mirror of
https://github.com/joaovitoriasilva/endurain.git
synced 2026-01-08 23:38:01 -05:00
d265be67bc
Introduces secure reading of sensitive environment variables (DB_PASSWORD, SECRET_KEY, FERNET_KEY) via _FILE variants for Docker secrets. Updates backend to use new read_secret utility, adds validation for Fernet keys, and documents usage in advanced setup guide. Bumps version to 0.15.3 and provides a docker-compose secrets example.
74 lines
2.1 KiB
Plaintext
74 lines
2.1 KiB
Plaintext
# Docker Compose example with File-Based Secrets
|
|
# This file demonstrates how to use file-based Docker secrets for sensitive environment variables
|
|
# like DB_PASSWORD, SECRET_KEY, and FERNET_KEY.
|
|
|
|
services:
|
|
endurain:
|
|
container_name: endurain-app
|
|
image: ghcr.io/joaovitoriasilva/endurain:latest
|
|
environment:
|
|
# Use _FILE variants to read secrets from files
|
|
- DB_PASSWORD_FILE=/run/secrets/db_password
|
|
- SECRET_KEY_FILE=/run/secrets/secret_key
|
|
- FERNET_KEY_FILE=/run/secrets/fernet_key
|
|
# Regular environment variables
|
|
- TZ=Europe/Lisbon
|
|
- DB_TYPE=postgres
|
|
- DB_HOST=postgres
|
|
- DB_PORT=5432
|
|
- DB_USER=endurain
|
|
- DB_DATABASE=endurain
|
|
- ENDURAIN_HOST=https://endurain.example.com
|
|
- BEHIND_PROXY=true
|
|
- ALGORITHM=HS256
|
|
- ACCESS_TOKEN_EXPIRE_MINUTES=15
|
|
- REFRESH_TOKEN_EXPIRE_DAYS=7
|
|
secrets:
|
|
- db_password
|
|
- secret_key
|
|
- fernet_key
|
|
volumes:
|
|
- /opt/endurain/backend/data:/app/backend/data
|
|
- /opt/endurain/backend/logs:/app/backend/logs
|
|
ports:
|
|
- "8080:8080"
|
|
depends_on:
|
|
postgres:
|
|
condition: service_healthy
|
|
restart: unless-stopped
|
|
|
|
postgres:
|
|
image: docker.io/postgres:17.5
|
|
container_name: endurain-postgres
|
|
environment:
|
|
- POSTGRES_PASSWORD_FILE=/run/secrets/postgres_password
|
|
- POSTGRES_DB=endurain
|
|
- POSTGRES_USER=endurain
|
|
- PGDATA=/var/lib/postgresql/data/pgdata
|
|
secrets:
|
|
- postgres_password
|
|
healthcheck:
|
|
test: ["CMD-SHELL", "pg_isready -U endurain"]
|
|
interval: 5s
|
|
timeout: 5s
|
|
retries: 5
|
|
volumes:
|
|
- /opt/endurain/postgres:/var/lib/postgresql/data
|
|
restart: unless-stopped
|
|
|
|
secrets:
|
|
# File-based secrets - secrets are read from local files
|
|
db_password:
|
|
file: ./secrets/db_password.txt
|
|
|
|
# Postgres uses the same password as the application
|
|
postgres_password:
|
|
file: ./secrets/db_password.txt
|
|
|
|
# JWT secret key
|
|
secret_key:
|
|
file: ./secrets/secret_key.txt
|
|
|
|
# Fernet encryption key
|
|
fernet_key:
|
|
file: ./secrets/fernet_key.txt |