diff --git a/bin/install-federated.sh b/bin/install-federated.sh
index a8e5e28..525ade1 100755
--- a/bin/install-federated.sh
+++ b/bin/install-federated.sh
@@ -1,4 +1,4 @@ -#!/bin/bash +#!/bin/bash -x # # Federated installation script
@@ -44,6 +44,7 @@ get_config() { fi done + . /federated/lib/functions.sh . /federated/lib/checks.sh . /federated/lib/network.sh . /federated/lib/dns.sh
@@ -88,7 +89,7 @@ check_ports config_network # Configure and start each federated service -for i in dns postgresql ldap mail collabora nextcloud matrix listmonk vaultwarden panel proxy jitsi; do +for i in dns postgresql ldap mail collabora proxy nextcloud matrix listmonk vaultwarden panel jitsi; do config_$i start_$i done
diff --git a/lib/collabora.sh b/lib/collabora.sh
index 4ed0061..58eef52 100644
--- a/lib/collabora.sh
+++ b/lib/collabora.sh
@@ -39,12 +39,8 @@ services: - ./data/root/certs/fullchain1.pem:/etc/coolwsd/cert.pem - ./data/root/certs/privkey1.pem:/etc/coolwsd/key.pem - ./data/root/certs/chain1.pem:/etc/coolwsd/ca-chain.cert.pem - environment: - - VIRTUAL_PROTO=https - - VIRTUAL_PORT=9980 - - VIRTUAL_HOST=collabora.$DOMAIN - - domain=nextcloud.$DOMAIN - - server_name=collabora.$DOMAIN + env_file: + - ./.env cap_add: - MKNOD
@@ -53,6 +49,15 @@ networks: external: true EOF +cat > /federated/apps/collabora/.env <<EOF +VIRTUAL_PROTO=https +VIRTUAL_PORT=9980 +VIRTUAL_HOST=collabora.$DOMAIN +domain=nextcloud.$DOMAIN +server_name=collabora.$DOMAIN +EOF +chmod 600 /federated/apps/collabora/.env + kill -9 $SPINPID &> /dev/null echo -ne "done." }
diff --git a/lib/functions.sh b/lib/functions.sh
new file mode 100644
index 0000000..65f21e9
--- /dev/null
+++ b/lib/functions.sh
@@ -0,0 +1,6 @@ +create_password() { +# eval $1_var=$1 +# echo "$postgres_var" + SECRET=`tr -cd '[:alnum:]' < /dev/urandom | fold -w32 | head -n1` + echo "$SECRET"; +}
diff --git a/lib/jitsi.sh b/lib/jitsi.sh
index b72d7bb..cb95b1e 100644
--- a/lib/jitsi.sh
+++ b/lib/jitsi.sh
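Review bot: `+#!/bin/bash -x` turns on xtrace for the whole installer, and with this same commit the sourced lib/*.sh files start generating and writing credentials (`create_password`, `LDAP_SECRET=$(create_password)`, `echo "$LDAP_SECRET" > …`), so every generated password and every expanded heredoc line will be echoed to stderr and into whatever captures the install output. Tracing should not be the default in a script that handles secrets: keep `#!/bin/bash` and, when debugging is needed, enable it at runtime (`bash -x bin/install-federated.sh`) or behind an opt-in such as `[[ -n "$FEDERATED_DEBUG" ]] && set -x` (variable name illustrative). Note also that options on the shebang line are ignored when the script is started as `bash install-federated.sh`, so `-x` placed here is not even a reliable switch.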
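Review bot: The new `. /federated/lib/functions.sh` line carries an ordering requirement the hunk does not state: it must stay ahead of the other `lib/*.sh` sources, because ldap.sh and postgresql.sh in this commit call `create_password` from their config functions. A one-line comment would keep a future reorder from silently breaking the install: `# functions.sh first: it defines create_password, used by the config_* functions`. This sits inside get_config, whose body starts before the hunk.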
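Review bot: The reordered service list now encodes dependencies that are invisible here: `config_ldap` must run before mail, matrix, nextcloud, panel and jitsi (they expand `LDAP_SECRET`), and `config_postgresql` before nextcloud, listmonk, matrix and vaultwarden (they expand `PSQL_SECRET`, `LISTMONK_SECRET`, `MATRIX_SECRET`, `VAULTWARDEN_SECRET` or copy `.postgresql.secret`). Nothing enforces that; a later reorder would produce empty passwords in the generated files without any error. Please document the constraint above the loop, `# Order matters: config_ldap and config_postgresql generate the *_SECRET values consumed by the services listed after them`, and have each consumer assert its input before writing, e.g. `: "${LDAP_SECRET:?config_ldap must run first}"`.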
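Review bot: `create_password` assigns `SECRET` as a global rather than a local, keeps two dead `# eval` lines in its body, and uses backticks; since its output is now the password for every service it also deserves a header comment stating what it produces (32 ASCII-alphanumeric characters from /dev/urandom, roughly 190 bits of entropy). Suggested body: `local secret; secret=$(LC_ALL=C tr -cd '[:alnum:]' < /dev/urandom | head -c 32); printf '%s\n' "$secret"`. `LC_ALL=C` pins `[:alnum:]` to ASCII regardless of the installer's locale, and `head -c 32` replaces the `fold | head -n1` pair. If `set -o pipefail` is ever enabled in the installer, the `tr` stage will report SIGPIPE when `head` closes the pipe, so callers should not treat the pipeline status as meaningful.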
@@ -532,7 +532,7 @@ LDAP_BASE=DC=$DOMAIN_FIRST,DC=$DOMAIN_LAST LDAP_BINDDN=CN=admin,DC=$DOMAIN_FIRST,DC=$DOMAIN_LAST # LDAP user password. Do not specify this parameter for the anonymous bind -LDAP_BINDPW=$ADMINPASS +LDAP_BINDPW=$LDAP_SECRET # LDAP filter. Tokens example:
diff --git a/lib/ldap.sh b/lib/ldap.sh
index a7b5cda..ea473da 100644
--- a/lib/ldap.sh
+++ b/lib/ldap.sh
@@ -42,22 +42,36 @@ services: - ./data/etc/ldap/slapd.d:/etc/ldap/slapd.d - ./data/certs:/container/service/slapd/assets/certs - ./data/root:/root - environment: - - LDAP_ORGANISATION=$COMPANY - - LDAP_DOMAIN=$DOMAIN - - LDAP_ADMIN_PASSWORD=$ADMINPASS - - LDAP_RFC2307BIS_SCHEMA=true - - LDAP_REMOVE_CONFIG_AFTER_SETUP=true - - LDAP_TLS=true - - LDAP_TLS_CRT_FILENAME=fullchain1.pem - - LDAP_TLS_KEY_FILENAME=privkey1.pem - - LDAP_TLS_CA_CRT_FILENAME=chain1.pem - - LDAP_TLS_VERIFY_CLIENT=try + env_file: + - ./.env + secrets: + - federated_ldap_password +secrets: + federated_ldap_password: + file: ./.ldap.secret networks: federated: external: true EOF + +cat > /federated/apps/ldap/.env <<EOF +LDAP_ORGANISATION=$COMPANY +LDAP_DOMAIN=$DOMAIN +LDAP_ADMIN_PASSWORD_FILE=/run/secrets/federated_ldap_password +LDAP_RFC2307BIS_SCHEMA=true +LDAP_REMOVE_CONFIG_AFTER_SETUP=true +LDAP_TLS=true +LDAP_TLS_CRT_FILENAME=fullchain1.pem +LDAP_TLS_KEY_FILENAME=privkey1.pem +LDAP_TLS_CA_CRT_FILENAME=chain1.pem +LDAP_TLS_VERIFY_CLIENT=try +EOF +chmod 600 /federated/apps/ldap/.env + +LDAP_SECRET=$(create_password); +echo "$LDAP_SECRET" > /federated/apps/ldap/.ldap.secret +chmod 600 /federated/apps/ldap/.ldap.secret cat > /federated/apps/ldap/data/root/ldap.ldif <<EOF dn: ou=people,dc=$DOMAIN_FIRST,dc=$DOMAIN_LAST
diff --git a/lib/listmonk.sh b/lib/listmonk.sh
index 891651f..50df743 100644
--- a/lib/listmonk.sh
+++ b/lib/listmonk.sh
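Review bot: `LDAP_BINDPW=$LDAP_SECRET` now writes a generated credential into the file this heredoc produces, yet unlike the `.env` and `.secret` files elsewhere in this commit no `chmod 600` for that file is visible around this hunk. If the file is already restricted somewhere outside the hunk, a short comment next to the heredoc pointing to it would help; otherwise it needs the same `chmod 600` after its closing `EOF`. The heredoc and the enclosing function both start and end outside the hunk.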
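Review bot: `echo "$LDAP_SECRET" > /federated/apps/ldap/.ldap.secret` creates the file with the umask default (typically 0644) and only afterwards tightens it with `chmod 600`; the same write-then-chmod pattern is used for every `.env` and `.secret` file in this commit (collabora, listmonk, mail, matrix, nextcloud, panel, postgresql, vaultwarden). Setting `umask 077` once near the top of the installer, or creating each file with `install -m 600 /dev/null "$f"` before writing to it, closes that window for all of them. Two smaller points: `echo` appends a newline, so if the LDAP image reads `LDAP_ADMIN_PASSWORD_FILE` verbatim the newline becomes part of the admin password — `printf '%s' "$LDAP_SECRET" > …` avoids the question; and since the secret is regenerated on every run, re-running the installer against an existing `data/` directory would hand the other services a password the directory no longer matches, so consider reusing the file when present (`[[ -s "$f" ]] && LDAP_SECRET=$(<"$f")`). The enclosing config function starts before and ends after this hunk.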
@@ -31,11 +31,8 @@ services: networks: federated: ipv4_address: 172.99.0.39 - environment: - - VIRTUAL_PROTO=http - - VIRTUAL_PORT=9000 - - VIRTUAL_HOST=listmonk.$DOMAIN - - TZ=Etc/UTC + env_file: + - ./.env volumes: - ./data/listmonk/config.toml:/listmonk/config.toml - ./data/listmonk/static:/listmonk/static
@@ -45,6 +42,13 @@ networks: external: true EOF +cat > /federated/apps/listmonk/.env <<EOF +VIRTUAL_PROTO=http +VIRTUAL_PORT=9000 +VIRTUAL_HOST=listmonk.$DOMAIN +TZ=Etc/UTC +EOF + cat > /federated/apps/listmonk/data/listmonk/config.toml <<EOF [app] address = "0.0.0.0:9000"
@@ -56,13 +60,14 @@ admin_password = "$ADMINPASS" host = "postgresql.$DOMAIN" port = 5432 user = "listmonk" -password = "$ADMINPASS" +password = "$LISTMONK_SECRET" database = "listmonk" ssl_mode = "disable" max_open = 25 max_idle = 25 max_lifetime = "300s" EOF +chmod 600 /federated/apps/listmonk/data/listmonk/config.toml /federated/apps/listmonk/.env kill -9 $SPINPID &> /dev/null echo -ne "done."
diff --git a/lib/mail.sh b/lib/mail.sh
index 4a4656b..4d4542c 100644
--- a/lib/mail.sh
+++ b/lib/mail.sh
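Review bot: The added `chmod 600` restricts `data/listmonk/config.toml`, a file the first hunk of this file bind-mounts into the container (`./data/listmonk/config.toml:/listmonk/config.toml`); if the listmonk process runs as a non-root UID, a root-owned 0600 file is unreadable inside the container and the service will not start. Verify against the image before merging, and if that is the case either use 0640 with the container's group or keep the database password out of the file via listmonk's `LISTMONK_db__password` environment override (accepting that it is then visible as container environment). A comment on the chmod line recording the decision would save the next reader the same investigation.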
@@ -48,45 +48,8 @@ services: - ./data/var/log/mail:/var/log/mail/ - ./data/tmp/docker-mailserver:/tmp/docker-mailserver/ - /etc/localtime:/etc/localtime:ro - environment: - - ENABLE_SPAMASSASSIN=1 - - ENABLE_SPAMASSASSIN_KAM=1 - - SPAMASSASSIN_SPAM_TO_INBOX=1 - - ENABLE_CLAMAV=0 - - ENABLE_FAIL2BAN=1 - - ENABLE_POSTGREY=1 - - ONE_DIR=1 - - DMS_DEBUG=0 - - LOG_LEVEL=debug - - ENABLE_LDAP=1 - - SSL_TYPE=manual - - SSL_CERT_PATH=/root/certs/fullchain1.pem - - SSL_KEY_PATH=/root/certs/privkey1.pem - - LDAP_START_TLS=yes - - DOVECOT_TLS=yes - - SASLAUTHD_LDAP_START_TLS=yes - - LDAP_SERVER_HOST=ldap.$DOMAIN - - LDAP_SEARCH_BASE=ou=people,dc=$DOMAIN_FIRST,dc=$DOMAIN_LAST - - LDAP_BIND_DN=cn=admin,dc=$DOMAIN_FIRST,dc=$DOMAIN_LAST - - LDAP_BIND_PW=$ADMINPASS - - LDAP_QUERY_FILTER_USER=(&(mail=%s)(mailEnabled=TRUE)) - - LDAP_QUERY_FILTER_GROUP=(&(mailGroupMember=%s)(mailEnabled=TRUE)) - - LDAP_QUERY_FILTER_ALIAS=(|(&(mailAlias=%s)(objectClass=PostfixBookMailForward))(&(mailAlias=%s)(objectClass=inetOrgPerson)(mailEnabled=TRUE))) - - LDAP_QUERY_FILTER_DOMAIN=(|(&(mail=*@%s)(objectClass=PostfixBookMailAccount)(mailEnabled=TRUE))(&(mailGroupMember=*@%s)(objectClass=PostfixBookMailAccount)(mailEnabled=TRUE))(&(mailalias=*@%s)(objectClass=PostfixBookMailForward))) - # DOVECOT - - DOVECOT_PASS_FILTER=(&(objectClass=inetOrgPerson)(uid=%n)) - - DOVECOT_USER_FILTER=(&(objectClass=inetOrgPerson)(uid=%n)) - - DOVECOT_USER_ATTRS=homeDirectory=home,=uid=5000,=gid=5000 - # SASLAUTHD - - ENABLE_SASLAUTHD=1 - - SASLAUTHD_MECHANISMS=ldap - - SASLAUTHD_LDAP_SERVER=ldap.$DOMAIN - - SASLAUTHD_LDAP_BIND_DN=cn=admin,dc=$DOMAIN_FIRST,dc=$DOMAIN_LAST - - SASLAUTHD_LDAP_PASSWORD=$ADMINPASS - - SASLAUTHD_LDAP_SEARCH_BASE=ou=people,dc=$DOMAIN_FIRST,dc=$DOMAIN_LAST - - SASLAUTHD_LDAP_FILTER=(&(objectClass=inetOrgPerson)(uid=%U)) - - POSTMASTER_ADDRESS=postmaster@localhost.localdomain - - POSTFIX_MESSAGE_SIZE_LIMIT=100000000 + env_file: + - ./.env cap_add: - NET_ADMIN - SYS_PTRACE 
@@ -96,6 +59,48 @@ networks: external: true EOF +cat > /federated/apps/mail/.env <<EOF +ENABLE_SPAMASSASSIN=1 +ENABLE_SPAMASSASSIN_KAM=1 +SPAMASSASSIN_SPAM_TO_INBOX=1 +ENABLE_CLAMAV=0 +ENABLE_FAIL2BAN=1 +ENABLE_POSTGREY=1 +ONE_DIR=1 +DMS_DEBUG=0 +LOG_LEVEL=debug +ENABLE_LDAP=1 +SSL_TYPE=manual +SSL_CERT_PATH=/root/certs/fullchain1.pem +SSL_KEY_PATH=/root/certs/privkey1.pem +LDAP_START_TLS=yes +DOVECOT_TLS=yes +SASLAUTHD_LDAP_START_TLS=yes +LDAP_SERVER_HOST=ldap.$DOMAIN +LDAP_SEARCH_BASE=ou=people,dc=$DOMAIN_FIRST,dc=$DOMAIN_LAST +LDAP_BIND_DN=cn=admin,dc=$DOMAIN_FIRST,dc=$DOMAIN_LAST +LDAP_BIND_PW=$LDAP_SECRET +LDAP_QUERY_FILTER_USER=(&(mail=%s)(mailEnabled=TRUE)) +LDAP_QUERY_FILTER_GROUP=(&(mailGroupMember=%s)(mailEnabled=TRUE)) +LDAP_QUERY_FILTER_ALIAS=(|(&(mailAlias=%s)(objectClass=PostfixBookMailForward))(&(mailAlias=%s)(objectClass=inetOrgPerson)(mailEnabled=TRUE))) +LDAP_QUERY_FILTER_DOMAIN=(|(&(mail=*@%s)(objectClass=PostfixBookMailAccount)(mailEnabled=TRUE))(&(mailGroupMember=*@%s)(objectClass=PostfixBookMailAccount)(mailEnabled=TRUE))(&(mailalias=*@%s)(objectClass=PostfixBookMailForward))) +# DOVECOT +DOVECOT_PASS_FILTER=(&(objectClass=inetOrgPerson)(uid=%n)) +DOVECOT_USER_FILTER=(&(objectClass=inetOrgPerson)(uid=%n)) +DOVECOT_USER_ATTRS=homeDirectory=home,=uid=5000,=gid=5000 +# SASLAUTHD +ENABLE_SASLAUTHD=1 +SASLAUTHD_MECHANISMS=ldap +SASLAUTHD_LDAP_SERVER=ldap.$DOMAIN +SASLAUTHD_LDAP_BIND_DN=cn=admin,dc=$DOMAIN_FIRST,dc=$DOMAIN_LAST +SASLAUTHD_LDAP_PASSWORD=$LDAP_SECRET +SASLAUTHD_LDAP_SEARCH_BASE=ou=people,dc=$DOMAIN_FIRST,dc=$DOMAIN_LAST +SASLAUTHD_LDAP_FILTER=(&(objectClass=inetOrgPerson)(uid=%U)) +POSTMASTER_ADDRESS=postmaster@localhost.localdomain +POSTFIX_MESSAGE_SIZE_LIMIT=100000000 +EOF +chmod 600 /federated/apps/mail/.env + cat > /federated/apps/mail/data/tmp/docker-mailserver/postfix-main.cf <<'EOF' smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unknown_sender_domain, reject_sender_login_mismatch 
smtpd_sender_login_maps = ldap:/etc/postfix/ldap-aliases.cf
diff --git a/lib/matrix.sh b/lib/matrix.sh
index 774dcc5..81d5e1b 100644
--- a/lib/matrix.sh
+++ b/lib/matrix.sh
@@ -34,10 +34,8 @@ services: networks: federated: ipv4_address: 172.99.0.31 - environment: - - VIRTUAL_PROTO=http - - VIRTUAL_PORT=80 - - VIRTUAL_HOST=element.$DOMAIN + env_file: + - ./.env.element synapse: image: matrixdotorg/synapse:latest
@@ -50,16 +48,26 @@ services: ipv4_address: 172.99.0.32 volumes: - ./data/matrix:/data - environment: - - VIRTUAL_PROTO=http - - VIRTUAL_PORT=8008 - - VIRTUAL_HOST=matrix.$DOMAIN + env_file: + - ./.env.matrix networks: federated: external: true EOF +cat > /federated/apps/matrix/.env.element <<EOF +VIRTUAL_PROTO=http +VIRTUAL_PORT=80 +VIRTUAL_HOST=element.$DOMAIN +EOF +cat > /federated/apps/matrix/.env.matrix <<EOF +VIRTUAL_PROTO=http +VIRTUAL_PORT=8008 +VIRTUAL_HOST=matrix.$DOMAIN +EOF +chmod 600 /federated/apps/matrix/.env.element /federated/apps/matrix/.env.matrix + cat > /federated/apps/matrix/data/element/element-config.json <<EOF { "default_server_config": {
@@ -156,7 +164,7 @@ database: name: psycopg2 args: user: matrix - password: $ADMINPASS + password: $MATRIX_SECRET host: postgresql.$DOMAIN database: matrix cp_min: 5
@@ -173,7 +181,7 @@ modules: mail: "mail" name: "givenName" bind_dn: cn=admin,dc=$DOMAIN_FIRST,dc=$DOMAIN_LAST - bind_password: $ADMINPASS + bind_password: $LDAP_SECRET tls_options: validate: true local_certificate_file: /data/fullchain1.pem
diff --git a/lib/nextcloud.sh b/lib/nextcloud.sh
index 9ad3d59..fb2735a 100644
--- a/lib/nextcloud.sh
+++ b/lib/nextcloud.sh
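Review bot: Moving `LDAP_BIND_PW=$LDAP_SECRET` and `SASLAUTHD_LDAP_PASSWORD=$LDAP_SECRET` out of docker-compose.yml into a 0600 `.env` protects the file on disk, but the values are still injected as container environment variables, so they remain readable through `docker inspect`, `docker compose config` and `/proc/<pid>/environ` inside the container; the same applies to panel's `LDAP_ADMIN_BIND_PWD`/`SMTP_PASSWORD` and vaultwarden's `DATABASE_URL`/`ADMIN_TOKEN` in this commit. Where the image supports a `_FILE` variant (as ldap, postgresql and nextcloud now use) prefer a compose `secrets:` entry; where it does not, a comment above the heredoc such as `# values below are passed as container environment; readable via docker inspect` keeps the residual exposure from being mistaken for the file-secret mechanism. The enclosing function starts before this hunk.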
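Review bot: `password: $MATRIX_SECRET` writes a generated credential into the homeserver configuration produced by this heredoc, and the preceding hunk adds `chmod 600` for the two `.env.*` files but nothing equivalent is visible here for the configuration file itself; if it is tightened elsewhere, a comment by the heredoc pointing to that would help, otherwise it needs the same `chmod 600` after its `EOF`. The same observation holds for `bind_password: $LDAP_SECRET` in the following hunk of this file. Both heredocs start and end outside the hunks shown.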
@@ -37,24 +37,41 @@ services: - "collabora.$DOMAIN:$EXTERNALIP" volumes: - ./data/var/www/html:/var/www/html - environment: - - VIRTUAL_PROTO=http - - VIRTUAL_PORT=80 - - VIRTUAL_HOST=nextcloud.$DOMAIN - - PHP_MEMORY_LIMIT=2048M - - PHP_UPLOAD_LIMIT=2048M - - NEXTCLOUD_ADMIN_USER=nextcloud - - NEXTCLOUD_ADMIN_PASSWORD=$ADMINPASS - - POSTGRES_HOST=postgresql.$DOMAIN - - POSTGRES_DB=nextcloud - - POSTGRES_USER=nextcloud - - POSTGRES_PASSWORD=$ADMINPASS + env_file: + - ./.env + secrets: + - federated_psql_password + - federated_nextcloud_password +secrets: + federated_psql_password: + file: ./.postgresql.secret + federated_nextcloud_password: + file: ./.nextcloud.secret networks: federated: external: true EOF +cp /federated/apps/postgresql/.postgresql.secret /federated/apps/nextcloud/ +echo "$ADMINPASS" > /federated/apps/nextcloud/.nextcloud.secret +chmod 600 /federated/apps/nextcloud/.postgresql.secret /federated/apps/nextcloud/.nextcloud.secret + +cat > /federated/apps/nextcloud/.env <<EOF +VIRTUAL_PROTO=http +VIRTUAL_PORT=80 +VIRTUAL_HOST=nextcloud.$DOMAIN +PHP_MEMORY_LIMIT=2048M +PHP_UPLOAD_LIMIT=2048M +NEXTCLOUD_ADMIN_USER=nextcloud +NEXTCLOUD_ADMIN_PASSWORD_FILE=/run/secrets/federated_nextcloud_password +POSTGRES_HOST=postgresql.$DOMAIN +POSTGRES_DB=nextcloud +POSTGRES_USER=nextcloud +POSTGRES_PASSWORD_FILE=/run/secrets/federated_psql_password +EOF +chmod 600 /federated/apps/nextcloud/.env + cat > /federated/apps/nextcloud/supervisord.conf <<EOF [supervisord] nodaemon=true 
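Review bot: `cp /federated/apps/postgresql/.postgresql.secret /federated/apps/nextcloud/` duplicates the database secret into a second file and silently assumes config_postgresql has already run; if the source is absent, `cp` prints an error and the script carries on, and compose only fails later on the missing `./.postgresql.secret`. Referencing the original file removes both the duplicate and the silent failure: `file: ../postgresql/.postgresql.secret` in the `secrets:` block, or at minimum guard the copy with `[[ -s /federated/apps/postgresql/.postgresql.secret ]] || { echo "postgresql secret missing" >&2; return 1; }`. Separately, `.nextcloud.secret` is still filled from the shared `$ADMINPASS`, so the Nextcloud admin account does not get a per-service secret like the others — fine if intentional, but worth a one-line comment so it is not read as an oversight. The enclosing function starts before this hunk.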
@@ -110,7 +127,7 @@ PATH=/var/www/html:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:/sbin:/bin ./occ ldap:create-empty-config ./occ ldap:set-config s01 ldapHost 'ldaps://ldap.$DOMAIN' ./occ ldap:set-config s01 ldapAgentName cn=admin,dc=$DOMAIN_FIRST,dc=$DOMAIN_LAST -./occ ldap:set-config s01 ldapAgentPassword $ADMINPASS +./occ ldap:set-config s01 ldapAgentPassword $LDAP_SECRET ./occ ldap:set-config s01 ldapBase ou=people,dc=$DOMAIN_FIRST,dc=$DOMAIN_LAST ./occ ldap:set-config s01 ldapBaseGroups ou=people,dc=$DOMAIN_FIRST,dc=$DOMAIN_LAST ./occ ldap:set-config s01 ldapBaseUsers ou=people,dc=$DOMAIN_FIRST,dc=$DOMAIN_LAST
diff --git a/lib/panel.sh b/lib/panel.sh
index 118b7c0..844f7b8 100644
--- a/lib/panel.sh
+++ b/lib/panel.sh
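Review bot: `./occ ldap:set-config s01 ldapAgentPassword $LDAP_SECRET` expands the secret unquoted into the generated script; that only works because `create_password` limits its output to `[:alnum:]`, and any later change to the generator (symbols, spaces) would break this line or set a truncated bind password. Quote it as `./occ ldap:set-config s01 ldapAgentPassword '$LDAP_SECRET'`, matching the quoting already used for `ldapHost` two lines above. Note also that the password travels on the command line, so it is briefly visible in the container's process list — a known residual worth a comment rather than something this hunk can remove. The heredoc producing this script starts and ends outside the hunk.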
@@ -58,33 +58,38 @@ services: networks: federated: ipv4_address: 172.99.0.12 - environment: - - VIRTUAL_PROTO=http - - VIRTUAL_PORT=80 - - VIRTUAL_HOST=panel.$DOMAIN - - SERVER_HOSTNAME=panel.$DOMAIN - - LDAP_URI=ldap://ldap.$DOMAIN - - LDAP_BASE_DN=dc=$DOMAIN_FIRST,dc=$DOMAIN_LAST - - LDAP_REQUIRE_STARTTLS=true - - LDAP_ADMINS_GROUP=admins - - LDAP_ADMIN_BIND_DN=cn=admin,dc=$DOMAIN_FIRST,dc=$DOMAIN_LAST - - LDAP_ADMIN_BIND_PWD=$ADMINPASS - - LDAP_ACCOUNT_ADDITIONAL_OBJECTCLASSES=PostfixBookMailAccount - - LDAP_ACCOUNT_ADDITIONAL_ATTRIBUTES=mailEnabled:Mail Enabled:TRUE,mailAlias+:Email aliases - - EMAIL_DOMAIN=$DOMAIN - - USERNAME_FORMAT={first_name}.{last_name} - - SITE_NAME=$COMPANY User Manager - - SMTP_HOSTNAME=mail.$DOMAIN - - SMTP_USERNAME=admin - - SMTP_PASSWORD=$ADMINPASS - - EMAIL_FROM_ADDRESS=admin@$DOMAIN - - SMTP_USE_TLS=true - - NO_HTTPS=true + env_file: + - ./.env networks: federated: external: true EOF + +cat > /federated/apps/panel/.env <<EOF +VIRTUAL_PROTO=http +VIRTUAL_PORT=80 +VIRTUAL_HOST=panel.$DOMAIN +SERVER_HOSTNAME=panel.$DOMAIN +LDAP_URI=ldap://ldap.$DOMAIN +LDAP_BASE_DN=dc=$DOMAIN_FIRST,dc=$DOMAIN_LAST +LDAP_REQUIRE_STARTTLS=true +LDAP_ADMINS_GROUP=admins +LDAP_ADMIN_BIND_DN=cn=admin,dc=$DOMAIN_FIRST,dc=$DOMAIN_LAST +LDAP_ADMIN_BIND_PWD=$LDAP_SECRET +LDAP_ACCOUNT_ADDITIONAL_OBJECTCLASSES=PostfixBookMailAccount +LDAP_ACCOUNT_ADDITIONAL_ATTRIBUTES=mailEnabled:Mail Enabled:TRUE,mailAlias+:Email aliases +EMAIL_DOMAIN=$DOMAIN +USERNAME_FORMAT={first_name}.{last_name} +SITE_NAME=$COMPANY User Manager +SMTP_HOSTNAME=mail.$DOMAIN +SMTP_USERNAME=admin +SMTP_PASSWORD=$ADMINPASS +EMAIL_FROM_ADDRESS=admin@$DOMAIN +SMTP_USE_TLS=true +NO_HTTPS=true +EOF +chmod 600 /federated/apps/panel/.env kill -9 $SPINPID &> /dev/null echo -ne "done."
diff --git a/lib/postgresql.sh b/lib/postgresql.sh
index 8d96e44..dc51c9d 100644
--- a/lib/postgresql.sh
+++ b/lib/postgresql.sh
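Review bot: `SMTP_PASSWORD=$ADMINPASS` stays on the shared admin password while `LDAP_ADMIN_BIND_PWD` two lines earlier moves to `LDAP_SECRET`, which is the only place in this commit where a credential in a generated file keeps the old value. That is presumably deliberate (the panel sends mail as the `admin` mailbox, whose password is the LDAP user's, not the directory bind secret), but the file gives no hint, so a comment above the heredoc, `# SMTP_PASSWORD is the admin mailbox password (LDAP user), not the directory admin bind secret`, would stop the next reader from "fixing" it. The enclosing function starts before this hunk.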
@@ -39,11 +39,10 @@ services: - ./data/var/lib/postgresql/server.key:/var/lib/postgresql/server.key - ./data/var/lib/postgresql/data:/var/lib/postgresql/data - ./data/docker-entrypoint-initdb.d:/docker-entrypoint-initdb.d - environment: - - POSTGRES_DB=nextcloud - - POSTGRES_USER=nextcloud - - POSTGRES_PASSWORD=$ADMINPASS - - POSTGRES_INITDB_ARGS=--encoding='UTF8' --lc-collate='C' --lc-ctype='C' + env_file: + - ./.env + secrets: + - federated_psql_password command: > -c ssl=on -c ssl_cert_file=/var/lib/postgresql/server.crt
@@ -54,20 +53,38 @@ services: timeout: 5s retries: 5 +secrets: + federated_psql_password: + file: ./.postgresql.secret networks: federated: external: true EOF +cat > /federated/apps/postgresql/.env <<EOF +POSTGRES_DB=nextcloud +POSTGRES_USER=nextcloud +POSTGRES_PASSWORD_FILE=/run/secrets/federated_psql_password +POSTGRES_INITDB_ARGS=--encoding='UTF8' --lc-collate='C' --lc-ctype='C' +EOF +chmod 600 /federated/apps/postgresql/.env + +PSQL_SECRET=$(create_password); +echo "$PSQL_SECRET" > /federated/apps/postgresql/.postgresql.secret +chmod 600 /federated/apps/postgresql/.postgresql.secret +VAULTWARDEN_SECRET=$(create_password); +LISTMONK_SECRET=$(create_password); +MATRIX_SECRET=$(create_password); + # cat postgresql/data/docker-entrypoint-initdb.d/init.sql cat > /federated/apps/postgresql/data/docker-entrypoint-initdb.d/init.sql <<EOF -CREATE USER vaultwarden WITH PASSWORD '$ADMINPASS'; +CREATE USER vaultwarden WITH PASSWORD '$VAULTWARDEN_SECRET'; CREATE DATABASE vaultwarden; GRANT ALL PRIVILEGES ON DATABASE vaultwarden TO vaultwarden; -CREATE USER listmonk WITH PASSWORD '$ADMINPASS'; +CREATE USER listmonk WITH PASSWORD '$LISTMONK_SECRET'; CREATE DATABASE listmonk; GRANT ALL PRIVILEGES ON DATABASE listmonk TO listmonk; -CREATE USER matrix WITH PASSWORD '$ADMINPASS'; +CREATE USER matrix WITH PASSWORD '$MATRIX_SECRET'; CREATE DATABASE matrix; GRANT ALL PRIVILEGES ON DATABASE matrix TO matrix; EOF
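Review bot: `VAULTWARDEN_SECRET`, `LISTMONK_SECRET` and `MATRIX_SECRET` are generated here as plain shell globals and reach vaultwarden.sh, listmonk.sh and matrix.sh only through the install loop's call order, which this file does not state; a comment above the three assignments, `# Consumed by the vaultwarden, listmonk and matrix config functions via the shared shell environment; they must run after this one`, would make the coupling visible. init.sql then embeds all three passwords in clear text and, unlike the `.env` and `.postgresql.secret` files in this hunk, no `chmod 600` for it is visible here; it is also only executed by the image on first initialisation, so re-running the installer regenerates the passwords without updating the database roles — reusing the existing secret files when present, rather than regenerating unconditionally, would keep re-runs consistent. The trailing `;` on the four assignment lines is harmless but out of keeping with the rest of the file. The enclosing function ends after this hunk.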
diff --git a/lib/vaultwarden.sh b/lib/vaultwarden.sh
index d20e37c..c601f6b 100644
--- a/lib/vaultwarden.sh
+++ b/lib/vaultwarden.sh
@@ -30,15 +30,8 @@ services: networks: federated: ipv4_address: 172.99.0.33 - environment: - - VAULTWARDEN_DATABASE_URL=vaultwarden://vaultwarden:$ADMINPASS@vaultwarden.$DOMAIN/vaultwarden - - "DATABASE_URL=vaultwarden://vaultwarden:$ADMINPASS@vaultwarden.$DOMAIN/vaultwarden" - - VIRTUAL_PROTO=http - - VIRTUAL_PORT=80 - - VIRTUAL_HOST=vaultwarden.$DOMAIN - - WEBSOCKET_ENABLED=true - - ADMIN_TOKEN=$ADMINPASS - # - SIGNUPS_ALLOWED=false + env_file: + - ./.env volumes: - ./data/data:/data
@@ -46,6 +39,17 @@ networks: federated: external: true EOF + +cat > /federated/apps/vaultwarden/.env <<EOF +DATABASE_URL=postgresql://vaultwarden:$VAULTWARDEN_SECRET@postgresql.$DOMAIN:5432/vaultwarden +VIRTUAL_PROTO=http +VIRTUAL_PORT=80 +VIRTUAL_HOST=vaultwarden.$DOMAIN +WEBSOCKET_ENABLED=true +ADMIN_TOKEN=$VAULTWARDEN_SECRET +#- SIGNUPS_ALLOWED=false +EOF +chmod 600 /federated/apps/vaultwarden/.env kill -9 $SPINPID &> /dev/null echo -ne "done."
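Review bot: `ADMIN_TOKEN=$VAULTWARDEN_SECRET` reuses the database password as the admin-page token, so anyone who learns the DB credential (from `DATABASE_URL` in the same file, or on the postgres side) also gets the vaultwarden admin interface; these are two different trust boundaries and should be two different values, e.g. generate `VAULTWARDEN_ADMIN_TOKEN=$(create_password)` next to the DB secret and use that here. Vaultwarden also accepts an argon2 PHC hash in `ADMIN_TOKEN` (produced with `vaultwarden hash`), which avoids keeping the token in clear text at all. The commented `#- SIGNUPS_ALLOWED=false` line survived the move with a stray `- ` from its YAML origin; since open registration is vaultwarden's default, either enable the setting or drop the dead line rather than leaving it ambiguous. The enclosing function ends after this hunk.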