fix: resolve review comments
This commit is contained in:
parent
ce15b8f59b
commit
1623b63207
5 changed files with 30 additions and 7 deletions
@ -17,6 +17,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
|
||||||
- CopyToClipboard JavaScript hook with fallback for older browsers
|
- CopyToClipboard JavaScript hook with fallback for older browsers
|
||||||
- Button shows count of visible selected members (respects search/filter)
|
- Button shows count of visible selected members (respects search/filter)
|
||||||
- German/English translations
|
- German/English translations
|
||||||
|
- Docker secrets support via `_FILE` environment variables for all sensitive configuration (SECRET_KEY_BASE, TOKEN_SIGNING_SECRET, OIDC_CLIENT_SECRET, DATABASE_URL, DATABASE_PASSWORD)
|
||||||
|
|
||||||
### Fixed
|
### Fixed
|
||||||
- Email validation false positive when linking user and member with identical emails (#168 Problem #4)
|
- Email validation false positive when linking user and member with identical emails (#168 Problem #4)
|
||||||
|
|
|
||||||
4
Justfile
4
Justfile
|
|
@ -90,7 +90,7 @@ clean:
|
||||||
# ================================
|
# ================================
|
||||||
|
|
||||||
# Initialize secrets directory with generated secrets (only if not exists)
|
# Initialize secrets directory with generated secrets (only if not exists)
|
||||||
init-secrets:
|
init-prod-secrets:
|
||||||
#!/usr/bin/env bash
|
#!/usr/bin/env bash
|
||||||
set -euo pipefail
|
set -euo pipefail
|
||||||
if [ -d "secrets" ]; then
|
if [ -d "secrets" ]; then
|
||||||
|
|
@ -106,5 +106,5 @@ init-secrets:
|
||||||
echo "Secrets generated in ./secrets/"
|
echo "Secrets generated in ./secrets/"
|
||||||
|
|
||||||
# Start production environment with Docker Compose
|
# Start production environment with Docker Compose
|
||||||
start-prod: init-secrets
|
start-prod: init-prod-secrets
|
||||||
docker compose -f docker-compose.prod.yml up -d
|
docker compose -f docker-compose.prod.yml up -d
|
||||||
|
|
@ -217,6 +217,13 @@ For testing the production Docker build locally:
|
||||||
# OIDC_BASE_URL=http://localhost:8080/auth/v1
|
# OIDC_BASE_URL=http://localhost:8080/auth/v1
|
||||||
# OIDC_REDIRECT_URI=http://localhost:4001/auth/user/rauthy/callback
|
# OIDC_REDIRECT_URI=http://localhost:4001/auth/user/rauthy/callback
|
||||||
# OIDC_CLIENT_SECRET=<from-rauthy-client>
|
# OIDC_CLIENT_SECRET=<from-rauthy-client>
|
||||||
|
|
||||||
|
# Alternative: Use _FILE variables for Docker secrets (takes priority over regular vars):
|
||||||
|
# SECRET_KEY_BASE_FILE=/run/secrets/secret_key_base
|
||||||
|
# TOKEN_SIGNING_SECRET_FILE=/run/secrets/token_signing_secret
|
||||||
|
# OIDC_CLIENT_SECRET_FILE=/run/secrets/oidc_client_secret
|
||||||
|
# DATABASE_URL_FILE=/run/secrets/database_url
|
||||||
|
# DATABASE_PASSWORD_FILE=/run/secrets/database_password
|
||||||
```
|
```
|
||||||
|
|
||||||
3. **Start development environment** (for Rauthy):
|
3. **Start development environment** (for Rauthy):
|
||||||
|
|
|
||||||
|
|
@ -21,7 +21,7 @@ get_env_or_file = fn var_name, default ->
|
||||||
file_path ->
|
file_path ->
|
||||||
case File.read(file_path) do
|
case File.read(file_path) do
|
||||||
{:ok, content} ->
|
{:ok, content} ->
|
||||||
String.trim(content)
|
String.trim_trailing(content)
|
||||||
|
|
||||||
{:error, reason} ->
|
{:error, reason} ->
|
||||||
raise """
|
raise """
|
||||||
|
|
@ -119,10 +119,25 @@ if config_env() == :prod do
|
||||||
|
|
||||||
# Rauthy OIDC configuration
|
# Rauthy OIDC configuration
|
||||||
# Supports OIDC_CLIENT_SECRET or OIDC_CLIENT_SECRET_FILE for Docker secrets.
|
# Supports OIDC_CLIENT_SECRET or OIDC_CLIENT_SECRET_FILE for Docker secrets.
|
||||||
|
# OIDC_CLIENT_SECRET is required only if OIDC is being used (indicated by explicit OIDC env vars).
|
||||||
|
oidc_base_url = System.get_env("OIDC_BASE_URL")
|
||||||
|
oidc_client_id = System.get_env("OIDC_CLIENT_ID")
|
||||||
|
oidc_in_use = not is_nil(oidc_base_url) or not is_nil(oidc_client_id)
|
||||||
|
|
||||||
|
client_secret =
|
||||||
|
if oidc_in_use do
|
||||||
|
get_env_or_file!.("OIDC_CLIENT_SECRET", """
|
||||||
|
environment variable OIDC_CLIENT_SECRET (or OIDC_CLIENT_SECRET_FILE) is missing.
|
||||||
|
This is required when OIDC authentication is configured (OIDC_BASE_URL or OIDC_CLIENT_ID is set).
|
||||||
|
""")
|
||||||
|
else
|
||||||
|
get_env_or_file.("OIDC_CLIENT_SECRET", nil)
|
||||||
|
end
|
||||||
|
|
||||||
config :mv, :rauthy,
|
config :mv, :rauthy,
|
||||||
client_id: System.get_env("OIDC_CLIENT_ID") || "mv",
|
client_id: oidc_client_id || "mv",
|
||||||
base_url: System.get_env("OIDC_BASE_URL") || "http://localhost:8080/auth/v1",
|
base_url: oidc_base_url || "http://localhost:8080/auth/v1",
|
||||||
client_secret: get_env_or_file.("OIDC_CLIENT_SECRET", nil),
|
client_secret: client_secret,
|
||||||
redirect_uri:
|
redirect_uri:
|
||||||
System.get_env("OIDC_REDIRECT_URI") || "http://#{host}:#{port}/auth/user/rauthy/callback"
|
System.get_env("OIDC_REDIRECT_URI") || "http://#{host}:#{port}/auth/user/rauthy/callback"
|
||||||
|
|
||||||
|
|
|
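Review bot: The new `oidc_in_use` test relies on `is_nil/1`, but `System.get_env/1` returns `""` for a variable that is set to an empty value (common with templated `.env` files or a compose `environment:` entry whose host variable is unset), so `OIDC_BASE_URL=` both makes `OIDC_CLIENT_SECRET` mandatory and then passes `""` through as `base_url`, since `"" || default` keeps the empty string. Normalising blanks to `nil` once where the values are read keeps the detection and the defaults consistent: `blank_to_nil = fn "" -> nil; v -> v end`, `oidc_base_url = blank_to_nil.(System.get_env("OIDC_BASE_URL"))`, `oidc_client_id = blank_to_nil.(System.get_env("OIDC_CLIENT_ID"))`. The comment on the new side says "indicated by explicit OIDC env vars", yet `OIDC_REDIRECT_URI` and `OIDC_CLIENT_SECRET_FILE` are also explicit OIDC variables that do not toggle `oidc_in_use`; either include them in the check or narrow the comment to the two variables actually consulted. The surrounding `if config_env() == :prod do` block starts and ends outside the hunk.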
||||||
|
|
@ -1,6 +1,6 @@
|
||||||
services:
|
services:
|
||||||
app:
|
app:
|
||||||
image: mitgliederverwaltung:latest
|
image: git.local-it.org/local-it/mitgliederverwaltung:latest
|
||||||
container_name: mv-prod-app
|
container_name: mv-prod-app
|
||||||
ports:
|
ports:
|
||||||
- "4001:4001"
|
- "4001:4001"
|
||||||
|
|
|
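Review bot: The new image reference keeps the mutable `latest` tag while switching from a locally built image to a pull from a remote registry, so each `start-prod` deploys whatever that tag currently resolves to and a later restart is not reproducible or auditable. For production, pin to an immutable reference, e.g. `image: git.local-it.org/local-it/mitgliederverwaltung:<release-tag>` or `...@sha256:<digest>` (placeholders), and reserve `latest` for development; the registry host is presumably private, so the compose file should also make clear how the host is expected to authenticate to it.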
||||||