Harden compose secrets and add required provisioning docs

apps/passbolt/docker-compose.yml

@@ -4,17 +4,21 @@ services:
     container_name: passbolt-db
     image: mariadb:12
     restart: always
+    env_file:
+      - ${PROJECT_ROOT}/secrets/stack-secrets.env
     environment:
       MYSQL_RANDOM_ROOT_PASSWORD: "true"
-      MYSQL_DATABASE: "passbolt"
-      MYSQL_USER: "passbolt"
-      MYSQL_PASSWORD: "P4ssb0lt"
+      MYSQL_DATABASE: ${PASSBOLT_DB_NAME}
+      MYSQL_USER: ${PASSBOLT_DB_USER}
+      MYSQL_PASSWORD_FILE: /run/secrets/passbolt_db_password
+    secrets:
+      - passbolt_db_password
     volumes:
       - ${PROJECT_ROOT}/apps/passbolt/data/database:/var/lib/mysql
     networks:
       - passbolt
     healthcheck:
-      test: ["CMD-SHELL", "mariadb-admin ping -h 127.0.0.1 -u\"$$MARIADB_USER\" -p\"$$MARIADB_PASSWORD\" --silent"]
+      test: ["CMD-SHELL", "mariadb-admin ping -h 127.0.0.1 -u\"$$MYSQL_USER\" -p\"$$(cat /run/secrets/passbolt_db_password)\" --silent"]
       interval: 10s
       timeout: 5s
       retries: 12
@@ -22,22 +26,24 @@ services:
     labels:
        - "io.portainer.accesscontrol.public"
 
-
   passbolt-webapp:
     image: passbolt/passbolt:latest-ce
     profiles: ["apps","all","passbolt"]
     container_name: passbolt-webapp
-    #Alternatively you can use rootless:
     restart: always
     depends_on:
       - passbolt-db
+    env_file:
+      - ${PROJECT_ROOT}/secrets/stack-secrets.env
     environment:
       APP_FULL_BASE_URL: https://passbolt.lan.ddnsgeek.com
       DATASOURCES_DEFAULT_HOST: "passbolt-db"
-      DATASOURCES_DEFAULT_USERNAME: "passbolt"
-      DATASOURCES_DEFAULT_PASSWORD: "P4ssb0lt"
-      DATASOURCES_DEFAULT_DATABASE: "passbolt"
+      DATASOURCES_DEFAULT_USERNAME: ${PASSBOLT_DB_USER}
+      DATASOURCES_DEFAULT_PASSWORD_FILE: /run/secrets/passbolt_db_password
+      DATASOURCES_DEFAULT_DATABASE: ${PASSBOLT_DB_NAME}
       PASSBOLT_GPG_SERVER_KEY_FINGERPRINT: "CBBB2B8F3E9FACA114537ACB8965B750F7363586"
+    secrets:
+      - passbolt_db_password
     volumes:
       - ${PROJECT_ROOT}/apps/passbolt/data/gpg:/etc/passbolt/gpg
       - ${PROJECT_ROOT}/apps/passbolt/data/jwt:/etc/passbolt/jwt
@@ -60,20 +66,16 @@ services:
       - "traefik.http.routers.passbolt.tls.certresolver=myresolver"
       - "io.portainer.accesscontrol.public"
       - "traefik.docker.network=core_traefik"
-
     healthcheck:
       test: ["CMD-SHELL", "curl -fsS http://localhost/healthcheck/status | grep -qx OK"]
-#        su -s /bin/sh -c "/usr/share/php/passbolt/bin/cake passbolt healthcheck" www-data
-#        | grep -q "No error found"
       interval: 30s
       timeout: 10s
       retries: 6
       start_period: 120s
 
-
 networks:
-#  traefik_reverse_proxy:
-#    external: true
-#  internal:
-#    driver: bridge
   passbolt:
+
+secrets:
+  passbolt_db_password:
+    file: ${PROJECT_ROOT}/secrets/passbolt_db_password.txt