beatzaplenty/docker
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Harden compose secrets and add required provisioning docs

Browse Source
This commit is contained in:
beatz174-bit
2026-04-07 16:12:50 +10:00
parent 417973b1cb
commit 3c2d28c763
14 changed files with 242 additions and 93 deletions
Download Patch File Download Diff File Expand all files Collapse all files
apps/gramps/docker-compose.yml
+17 -17
View File
@@ -4,22 +4,25 @@ services:
image: postgres:13
container_name: gramps-db
restart: always
env_file:
- ${PROJECT_ROOT}/secrets/stack-secrets.env
environment:
POSTGRES_USER: gramps
POSTGRES_PASSWORD: grampspassword
POSTGRES_DB: gramps
POSTGRES_USER: ${GRAMPS_DB_USER}
POSTGRES_PASSWORD_FILE: /run/secrets/gramps_db_password
POSTGRES_DB: ${GRAMPS_DB_NAME}
secrets:
- gramps_db_password
volumes:
- ${PROJECT_ROOT}/apps/gramps/db:/var/lib/postgresql
networks:
- gramps
healthcheck:
test: ["CMD-SHELL", "pg_isready -h db -p 5432 -U gramps -d gramps"]
test: ["CMD-SHELL", "pg_isready -h gramps-db -p 5432 -U $$POSTGRES_USER -d $$POSTGRES_DB"]
interval: 10s
timeout: 5s
retries: 12
start_period: 30s
grampsweb:
profiles: ["apps","all","gramps"]
image: ghcr.io/gramps-project/grampsweb:latest
@@ -27,15 +30,13 @@ services:
depends_on:
- gramps-db
restart: always
# ports:
# - "5000:5000" # access via http://localhost:5000
env_file:
- ${PROJECT_ROOT}/secrets/stack-secrets.env
environment:
DB_URI: postgresql://gramps:grampspassword@db:5432/gramps
DB_URI: postgresql://${GRAMPS_DB_USER}:${GRAMPS_DB_PASSWORD}@gramps-db:5432/${GRAMPS_DB_NAME}
GRAMPSWEB_LOGLEVEL: INFO
# default admin user created on first run:
INITIAL_ADMIN: admin
INITIAL_ADMIN_PASSWORD: admin
# optional: storage paths inside container
INITIAL_ADMIN: ${GRAMPS_INITIAL_ADMIN}
INITIAL_ADMIN_PASSWORD: ${GRAMPS_INITIAL_ADMIN_PASSWORD}
GRAMPSWEB_MEDIAPATH: /app/media
GRAMPSWEB_TREE: "main"
volumes:
@@ -62,10 +63,9 @@ services:
retries: 6
start_period: 60s
networks:
# traefik_reverse_proxy:
# external: true
gramps:
# driver: bridge
secrets:
gramps_db_password:
file: ${PROJECT_ROOT}/secrets/gramps_db_password.txt
apps/nextcloud/docker-compose.yml
+43 -31
View File
@@ -1,12 +1,13 @@
services:
nextcloud-webapp:
# image: nextcloud:production
profiles: ["apps","all","nextcloud"]
build:
context: ${PROJECT_ROOT}/apps/nextcloud
container_name: nextcloud-webapp
restart: always
hostname: nextcloud.lan.ddnsgeek.com
env_file:
- ${PROJECT_ROOT}/secrets/stack-secrets.env
volumes:
- ${PROJECT_ROOT}/apps/nextcloud/data:/var/www/html/data:rw
- ${PROJECT_ROOT}/apps/nextcloud/config:/var/www/html/config:rw
@@ -16,26 +17,28 @@ services:
- nextcloud-db
- nextcloud-redis
environment:
- MYSQL_PASSWORD=R1m@dmin
- MYSQL_DATABASE=nextcloud
- MYSQL_USER=nextcloud
- MYSQL_PASSWORD_FILE=/run/secrets/nextcloud_db_password
- MYSQL_DATABASE=${NEXTCLOUD_DB_NAME}
- MYSQL_USER=${NEXTCLOUD_DB_USER}
- MYSQL_HOST=nextcloud_db:3306
- NEXTCLOUD_TRUSTED_DOMAINS=nextcloud.lan.ddnsgeek.com
- OVERWRITEPROTOCOL=https
- OVERWRITECLIURL=https://nextcloud.lan.ddnsgeek.com
- SMTP_HOST=smtp.gmail.com
- SMTP_SECURE=tls
- SMTP_PORT=587
- SMTP_AUTHTYPE=login
- MAIL_FROM_ADDRESS=beatz174
- MAIL_DOMAIN=gmail.com
- SMTP_NAME=beatz174@gmail.com
- SMTP_PASSWORD=kqdw fvml wlag ldgv
- MAIL_FROM_ADDRESS=${NEXTCLOUD_SMTP_FROM_ADDRESS}
- MAIL_DOMAIN=${NEXTCLOUD_SMTP_DOMAIN}
- SMTP_NAME=${NEXTCLOUD_SMTP_NAME}
- SMTP_PASSWORD_FILE=/run/secrets/nextcloud_smtp_password
- REDIS_HOST=redis
- REDIS_HOST_PORT=6379
- REDIS_HOST_PASSWORD=TzBF8wcJNmVd9p2CTmBejPS9dpye6kWQeH3DmrQS9TPfTRriSHFN5VqH4CgzcuVZYWH2GBb7QU5GuEpNDGYdKjM6hjmLyjSgCFMiPms3Hv9n
- REDIS_HOST_PASSWORD_FILE=/run/secrets/nextcloud_redis_password
secrets:
- nextcloud_db_password
- nextcloud_smtp_password
- nextcloud_redis_password
networks:
- traefik
- nextcloud
@@ -54,7 +57,6 @@ services:
- "traefik.http.middlewares.nextcloud-webfinger.redirectregex.regex=https://(.*)/.well-known/webfinger"
- "traefik.http.middlewares.nextcloud-webfinger.redirectregex.replacement=https://$${1}/nextcloud/index.php/.well-known/webfinger"
- "traefik.docker.network=core_traefik"
healthcheck:
test:
- CMD-SHELL
@@ -68,9 +70,6 @@ services:
retries: 6
start_period: 180s
nextcloud-db:
image: mariadb:11.4
restart: always
@@ -78,36 +77,41 @@ services:
container_name: nextcloud-db
hostname: nextcloud_db
command: --transaction-isolation=READ-COMMITTED --log-bin=binlog --binlog-format=ROW
env_file:
- ${PROJECT_ROOT}/secrets/stack-secrets.env
volumes:
- ${PROJECT_ROOT}/apps/nextcloud/database:/var/lib/mysql:rw
environment:
- MYSQL_ROOT_PASSWORD=R1m@dmin
- MYSQL_PASSWORD=R1m@dmin
- MYSQL_DATABASE=nextcloud
- MYSQL_USER=nextcloud
- MYSQL_ROOT_PASSWORD_FILE=/run/secrets/nextcloud_db_root_password
- MYSQL_PASSWORD_FILE=/run/secrets/nextcloud_db_password
- MYSQL_DATABASE=${NEXTCLOUD_DB_NAME}
- MYSQL_USER=${NEXTCLOUD_DB_USER}
- MARIADB_AUTO_UPGRADE=1
- NEXTCLOUD_ADMIN_USER=admin
- NEXTCLOUD_ADMIN_PASSWORD=R1m@dmin
- NEXTCLOUD_ADMIN_USER=${NEXTCLOUD_ADMIN_USER}
- NEXTCLOUD_ADMIN_PASSWORD_FILE=/run/secrets/nextcloud_admin_password
secrets:
- nextcloud_db_root_password
- nextcloud_db_password
- nextcloud_admin_password
networks:
- nextcloud
labels:
- "io.portainer.accesscontrol.public"
healthcheck:
test: ["CMD-SHELL", "mariadb-admin ping -u nextcloud --password=R1m@dmin --silent"]
test: ["CMD-SHELL", "mariadb-admin ping -u $$MYSQL_USER --password=$$(cat /run/secrets/nextcloud_db_password) --silent"]
interval: 10s
timeout: 5s
retries: 12
start_period: 60s
nextcloud-redis:
image: "redis"
profiles: ["apps","all","nextcloud"]
command: ["redis-server", "--requirepass", "TzBF8wcJNmVd9p2CTmBejPS9dpye6kWQeH3DmrQS9TPfTRriSHFN5VqH4CgzcuVZYWH2GBb7QU5GuEpNDGYdKjM6hjmLyjSgCFMiPms3Hv9n", "--appendonly", "yes", "--save", "60", "1000"]
command: ["sh", "-c", "redis-server --requirepass \"$$(cat /run/secrets/nextcloud_redis_password)\" --appendonly yes --save 60 1000"]
hostname: redis
container_name: nextcloud-redis
environment:
- REDIS_HOST_PASSWORD=TzBF8wcJNmVd9p2CTmBejPS9dpye6kWQeH3DmrQS9TPfTRriSHFN5VqH4CgzcuVZYWH2GBb7QU5GuEpNDGYdKjM6hjmLyjSgCFMiPms3Hv9n
secrets:
- nextcloud_redis_password
volumes:
- ${PROJECT_ROOT}/apps/nextcloud/data/redis:/data:rw
restart: always
@@ -116,15 +120,23 @@ services:
labels:
- "io.portainer.accesscontrol.public"
healthcheck:
test: ["CMD-SHELL", "redis-cli -a TzBF8wcJNmVd9p2CTmBejPS9dpye6kWQeH3DmrQS9TPfTRriSHFN5VqH4CgzcuVZYWH2GBb7QU5GuEpNDGYdKjM6hjmLyjSgCFMiPms3Hv9n PING | grep -q PONG"]
test: ["CMD-SHELL", "redis-cli -a \"$$(cat /run/secrets/nextcloud_redis_password)\" PING | grep -q PONG"]
interval: 10s
timeout: 5s
retries: 6
start_period: 10s
networks:
# traefik_reverse_proxy:
# external: true
nextcloud:
# driver: bridge
secrets:
nextcloud_db_root_password:
file: ${PROJECT_ROOT}/secrets/nextcloud_db_root_password.txt
nextcloud_db_password:
file: ${PROJECT_ROOT}/secrets/nextcloud_db_password.txt
nextcloud_admin_password:
file: ${PROJECT_ROOT}/secrets/nextcloud_admin_password.txt
nextcloud_smtp_password:
file: ${PROJECT_ROOT}/secrets/nextcloud_smtp_password.txt
nextcloud_redis_password:
file: ${PROJECT_ROOT}/secrets/nextcloud_redis_password.txt
apps/passbolt/docker-compose.yml
+19 -17
View File
@@ -4,17 +4,21 @@ services:
container_name: passbolt-db
image: mariadb:12
restart: always
env_file:
- ${PROJECT_ROOT}/secrets/stack-secrets.env
environment:
MYSQL_RANDOM_ROOT_PASSWORD: "true"
MYSQL_DATABASE: "passbolt"
MYSQL_USER: "passbolt"
MYSQL_PASSWORD: "P4ssb0lt"
MYSQL_DATABASE: ${PASSBOLT_DB_NAME}
MYSQL_USER: ${PASSBOLT_DB_USER}
MYSQL_PASSWORD_FILE: /run/secrets/passbolt_db_password
secrets:
- passbolt_db_password
volumes:
- ${PROJECT_ROOT}/apps/passbolt/data/database:/var/lib/mysql
networks:
- passbolt
healthcheck:
test: ["CMD-SHELL", "mariadb-admin ping -h 127.0.0.1 -u\"$$MARIADB_USER\" -p\"$$MARIADB_PASSWORD\" --silent"]
test: ["CMD-SHELL", "mariadb-admin ping -h 127.0.0.1 -u\"$$MYSQL_USER\" -p\"$$(cat /run/secrets/passbolt_db_password)\" --silent"]
interval: 10s
timeout: 5s
retries: 12
@@ -22,22 +26,24 @@ services:
labels:
- "io.portainer.accesscontrol.public"
passbolt-webapp:
image: passbolt/passbolt:latest-ce
profiles: ["apps","all","passbolt"]
container_name: passbolt-webapp
#Alternatively you can use rootless:
restart: always
depends_on:
- passbolt-db
env_file:
- ${PROJECT_ROOT}/secrets/stack-secrets.env
environment:
APP_FULL_BASE_URL: https://passbolt.lan.ddnsgeek.com
DATASOURCES_DEFAULT_HOST: "passbolt-db"
DATASOURCES_DEFAULT_USERNAME: "passbolt"
DATASOURCES_DEFAULT_PASSWORD: "P4ssb0lt"
DATASOURCES_DEFAULT_DATABASE: "passbolt"
DATASOURCES_DEFAULT_USERNAME: ${PASSBOLT_DB_USER}
DATASOURCES_DEFAULT_PASSWORD_FILE: /run/secrets/passbolt_db_password
DATASOURCES_DEFAULT_DATABASE: ${PASSBOLT_DB_NAME}
PASSBOLT_GPG_SERVER_KEY_FINGERPRINT: "CBBB2B8F3E9FACA114537ACB8965B750F7363586"
secrets:
- passbolt_db_password
volumes:
- ${PROJECT_ROOT}/apps/passbolt/data/gpg:/etc/passbolt/gpg
- ${PROJECT_ROOT}/apps/passbolt/data/jwt:/etc/passbolt/jwt
@@ -60,20 +66,16 @@ services:
- "traefik.http.routers.passbolt.tls.certresolver=myresolver"
- "io.portainer.accesscontrol.public"
- "traefik.docker.network=core_traefik"
healthcheck:
test: ["CMD-SHELL", "curl -fsS http://localhost/healthcheck/status | grep -qx OK"]
# su -s /bin/sh -c "/usr/share/php/passbolt/bin/cake passbolt healthcheck" www-data
# | grep -q "No error found"
interval: 30s
timeout: 10s
retries: 6
start_period: 120s
networks:
# traefik_reverse_proxy:
# external: true
# internal:
# driver: bridge
passbolt:
secrets:
passbolt_db_password:
file: ${PROJECT_ROOT}/secrets/passbolt_db_password.txt