diff --git a/docker-compose.yml b/docker-compose.yml index 3571595..7b6e5c8 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -6,6 +6,9 @@ x-wordpress-configuration-env: &wordpress-configuration-env WORDPRESS_TABLE_PREFIX: 'wp_' WORDPRESS_DEBUG: 0 DEFAULT_EMAIL: "webmaster@example.com" + WORDPRESS_DB_USER: wordpress + WORDPRESS_DB_NAME: wordpress + WORDPRESS_DB_HOST: database WORDPRESS_CONFIG_EXTRA: | define('WP_AUTO_UPDATE_CORE', false); define('WP_SITEURL', 'https://www.example.com'); @@ -22,10 +25,22 @@ x-wordpress-configuration-env: &wordpress-configuration-env $$_SERVER['REQUEST_SCHEME'] = 'https'; # $_SERVER definitions above are set to trick WP that it's accessed over HTTPS. This is typically useful only behind reverse proxy and should be avoided in production +# Required since nginx unit will not pass environment variables s6-envdir loads. wp-config.php has docker_getenv() +x-wordpress-secrets-files: &wordpress-secrets-files-env + WORDPRESS_AUTH_KEY_FILE: /run/secrets/wordpress_auth_key + WORDPRESS_SECURE_AUTH_KEY_FILE: /run/secrets/wordpress_secure_auth_key + WORDPRESS_LOGGED_IN_KEY_FILE: /run/secrets/wordpress_logged_in_key + WORDPRESS_NONCE_KEY_FILE: /run/secrets/wordpress_nonce_key + WORDPRESS_AUTH_SALT_FILE: /run/secrets/wordpress_auth_salt + WORDPRESS_SECURE_AUTH_SALT_FILE: /run/secrets/wordpress_secure_auth_salt + WORDPRESS_LOGGED_IN_SALT_FILE: /run/secrets/wordpress_logged_in_salt + WORDPRESS_NONCE_SALT_FILE: /run/secrets/wordpress_nonce_salt + WORDPRESS_DB_PASSWORD_FILE: /run/secrets/wordpress_db_password + x-wordpress-init-env: &wordpress-init-env WORDPRESS_INIT_ENABLE: "true" WORDPRESS_INIT_ADMIN_USER: admin - WORDPRESS_INIT_ADMIN_PASSWORD: admin + # WORDPRESS_INIT_ADMIN_PASSWORD is defined in secrets WORDPRESS_INIT_ADMIN_EMAIL: admin@example.com WORDPRESS_INIT_SITE_TITLE: "Example.com" WORDPRESS_INIT_SITE_URL: "https://www.example.com" @@ -35,14 +50,35 @@ networks: default: secrets: - database_root_password: - file: ./.secrets/database_root_password.txt - wordpress_database_password: - file: ./.secrets/wordpress_database_password.txt + database_root_password: + file: ./.secrets/database_root_password.txt + wordpress_database_password: + file: ./.secrets/wordpress_database_password.txt + wordpress_db_password: + file: ./.secrets/wordpress_database_password.txt + wordpress_auth_key: + file: ./.secrets/wordpress_auth_key + wordpress_secure_auth_key: + file: ./.secrets/wordpress_secure_auth_key + wordpress_logged_in_key: + file: ./.secrets/wordpress_logged_in_key + wordpress_nonce_key: + file: ./.secrets/wordpress_nonce_key + wordpress_auth_salt: + file: ./.secrets/wordpress_auth_salt + wordpress_secure_auth_salt: + file: ./.secrets/wordpress_secure_auth_salt + wordpress_logged_in_salt: + file: ./.secrets/wordpress_logged_in_salt + wordpress_nonce_salt: + file: ./.secrets/wordpress_nonce_salt + wordpress_init_admin_password: + file: ./.secrets/wordpress_init_admin_password + services: wordpress: - image: ghcr.io/n0rthernl1ghts/wordpress:6.5.3 + image: ghcr.io/n0rthernl1ghts/wordpress:6.6.2 deploy: restart_policy: condition: any @@ -51,11 +87,19 @@ services: interval: 30s timeout: 5s retries: 3 - env_file: - - ./.secrets/wp-salts.env - - ./.secrets/wp-database.env + secrets: + - wordpress_db_password + - wordpress_auth_key + - wordpress_secure_auth_key + - wordpress_logged_in_key + - wordpress_nonce_key + - wordpress_auth_salt + - wordpress_secure_auth_salt + - wordpress_logged_in_salt + - wordpress_nonce_salt + - wordpress_init_admin_password environment: - <<: [ *wordpress-configuration-env, *wordpress-init-env ] + <<: [ *wordpress-configuration-env, *wordpress-secrets-files-env, *wordpress-init-env ] CRON_ENABLED: "false" labels: # This configures traefik - if you have it. You also need to make sure that this service is in the same network with Traefik instance - "traefik.enable=true" diff --git a/src/wp-utils/wp-generate-salts b/src/wp-utils/wp-generate-salts index a4c6dba..5ea7d59 100755 --- a/src/wp-utils/wp-generate-salts +++ b/src/wp-utils/wp-generate-salts @@ -1,13 +1,22 @@ #!/usr/bin/env bash main() { + local secretsDir="${DOCKER_SECRETS_DIR:-./.secrets}" local keys=("AUTH_KEY" "SECURE_AUTH_KEY" "LOGGED_IN_KEY" "NONCE_KEY" "AUTH_SALT" "SECURE_AUTH_SALT" "LOGGED_IN_SALT" "NONCE_SALT") - local key - local value + + mkdir -p "${secretsDir}" for key in "${keys[@]}"; do value="$(src/wp-utils/wp-generate-salt 64)" - echo "WORDPRESS_${key}='${value}'" + secretName="wordpress_${key,,}" + secretFile="${secretsDir}/${secretName}" + + if [ -f "${secretFile}" ]; then + printf "Warning: Secret %s already exists and will be overwritten\n" "${secretName}" + fi + + printf "Secret %s: Wrote %d bytes to %s\n" "${secretName}" "${#value}" "${secretFile}" + printf "%s" "${value}" > "${secretFile}" done }