local-it/mitgliederverwaltung
2
3
Fork 0
Code Issues 72 Pull requests 3 Projects 4 Releases Packages 1 Activity Actions

Add file_envs for secrets and allow passing database url via separate envs #246

Merged
simon merged 5 commits from add-file-envs into main 2025-12-03 14:29:34 +01:00
Conversation 1 Commits 5 Files changed 6 +30 -7
5 changed files with 30 additions and 7 deletions
Download patch file Download diff file Expand all files Collapse all files
Showing only changes of commit 1623b63207 - Show all commits

1
CHANGELOG.md
View file

@ -17,6 +17,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
- CopyToClipboard JavaScript hook with fallback for older browsers
- Button shows count of visible selected members (respects search/filter)
- German/English translations
- Docker secrets support via `_FILE` environment variables for all sensitive configuration (SECRET_KEY_BASE, TOKEN_SIGNING_SECRET, OIDC_CLIENT_SECRET, DATABASE_URL, DATABASE_PASSWORD)
### Fixed
- Email validation false positive when linking user and member with identical emails (#168 Problem #4)

4
Justfile
View file

@ -90,7 +90,7 @@ clean:
# ================================
# Initialize secrets directory with generated secrets (only if not exists)
init-secrets:
init-prod-secrets:
simon marked this conversation as resolved Outdated
rafael commented 2025-12-03 13:29:07 +01:00
Outdated
Copy link

Should we name this action init-prod-secrets to communicate its scope?

Should we name this action `init-prod-secrets` to communicate its scope?
#!/usr/bin/env bash
set -euo pipefail
if [ -d "secrets" ]; then
@ -106,5 +106,5 @@ init-secrets:
echo "Secrets generated in ./secrets/"
# Start production environment with Docker Compose
start-prod: init-secrets
start-prod: init-prod-secrets
docker compose -f docker-compose.prod.yml up -d

7
README.md
View file

@ -217,6 +217,13 @@ For testing the production Docker build locally:
# OIDC_BASE_URL=http://localhost:8080/auth/v1
# OIDC_REDIRECT_URI=http://localhost:4001/auth/user/rauthy/callback
# OIDC_CLIENT_SECRET=<from-rauthy-client>
# Alternative: Use _FILE variables for Docker secrets (takes priority over regular vars):
# SECRET_KEY_BASE_FILE=/run/secrets/secret_key_base
# TOKEN_SIGNING_SECRET_FILE=/run/secrets/token_signing_secret
# OIDC_CLIENT_SECRET_FILE=/run/secrets/oidc_client_secret
# DATABASE_URL_FILE=/run/secrets/database_url
# DATABASE_PASSWORD_FILE=/run/secrets/database_password
```
3. **Start development environment** (for Rauthy):

23
config/runtime.exs
View file

@ -21,7 +21,7 @@ get_env_or_file = fn var_name, default ->
file_path ->
case File.read(file_path) do
{:ok, content} ->
String.trim(content)
String.trim_trailing(content)
simon marked this conversation as resolved Outdated
rafael commented 2025-12-03 13:31:17 +01:00
Outdated
Copy link

Is this trim specifically needed? Seems like it could lead to some surprising behavior in some edge cases.

Is this `trim` specifically needed? Seems like it could lead to some surprising behavior in some edge cases.
simon commented 2025-12-03 14:11:01 +01:00
Outdated
Copy link

replaced by trim_trailing

  • leading whitespaces remain
  • only trailing whitespaces are removed, common use case when using secret files, with newlines etc
replaced by trim_trailing - leading whitespaces remain - only trailing whitespaces are removed, common use case when using secret files, with newlines etc
{:error, reason} ->
raise """
@ -119,10 +119,25 @@ if config_env() == :prod do
# Rauthy OIDC configuration
# Supports OIDC_CLIENT_SECRET or OIDC_CLIENT_SECRET_FILE for Docker secrets.
# OIDC_CLIENT_SECRET is required only if OIDC is being used (indicated by explicit OIDC env vars).
oidc_base_url = System.get_env("OIDC_BASE_URL")
oidc_client_id = System.get_env("OIDC_CLIENT_ID")
oidc_in_use = not is_nil(oidc_base_url) or not is_nil(oidc_client_id)
simon marked this conversation as resolved Outdated
rafael commented 2025-12-03 13:34:32 +01:00
Outdated
Copy link

Let's add an error message here, similar to the other calls

Let's add an error message here, similar to the other calls
client_secret =
if oidc_in_use do
get_env_or_file!.("OIDC_CLIENT_SECRET", """
environment variable OIDC_CLIENT_SECRET (or OIDC_CLIENT_SECRET_FILE) is missing.
This is required when OIDC authentication is configured (OIDC_BASE_URL or OIDC_CLIENT_ID is set).
""")
else
get_env_or_file.("OIDC_CLIENT_SECRET", nil)
end
config :mv, :rauthy,
client_id: System.get_env("OIDC_CLIENT_ID") || "mv",
base_url: System.get_env("OIDC_BASE_URL") || "http://localhost:8080/auth/v1",
client_secret: get_env_or_file.("OIDC_CLIENT_SECRET", nil),
client_id: oidc_client_id || "mv",
base_url: oidc_base_url || "http://localhost:8080/auth/v1",
client_secret: client_secret,
redirect_uri:
System.get_env("OIDC_REDIRECT_URI") || "http://#{host}:#{port}/auth/user/rauthy/callback"

2
docker-compose.prod.yml
View file

@ -1,6 +1,6 @@
services:
app:
image: mitgliederverwaltung:latest
image: git.local-it.org/local-it/mitgliederverwaltung:latest
simon marked this conversation as resolved Outdated
rafael commented 2025-12-03 13:35:28 +01:00
Outdated
Copy link

Should we change this back? Or is there a way we can support dev environments and "real" prod deployments with the same file?

Should we change this back? Or is there a way we can support dev environments and "real" prod deployments with the same file?
simon commented 2025-12-03 14:14:30 +01:00
Outdated
Copy link

was just for testing, whoopsie

was just for testing, whoopsie
container_name: mv-prod-app
ports:
- "4001:4001"