From 844794dbacfa2c5da7f71242dedf10e88ae1568e Mon Sep 17 00:00:00 2001
From: kaysond <github@aram.nubmail.ca>
Date: Wed, 24 Nov 2021 22:43:49 -0800
Subject: [PATCH] add an entrypoint script that allows setting secrets from a
 file; version the upstream containers

---
 Dockerfile           | 10 +++++++---
 README.md            |  2 ++
 docker-entrypoint.sh | 18 ++++++++++++++++++
 3 files changed, 27 insertions(+), 3 deletions(-)
 create mode 100755 docker-entrypoint.sh

diff --git a/Dockerfile b/Dockerfile
index 5a571f7..c88bbb3 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,5 +1,5 @@
 # Build image
-FROM rust:alpine AS chef
+FROM rust:alpine3.14 AS chef
 
 RUN set -x \
     # Add user
@@ -40,7 +40,7 @@ RUN cargo build --release -p lldap \
     && ./app/build.sh
 
 # Final image
-FROM alpine
+FROM alpine:3.14
 
 RUN set -x \
     # Add user
@@ -54,16 +54,20 @@ RUN set -x \
     # Create the /data folder
     && mkdir /data && chown app:app /data
 
+RUN apk add --no-cache bash
+
 USER app
 WORKDIR /app
 
 COPY --chown=app:app --from=builder /app/app/index.html /app/app/main.js app/
 COPY --chown=app:app --from=builder /app/app/pkg app/pkg
 COPY --chown=app:app --from=builder /app/target/release/lldap lldap
+COPY docker-entrypoint.sh .
 
 ENV LDAP_PORT=3890
 ENV HTTP_PORT=17170
 
 EXPOSE ${LDAP_PORT} ${HTTP_PORT}
 
-CMD ["/app/lldap", "run", "--config-file", "/data/lldap_config.toml"]
+ENTRYPOINT ["/app/docker-entrypoint.sh"]
+CMD ["run", "--config-file", "/data/lldap_config.toml"]
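Review bot: `COPY docker-entrypoint.sh .` relies on the executable bit recorded in the commit (`create mode 100755`) rather than stating it in the build, so a checkout that drops file modes (core.fileMode=false, some Windows clones) produces an image whose ENTRYPOINT fails with a permission error. Making the mode explicit, `COPY --chmod=0755 docker-entrypoint.sh .`, removes that dependency; leaving the file root-owned (no `--chown`, unlike the sibling COPYs) is fine and arguably preferable, since the `app` user then cannot modify its own entrypoint. The `RUN apk add --no-cache bash` line is unpinned (hadolint DL3018) while the base images in this commit are now pinned; `bash=<version>` would keep the runtime image reproducible, or the script could be rewritten in POSIX sh to avoid adding a second shell to the runtime image at all.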
diff --git a/README.md b/README.md
index d744b08..30a13a9 100644
--- a/README.md
+++ b/README.md
@@ -71,6 +71,8 @@ Configure the server by copying the `lldap_config.docker_template.toml` to
 Environment variables should be prefixed with `LLDAP_` to override the
 configuration.
 
+Secrets can also be set through a file. The filename should be specified by the variables `LLDAP_JWT_SECRET_FILE` or `LLDAP_USER_PASS_FILE`, and the file contents are loaded into the respective configuration parameters. Note that `_FILE` variables take precedence.
+
 Example for docker compose:
 
 ```yaml
diff --git a/docker-entrypoint.sh b/docker-entrypoint.sh
new file mode 100755
index 0000000..46cdfcf
--- /dev/null
+++ b/docker-entrypoint.sh
@@ -0,0 +1,18 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+for SECRET in LLDAP_JWT_SECRET LLDAP_LDAP_USER_PASS; do
+    FILE_VAR="${SECRET}_FILE"
+    SECRET_FILE="${!FILE_VAR:-}"
+    if [[ -n "$SECRET_FILE" ]]; then
+        if [[ -f "$SECRET_FILE" ]]; then
+            declare "$SECRET=$(cat $SECRET_FILE)"
+            export "$SECRET"
+            echo "[entrypoint] Set $SECRET from $SECRET_FILE"
+        else
+            echo "[entrypoint] Could not read contents of $SECRET_FILE (specified in $FILE_VAR)" >&2
+        fi
+    fi
+done
+
+exec /app/lldap "$@"
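Review bot: The `[[ -f "$SECRET_FILE" ]]` test only checks that the path is a regular file, so an existing but unreadable secret (wrong owner or mode after `USER app`) passes the check, `cat` fails inside the `declare` substitution where `set -e` does not catch it, and the variable is silently exported empty while the log says it was set; `if [[ -r "$SECRET_FILE" ]]; then` matches the "Could not read contents" message, and `$SECRET_FILE` should be quoted in `declare "$SECRET=$(cat "$SECRET_FILE")"` to avoid word splitting and globbing on the path. Since the README in this commit says `_FILE` variables take precedence, the else branch probably should `exit 1` after its message rather than let the server start with whatever fallback value is present; that is a policy call, but silently degrading a secret source is the riskier default. The script loops over `LLDAP_LDAP_USER_PASS`, yielding `LLDAP_LDAP_USER_PASS_FILE`, while the README hunk documents `LLDAP_USER_PASS_FILE`; one of the two needs to change or users will set a variable the script never reads.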