Use docker secrets
parent
1191b6120e
commit
abcb0d0fe3
|
@ -6,6 +6,9 @@ x-wordpress-configuration-env: &wordpress-configuration-env
|
||||||
WORDPRESS_TABLE_PREFIX: 'wp_'
|
WORDPRESS_TABLE_PREFIX: 'wp_'
|
||||||
WORDPRESS_DEBUG: 0
|
WORDPRESS_DEBUG: 0
|
||||||
DEFAULT_EMAIL: "webmaster@example.com"
|
DEFAULT_EMAIL: "webmaster@example.com"
|
||||||
|
WORDPRESS_DB_USER: wordpress
|
||||||
|
WORDPRESS_DB_NAME: wordpress
|
||||||
|
WORDPRESS_DB_HOST: database
|
||||||
WORDPRESS_CONFIG_EXTRA: |
|
WORDPRESS_CONFIG_EXTRA: |
|
||||||
define('WP_AUTO_UPDATE_CORE', false);
|
define('WP_AUTO_UPDATE_CORE', false);
|
||||||
define('WP_SITEURL', 'https://www.example.com');
|
define('WP_SITEURL', 'https://www.example.com');
|
||||||
|
@ -22,10 +25,22 @@ x-wordpress-configuration-env: &wordpress-configuration-env
|
||||||
$$_SERVER['REQUEST_SCHEME'] = 'https';
|
$$_SERVER['REQUEST_SCHEME'] = 'https';
|
||||||
# $_SERVER definitions above are set to trick WP that it's accessed over HTTPS. This is typically useful only behind reverse proxy and should be avoided in production
|
# $_SERVER definitions above are set to trick WP that it's accessed over HTTPS. This is typically useful only behind reverse proxy and should be avoided in production
|
||||||
|
|
||||||
|
# Required since nginx unit will not pass environment variables s6-envdir loads. wp-config.php has docker_getenv()
|
||||||
|
x-wordpress-secrets-files: &wordpress-secrets-files-env
|
||||||
|
WORDPRESS_AUTH_KEY_FILE: /run/secrets/wordpress_auth_key
|
||||||
|
WORDPRESS_SECURE_AUTH_KEY_FILE: /run/secrets/wordpress_secure_auth_key
|
||||||
|
WORDPRESS_LOGGED_IN_KEY_FILE: /run/secrets/wordpress_logged_in_key
|
||||||
|
WORDPRESS_NONCE_KEY_FILE: /run/secrets/wordpress_nonce_key
|
||||||
|
WORDPRESS_AUTH_SALT_FILE: /run/secrets/wordpress_auth_salt
|
||||||
|
WORDPRESS_SECURE_AUTH_SALT_FILE: /run/secrets/wordpress_secure_auth_salt
|
||||||
|
WORDPRESS_LOGGED_IN_SALT_FILE: /run/secrets/wordpress_logged_in_salt
|
||||||
|
WORDPRESS_NONCE_SALT_FILE: /run/secrets/wordpress_nonce_salt
|
||||||
|
WORDPRESS_DB_PASSWORD_FILE: /run/secrets/wordpress_db_password
|
||||||
|
|
||||||
x-wordpress-init-env: &wordpress-init-env
|
x-wordpress-init-env: &wordpress-init-env
|
||||||
WORDPRESS_INIT_ENABLE: "true"
|
WORDPRESS_INIT_ENABLE: "true"
|
||||||
WORDPRESS_INIT_ADMIN_USER: admin
|
WORDPRESS_INIT_ADMIN_USER: admin
|
||||||
WORDPRESS_INIT_ADMIN_PASSWORD: admin
|
# WORDPRESS_INIT_ADMIN_PASSWORD is defined in secrets
|
||||||
WORDPRESS_INIT_ADMIN_EMAIL: admin@example.com
|
WORDPRESS_INIT_ADMIN_EMAIL: admin@example.com
|
||||||
WORDPRESS_INIT_SITE_TITLE: "Example.com"
|
WORDPRESS_INIT_SITE_TITLE: "Example.com"
|
||||||
WORDPRESS_INIT_SITE_URL: "https://www.example.com"
|
WORDPRESS_INIT_SITE_URL: "https://www.example.com"
|
||||||
|
@ -39,10 +54,31 @@ secrets:
|
||||||
file: ./.secrets/database_root_password.txt
|
file: ./.secrets/database_root_password.txt
|
||||||
wordpress_database_password:
|
wordpress_database_password:
|
||||||
file: ./.secrets/wordpress_database_password.txt
|
file: ./.secrets/wordpress_database_password.txt
|
||||||
|
wordpress_db_password:
|
||||||
|
file: ./.secrets/wordpress_database_password.txt
|
||||||
|
wordpress_auth_key:
|
||||||
|
file: ./.secrets/wordpress_auth_key
|
||||||
|
wordpress_secure_auth_key:
|
||||||
|
file: ./.secrets/wordpress_secure_auth_key
|
||||||
|
wordpress_logged_in_key:
|
||||||
|
file: ./.secrets/wordpress_logged_in_key
|
||||||
|
wordpress_nonce_key:
|
||||||
|
file: ./.secrets/wordpress_nonce_key
|
||||||
|
wordpress_auth_salt:
|
||||||
|
file: ./.secrets/wordpress_auth_salt
|
||||||
|
wordpress_secure_auth_salt:
|
||||||
|
file: ./.secrets/wordpress_secure_auth_salt
|
||||||
|
wordpress_logged_in_salt:
|
||||||
|
file: ./.secrets/wordpress_logged_in_salt
|
||||||
|
wordpress_nonce_salt:
|
||||||
|
file: ./.secrets/wordpress_nonce_salt
|
||||||
|
wordpress_init_admin_password:
|
||||||
|
file: ./.secrets/wordpress_init_admin_password
|
||||||
|
|
||||||
|
|
||||||
services:
|
services:
|
||||||
wordpress:
|
wordpress:
|
||||||
image: ghcr.io/n0rthernl1ghts/wordpress:6.5.3
|
image: ghcr.io/n0rthernl1ghts/wordpress:6.6.2
|
||||||
deploy:
|
deploy:
|
||||||
restart_policy:
|
restart_policy:
|
||||||
condition: any
|
condition: any
|
||||||
|
@ -51,11 +87,19 @@ services:
|
||||||
interval: 30s
|
interval: 30s
|
||||||
timeout: 5s
|
timeout: 5s
|
||||||
retries: 3
|
retries: 3
|
||||||
env_file:
|
secrets:
|
||||||
- ./.secrets/wp-salts.env
|
- wordpress_db_password
|
||||||
- ./.secrets/wp-database.env
|
- wordpress_auth_key
|
||||||
|
- wordpress_secure_auth_key
|
||||||
|
- wordpress_logged_in_key
|
||||||
|
- wordpress_nonce_key
|
||||||
|
- wordpress_auth_salt
|
||||||
|
- wordpress_secure_auth_salt
|
||||||
|
- wordpress_logged_in_salt
|
||||||
|
- wordpress_nonce_salt
|
||||||
|
- wordpress_init_admin_password
|
||||||
environment:
|
environment:
|
||||||
<<: [ *wordpress-configuration-env, *wordpress-init-env ]
|
<<: [ *wordpress-configuration-env, *wordpress-secrets-files-env, *wordpress-init-env ]
|
||||||
CRON_ENABLED: "false"
|
CRON_ENABLED: "false"
|
||||||
labels: # This configures traefik - if you have it. You also need to make sure that this service is in the same network with Traefik instance
|
labels: # This configures traefik - if you have it. You also need to make sure that this service is in the same network with Traefik instance
|
||||||
- "traefik.enable=true"
|
- "traefik.enable=true"
|
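Review bot: `WORDPRESS_INIT_ADMIN_PASSWORD` is replaced in `x-wordpress-init-env` by a comment saying it is defined in secrets, but the new `x-wordpress-secrets-files` map has no corresponding `*_FILE` entry for it, unlike the eight keys/salts and the DB password. The `wordpress_init_admin_password` secret is declared and attached to the service, so presumably the image's init step reads `/run/secrets/wordpress_init_admin_password` directly; that is not visible on this page and is worth confirming, otherwise first-run init may proceed without the intended admin password. The generator script changed in this same commit appears to write only the eight key/salt files, so `./.secrets/wordpress_init_admin_password` has to exist before deploy. A comment beside the secret would make that explicit, e.g. `# create manually with a strong random value; not produced by the salt generator`.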
||||||
|
|
|
@ -1,13 +1,22 @@
|
||||||
#!/usr/bin/env bash
|
#!/usr/bin/env bash
|
||||||
|
|
||||||
main() {
|
main() {
|
||||||
|
local secretsDir="${DOCKER_SECRETS_DIR:-./.secrets}"
|
||||||
local keys=("AUTH_KEY" "SECURE_AUTH_KEY" "LOGGED_IN_KEY" "NONCE_KEY" "AUTH_SALT" "SECURE_AUTH_SALT" "LOGGED_IN_SALT" "NONCE_SALT")
|
local keys=("AUTH_KEY" "SECURE_AUTH_KEY" "LOGGED_IN_KEY" "NONCE_KEY" "AUTH_SALT" "SECURE_AUTH_SALT" "LOGGED_IN_SALT" "NONCE_SALT")
|
||||||
local key
|
|
||||||
local value
|
mkdir -p "${secretsDir}"
|
||||||
|
|
||||||
for key in "${keys[@]}"; do
|
for key in "${keys[@]}"; do
|
||||||
value="$(src/wp-utils/wp-generate-salt 64)"
|
value="$(src/wp-utils/wp-generate-salt 64)"
|
||||||
echo "WORDPRESS_${key}='${value}'"
|
secretName="wordpress_${key,,}"
|
||||||
|
secretFile="${secretsDir}/${secretName}"
|
||||||
|
|
||||||
|
if [ -f "${secretFile}" ]; then
|
||||||
|
printf "Warning: Secret %s already exists and will be overwritten\n" "${secretName}"
|
||||||
|
fi
|
||||||
|
|
||||||
|
printf "Secret %s: Wrote %d bytes to %s\n" "${secretName}" "${#value}" "${secretFile}"
|
||||||
|
printf "%s" "${value}" > "${secretFile}"
|
||||||
done
|
done
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
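Review bot: The secret files are created under whatever umask the caller has, so with a typical 022 umask both `mkdir -p "${secretsDir}"` and the `> "${secretFile}"` redirect leave the WordPress keys and salts readable by every local user on the host; set `umask 077` at the top of `main` (or `chmod 600 "${secretFile}"` after each write). The "Wrote %d bytes" message is printed before the redirect, and neither the generator call nor the write is checked, so a failing `wp-generate-salt` would leave an empty secret while reporting success; use `value="$(src/wp-utils/wp-generate-salt 64)" || return 1` and print only after the write succeeds. The new side also seems to drop `local key` / `local value` and introduces `secretName` and `secretFile` without `local`, and the overwrite warning goes to stdout where `>&2` would be expected.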