From b8593ba6566062b877be9e489672e01f941a8e4c Mon Sep 17 00:00:00 2001 From: Derek Crudgington Date: Thu, 5 Jan 2023 20:29:17 +0000 Subject: [PATCH] First run of .env and secret files --- bin/install-federated.sh | 5 ++- lib/collabora.sh | 17 +++++--- lib/functions.sh | 6 +++ lib/jitsi.sh | 2 +- lib/ldap.sh | 36 +++++++++++------ lib/listmonk.sh | 17 +++++--- lib/mail.sh | 83 +++++++++++++++++++++------------------- lib/matrix.sh | 28 +++++++++----- lib/nextcloud.sh | 43 ++++++++++++++------- lib/panel.sh | 49 +++++++++++++----------- lib/postgresql.sh | 33 ++++++++++++---- lib/vaultwarden.sh | 22 ++++++----- 12 files changed, 214 insertions(+), 127 deletions(-) create mode 100644 lib/functions.sh diff --git a/bin/install-federated.sh b/bin/install-federated.sh index a8e5e28..525ade1 100755 --- a/bin/install-federated.sh +++ b/bin/install-federated.sh @@ -1,4 +1,4 @@ -#!/bin/bash +#!/bin/bash -x # # Federated installation script @@ -44,6 +44,7 @@ get_config() { fi done + . /federated/lib/functions.sh . /federated/lib/checks.sh . /federated/lib/network.sh . /federated/lib/dns.sh @@ -88,7 +89,7 @@ check_ports config_network # Configure and start each federated service -for i in dns postgresql ldap mail collabora nextcloud matrix listmonk vaultwarden panel proxy jitsi; do +for i in dns postgresql ldap mail collabora proxy nextcloud matrix listmonk vaultwarden panel jitsi; do config_$i start_$i done diff --git a/lib/collabora.sh b/lib/collabora.sh index 4ed0061..58eef52 100644 --- a/lib/collabora.sh +++ b/lib/collabora.sh @@ -39,12 +39,8 @@ services: - ./data/root/certs/fullchain1.pem:/etc/coolwsd/cert.pem - ./data/root/certs/privkey1.pem:/etc/coolwsd/key.pem - ./data/root/certs/chain1.pem:/etc/coolwsd/ca-chain.cert.pem - environment: - - VIRTUAL_PROTO=https - - VIRTUAL_PORT=9980 - - VIRTUAL_HOST=collabora.$DOMAIN - - domain=nextcloud.$DOMAIN - - server_name=collabora.$DOMAIN + env_file: + - ./.env cap_add: - MKNOD 
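Review bot: The shebang change to `#!/bin/bash -x` in the first install-federated.sh hunk turns on command tracing for the whole installer, and with this same commit the installer starts generating passwords via `$(create_password)` and writing them with lines such as `echo "$LDAP_SECRET" > /federated/apps/ldap/.ldap.secret`, so every expanded secret is printed to stderr and into any captured install log. Options on the shebang line are also silently dropped when the script is started as `bash install-federated.sh`. Keep `#!/bin/bash` and make tracing opt-in after the sourcing block, e.g. `[[ -n "${DEBUG:-}" ]] && set -x` (variable name is only an example), so a debugging aid does not ship as the default for a script that handles credentials.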
@@ -53,6 +49,15 @@ networks: external: true EOF +cat > /federated/apps/collabora/.env < /dev/null echo -ne "done." } diff --git a/lib/functions.sh b/lib/functions.sh new file mode 100644 index 0000000..65f21e9 --- /dev/null +++ b/lib/functions.sh @@ -0,0 +1,6 @@ +create_password() { +# eval $1_var=$1 +# echo "$postgres_var" + SECRET=`tr -cd '[:alnum:]' < /dev/urandom | fold -w32 | head -n1` + echo "$SECRET"; +} diff --git a/lib/jitsi.sh b/lib/jitsi.sh index b72d7bb..cb95b1e 100644 --- a/lib/jitsi.sh +++ b/lib/jitsi.sh @@ -532,7 +532,7 @@ LDAP_BASE=DC=$DOMAIN_FIRST,DC=$DOMAIN_LAST LDAP_BINDDN=CN=admin,DC=$DOMAIN_FIRST,DC=$DOMAIN_LAST # LDAP user password. Do not specify this parameter for the anonymous bind -LDAP_BINDPW=$ADMINPASS +LDAP_BINDPW=$LDAP_SECRET # LDAP filter. Tokens example: diff --git a/lib/ldap.sh b/lib/ldap.sh index a7b5cda..ea473da 100644 --- a/lib/ldap.sh +++ b/lib/ldap.sh @@ -42,22 +42,36 @@ services: - ./data/etc/ldap/slapd.d:/etc/ldap/slapd.d - ./data/certs:/container/service/slapd/assets/certs - ./data/root:/root - environment: - - LDAP_ORGANISATION=$COMPANY - - LDAP_DOMAIN=$DOMAIN - - LDAP_ADMIN_PASSWORD=$ADMINPASS - - LDAP_RFC2307BIS_SCHEMA=true - - LDAP_REMOVE_CONFIG_AFTER_SETUP=true - - LDAP_TLS=true - - LDAP_TLS_CRT_FILENAME=fullchain1.pem - - LDAP_TLS_KEY_FILENAME=privkey1.pem - - LDAP_TLS_CA_CRT_FILENAME=chain1.pem - - LDAP_TLS_VERIFY_CLIENT=try + env_file: + - ./.env + secrets: + - federated_ldap_password +secrets: + federated_ldap_password: + file: ./.ldap.secret networks: federated: external: true EOF + +cat > /federated/apps/ldap/.env < /federated/apps/ldap/.ldap.secret +chmod 600 /federated/apps/ldap/.ldap.secret cat > /federated/apps/ldap/data/root/ldap.ldif < /federated/apps/listmonk/.env < /federated/apps/listmonk/data/listmonk/config.toml < /dev/null echo -ne "done." diff --git a/lib/mail.sh b/lib/mail.sh index 4a4656b..4d4542c 100644 --- a/lib/mail.sh +++ b/lib/mail.sh 
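Review bot: `create_password` in the new lib/functions.sh assigns `SECRET` as a global and prints it with `echo`, so the most recently generated password stays in the caller's shell environment after the function returns (and appears in any trace output); a `local` variable fixes that. The pipeline also runs `tr -cd '[:alnum:]'` under whatever locale the installer happens to have; `LC_ALL=C` pins the class to the ASCII alphanumerics so the output alphabet is the same on every host, and `$(…)` is preferable to the backticks used here. Suggested body: `local secret` / `secret=$(LC_ALL=C tr -cd '[:alnum:]' </dev/urandom | fold -w32 | head -n1)` / `printf '%s\n' "$secret"`. The two commented-out `eval` lines are dead code and should not ship in a new file.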
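Review bot: `echo "$LDAP_SECRET" > /federated/apps/ldap/.ldap.secret` followed by `chmod 600 /federated/apps/ldap/.ldap.secret` creates the file under the process umask first (commonly 0644) and only then tightens it, so the admin password is briefly readable by every local account; create it restricted from the start, `(umask 077; printf '%s' "$LDAP_SECRET" > /federated/apps/ldap/.ldap.secret)`, or `install -m 600 /dev/null /federated/apps/ldap/.ldap.secret` before writing. The same write-then-chmod sequence appears in the postgresql hunk (`.postgresql.secret`) and in the nextcloud hunk (`.postgresql.secret` and `.nextcloud.secret`). `echo` also appends a newline that becomes part of the mounted secret; whether the consuming image strips it is not visible here, which is another reason to prefer `printf '%s'`. The `.env` written just above for the same service gets no mode change in this hunk; if it now carries `LDAP_ADMIN_PASSWORD` as the removed `environment:` entry did, it needs the same 0600 treatment.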
@@ -48,45 +48,8 @@ services: - ./data/var/log/mail:/var/log/mail/ - ./data/tmp/docker-mailserver:/tmp/docker-mailserver/ - /etc/localtime:/etc/localtime:ro - environment: - - ENABLE_SPAMASSASSIN=1 - - ENABLE_SPAMASSASSIN_KAM=1 - - SPAMASSASSIN_SPAM_TO_INBOX=1 - - ENABLE_CLAMAV=0 - - ENABLE_FAIL2BAN=1 - - ENABLE_POSTGREY=1 - - ONE_DIR=1 - - DMS_DEBUG=0 - - LOG_LEVEL=debug - - ENABLE_LDAP=1 - - SSL_TYPE=manual - - SSL_CERT_PATH=/root/certs/fullchain1.pem - - SSL_KEY_PATH=/root/certs/privkey1.pem - - LDAP_START_TLS=yes - - DOVECOT_TLS=yes - - SASLAUTHD_LDAP_START_TLS=yes - - LDAP_SERVER_HOST=ldap.$DOMAIN - - LDAP_SEARCH_BASE=ou=people,dc=$DOMAIN_FIRST,dc=$DOMAIN_LAST - - LDAP_BIND_DN=cn=admin,dc=$DOMAIN_FIRST,dc=$DOMAIN_LAST - - LDAP_BIND_PW=$ADMINPASS - - LDAP_QUERY_FILTER_USER=(&(mail=%s)(mailEnabled=TRUE)) - - LDAP_QUERY_FILTER_GROUP=(&(mailGroupMember=%s)(mailEnabled=TRUE)) - - LDAP_QUERY_FILTER_ALIAS=(|(&(mailAlias=%s)(objectClass=PostfixBookMailForward))(&(mailAlias=%s)(objectClass=inetOrgPerson)(mailEnabled=TRUE))) - - LDAP_QUERY_FILTER_DOMAIN=(|(&(mail=*@%s)(objectClass=PostfixBookMailAccount)(mailEnabled=TRUE))(&(mailGroupMember=*@%s)(objectClass=PostfixBookMailAccount)(mailEnabled=TRUE))(&(mailalias=*@%s)(objectClass=PostfixBookMailForward))) - # DOVECOT - - DOVECOT_PASS_FILTER=(&(objectClass=inetOrgPerson)(uid=%n)) - - DOVECOT_USER_FILTER=(&(objectClass=inetOrgPerson)(uid=%n)) - - DOVECOT_USER_ATTRS=homeDirectory=home,=uid=5000,=gid=5000 - # SASLAUTHD - - ENABLE_SASLAUTHD=1 - - SASLAUTHD_MECHANISMS=ldap - - SASLAUTHD_LDAP_SERVER=ldap.$DOMAIN - - SASLAUTHD_LDAP_BIND_DN=cn=admin,dc=$DOMAIN_FIRST,dc=$DOMAIN_LAST - - SASLAUTHD_LDAP_PASSWORD=$ADMINPASS - - SASLAUTHD_LDAP_SEARCH_BASE=ou=people,dc=$DOMAIN_FIRST,dc=$DOMAIN_LAST - - SASLAUTHD_LDAP_FILTER=(&(objectClass=inetOrgPerson)(uid=%U)) - - POSTMASTER_ADDRESS=postmaster@localhost.localdomain - - POSTFIX_MESSAGE_SIZE_LIMIT=100000000 + env_file: + - ./.env cap_add: - NET_ADMIN - SYS_PTRACE 
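Review bot: `LDAP_BIND_PW=$ADMINPASS` and `SASLAUTHD_LDAP_PASSWORD=$ADMINPASS` leave the compose file here only to land in the same `.env` as roughly thirty-five non-secret settings (`ENABLE_FAIL2BAN`, `LOG_LEVEL`, the `LDAP_QUERY_FILTER_*` and `DOVECOT_*` strings), whereas the ldap and postgresql hunks in this commit split the password into a `secrets:` file and keep only configuration in `.env`. A mixed file has to be handled as a secret in its entirety (file mode, backups, anything pasted into a support ticket), and every later tweak to a query filter becomes an edit of a credential file. If the mail image accepts a file-based variant for these two variables, apply the same `env_file:` plus `secrets:` layout as the ldap service; otherwise at least document in the compose heredoc that this `.env` is sensitive. The compose heredoc being edited starts before this hunk.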
@@ -96,6 +59,48 @@ networks: external: true EOF +cat > /federated/apps/mail/.env < /federated/apps/mail/data/tmp/docker-mailserver/postfix-main.cf <<'EOF' smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unknown_sender_domain, reject_sender_login_mismatch smtpd_sender_login_maps = ldap:/etc/postfix/ldap-aliases.cf diff --git a/lib/matrix.sh b/lib/matrix.sh index 774dcc5..81d5e1b 100644 --- a/lib/matrix.sh +++ b/lib/matrix.sh @@ -34,10 +34,8 @@ services: networks: federated: ipv4_address: 172.99.0.31 - environment: - - VIRTUAL_PROTO=http - - VIRTUAL_PORT=80 - - VIRTUAL_HOST=element.$DOMAIN + env_file: + - ./.env.element synapse: image: matrixdotorg/synapse:latest @@ -50,16 +48,26 @@ services: ipv4_address: 172.99.0.32 volumes: - ./data/matrix:/data - environment: - - VIRTUAL_PROTO=http - - VIRTUAL_PORT=8008 - - VIRTUAL_HOST=matrix.$DOMAIN + env_file: + - ./.env.matrix networks: federated: external: true EOF +cat > /federated/apps/matrix/.env.element < /federated/apps/matrix/.env.matrix < /federated/apps/matrix/data/element/element-config.json < /federated/apps/nextcloud/.nextcloud.secret +chmod 600 /federated/apps/nextcloud/.postgresql.secret /federated/apps/nextcloud/.nextcloud.secret + +cat > /federated/apps/nextcloud/.env < /federated/apps/nextcloud/supervisord.conf < /federated/apps/panel/.env < /dev/null echo -ne "done." diff --git a/lib/postgresql.sh b/lib/postgresql.sh index 8d96e44..dc51c9d 100644 --- a/lib/postgresql.sh +++ b/lib/postgresql.sh 
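Review bot: The file written by `cat > /federated/apps/mail/.env` in this hunk is where the LDAP bind and saslauthd passwords removed in the previous hunk now live, yet unlike the `.ldap.secret` and `.postgresql.secret` files elsewhere in this commit no `chmod 600` for it is visible, so it is created with the default umask and is readable by every local account. Add `chmod 600 /federated/apps/mail/.env` directly after the heredoc, or run the write inside `(umask 077; …)`. The other `.env` files this commit generates (collabora, ldap, listmonk, nextcloud, panel, vaultwarden) deserve the same check wherever a password is interpolated into them.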
@@ -39,11 +39,10 @@ services: - ./data/var/lib/postgresql/server.key:/var/lib/postgresql/server.key - ./data/var/lib/postgresql/data:/var/lib/postgresql/data - ./data/docker-entrypoint-initdb.d:/docker-entrypoint-initdb.d - environment: - - POSTGRES_DB=nextcloud - - POSTGRES_USER=nextcloud - - POSTGRES_PASSWORD=$ADMINPASS - - POSTGRES_INITDB_ARGS=--encoding='UTF8' --lc-collate='C' --lc-ctype='C' + env_file: + - ./.env + secrets: + - federated_psql_password command: > -c ssl=on -c ssl_cert_file=/var/lib/postgresql/server.crt @@ -54,20 +53,38 @@ services: timeout: 5s retries: 5 +secrets: + federated_psql_password: + file: ./.postgresql.secret networks: federated: external: true EOF +cat > /federated/apps/postgresql/.env < /federated/apps/postgresql/.postgresql.secret +chmod 600 /federated/apps/postgresql/.postgresql.secret +VAULTWARDEN_SECRET=$(create_password); +LISTMONK_SECRET=$(create_password); +MATRIX_SECRET=$(create_password); + # cat postgresql/data/docker-entrypoint-initdb.d/init.sql cat > /federated/apps/postgresql/data/docker-entrypoint-initdb.d/init.sql < /federated/apps/vaultwarden/.env < /dev/null echo -ne "done."
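Review bot: `VAULTWARDEN_SECRET=$(create_password);`, `LISTMONK_SECRET=$(create_password);` and `MATRIX_SECRET=$(create_password);` in the second postgresql hunk are created inside lib/postgresql.sh as plain shell globals, presumably because init.sql needs the role passwords, and then relied on by the vaultwarden, listmonk and matrix scripts that run later in the install loop; those scripts therefore only produce a working `.env` when postgresql.sh ran earlier in the same shell, and re-running one service's `config_*` step would write an empty or different password than the one baked into init.sql. Generating every secret once in install-federated.sh before the loop, or persisting them to a 0600 file under /federated and reading them back, removes the hidden ordering dependency. The trailing semicolons on these three assignments are unnecessary in shell. The `cat > …/init.sql <<EOF` heredoc that follows continues past the end of the hunk.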