From 1623b6320789f54ce903c5ace5b787485c9c58d2 Mon Sep 17 00:00:00 2001
From: Simon
Date: Wed, 3 Dec 2025 14:27:22 +0100
Subject: [PATCH] fix: resolve review comments

---
 CHANGELOG.md | 1 +
 Justfile | 4 ++--
 README.md | 7 +++++++
 config/runtime.exs | 23 +++++++++++++++++++----
 docker-compose.prod.yml | 2 +-
 5 files changed, 30 insertions(+), 7 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 71d9147..28b4a37 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -17,6 +17,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - CopyToClipboard JavaScript hook with fallback for older browsers
 - Button shows count of visible selected members (respects search/filter)
 - German/English translations
+- Docker secrets support via `_FILE` environment variables for all sensitive configuration (SECRET_KEY_BASE, TOKEN_SIGNING_SECRET, OIDC_CLIENT_SECRET, DATABASE_URL, DATABASE_PASSWORD)
 
 ### Fixed
 - Email validation false positive when linking user and member with identical emails (#168 Problem #4)
diff --git a/Justfile b/Justfile
index b97eb14..3e3e764 100644
--- a/Justfile
+++ b/Justfile
@@ -90,7 +90,7 @@ clean:
 # ================================
 
 # Initialize secrets directory with generated secrets (only if not exists)
-init-secrets:
+init-prod-secrets:
     #!/usr/bin/env bash
     set -euo pipefail
     if [ -d "secrets" ]; then
@@ -106,5 +106,5 @@ init-secrets:
     echo "Secrets generated in ./secrets/"
 
 # Start production environment with Docker Compose
-start-prod: init-secrets
+start-prod: init-prod-secrets
     docker compose -f docker-compose.prod.yml up -d
\ No newline at end of file
diff --git a/README.md b/README.md
index d9569af..14435db 100644
--- a/README.md
+++ b/README.md
@@ -217,6 +217,13 @@ For testing the production Docker build locally:
    # OIDC_BASE_URL=http://localhost:8080/auth/v1
    # OIDC_REDIRECT_URI=http://localhost:4001/auth/user/rauthy/callback
    # OIDC_CLIENT_SECRET=
+
+   # Alternative: Use _FILE variables for Docker secrets (takes priority over regular vars):
+   # SECRET_KEY_BASE_FILE=/run/secrets/secret_key_base
+   # TOKEN_SIGNING_SECRET_FILE=/run/secrets/token_signing_secret
+   # OIDC_CLIENT_SECRET_FILE=/run/secrets/oidc_client_secret
+   # DATABASE_URL_FILE=/run/secrets/database_url
+   # DATABASE_PASSWORD_FILE=/run/secrets/database_password
    ```
 
 3. **Start development environment** (for Rauthy):
diff --git a/config/runtime.exs b/config/runtime.exs
index 9f41626..71138ef 100644
--- a/config/runtime.exs
+++ b/config/runtime.exs
@@ -21,7 +21,7 @@ get_env_or_file = fn var_name, default ->
     file_path ->
       case File.read(file_path) do
         {:ok, content} ->
-          String.trim(content)
+          String.trim_trailing(content)
 
         {:error, reason} ->
           raise """
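Review bot: `String.trim_trailing/1` on the `{:ok, content}` branch still strips every trailing whitespace character (spaces, tabs, CR and LF), so a secret whose value legitimately ends in whitespace is silently altered when it arrives via a `_FILE` path, whereas the plain-variable branch (outside the hunk) presumably hands the value through untouched. If the intent is only to drop the single newline that secret files commonly end with, the narrower `String.trim_trailing(content, "\n")` (or `String.replace_suffix(content, "\n", "")`) keeps both code paths consistent. Whichever is chosen deserves a why-comment on that line, e.g. `# secret files usually end in a newline; drop it, keep the rest of the value verbatim`. The enclosing `get_env_or_file` function starts and ends outside the hunk.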
@@ -119,10 +119,25 @@ if config_env() == :prod do
 
   # Rauthy OIDC configuration
   # Supports OIDC_CLIENT_SECRET or OIDC_CLIENT_SECRET_FILE for Docker secrets.
+  # OIDC_CLIENT_SECRET is required only if OIDC is being used (indicated by explicit OIDC env vars).
+  oidc_base_url = System.get_env("OIDC_BASE_URL")
+  oidc_client_id = System.get_env("OIDC_CLIENT_ID")
+  oidc_in_use = not is_nil(oidc_base_url) or not is_nil(oidc_client_id)
+
+  client_secret =
+    if oidc_in_use do
+      get_env_or_file!.("OIDC_CLIENT_SECRET", """
+      environment variable OIDC_CLIENT_SECRET (or OIDC_CLIENT_SECRET_FILE) is missing.
+      This is required when OIDC authentication is configured (OIDC_BASE_URL or OIDC_CLIENT_ID is set).
+      """)
+    else
+      get_env_or_file.("OIDC_CLIENT_SECRET", nil)
+    end
+
   config :mv, :rauthy,
-    client_id: System.get_env("OIDC_CLIENT_ID") || "mv",
-    base_url: System.get_env("OIDC_BASE_URL") || "http://localhost:8080/auth/v1",
-    client_secret: get_env_or_file.("OIDC_CLIENT_SECRET", nil),
+    client_id: oidc_client_id || "mv",
+    base_url: oidc_base_url || "http://localhost:8080/auth/v1",
+    client_secret: client_secret,
     redirect_uri:
       System.get_env("OIDC_REDIRECT_URI") ||
         "http://#{host}:#{port}/auth/user/rauthy/callback"
diff --git a/docker-compose.prod.yml b/docker-compose.prod.yml
index 5cac351..b4b7a1f 100644
--- a/docker-compose.prod.yml
+++ b/docker-compose.prod.yml
@@ -1,6 +1,6 @@
 services:
   app:
-    image: mitgliederverwaltung:latest
+    image: git.local-it.org/local-it/mitgliederverwaltung:latest
     container_name: mv-prod-app
     ports:
       - "4001:4001"
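Review bot: When `oidc_in_use` is true only because `OIDC_CLIENT_ID` is set, `base_url: oidc_base_url || "http://localhost:8080/auth/v1"` still falls back to a plaintext-HTTP localhost endpoint inside the `:prod` block, so a half-configured deployment would present the now-mandatory client secret to the wrong place instead of failing at boot the way the missing secret does. Requiring the base URL under the same condition keeps the failure mode consistent, e.g. `base_url: if(oidc_in_use, do: oidc_base_url || raise("OIDC_BASE_URL is required when OIDC_CLIENT_ID is set"), else: "http://localhost:8080/auth/v1")`. Note also that `System.get_env/1` returns `""` for a variable that is set but empty, which counts as "in use" for `not is_nil/1` yet is not replaced by the `||` defaults, and that `OIDC_REDIRECT_URI` alone does not trigger the detection. `get_env_or_file!` is defined outside the hunk; its `_FILE` handling is assumed to mirror `get_env_or_file`.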
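Review bot: The new image reference `git.local-it.org/local-it/mitgliederverwaltung:latest` still uses the floating `latest` tag, so what `just start-prod` actually runs depends on whatever the registry serves at pull time and cannot be reproduced or audited from the compose file. Pin the production image to a release tag, or better to its content digest, e.g. `image: git.local-it.org/local-it/mitgliederverwaltung@sha256:<DIGEST-PLACEHOLDER>`, and advance it in a dedicated release commit. Whether this registry requires an authenticated pull is not visible here; if it does, the login step belongs next to the `start-prod` recipe in the Justfile.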