diff --git a/Dockerfile b/Dockerfile
index 5a571f7..c88bbb3 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,5 +1,5 @@
 # Build image
-FROM rust:alpine AS chef
+FROM rust:alpine3.14 AS chef
 RUN set -x \
 # Add user
@@ -40,7 +40,7 @@ RUN cargo build --release -p lldap \
 && ./app/build.sh
 # Final image
-FROM alpine
+FROM alpine:3.14
 RUN set -x \
 # Add user
@@ -54,16 +54,20 @@ RUN set -x \
 # Create the /data folder
 && mkdir /data && chown app:app /data
+RUN apk add --no-cache bash
+
 USER app
 WORKDIR /app
 COPY --chown=app:app --from=builder /app/app/index.html /app/app/main.js app/
 COPY --chown=app:app --from=builder /app/app/pkg app/pkg
 COPY --chown=app:app --from=builder /app/target/release/lldap lldap
+COPY docker-entrypoint.sh .
 ENV LDAP_PORT=3890
 ENV HTTP_PORT=17170
 EXPOSE ${LDAP_PORT} ${HTTP_PORT}
-CMD ["/app/lldap", "run", "--config-file", "/data/lldap_config.toml"]
+ENTRYPOINT ["/app/docker-entrypoint.sh"]
+CMD ["run", "--config-file", "/data/lldap_config.toml"]
diff --git a/README.md b/README.md
index d744b08..30a13a9 100644
--- a/README.md
+++ b/README.md
@@ -71,6 +71,8 @@ Configure the server by copying the `lldap_config.docker_template.toml` to
 Environment variables should be prefixed with `LLDAP_` to override the configuration.
+Secrets can also be set through a file. The filename should be specified by the variables `LLDAP_JWT_SECRET_FILE` or `LLDAP_USER_PASS_FILE`, and the file contents are loaded into the respective configuration parameters. Note that `_FILE` variables take precedence.
+
 Example for docker compose:
 ```yaml
diff --git a/docker-entrypoint.sh b/docker-entrypoint.sh
new file mode 100755
index 0000000..46cdfcf
--- /dev/null
+++ b/docker-entrypoint.sh
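Review bot: `COPY docker-entrypoint.sh .` in the final stage depends on the executable bit surviving the build context, and unlike the neighbouring `COPY --chown=app:app` lines it carries no mode or ownership flag. With BuildKit, `COPY --chmod=0755 docker-entrypoint.sh .` pins the mode regardless of how the context was checked out; leaving ownership at root is fine and arguably preferable here, since the `app` user then cannot rewrite its own entrypoint. The diff records the file as mode 100755, so the current form works on a POSIX checkout, but it breaks wherever that bit is dropped. Separately, the builder pin `rust:alpine3.14` in the first hunk still floats on the Rust toolchain; a full tag of the form `rust:<rust-version>-alpine3.14` (placeholder) would make that stage reproducible as well.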
@@ -0,0 +1,18 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+for SECRET in LLDAP_JWT_SECRET LLDAP_LDAP_USER_PASS; do
+FILE_VAR="${SECRET}_FILE"
+SECRET_FILE="${!FILE_VAR:-}"
+if [[ -n "$SECRET_FILE" ]]; then
+if [[ -f "$SECRET_FILE" ]]; then
+declare "$SECRET=$(cat $SECRET_FILE)"
+export "$SECRET"
+echo "[entrypoint] Set $SECRET from $SECRET_FILE"
+else
+echo "[entrypoint] Could not read contents of $SECRET_FILE (specified in $FILE_VAR)" >&2
+fi
+fi
+done
+
+exec /app/lldap "$@"
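Review bot: A `_FILE` variable that points at a missing file only produces a warning on the `else` branch and the script still goes on to `exec /app/lldap`, so the server starts without the secret the operator meant to supply; unless that fallback is deliberate, the branch should end with `exit 1`. The `-f` test does not cover readability, and a failing `cat` inside `declare "$SECRET=$(cat $SECRET_FILE)"` is masked by `declare`'s own exit status (the `-e` in `set -euo pipefail` never sees it), leaving the variable exported but empty; `if [[ -r "$SECRET_FILE" ]]; then` together with `declare "$SECRET=$(< "$SECRET_FILE")"` closes both gaps and also quotes the path, which is currently subject to word splitting and globbing. The variable names also disagree with the README hunk: the loop derives `LLDAP_LDAP_USER_PASS_FILE`, while the README documents `LLDAP_USER_PASS_FILE`, so one of the two needs to change. The log line prints only the variable name and path, never the value, which is the right choice and worth keeping.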