entrypoint: add docker secret friendly _FILE options

to prevent having to define secrets in docker compose file when using docker stack, add a _FILE option for sensitive information so that docker secrets may be used; update README accordingly
ONLYOFFICE · Oct 21, 2022 · 4073ce9 · 4073ce9
1 parent 46683cb
commit 4073ce9
Show file tree

Hide file tree

Showing 2 changed files with 27 additions and 7 deletions.
diff --git a/README.md b/README.md
@@ -180,17 +180,17 @@ Below is the complete list of parameters that can be set using environment varia
 - **DB_PORT**: The database server port number.
 - **DB_NAME**: The name of a database to use. Should be existing on container startup.
 - **DB_USER**: The new user name with superuser permissions for the database account.
-- **DB_PWD**: The password set for the database account.
+- **DB_PWD[_FILE]**: The password set for the database account.
 - **AMQP_URI**: The [AMQP URI](https://www.rabbitmq.com/uri-spec.html "RabbitMQ URI Specification") to connect to message broker server.
 - **AMQP_TYPE**: The message broker type. Supported values are `rabbitmq` or `activemq`. Defaults to `rabbitmq`.
 - **REDIS_SERVER_HOST**: The IP address or the name of the host where the Redis server is running.
 - **REDIS_SERVER_PORT**:  The Redis server port number.
 - **REDIS_SERVER_PASS**: The Redis server password. The password is not set by default.
 - **NGINX_WORKER_PROCESSES**: Defines the number of nginx worker processes.
 - **NGINX_WORKER_CONNECTIONS**: Sets the maximum number of simultaneous connections that can be opened by a nginx worker process.
-- **SECURE_LINK_SECRET**: Defines secret for the nginx config directive [secure_link_md5](http://nginx.org/ru/docs/http/ngx_http_secure_link_module.html#secure_link_md5). Defaults to `random string`.
+- **SECURE_LINK_SECRET[_FILE]**: Defines secret for the nginx config directive [secure_link_md5](http://nginx.org/ru/docs/http/ngx_http_secure_link_module.html#secure_link_md5). Defaults to `random string`.
 - **JWT_ENABLED**: Specifies the enabling the JSON Web Token validation by the ONLYOFFICE Document Server. Defaults to `false`.
-- **JWT_SECRET**: Defines the secret key to validate the JSON Web Token in the request to the ONLYOFFICE Document Server. Defaults to `secret`.
+- **JWT_SECRET[_FILE]**: Defines the secret key to validate the JSON Web Token in the request to the ONLYOFFICE Document Server. Defaults to `secret`.
 - **JWT_HEADER**: Defines the http header that will be used to send the JSON Web Token. Defaults to `Authorization`.
 - **JWT_IN_BODY**: Specifies the enabling the token validation in the request body to the ONLYOFFICE Document Server. Defaults to `false`.
 - **WOPI_ENABLED**: Specifies the enabling the wopi handlers. Defaults to `false`.
@@ -203,6 +203,8 @@ Below is the complete list of parameters that can be set using environment varia
 - **LETS_ENCRYPT_DOMAIN**: Defines the domain for Let's Encrypt certificate.
 - **LETS_ENCRYPT_MAIL**: Defines the domain administator mail address for Let's Encrypt certificate.
 
+Parameters ending in **[_FILE]** can alternatively be given as a path to a file from which the value is read to faciliate using docker secrets for sensitive information. If the parameter is specified both as **PARAM** and **PARAM_FILE**, the latter takes precedence.
+
 ## Installing ONLYOFFICE Document Server integrated with Community and Mail Servers
 
 ONLYOFFICE Document Server is a part of ONLYOFFICE Community Edition that comprises also Community Server and Mail Server. To install them, follow these easy steps:

diff --git a/run-document-server.sh b/run-document-server.sh
@@ -8,6 +8,23 @@ function clean_exit {
 
 trap clean_exit SIGTERM
 
+function file_env {
+        local var="$1"
+        local fileVar="${var}_FILE"
+        local def="${2:-}"
+        if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then
+                echo "Both $var and $fileVar are set; $fileVar takes precedence"
+        fi
+        local val="$def"
+        if [ "${!fileVar:-}" ]; then
+                val="$(< "${!fileVar}")"
+        elif [ "${!var:-}" ]; then
+                val="${!var}"
+        fi
+        export "$var"="$val"
+        unset "$fileVar"
+}
+
 # Define '**' behavior explicitly
 shopt -s globstar
 
@@ -84,9 +101,9 @@ else
   JWT_ENABLED="false"
 fi
 
-[ -z $JWT_SECRET ] && JWT_MESSAGE='JWT is enabled by default. A random secret is generated automatically. Run the command "docker exec $(sudo docker ps -q) sudo documentserver-jwt-status.sh" to get information about JWT.'
-
-JWT_SECRET=${JWT_SECRET:-$(pwgen -s 20)}
+[ -z "$JWT_SECRET" ] && [ -z "$JWT_SECRET_FILE" ] && JWT_MESSAGE='JWT is enabled by default. A random secret is generated automatically. Run the command "docker exec $(sudo docker ps -q) sudo documentserver-jwt-status.sh" to get information about JWT.'
+file_env JWT_SECRET
+[ -z "$JWT_SECRET" ] && JWT_SECRET=$(pwgen -s 20)
 JWT_HEADER=${JWT_HEADER:-Authorization}
 JWT_IN_BODY=${JWT_IN_BODY:-false}
 
@@ -158,7 +175,7 @@ read_setting(){
   esac
   DB_NAME=${DB_NAME:-${POSTGRESQL_SERVER_DB_NAME:-$(${JSON} services.CoAuthoring.sql.dbName)}}
   DB_USER=${DB_USER:-${POSTGRESQL_SERVER_USER:-$(${JSON} services.CoAuthoring.sql.dbUser)}}
-  DB_PWD=${DB_PWD:-${POSTGRESQL_SERVER_PASS:-$(${JSON} services.CoAuthoring.sql.dbPass)}}
+  file_env DB_PWD ${POSTGRESQL_SERVER_PASS:-$(${JSON} services.CoAuthoring.sql.dbPass)}
 
   RABBITMQ_SERVER_URL=${RABBITMQ_SERVER_URL:-$(${JSON} rabbitmq.url)}
   AMQP_URI=${AMQP_URI:-${AMQP_SERVER_URL:-${RABBITMQ_SERVER_URL}}}
@@ -488,6 +505,7 @@ update_nginx_settings(){
     sed 's/linux/docker/' -i ${NGINX_ONLYOFFICE_EXAMPLE_CONF}
   fi
 
+  file_env SECURE_LINK_SECRET
   documentserver-update-securelink.sh -s ${SECURE_LINK_SECRET:-$(pwgen -s 20)} -r false
 }