From 02cfe326d3226f8dfffeda445c3de736b64288d7 Mon Sep 17 00:00:00 2001
From: lub
Date: Sun, 30 Aug 2020 01:04:36 +0200
Subject: [PATCH 1/3] support using files for SECRET_KEY and DB_PW this enables usage of e.g. docker swarm secrets instead of exposing the passwords directly via environment variables just use DB_PW_FILE and SECRET_KEY_FILE instead of DB_PW and SECRET_KEY
---
 core/admin/mailu/configuration.py | 11 ++++++++++-
 webmails/roundcube/config.inc.php | 2 +-
 2 files changed, 11 insertions(+), 2 deletions(-)
diff --git a/core/admin/mailu/configuration.py b/core/admin/mailu/configuration.py
index 66b0b832..eacf7803 100644
--- a/core/admin/mailu/configuration.py
+++ b/core/admin/mailu/configuration.py
@@ -100,6 +100,15 @@ class ConfigManager(dict):
 if self.config["WEBMAIL"] != "none":
 self.config["WEBMAIL_ADDRESS"] = self.get_host_address("WEBMAIL")
+ def __get_env(self, key, value): key_file = key + "_FILE" if key_file in os.environ: with open(os.environ.get(key_file)) as file: value_from_file = file.read() return value_from_file.strip() else: return os.environ.get(key, value)
+
 def __coerce_value(self, value):
 if isinstance(value, str) and value.lower() in ('true','yes'):
 return True
@@ -111,7 +120,7 @@ class ConfigManager(dict):
 self.config.update(app.config)
 # get environment variables
 self.config.update({
- key: self.__coerce_value(os.environ.get(key, value))
+ key: self.__coerce_value(self.__get_env(key, value))
 for key, value in DEFAULT_CONFIG.items()
 })
 self.resolve_hosts()
diff --git a/webmails/roundcube/config.inc.php b/webmails/roundcube/config.inc.php
index eb40047a..627b96a7 100644
--- a/webmails/roundcube/config.inc.php
+++ b/webmails/roundcube/config.inc.php
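Review bot: `__get_env` lets `<KEY>_FILE` override `<KEY>`, while the roundcube hunk in this same series (`config.inc.php`, `des_key`) checks `getenv('SECRET_KEY')` first and only falls back to `SECRET_KEY_FILE`, so a deployment that sets both ends up with a different `SECRET_KEY` in admin than in webmail; the two should agree on one precedence rule. Because the helper is called for every entry of `DEFAULT_CONFIG` (second hunk), any `<KEY>_FILE` variable is honoured, not only `DB_PW_FILE` and `SECRET_KEY_FILE` as the commit message says, and a docstring should state that, e.g. `"""Return the value for key: the stripped contents of the file named by KEY_FILE if that variable is set, else the KEY environment variable, else value."""`. When the `_FILE` path is missing or unreadable, `open()` raises with a traceback that does not name the variable; wrapping it as `raise RuntimeError("cannot read {}".format(key_file)) from err` keeps the fail-fast behaviour but makes the misconfiguration obvious. `.strip()` also drops leading and trailing spaces that may be part of the secret, whereas `.rstrip("\n")` would remove only the trailing newline that `echo` or an editor usually adds to a secret file. The enclosing `ConfigManager` class continues outside the hunk.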
@@ -5,7 +5,7 @@ $config = array();
 // Generals
 $config['db_dsnw'] = getenv('DB_DSNW');;
 $config['temp_dir'] = '/tmp/';
-$config['des_key'] = getenv('SECRET_KEY');
+$config['des_key'] = getenv('SECRET_KEY') ? getenv('SECRET_KEY') : trim(file_get_contents(getenv('SECRET_KEY_FILE')));
 $config['cipher_method'] = 'AES-256-CBC';
 $config['identities_level'] = 0;
 $config['reply_all_mode'] = 1;
From 426355f6b861058a1f489f791f23c2ab44d6ed60 Mon Sep 17 00:00:00 2001
From: lub
Date: Sun, 30 Aug 2020 01:14:47 +0200
Subject: [PATCH 2/3] add some docs about _FILE variables
---
 docs/swarm/master/README.md | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/docs/swarm/master/README.md b/docs/swarm/master/README.md
index 58723c33..42e742da 100644
--- a/docs/swarm/master/README.md
+++ b/docs/swarm/master/README.md
@@ -106,6 +106,9 @@ As a side effect of this ingress mode "feature", make sure that the ingress subn
 - front and webmail are scalable (pending POD_ADDRESS_RANGE is used), although the let's encrypt magic might not like it (race condidtion ? or risk to be banned by let's encrypt server if too many front containers attemps to renew the certs at the same time)
 - redis, antispam, antivirus, fetchmail, admin, webdav have not been tested (hence replicas=1 in the following docker-compose.yml file)
+## Docker secrets
+There are DB_PW_FILE and SECRET_KEY_FILE environment variables available to specify files for these variables. These can be used to configure Docker secrets instead of writing the values directly into the `docker-compose.yml` or `mailu.env`.
+
 ## Variable substitution and docker-compose.yml The docker stack deploy command doesn't support variable substitution in the .yml file itself. As a consequence, we cannot simply use ``` docker stack deploy -c docker.compose.yml mailu ```
From 714fa044e08288d14ba02b016b5aca2114e68faa Mon Sep 17 00:00:00 2001
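Review bot: When neither `SECRET_KEY` nor `SECRET_KEY_FILE` is set, the new `des_key` line calls `file_get_contents(false)`, which on PHP 7 emits a warning and returns `false` (PHP 8 throws a `ValueError`), so `trim()` yields an empty string and Roundcube is configured with an empty cipher key instead of the `false` the removed line produced; the file read should be guarded by a check on `SECRET_KEY_FILE`. The precedence is also the reverse of `ConfigManager.__get_env` in the previous hunk, where the `_FILE` variable wins over the plain one, so setting both gives admin and webmail different keys. One line that fixes both: `$config['des_key'] = getenv('SECRET_KEY_FILE') ? trim(file_get_contents(getenv('SECRET_KEY_FILE'))) : getenv('SECRET_KEY');`. The surrounding `$config` assignments continue outside the hunk.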
From: lub
Date: Sun, 30 Aug 2020 01:19:42 +0200
Subject: [PATCH 3/3] add towncrier for #1607
---
 towncrier/newsfragments/1607.feature | 1 +
 1 file changed, 1 insertion(+)
 create mode 100644 towncrier/newsfragments/1607.feature
diff --git a/towncrier/newsfragments/1607.feature b/towncrier/newsfragments/1607.feature
new file mode 100644
index 00000000..de9f0895
--- /dev/null
+++ b/towncrier/newsfragments/1607.feature
@@ -0,0 +1 @@
+Implement SECRET_KEY_FILE and DB_PW_FILE variables for usage with Docker secrets.