFICE_DATA_CONTAINER:-false}
 ONLYOFFICE_DATA_CONTAINER_HOST=${ONLYOFFICE_DATA_CONTAINER_HOST:-localhost}
@@ -86,6 +87,14 @@ JWT_SECRET=${JWT_SECRET:-secret}
 JWT_HEADER=${JWT_HEADER:-Authorization}
 JWT_IN_BODY=${JWT_IN_BODY:-false}
 
+if [ ${USE_SECRETS} == "true" ] && [ -s ${SECRETS_PATH}/jwtSecret ]; then
+  JWT_SECRET=$( cat ${SECRETS_PATH}/jwtSecret )
+fi
+
+if [ ${USE_SECRETS} == "true" ] && [ -s ${SECRETS_PATH}/jwtHeader ]; then
+  JWT_HEADER=$( cat ${SECRETS_PATH}/jwtHeader ) 
+fi
+
 WOPI_ENABLED=${WOPI_ENABLED:-false}
 
 GENERATE_FONTS=${GENERATE_FONTS:-true}
@@ -120,6 +129,17 @@ if [ "${LETS_ENCRYPT_DOMAIN}" != "" -a "${LETS_ENCRYPT_MAIL}" != "" ]; then
   SSL_KEY_PATH=${LETSENCRYPT_ROOT_DIR}/${LETS_ENCRYPT_DOMAIN}/privkey.pem
 fi
 
+# update db credentials if secrets was configure
+if [ "${USE_SECRETS}" == "true" ]; then
+  if [ -s ${SECRETS_PATH}/dbUser ]; then
+    DB_USER=$( cat ${SECRETS_PATH}/dbUser )
+  fi
+
+  if [ -s ${SECRETS_PATH}/dbPass ]; then
+    DB_PWD=$( cat ${SECRETS_PATH}/dbPass )
+  fi
+fi
+
 read_setting(){
   deprecated_var POSTGRESQL_SERVER_HOST DB_HOST
   deprecated_var POSTGRESQL_SERVER_PORT DB_PORT