From ee094eec2ffb7ea1a10fe4f2d1878957358ff2f5 Mon Sep 17 00:00:00 2001 From: Simon Date: Wed, 3 Dec 2025 12:36:13 +0100 Subject: [PATCH 1/4] feat: add file env support for secrets --- config/runtime.exs | 99 ++++++++++++++++++++++++++++++++++++++-------- 1 file changed, 82 insertions(+), 17 deletions(-) diff --git a/config/runtime.exs b/config/runtime.exs index c50356c..bd48cc9 100644 --- a/config/runtime.exs +++ b/config/runtime.exs @@ -7,6 +7,75 @@ import Config # any compile-time configuration in here, as it won't be applied. # The block below contains prod specific runtime configuration. +# Helper function to read environment variables with Docker secrets support. +# Supports the _FILE suffix pattern: if VAR_FILE is set, reads the value from +# that file path. Otherwise falls back to VAR directly. +# VAR_FILE takes priority and must contain the full absolute path to the secret file. +get_env_or_file = fn var_name, default -> + file_var = "#{var_name}_FILE" + + case System.get_env(file_var) do + nil -> + System.get_env(var_name, default) + + file_path -> + case File.read(file_path) do + {:ok, content} -> + String.trim(content) + + {:error, reason} -> + raise """ + Failed to read secret from file specified in #{file_var}="#{file_path}". + Error: #{inspect(reason)} + """ + end + end +end + +# Same as get_env_or_file but raises if the value is not set +get_env_or_file! = fn var_name, error_message -> + case get_env_or_file.(var_name, nil) do + nil -> raise error_message + value -> value + end +end + +# Build database URL from individual components or use DATABASE_URL directly. +# Supports both approaches: +# 1. DATABASE_URL (or DATABASE_URL_FILE) - full connection URL +# 2. Separate vars: DATABASE_HOST, DATABASE_USER, DATABASE_PASSWORD (or _FILE), DATABASE_NAME, DATABASE_PORT +build_database_url = fn -> + case get_env_or_file.("DATABASE_URL", nil) do + nil -> + # Build URL from separate components + host = + System.get_env("DATABASE_HOST") || + raise "DATABASE_HOST is required when DATABASE_URL is not set" + + user = + System.get_env("DATABASE_USER") || + raise "DATABASE_USER is required when DATABASE_URL is not set" + + password = + get_env_or_file!.("DATABASE_PASSWORD", """ + DATABASE_PASSWORD or DATABASE_PASSWORD_FILE is required when DATABASE_URL is not set. + """) + + database = + System.get_env("DATABASE_NAME") || + raise "DATABASE_NAME is required when DATABASE_URL is not set" + + port = System.get_env("DATABASE_PORT", "5432") + + # URL-encode the password to handle special characters + encoded_password = URI.encode_www_form(password) + "ecto://#{user}:#{encoded_password}@#{host}:#{port}/#{database}" + + url -> + url + end +end + # ## Using releases # # If you use `mix release`, you need to explicitly enable the server @@ -21,12 +90,7 @@ if System.get_env("PHX_SERVER") do end if config_env() == :prod do - database_url = - System.get_env("DATABASE_URL") || - raise """ - environment variable DATABASE_URL is missing. - For example: ecto://USER:PASS@HOST/DATABASE - """ + database_url = build_database_url.() maybe_ipv6 = if System.get_env("ECTO_IPV6") in ~w(true 1), do: [:inet6], else: [] @@ -41,12 +105,12 @@ if config_env() == :prod do # want to use a different value for prod and you most likely don't want # to check this value into version control, so we use an environment # variable instead. + # Supports SECRET_KEY_BASE or SECRET_KEY_BASE_FILE for Docker secrets. secret_key_base = - System.get_env("SECRET_KEY_BASE") || - raise """ - environment variable SECRET_KEY_BASE is missing. - You can generate one by calling: mix phx.gen.secret - """ + get_env_or_file!.("SECRET_KEY_BASE", """ + environment variable SECRET_KEY_BASE (or SECRET_KEY_BASE_FILE) is missing. + You can generate one by calling: mix phx.gen.secret + """) host = System.get_env("PHX_HOST") || raise "Please define the PHX_HOST environment variable." port = String.to_integer(System.get_env("PORT") || "4000") @@ -54,21 +118,22 @@ if config_env() == :prod do config :mv, :dns_cluster_query, System.get_env("DNS_CLUSTER_QUERY") # Rauthy OIDC configuration + # Supports OIDC_CLIENT_SECRET or OIDC_CLIENT_SECRET_FILE for Docker secrets. config :mv, :rauthy, client_id: System.get_env("OIDC_CLIENT_ID") || "mv", base_url: System.get_env("OIDC_BASE_URL") || "http://localhost:8080/auth/v1", - client_secret: System.get_env("OIDC_CLIENT_SECRET"), + client_secret: get_env_or_file.("OIDC_CLIENT_SECRET", nil), redirect_uri: System.get_env("OIDC_REDIRECT_URI") || "http://#{host}:#{port}/auth/user/rauthy/callback" # Token signing secret from environment variable # This overrides the placeholder value set in prod.exs + # Supports TOKEN_SIGNING_SECRET or TOKEN_SIGNING_SECRET_FILE for Docker secrets. token_signing_secret = - System.get_env("TOKEN_SIGNING_SECRET") || - raise """ - environment variable TOKEN_SIGNING_SECRET is missing. - You can generate one by calling: mix phx.gen.secret - """ + get_env_or_file!.("TOKEN_SIGNING_SECRET", """ + environment variable TOKEN_SIGNING_SECRET (or TOKEN_SIGNING_SECRET_FILE) is missing. + You can generate one by calling: mix phx.gen.secret + """) config :mv, :token_signing_secret, token_signing_secret -- 2.47.2 From d8384098b48db42a64ad19436bf713a3a6b4e660 Mon Sep 17 00:00:00 2001 From: Simon Date: Wed, 3 Dec 2025 12:38:24 +0100 Subject: [PATCH 2/4] chore: update prod-compose to use file-envs for secrets --- .gitignore | 3 +++ Justfile | 25 +++++++++++++++++++++- README.md | 2 +- config/runtime.exs | 7 +++--- docker-compose.prod.yml | 47 ++++++++++++++++++++++++++++++----------- 5 files changed, 66 insertions(+), 18 deletions(-) diff --git a/.gitignore b/.gitignore index 63ff39e..9517a21 100644 --- a/.gitignore +++ b/.gitignore @@ -41,3 +41,6 @@ npm-debug.log .env .elixir_ls/ + +# Docker secrets directory (generated by `just init-secrets`) +/secrets/ diff --git a/Justfile b/Justfile index 907283f..b97eb14 100644 --- a/Justfile +++ b/Justfile @@ -84,4 +84,27 @@ regen-migrations migration_name commit_hash='': clean: mix clean rm -rf .elixir_ls - rm -rf _build \ No newline at end of file + rm -rf _build + +# Production environment commands +# ================================ + +# Initialize secrets directory with generated secrets (only if not exists) +init-secrets: + #!/usr/bin/env bash + set -euo pipefail + if [ -d "secrets" ]; then + echo "Secrets directory already exists. Skipping generation." + exit 0 + fi + echo "Creating secrets directory and generating secrets..." + mkdir -p secrets + mix phx.gen.secret > secrets/secret_key_base.txt + mix phx.gen.secret > secrets/token_signing_secret.txt + openssl rand -base64 32 | tr -d '\n' > secrets/db_password.txt + touch secrets/oidc_client_secret.txt + echo "Secrets generated in ./secrets/" + +# Start production environment with Docker Compose +start-prod: init-secrets + docker compose -f docker-compose.prod.yml up -d \ No newline at end of file diff --git a/README.md b/README.md index 6db7980..d9569af 100644 --- a/README.md +++ b/README.md @@ -250,7 +250,7 @@ For actual production deployment: - Set `OIDC_BASE_URL` to your production OIDC provider - Configure proper Docker networks 3. **Set up SSL/TLS** (e.g., via reverse proxy like Nginx/Traefik) -4. **Use secure secrets management** (environment variables, Docker secrets, vault) +4. **Use secure secrets management** — All sensitive environment variables support a `_FILE` suffix for Docker secrets (e.g., `SECRET_KEY_BASE_FILE=/run/secrets/secret_key_base`). See `docker-compose.prod.yml` for an example setup with Docker secrets. 5. **Configure database backups** diff --git a/config/runtime.exs b/config/runtime.exs index bd48cc9..9f41626 100644 --- a/config/runtime.exs +++ b/config/runtime.exs @@ -140,11 +140,10 @@ if config_env() == :prod do config :mv, MvWeb.Endpoint, url: [host: host, port: 443, scheme: "https"], http: [ - # Enable IPv6 and bind on all interfaces. - # Set it to {0, 0, 0, 0, 0, 0, 0, 1} for local network only access. + # Bind on all IPv4 interfaces. + # Use {0, 0, 0, 0, 0, 0, 0, 0} for IPv6, or {127, 0, 0, 1} for localhost only. # See the documentation on https://hexdocs.pm/bandit/Bandit.html#t:options/0 - # for details about using IPv6 vs IPv4 and loopback vs public addresses. - ip: {0, 0, 0, 0, 0, 0, 0, 0}, + ip: {0, 0, 0, 0}, port: port ], secret_key_base: secret_key_base, diff --git a/docker-compose.prod.yml b/docker-compose.prod.yml index 0bb2840..5cac351 100644 --- a/docker-compose.prod.yml +++ b/docker-compose.prod.yml @@ -1,22 +1,33 @@ services: app: - image: git.local-it.org/local-it/mitgliederverwaltung:latest + image: mitgliederverwaltung:latest container_name: mv-prod-app - # Use host network for local testing to access localhost:8080 (Rauthy) - # In real production, remove this and use external OIDC provider - network_mode: host + ports: + - "4001:4001" environment: - DATABASE_URL: "ecto://postgres:postgres@localhost:5001/mv_prod" - SECRET_KEY_BASE: "${SECRET_KEY_BASE}" - TOKEN_SIGNING_SECRET: "${TOKEN_SIGNING_SECRET}" - PHX_HOST: "${PHX_HOST}" + # Database configuration using separate variables + # Use Docker service name for internal networking + DATABASE_HOST: "db-prod" + DATABASE_PORT: "5432" + DATABASE_USER: "postgres" + DATABASE_NAME: "mv_prod" + DATABASE_PASSWORD_FILE: "/run/secrets/db_password" + # Phoenix secrets via Docker secrets + SECRET_KEY_BASE_FILE: "/run/secrets/secret_key_base" + TOKEN_SIGNING_SECRET_FILE: "/run/secrets/token_signing_secret" + PHX_HOST: "${PHX_HOST:-localhost}" PORT: "4001" PHX_SERVER: "true" - # Rauthy OIDC config - uses localhost because of host network mode + # Rauthy OIDC config - use host.docker.internal to reach host services OIDC_CLIENT_ID: "mv" - OIDC_BASE_URL: "http://localhost:8080/auth/v1" - OIDC_CLIENT_SECRET: "${OIDC_CLIENT_SECRET:-}" + OIDC_BASE_URL: "http://host.docker.internal:8080/auth/v1" + OIDC_CLIENT_SECRET_FILE: "/run/secrets/oidc_client_secret" OIDC_REDIRECT_URI: "http://localhost:4001/auth/user/rauthy/callback" + secrets: + - db_password + - secret_key_base + - token_signing_secret + - oidc_client_secret depends_on: - db-prod restart: unless-stopped @@ -26,13 +37,25 @@ services: container_name: mv-prod-db environment: POSTGRES_USER: postgres - POSTGRES_PASSWORD: postgres + POSTGRES_PASSWORD_FILE: /run/secrets/db_password POSTGRES_DB: mv_prod + secrets: + - db_password volumes: - postgres_data_prod:/var/lib/postgresql/data ports: - "5001:5432" restart: unless-stopped +secrets: + db_password: + file: ./secrets/db_password.txt + secret_key_base: + file: ./secrets/secret_key_base.txt + token_signing_secret: + file: ./secrets/token_signing_secret.txt + oidc_client_secret: + file: ./secrets/oidc_client_secret.txt + volumes: postgres_data_prod: -- 2.47.2 From ce15b8f59b89b3625647fd18b7c66937c2522b91 Mon Sep 17 00:00:00 2001 From: Moritz Date: Wed, 3 Dec 2025 09:55:35 +0100 Subject: [PATCH 3/4] fix: mailto formatting --- lib/mv_web/live/member_live/index.ex | 23 ++++++---- lib/mv_web/live/member_live/index.html.heex | 7 ++- priv/gettext/de/LC_MESSAGES/default.po | 50 ++++++++++----------- priv/gettext/default.pot | 50 ++++++++++----------- priv/gettext/en/LC_MESSAGES/default.po | 50 ++++++++++----------- 5 files changed, 95 insertions(+), 85 deletions(-) diff --git a/lib/mv_web/live/member_live/index.ex b/lib/mv_web/live/member_live/index.ex index 3d30d76..67ce522 100644 --- a/lib/mv_web/live/member_live/index.ex +++ b/lib/mv_web/live/member_live/index.ex @@ -137,13 +137,7 @@ defmodule MvWeb.MemberLive.Index do selected_ids = socket.assigns.selected_members # Filter members that are in the selection and have email addresses - formatted_emails = - socket.assigns.members - |> Enum.filter(fn member -> - MapSet.member?(selected_ids, member.id) && member.email && member.email != "" - end) - |> Enum.map(&format_member_email/1) - + formatted_emails = format_selected_member_emails(socket.assigns.members, selected_ids) email_count = length(formatted_emails) cond do @@ -887,9 +881,20 @@ defmodule MvWeb.MemberLive.Index do end end + # Filters selected members with email addresses and formats them. + # Returns a list of formatted email strings in the format "First Last ". + # Used by both copy_emails and mailto links. + def format_selected_member_emails(members, selected_members) do + members + |> Enum.filter(fn member -> + MapSet.member?(selected_members, member.id) && member.email && member.email != "" + end) + |> Enum.map(&format_member_email/1) + end + # Formats a member's email in the format "First Last " - # Used for copy_emails feature to create email-client-friendly format. - defp format_member_email(member) do + # Used for copy_emails feature and mailto links to create email-client-friendly format. + def format_member_email(member) do first_name = member.first_name || "" last_name = member.last_name || "" diff --git a/lib/mv_web/live/member_live/index.html.heex b/lib/mv_web/live/member_live/index.html.heex index 58e22b6..9f8851b 100644 --- a/lib/mv_web/live/member_live/index.html.heex +++ b/lib/mv_web/live/member_live/index.html.heex @@ -14,7 +14,12 @@ <.button :if={Enum.any?(@members, &MapSet.member?(@selected_members, &1.id))} - href={"mailto:?bcc=#{@members |> Enum.filter(&(MapSet.member?(@selected_members, &1.id) && &1.email)) |> Enum.map(& &1.email) |> Enum.join(",")}"} + href={ + "mailto:?bcc=" <> + (MvWeb.MemberLive.Index.format_selected_member_emails(@members, @selected_members) + |> Enum.join(", ") + |> URI.encode()) + } aria-label={gettext("Open email program with BCC recipients")} > <.icon name="hero-envelope" /> diff --git a/priv/gettext/de/LC_MESSAGES/default.po b/priv/gettext/de/LC_MESSAGES/default.po index 7a76f62..57df5ab 100644 --- a/priv/gettext/de/LC_MESSAGES/default.po +++ b/priv/gettext/de/LC_MESSAGES/default.po @@ -15,7 +15,7 @@ msgstr "" msgid "Actions" msgstr "Aktionen" -#: lib/mv_web/live/member_live/index.html.heex:243 +#: lib/mv_web/live/member_live/index.html.heex:248 #: lib/mv_web/live/user_live/index.html.heex:72 #, elixir-autogen, elixir-format msgid "Are you sure?" @@ -28,19 +28,19 @@ msgid "Attempting to reconnect" msgstr "Verbindung wird wiederhergestellt" #: lib/mv_web/live/member_live/form.ex:53 -#: lib/mv_web/live/member_live/index.html.heex:179 +#: lib/mv_web/live/member_live/index.html.heex:184 #: lib/mv_web/live/member_live/show.ex:58 #, elixir-autogen, elixir-format msgid "City" msgstr "Stadt" -#: lib/mv_web/live/member_live/index.html.heex:245 +#: lib/mv_web/live/member_live/index.html.heex:250 #: lib/mv_web/live/user_live/index.html.heex:74 #, elixir-autogen, elixir-format msgid "Delete" msgstr "Löschen" -#: lib/mv_web/live/member_live/index.html.heex:237 +#: lib/mv_web/live/member_live/index.html.heex:242 #: lib/mv_web/live/user_live/form.ex:265 #: lib/mv_web/live/user_live/index.html.heex:66 #, elixir-autogen, elixir-format @@ -54,7 +54,7 @@ msgid "Edit Member" msgstr "Mitglied bearbeiten" #: lib/mv_web/live/member_live/form.ex:47 -#: lib/mv_web/live/member_live/index.html.heex:107 +#: lib/mv_web/live/member_live/index.html.heex:112 #: lib/mv_web/live/member_live/show.ex:50 #: lib/mv_web/live/user_live/form.ex:46 #: lib/mv_web/live/user_live/index.html.heex:44 @@ -70,7 +70,7 @@ msgid "First Name" msgstr "Vorname" #: lib/mv_web/live/member_live/form.ex:50 -#: lib/mv_web/live/member_live/index.html.heex:215 +#: lib/mv_web/live/member_live/index.html.heex:220 #: lib/mv_web/live/member_live/show.ex:55 #, elixir-autogen, elixir-format msgid "Join Date" @@ -82,12 +82,12 @@ msgstr "Beitrittsdatum" msgid "Last Name" msgstr "Nachname" -#: lib/mv_web/live/member_live/index.html.heex:24 +#: lib/mv_web/live/member_live/index.html.heex:29 #, elixir-autogen, elixir-format msgid "New Member" msgstr "Neues Mitglied" -#: lib/mv_web/live/member_live/index.html.heex:234 +#: lib/mv_web/live/member_live/index.html.heex:239 #: lib/mv_web/live/user_live/index.html.heex:63 #, elixir-autogen, elixir-format msgid "Show" @@ -115,7 +115,7 @@ msgid "Exit Date" msgstr "Austrittsdatum" #: lib/mv_web/live/member_live/form.ex:55 -#: lib/mv_web/live/member_live/index.html.heex:143 +#: lib/mv_web/live/member_live/index.html.heex:148 #: lib/mv_web/live/member_live/show.ex:60 #, elixir-autogen, elixir-format msgid "House Number" @@ -130,21 +130,21 @@ msgstr "Notizen" #: lib/mv_web/live/components/payment_filter_component.ex:94 #: lib/mv_web/live/components/payment_filter_component.ex:144 #: lib/mv_web/live/member_live/form.ex:48 -#: lib/mv_web/live/member_live/index.html.heex:224 +#: lib/mv_web/live/member_live/index.html.heex:229 #: lib/mv_web/live/member_live/show.ex:51 #, elixir-autogen, elixir-format msgid "Paid" msgstr "Bezahlt" #: lib/mv_web/live/member_live/form.ex:49 -#: lib/mv_web/live/member_live/index.html.heex:197 +#: lib/mv_web/live/member_live/index.html.heex:202 #: lib/mv_web/live/member_live/show.ex:54 #, elixir-autogen, elixir-format msgid "Phone Number" msgstr "Telefonnummer" #: lib/mv_web/live/member_live/form.ex:56 -#: lib/mv_web/live/member_live/index.html.heex:161 +#: lib/mv_web/live/member_live/index.html.heex:166 #: lib/mv_web/live/member_live/show.ex:61 #, elixir-autogen, elixir-format msgid "Postal Code" @@ -165,7 +165,7 @@ msgid "Saving..." msgstr "Speichern..." #: lib/mv_web/live/member_live/form.ex:54 -#: lib/mv_web/live/member_live/index.html.heex:125 +#: lib/mv_web/live/member_live/index.html.heex:130 #: lib/mv_web/live/member_live/show.ex:59 #, elixir-autogen, elixir-format msgid "Street" @@ -176,7 +176,7 @@ msgstr "Straße" msgid "Id" msgstr "ID" -#: lib/mv_web/live/member_live/index.html.heex:229 +#: lib/mv_web/live/member_live/index.html.heex:234 #: lib/mv_web/live/member_live/index/formatter.ex:61 #: lib/mv_web/live/member_live/show.ex:52 #, elixir-autogen, elixir-format @@ -193,7 +193,7 @@ msgstr "Mitglied anzeigen" msgid "This is a member record from your database." msgstr "Dies ist ein Mitglied aus deiner Datenbank." -#: lib/mv_web/live/member_live/index.html.heex:229 +#: lib/mv_web/live/member_live/index.html.heex:234 #: lib/mv_web/live/member_live/index/formatter.ex:60 #: lib/mv_web/live/member_live/show.ex:52 #, elixir-autogen, elixir-format @@ -359,12 +359,12 @@ msgstr "Profil" msgid "Required" msgstr "Erforderlich" -#: lib/mv_web/live/member_live/index.html.heex:63 +#: lib/mv_web/live/member_live/index.html.heex:68 #, elixir-autogen, elixir-format msgid "Select all members" msgstr "Alle Mitglieder auswählen" -#: lib/mv_web/live/member_live/index.html.heex:77 +#: lib/mv_web/live/member_live/index.html.heex:82 #, elixir-autogen, elixir-format msgid "Select member" msgstr "Mitglied auswählen" @@ -550,7 +550,7 @@ msgid "Toggle dark mode" msgstr "Dunklen Modus umschalten" #: lib/mv_web/live/components/search_bar_component.ex:15 -#: lib/mv_web/live/member_live/index.html.heex:34 +#: lib/mv_web/live/member_live/index.html.heex:39 #, elixir-autogen, elixir-format msgid "Search..." msgstr "Suchen..." @@ -566,7 +566,7 @@ msgstr "Benutzer*innen" msgid "Click to sort" msgstr "Klicke um zu sortieren" -#: lib/mv_web/live/member_live/index.html.heex:89 +#: lib/mv_web/live/member_live/index.html.heex:94 #, elixir-autogen, elixir-format msgid "First name" msgstr "Vorname" @@ -776,7 +776,7 @@ msgstr "Mitglied entverknüpfen" msgid "Unlinking scheduled" msgstr "Entverknüpfung geplant" -#: lib/mv_web/live/member_live/index.ex:165 +#: lib/mv_web/live/member_live/index.ex:159 #, elixir-autogen, elixir-format msgid "Copied %{count} email address to clipboard" msgid_plural "Copied %{count} email addresses to clipboard" @@ -793,27 +793,27 @@ msgstr "E-Mail-Adressen der ausgewählten Mitglieder kopieren" msgid "Copy emails" msgstr "E-Mails kopieren" -#: lib/mv_web/live/member_live/index.ex:154 +#: lib/mv_web/live/member_live/index.ex:148 #, elixir-autogen, elixir-format msgid "No email addresses found" msgstr "Keine E-Mail-Adressen gefunden" -#: lib/mv_web/live/member_live/index.ex:151 +#: lib/mv_web/live/member_live/index.ex:145 #, elixir-autogen, elixir-format msgid "No members selected" msgstr "Keine Mitglieder ausgewählt" -#: lib/mv_web/live/member_live/index.html.heex:18 +#: lib/mv_web/live/member_live/index.html.heex:23 #, elixir-autogen, elixir-format msgid "Open email program with BCC recipients" msgstr "E-Mail-Programm mit BCC-Empfänger*innen öffnen" -#: lib/mv_web/live/member_live/index.html.heex:21 +#: lib/mv_web/live/member_live/index.html.heex:26 #, elixir-autogen, elixir-format msgid "Open in email program" msgstr "Im E-Mail-Programm öffnen" -#: lib/mv_web/live/member_live/index.ex:174 +#: lib/mv_web/live/member_live/index.ex:168 #, elixir-autogen, elixir-format msgid "Tip: Paste email addresses into the BCC field for privacy compliance" msgstr "Tipp: E-Mail-Adressen ins BCC-Feld einfügen für Datenschutzkonformität" diff --git a/priv/gettext/default.pot b/priv/gettext/default.pot index 7229e28..1e0e954 100644 --- a/priv/gettext/default.pot +++ b/priv/gettext/default.pot @@ -16,7 +16,7 @@ msgstr "" msgid "Actions" msgstr "" -#: lib/mv_web/live/member_live/index.html.heex:243 +#: lib/mv_web/live/member_live/index.html.heex:248 #: lib/mv_web/live/user_live/index.html.heex:72 #, elixir-autogen, elixir-format msgid "Are you sure?" @@ -29,19 +29,19 @@ msgid "Attempting to reconnect" msgstr "" #: lib/mv_web/live/member_live/form.ex:53 -#: lib/mv_web/live/member_live/index.html.heex:179 +#: lib/mv_web/live/member_live/index.html.heex:184 #: lib/mv_web/live/member_live/show.ex:58 #, elixir-autogen, elixir-format msgid "City" msgstr "" -#: lib/mv_web/live/member_live/index.html.heex:245 +#: lib/mv_web/live/member_live/index.html.heex:250 #: lib/mv_web/live/user_live/index.html.heex:74 #, elixir-autogen, elixir-format msgid "Delete" msgstr "" -#: lib/mv_web/live/member_live/index.html.heex:237 +#: lib/mv_web/live/member_live/index.html.heex:242 #: lib/mv_web/live/user_live/form.ex:265 #: lib/mv_web/live/user_live/index.html.heex:66 #, elixir-autogen, elixir-format @@ -55,7 +55,7 @@ msgid "Edit Member" msgstr "" #: lib/mv_web/live/member_live/form.ex:47 -#: lib/mv_web/live/member_live/index.html.heex:107 +#: lib/mv_web/live/member_live/index.html.heex:112 #: lib/mv_web/live/member_live/show.ex:50 #: lib/mv_web/live/user_live/form.ex:46 #: lib/mv_web/live/user_live/index.html.heex:44 @@ -71,7 +71,7 @@ msgid "First Name" msgstr "" #: lib/mv_web/live/member_live/form.ex:50 -#: lib/mv_web/live/member_live/index.html.heex:215 +#: lib/mv_web/live/member_live/index.html.heex:220 #: lib/mv_web/live/member_live/show.ex:55 #, elixir-autogen, elixir-format msgid "Join Date" @@ -83,12 +83,12 @@ msgstr "" msgid "Last Name" msgstr "" -#: lib/mv_web/live/member_live/index.html.heex:24 +#: lib/mv_web/live/member_live/index.html.heex:29 #, elixir-autogen, elixir-format msgid "New Member" msgstr "" -#: lib/mv_web/live/member_live/index.html.heex:234 +#: lib/mv_web/live/member_live/index.html.heex:239 #: lib/mv_web/live/user_live/index.html.heex:63 #, elixir-autogen, elixir-format msgid "Show" @@ -116,7 +116,7 @@ msgid "Exit Date" msgstr "" #: lib/mv_web/live/member_live/form.ex:55 -#: lib/mv_web/live/member_live/index.html.heex:143 +#: lib/mv_web/live/member_live/index.html.heex:148 #: lib/mv_web/live/member_live/show.ex:60 #, elixir-autogen, elixir-format msgid "House Number" @@ -131,21 +131,21 @@ msgstr "" #: lib/mv_web/live/components/payment_filter_component.ex:94 #: lib/mv_web/live/components/payment_filter_component.ex:144 #: lib/mv_web/live/member_live/form.ex:48 -#: lib/mv_web/live/member_live/index.html.heex:224 +#: lib/mv_web/live/member_live/index.html.heex:229 #: lib/mv_web/live/member_live/show.ex:51 #, elixir-autogen, elixir-format msgid "Paid" msgstr "" #: lib/mv_web/live/member_live/form.ex:49 -#: lib/mv_web/live/member_live/index.html.heex:197 +#: lib/mv_web/live/member_live/index.html.heex:202 #: lib/mv_web/live/member_live/show.ex:54 #, elixir-autogen, elixir-format msgid "Phone Number" msgstr "" #: lib/mv_web/live/member_live/form.ex:56 -#: lib/mv_web/live/member_live/index.html.heex:161 +#: lib/mv_web/live/member_live/index.html.heex:166 #: lib/mv_web/live/member_live/show.ex:61 #, elixir-autogen, elixir-format msgid "Postal Code" @@ -166,7 +166,7 @@ msgid "Saving..." msgstr "" #: lib/mv_web/live/member_live/form.ex:54 -#: lib/mv_web/live/member_live/index.html.heex:125 +#: lib/mv_web/live/member_live/index.html.heex:130 #: lib/mv_web/live/member_live/show.ex:59 #, elixir-autogen, elixir-format msgid "Street" @@ -177,7 +177,7 @@ msgstr "" msgid "Id" msgstr "" -#: lib/mv_web/live/member_live/index.html.heex:229 +#: lib/mv_web/live/member_live/index.html.heex:234 #: lib/mv_web/live/member_live/index/formatter.ex:61 #: lib/mv_web/live/member_live/show.ex:52 #, elixir-autogen, elixir-format @@ -194,7 +194,7 @@ msgstr "" msgid "This is a member record from your database." msgstr "" -#: lib/mv_web/live/member_live/index.html.heex:229 +#: lib/mv_web/live/member_live/index.html.heex:234 #: lib/mv_web/live/member_live/index/formatter.ex:60 #: lib/mv_web/live/member_live/show.ex:52 #, elixir-autogen, elixir-format @@ -360,12 +360,12 @@ msgstr "" msgid "Required" msgstr "" -#: lib/mv_web/live/member_live/index.html.heex:63 +#: lib/mv_web/live/member_live/index.html.heex:68 #, elixir-autogen, elixir-format msgid "Select all members" msgstr "" -#: lib/mv_web/live/member_live/index.html.heex:77 +#: lib/mv_web/live/member_live/index.html.heex:82 #, elixir-autogen, elixir-format msgid "Select member" msgstr "" @@ -551,7 +551,7 @@ msgid "Toggle dark mode" msgstr "" #: lib/mv_web/live/components/search_bar_component.ex:15 -#: lib/mv_web/live/member_live/index.html.heex:34 +#: lib/mv_web/live/member_live/index.html.heex:39 #, elixir-autogen, elixir-format msgid "Search..." msgstr "" @@ -567,7 +567,7 @@ msgstr "" msgid "Click to sort" msgstr "" -#: lib/mv_web/live/member_live/index.html.heex:89 +#: lib/mv_web/live/member_live/index.html.heex:94 #, elixir-autogen, elixir-format msgid "First name" msgstr "" @@ -777,7 +777,7 @@ msgstr "" msgid "Unlinking scheduled" msgstr "" -#: lib/mv_web/live/member_live/index.ex:165 +#: lib/mv_web/live/member_live/index.ex:159 #, elixir-autogen, elixir-format msgid "Copied %{count} email address to clipboard" msgid_plural "Copied %{count} email addresses to clipboard" @@ -794,27 +794,27 @@ msgstr "" msgid "Copy emails" msgstr "" -#: lib/mv_web/live/member_live/index.ex:154 +#: lib/mv_web/live/member_live/index.ex:148 #, elixir-autogen, elixir-format msgid "No email addresses found" msgstr "" -#: lib/mv_web/live/member_live/index.ex:151 +#: lib/mv_web/live/member_live/index.ex:145 #, elixir-autogen, elixir-format msgid "No members selected" msgstr "" -#: lib/mv_web/live/member_live/index.html.heex:18 +#: lib/mv_web/live/member_live/index.html.heex:23 #, elixir-autogen, elixir-format msgid "Open email program with BCC recipients" msgstr "" -#: lib/mv_web/live/member_live/index.html.heex:21 +#: lib/mv_web/live/member_live/index.html.heex:26 #, elixir-autogen, elixir-format msgid "Open in email program" msgstr "" -#: lib/mv_web/live/member_live/index.ex:174 +#: lib/mv_web/live/member_live/index.ex:168 #, elixir-autogen, elixir-format msgid "Tip: Paste email addresses into the BCC field for privacy compliance" msgstr "" diff --git a/priv/gettext/en/LC_MESSAGES/default.po b/priv/gettext/en/LC_MESSAGES/default.po index 3b471d5..319bcc3 100644 --- a/priv/gettext/en/LC_MESSAGES/default.po +++ b/priv/gettext/en/LC_MESSAGES/default.po @@ -16,7 +16,7 @@ msgstr "" msgid "Actions" msgstr "" -#: lib/mv_web/live/member_live/index.html.heex:243 +#: lib/mv_web/live/member_live/index.html.heex:248 #: lib/mv_web/live/user_live/index.html.heex:72 #, elixir-autogen, elixir-format msgid "Are you sure?" @@ -29,19 +29,19 @@ msgid "Attempting to reconnect" msgstr "" #: lib/mv_web/live/member_live/form.ex:53 -#: lib/mv_web/live/member_live/index.html.heex:179 +#: lib/mv_web/live/member_live/index.html.heex:184 #: lib/mv_web/live/member_live/show.ex:58 #, elixir-autogen, elixir-format msgid "City" msgstr "" -#: lib/mv_web/live/member_live/index.html.heex:245 +#: lib/mv_web/live/member_live/index.html.heex:250 #: lib/mv_web/live/user_live/index.html.heex:74 #, elixir-autogen, elixir-format msgid "Delete" msgstr "" -#: lib/mv_web/live/member_live/index.html.heex:237 +#: lib/mv_web/live/member_live/index.html.heex:242 #: lib/mv_web/live/user_live/form.ex:265 #: lib/mv_web/live/user_live/index.html.heex:66 #, elixir-autogen, elixir-format @@ -55,7 +55,7 @@ msgid "Edit Member" msgstr "" #: lib/mv_web/live/member_live/form.ex:47 -#: lib/mv_web/live/member_live/index.html.heex:107 +#: lib/mv_web/live/member_live/index.html.heex:112 #: lib/mv_web/live/member_live/show.ex:50 #: lib/mv_web/live/user_live/form.ex:46 #: lib/mv_web/live/user_live/index.html.heex:44 @@ -71,7 +71,7 @@ msgid "First Name" msgstr "" #: lib/mv_web/live/member_live/form.ex:50 -#: lib/mv_web/live/member_live/index.html.heex:215 +#: lib/mv_web/live/member_live/index.html.heex:220 #: lib/mv_web/live/member_live/show.ex:55 #, elixir-autogen, elixir-format msgid "Join Date" @@ -83,12 +83,12 @@ msgstr "" msgid "Last Name" msgstr "" -#: lib/mv_web/live/member_live/index.html.heex:24 +#: lib/mv_web/live/member_live/index.html.heex:29 #, elixir-autogen, elixir-format msgid "New Member" msgstr "" -#: lib/mv_web/live/member_live/index.html.heex:234 +#: lib/mv_web/live/member_live/index.html.heex:239 #: lib/mv_web/live/user_live/index.html.heex:63 #, elixir-autogen, elixir-format msgid "Show" @@ -116,7 +116,7 @@ msgid "Exit Date" msgstr "" #: lib/mv_web/live/member_live/form.ex:55 -#: lib/mv_web/live/member_live/index.html.heex:143 +#: lib/mv_web/live/member_live/index.html.heex:148 #: lib/mv_web/live/member_live/show.ex:60 #, elixir-autogen, elixir-format msgid "House Number" @@ -131,21 +131,21 @@ msgstr "" #: lib/mv_web/live/components/payment_filter_component.ex:94 #: lib/mv_web/live/components/payment_filter_component.ex:144 #: lib/mv_web/live/member_live/form.ex:48 -#: lib/mv_web/live/member_live/index.html.heex:224 +#: lib/mv_web/live/member_live/index.html.heex:229 #: lib/mv_web/live/member_live/show.ex:51 #, elixir-autogen, elixir-format msgid "Paid" msgstr "" #: lib/mv_web/live/member_live/form.ex:49 -#: lib/mv_web/live/member_live/index.html.heex:197 +#: lib/mv_web/live/member_live/index.html.heex:202 #: lib/mv_web/live/member_live/show.ex:54 #, elixir-autogen, elixir-format msgid "Phone Number" msgstr "" #: lib/mv_web/live/member_live/form.ex:56 -#: lib/mv_web/live/member_live/index.html.heex:161 +#: lib/mv_web/live/member_live/index.html.heex:166 #: lib/mv_web/live/member_live/show.ex:61 #, elixir-autogen, elixir-format msgid "Postal Code" @@ -166,7 +166,7 @@ msgid "Saving..." msgstr "" #: lib/mv_web/live/member_live/form.ex:54 -#: lib/mv_web/live/member_live/index.html.heex:125 +#: lib/mv_web/live/member_live/index.html.heex:130 #: lib/mv_web/live/member_live/show.ex:59 #, elixir-autogen, elixir-format msgid "Street" @@ -177,7 +177,7 @@ msgstr "" msgid "Id" msgstr "" -#: lib/mv_web/live/member_live/index.html.heex:229 +#: lib/mv_web/live/member_live/index.html.heex:234 #: lib/mv_web/live/member_live/index/formatter.ex:61 #: lib/mv_web/live/member_live/show.ex:52 #, elixir-autogen, elixir-format @@ -194,7 +194,7 @@ msgstr "" msgid "This is a member record from your database." msgstr "" -#: lib/mv_web/live/member_live/index.html.heex:229 +#: lib/mv_web/live/member_live/index.html.heex:234 #: lib/mv_web/live/member_live/index/formatter.ex:60 #: lib/mv_web/live/member_live/show.ex:52 #, elixir-autogen, elixir-format @@ -360,12 +360,12 @@ msgstr "" msgid "Required" msgstr "" -#: lib/mv_web/live/member_live/index.html.heex:63 +#: lib/mv_web/live/member_live/index.html.heex:68 #, elixir-autogen, elixir-format msgid "Select all members" msgstr "" -#: lib/mv_web/live/member_live/index.html.heex:77 +#: lib/mv_web/live/member_live/index.html.heex:82 #, elixir-autogen, elixir-format msgid "Select member" msgstr "" @@ -551,7 +551,7 @@ msgid "Toggle dark mode" msgstr "" #: lib/mv_web/live/components/search_bar_component.ex:15 -#: lib/mv_web/live/member_live/index.html.heex:34 +#: lib/mv_web/live/member_live/index.html.heex:39 #, elixir-autogen, elixir-format msgid "Search..." msgstr "" @@ -567,7 +567,7 @@ msgstr "" msgid "Click to sort" msgstr "" -#: lib/mv_web/live/member_live/index.html.heex:89 +#: lib/mv_web/live/member_live/index.html.heex:94 #, elixir-autogen, elixir-format, fuzzy msgid "First name" msgstr "" @@ -777,7 +777,7 @@ msgstr "" msgid "Unlinking scheduled" msgstr "" -#: lib/mv_web/live/member_live/index.ex:165 +#: lib/mv_web/live/member_live/index.ex:159 #, elixir-autogen, elixir-format msgid "Copied %{count} email address to clipboard" msgid_plural "Copied %{count} email addresses to clipboard" @@ -794,27 +794,27 @@ msgstr "" msgid "Copy emails" msgstr "" -#: lib/mv_web/live/member_live/index.ex:154 +#: lib/mv_web/live/member_live/index.ex:148 #, elixir-autogen, elixir-format msgid "No email addresses found" msgstr "" -#: lib/mv_web/live/member_live/index.ex:151 +#: lib/mv_web/live/member_live/index.ex:145 #, elixir-autogen, elixir-format, fuzzy msgid "No members selected" msgstr "" -#: lib/mv_web/live/member_live/index.html.heex:18 +#: lib/mv_web/live/member_live/index.html.heex:23 #, elixir-autogen, elixir-format msgid "Open email program with BCC recipients" msgstr "" -#: lib/mv_web/live/member_live/index.html.heex:21 +#: lib/mv_web/live/member_live/index.html.heex:26 #, elixir-autogen, elixir-format msgid "Open in email program" msgstr "" -#: lib/mv_web/live/member_live/index.ex:174 +#: lib/mv_web/live/member_live/index.ex:168 #, elixir-autogen, elixir-format msgid "Tip: Paste email addresses into the BCC field for privacy compliance" msgstr "" -- 2.47.2 From 1623b6320789f54ce903c5ace5b787485c9c58d2 Mon Sep 17 00:00:00 2001 From: Simon Date: Wed, 3 Dec 2025 14:27:22 +0100 Subject: [PATCH 4/4] fix: resolve review comments --- CHANGELOG.md | 1 + Justfile | 4 ++-- README.md | 7 +++++++ config/runtime.exs | 23 +++++++++++++++++++---- docker-compose.prod.yml | 2 +- 5 files changed, 30 insertions(+), 7 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 71d9147..28b4a37 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -17,6 +17,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 - CopyToClipboard JavaScript hook with fallback for older browsers - Button shows count of visible selected members (respects search/filter) - German/English translations +- Docker secrets support via `_FILE` environment variables for all sensitive configuration (SECRET_KEY_BASE, TOKEN_SIGNING_SECRET, OIDC_CLIENT_SECRET, DATABASE_URL, DATABASE_PASSWORD) ### Fixed - Email validation false positive when linking user and member with identical emails (#168 Problem #4) diff --git a/Justfile b/Justfile index b97eb14..3e3e764 100644 --- a/Justfile +++ b/Justfile @@ -90,7 +90,7 @@ clean: # ================================ # Initialize secrets directory with generated secrets (only if not exists) -init-secrets: +init-prod-secrets: #!/usr/bin/env bash set -euo pipefail if [ -d "secrets" ]; then @@ -106,5 +106,5 @@ init-secrets: echo "Secrets generated in ./secrets/" # Start production environment with Docker Compose -start-prod: init-secrets +start-prod: init-prod-secrets docker compose -f docker-compose.prod.yml up -d \ No newline at end of file diff --git a/README.md b/README.md index d9569af..14435db 100644 --- a/README.md +++ b/README.md @@ -217,6 +217,13 @@ For testing the production Docker build locally: # OIDC_BASE_URL=http://localhost:8080/auth/v1 # OIDC_REDIRECT_URI=http://localhost:4001/auth/user/rauthy/callback # OIDC_CLIENT_SECRET= + + # Alternative: Use _FILE variables for Docker secrets (takes priority over regular vars): + # SECRET_KEY_BASE_FILE=/run/secrets/secret_key_base + # TOKEN_SIGNING_SECRET_FILE=/run/secrets/token_signing_secret + # OIDC_CLIENT_SECRET_FILE=/run/secrets/oidc_client_secret + # DATABASE_URL_FILE=/run/secrets/database_url + # DATABASE_PASSWORD_FILE=/run/secrets/database_password ``` 3. **Start development environment** (for Rauthy): diff --git a/config/runtime.exs b/config/runtime.exs index 9f41626..71138ef 100644 --- a/config/runtime.exs +++ b/config/runtime.exs @@ -21,7 +21,7 @@ get_env_or_file = fn var_name, default -> file_path -> case File.read(file_path) do {:ok, content} -> - String.trim(content) + String.trim_trailing(content) {:error, reason} -> raise """ @@ -119,10 +119,25 @@ if config_env() == :prod do # Rauthy OIDC configuration # Supports OIDC_CLIENT_SECRET or OIDC_CLIENT_SECRET_FILE for Docker secrets. + # OIDC_CLIENT_SECRET is required only if OIDC is being used (indicated by explicit OIDC env vars). + oidc_base_url = System.get_env("OIDC_BASE_URL") + oidc_client_id = System.get_env("OIDC_CLIENT_ID") + oidc_in_use = not is_nil(oidc_base_url) or not is_nil(oidc_client_id) + + client_secret = + if oidc_in_use do + get_env_or_file!.("OIDC_CLIENT_SECRET", """ + environment variable OIDC_CLIENT_SECRET (or OIDC_CLIENT_SECRET_FILE) is missing. + This is required when OIDC authentication is configured (OIDC_BASE_URL or OIDC_CLIENT_ID is set). + """) + else + get_env_or_file.("OIDC_CLIENT_SECRET", nil) + end + config :mv, :rauthy, - client_id: System.get_env("OIDC_CLIENT_ID") || "mv", - base_url: System.get_env("OIDC_BASE_URL") || "http://localhost:8080/auth/v1", - client_secret: get_env_or_file.("OIDC_CLIENT_SECRET", nil), + client_id: oidc_client_id || "mv", + base_url: oidc_base_url || "http://localhost:8080/auth/v1", + client_secret: client_secret, redirect_uri: System.get_env("OIDC_REDIRECT_URI") || "http://#{host}:#{port}/auth/user/rauthy/callback" diff --git a/docker-compose.prod.yml b/docker-compose.prod.yml index 5cac351..b4b7a1f 100644 --- a/docker-compose.prod.yml +++ b/docker-compose.prod.yml @@ -1,6 +1,6 @@ services: app: - image: mitgliederverwaltung:latest + image: git.local-it.org/local-it/mitgliederverwaltung:latest container_name: mv-prod-app ports: - "4001:4001" -- 2.47.2