N0rthernL1ghts/wordpress
1
0
Fork 0
mirror of https://github.com/N0rthernL1ghts/wordpress.git synced 2024-11-23 12:01:51 +01:00
Code Issues Packages Projects Releases Wiki Activity

Use docker secrets

Browse Source
This commit is contained in:
Aleksandar Puharic 2024-10-29 19:17:44 +01:00
parent 1191b6120e
commit abcb0d0fe3
Signed by: xZero707
GPG Key ID: 3CC53DCAA9C237BB
2 changed files with 66 additions and 13 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

64
docker-compose.yml
View File

@ -6,6 +6,9 @@ x-wordpress-configuration-env: &wordpress-configuration-env
WORDPRESS_TABLE_PREFIX: 'wp_' WORDPRESS_TABLE_PREFIX: 'wp_'
WORDPRESS_DEBUG: 0 WORDPRESS_DEBUG: 0
DEFAULT_EMAIL: "webmaster@example.com" DEFAULT_EMAIL: "webmaster@example.com"
WORDPRESS_DB_USER: wordpress
WORDPRESS_DB_NAME: wordpress
WORDPRESS_DB_HOST: database
WORDPRESS_CONFIG_EXTRA: | WORDPRESS_CONFIG_EXTRA: |
define('WP_AUTO_UPDATE_CORE', false); define('WP_AUTO_UPDATE_CORE', false);
define('WP_SITEURL', 'https://www.example.com'); define('WP_SITEURL', 'https://www.example.com');
@ -22,10 +25,22 @@ x-wordpress-configuration-env: &wordpress-configuration-env
$$_SERVER['REQUEST_SCHEME'] = 'https'; $$_SERVER['REQUEST_SCHEME'] = 'https';
# $_SERVER definitions above are set to trick WP that it's accessed over HTTPS. This is typically useful only behind reverse proxy and should be avoided in production # $_SERVER definitions above are set to trick WP that it's accessed over HTTPS. This is typically useful only behind reverse proxy and should be avoided in production
# Required since nginx unit will not pass environment variables s6-envdir loads. wp-config.php has docker_getenv()
x-wordpress-secrets-files: &wordpress-secrets-files-env
WORDPRESS_AUTH_KEY_FILE: /run/secrets/wordpress_auth_key
WORDPRESS_SECURE_AUTH_KEY_FILE: /run/secrets/wordpress_secure_auth_key
WORDPRESS_LOGGED_IN_KEY_FILE: /run/secrets/wordpress_logged_in_key
WORDPRESS_NONCE_KEY_FILE: /run/secrets/wordpress_nonce_key
WORDPRESS_AUTH_SALT_FILE: /run/secrets/wordpress_auth_salt
WORDPRESS_SECURE_AUTH_SALT_FILE: /run/secrets/wordpress_secure_auth_salt
WORDPRESS_LOGGED_IN_SALT_FILE: /run/secrets/wordpress_logged_in_salt
WORDPRESS_NONCE_SALT_FILE: /run/secrets/wordpress_nonce_salt
WORDPRESS_DB_PASSWORD_FILE: /run/secrets/wordpress_db_password
x-wordpress-init-env: &wordpress-init-env x-wordpress-init-env: &wordpress-init-env
WORDPRESS_INIT_ENABLE: "true" WORDPRESS_INIT_ENABLE: "true"
WORDPRESS_INIT_ADMIN_USER: admin WORDPRESS_INIT_ADMIN_USER: admin
WORDPRESS_INIT_ADMIN_PASSWORD: admin # WORDPRESS_INIT_ADMIN_PASSWORD is defined in secrets
WORDPRESS_INIT_ADMIN_EMAIL: admin@example.com WORDPRESS_INIT_ADMIN_EMAIL: admin@example.com
WORDPRESS_INIT_SITE_TITLE: "Example.com" WORDPRESS_INIT_SITE_TITLE: "Example.com"
WORDPRESS_INIT_SITE_URL: "https://www.example.com" WORDPRESS_INIT_SITE_URL: "https://www.example.com"
@ -35,14 +50,35 @@ networks:
default: default:
secrets: secrets:
database_root_password: database_root_password:
file: ./.secrets/database_root_password.txt file: ./.secrets/database_root_password.txt
wordpress_database_password: wordpress_database_password:
file: ./.secrets/wordpress_database_password.txt file: ./.secrets/wordpress_database_password.txt
wordpress_db_password:
file: ./.secrets/wordpress_database_password.txt
wordpress_auth_key:
file: ./.secrets/wordpress_auth_key
wordpress_secure_auth_key:
file: ./.secrets/wordpress_secure_auth_key
wordpress_logged_in_key:
file: ./.secrets/wordpress_logged_in_key
wordpress_nonce_key:
file: ./.secrets/wordpress_nonce_key
wordpress_auth_salt:
file: ./.secrets/wordpress_auth_salt
wordpress_secure_auth_salt:
file: ./.secrets/wordpress_secure_auth_salt
wordpress_logged_in_salt:
file: ./.secrets/wordpress_logged_in_salt
wordpress_nonce_salt:
file: ./.secrets/wordpress_nonce_salt
wordpress_init_admin_password:
file: ./.secrets/wordpress_init_admin_password
services: services:
wordpress: wordpress:
image: ghcr.io/n0rthernl1ghts/wordpress:6.5.3 image: ghcr.io/n0rthernl1ghts/wordpress:6.6.2
deploy: deploy:
restart_policy: restart_policy:
condition: any condition: any
@ -51,11 +87,19 @@ services:
interval: 30s interval: 30s
timeout: 5s timeout: 5s
retries: 3 retries: 3
env_file: secrets:
- ./.secrets/wp-salts.env - wordpress_db_password
- ./.secrets/wp-database.env - wordpress_auth_key
- wordpress_secure_auth_key
- wordpress_logged_in_key
- wordpress_nonce_key
- wordpress_auth_salt
- wordpress_secure_auth_salt
- wordpress_logged_in_salt
- wordpress_nonce_salt
- wordpress_init_admin_password
environment: environment:
<<: [ *wordpress-configuration-env, *wordpress-init-env ] <<: [ *wordpress-configuration-env, *wordpress-secrets-files-env, *wordpress-init-env ]
CRON_ENABLED: "false" CRON_ENABLED: "false"
labels: # This configures traefik - if you have it. You also need to make sure that this service is in the same network with Traefik instance labels: # This configures traefik - if you have it. You also need to make sure that this service is in the same network with Traefik instance
- "traefik.enable=true" - "traefik.enable=true"

15
src/wp-utils/wp-generate-salts
View File

@ -1,13 +1,22 @@
#!/usr/bin/env bash #!/usr/bin/env bash
main() { main() {
local secretsDir="${DOCKER_SECRETS_DIR:-./.secrets}"
local keys=("AUTH_KEY" "SECURE_AUTH_KEY" "LOGGED_IN_KEY" "NONCE_KEY" "AUTH_SALT" "SECURE_AUTH_SALT" "LOGGED_IN_SALT" "NONCE_SALT") local keys=("AUTH_KEY" "SECURE_AUTH_KEY" "LOGGED_IN_KEY" "NONCE_KEY" "AUTH_SALT" "SECURE_AUTH_SALT" "LOGGED_IN_SALT" "NONCE_SALT")
local key
local value mkdir -p "${secretsDir}"
for key in "${keys[@]}"; do for key in "${keys[@]}"; do
value="$(src/wp-utils/wp-generate-salt 64)" value="$(src/wp-utils/wp-generate-salt 64)"
echo "WORDPRESS_${key}='${value}'" secretName="wordpress_${key,,}"
secretFile="${secretsDir}/${secretName}"
if [ -f "${secretFile}" ]; then
printf "Warning: Secret %s already exists and will be overwritten\n" "${secretName}"
fi
printf "Secret %s: Wrote %d bytes to %s\n" "${secretName}" "${#value}" "${secretFile}"
printf "%s" "${value}" > "${secretFile}"
done done
} }