Use secrets, again

Author: ldionne

docker/compose.yaml

@@ -25,8 +25,11 @@ services:
       - DB_USER=lntuser
       - DB_HOST=dbserver
       - DB_NAME=lnt.db
-      - DB_PASSWORD=${LNT_DB_PASSWORD}
-      - AUTH_TOKEN=${LNT_AUTH_TOKEN}
+      - DB_PASSWORD_FILE=/run/secrets/lnt-db-password
+      - AUTH_TOKEN_FILE=/run/secrets/lnt-auth-token
+    secrets:
+      - lnt-db-password
+      - lnt-auth-token
     depends_on:
       - db
     deploy:
@@ -42,13 +45,21 @@ services:
     container_name: dbserver
     image: docker.io/postgres:18-alpine
     environment:
-      - POSTGRES_PASSWORD=${LNT_DB_PASSWORD}
+      - POSTGRES_PASSWORD_FILE=/run/secrets/lnt-db-password
       - POSTGRES_USER=lntuser
       - POSTGRES_DB=lnt.db
+    secrets:
+      - lnt-db-password
     volumes:
       - database:/var/lib/postgresql
 
 volumes:
   instance:
   logs:
   database:
+
+secrets:
+  lnt-db-password:
+    environment: "LNT_DB_PASSWORD"
+  lnt-auth-token:
+    environment: "LNT_AUTH_TOKEN"

docker/docker-entrypoint.sh

@@ -2,7 +2,9 @@
 
 set -u
 
-DB_PATH="postgres://${DB_USER}:${DB_PASSWORD}@${DB_HOST}"
+password="$(cat ${DB_PASSWORD_FILE})"
+token="$(cat ${AUTH_TOKEN_FILE})"
+DB_PATH="postgres://${DB_USER}:${password}@${DB_HOST}"
 
 # Set up the instance the first time this gets run.
 if [ ! -e /var/lib/lnt/instance/lnt.cfg ]; then
@@ -12,7 +14,7 @@ if [ ! -e /var/lib/lnt/instance/lnt.cfg ]; then
         --tmp-dir /tmp/lnt              \
         --db-dir "${DB_PATH}"           \
         --default-db "${DB_NAME}"
-    sed -i "s/# \(api_auth_token =\).*/\1 '${AUTH_TOKEN}'/" /var/lib/lnt/instance/lnt.cfg
+    sed -i "s/# \(api_auth_token =\).*/\1 '${token}'/" /var/lib/lnt/instance/lnt.cfg
 fi
 
 # Run the server under gunicorn.

docker/lnt.dockerfile

@@ -2,20 +2,20 @@
 # This image is intended to be built from a Docker Compose file, as it
 # requires additional information passed as environment variables:
 #
-#   ENV DB_USER
+#   DB_USER
 #     The username to use for logging into the database.
 #
-#   ENV DB_HOST
+#   DB_HOST
 #     The hostname to use to access the database.
 #
-#   ENV DB_NAME
+#   DB_NAME
 #     The name of the database on the server.
 #
-#   ENV DB_PASSWORD
-#     The password to use for logging into the database.
+#   DB_PASSWORD_FILE
+#     File containing the password to use for logging into the database.
 #
-#   ENV AUTH_TOKEN
-#     The authentication token used to require authentication
+#   AUTH_TOKEN_FILE
+#     File containing the authentication token used to require authentication
 #     to perform destructive actions.
 
 FROM python:3.10-alpine
@@ -37,6 +37,5 @@ VOLUME /var/lib/lnt /var/log/lnt
 
 # Set up the actual entrypoint that gets run when the container starts.
 COPY docker/docker-entrypoint.sh docker/lnt-wait-db /usr/local/bin/
-ENV DB_USER= DB_HOST= DB_NAME= DB_PASSWORD= AUTH_TOKEN=
 ENTRYPOINT ["docker-entrypoint.sh"]
 EXPOSE 8000