Merge pull request #3 from solution-libre/2-use-secret-for-smtp-service

Use secret for SMTP service
solution-libre · Mar 25, 2022 · 2c97e6d · 2c97e6d
2 parents 8ef94c2 + 4f549bd
commit 2c97e6d
Show file tree

Hide file tree

Showing 7 changed files with 50 additions and 4 deletions.
diff --git a/.env.dist b/.env.dist
@@ -17,6 +17,4 @@ ADMIN_MAIL=your@mail.address # Change me!
 SMTP_RELAY_DOMAINS=domain.tld
 SMTP_HOSTNAME=mail.domain.tld
 SMTP_PORT=465
-SMTP_USERNAME=user@domain.tld
-SMTP_PASSWORD=ChangeMe!
 SMTP_ALIASES=mail.domain.tld
diff --git a/.gitignore b/.gitignore
@@ -1,2 +1,3 @@
 .env
+.secrets
 docker-compose.override.yml
diff --git a/.secrets.dist/smtpd_password.secret b/.secrets.dist/smtpd_password.secret
@@ -0,0 +1 @@
+ChangeMe!
diff --git a/.secrets.dist/smtpd_user.secret b/.secrets.dist/smtpd_user.secret
@@ -0,0 +1 @@
+user@domain.tld
diff --git a/README.md b/README.md
@@ -23,10 +23,13 @@ great [Docker images of Baroes](https://github.com/barcus/bareos).
 cd /opt
 git clone https://github.com/solution-libre/docker-bareos.git bareos
 cd bareos
+cp -r .secrets.dist .secrets
 ```
 
 Declare environment variables or copy the `.env.dist` to `.env` and adjust its values.
 
+Change the value of the secrets in the `.secrets` folder.
+
 Register a domain like 'bareos.domain.tld'.
 
 ## Usage

diff --git a/docker-compose-barcus.override.yml b/docker-compose-barcus.override.yml
@@ -90,16 +90,22 @@ services:
 
   smtpd:
     restart: unless-stopped
+    command: ["exim", "-bd", "-q15m", "-v"]
+    entrypoint: /usr/local/bin/docker-entrypoint.sh
     hostname: "smtpd.${HOSTNAME}"
     volumes:
       - ../docker-volumes/smtpd/_docker_additional_macros:/etc/exim4/_docker_additional_macros
       - ../docker-volumes/smtpd/exim4.conf.template:/etc/exim4/exim4.conf.template
+      - ../docker-volumes/smtpd/docker-entrypoint.sh:/usr/local/bin/docker-entrypoint.sh
+    secrets:
+      - smtpd-user
+      - smtpd-password
     environment:
       RELAY_DOMAINS: ${SMTP_RELAY_DOMAINS}
       SMARTHOST_ADDRESS: ${SMTP_HOSTNAME}
       SMARTHOST_PORT: ${SMTP_PORT}
-      SMARTHOST_USER: ${SMTP_USERNAME}
-      SMARTHOST_PASSWORD: ${SMTP_PASSWORD}
+      SMARTHOST_USER_FILE: '/run/secrets/smtpd-user'
+      SMARTHOST_PASSWORD_FILE: '/run/secrets/smtpd-password'
       SMARTHOST_ALIASES: ${SMTP_ALIASES}
     networks:
       default:
@@ -116,6 +122,12 @@ networks:
         - subnet: "${NETWORK_PREFIX}.0/20"
           gateway: "${NETWORK_PREFIX}.1"
 
+secrets:
+  smtpd-user:
+    file: ../.secrets/smtpd_user.secret
+  smtpd-password:
+    file: ../.secrets/smtpd_password.secret
+
 volumes:
   director_config:
   director_data:

diff --git a/docker-volumes/smtpd/docker-entrypoint.sh b/docker-volumes/smtpd/docker-entrypoint.sh
@@ -0,0 +1,30 @@
+#!/usr/bin/env bash
+set -eo pipefail
+shopt -s nullglob
+
+# usage: file_env VAR [DEFAULT]
+#    ie: file_env 'XYZ_DB_PASSWORD' 'example'
+# (will allow for "$XYZ_DB_PASSWORD_FILE" to fill in the value of
+#  "$XYZ_DB_PASSWORD" from a file, especially for Docker's secrets feature)
+file_env() {
+	local var="$1"
+	local fileVar="${var}_FILE"
+	local def="${2:-}"
+	if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then
+		echo >&2 "error: both ${varName} and ${fileVarName} are set (but are exclusive)"
+		exit 1
+	fi
+	local val="$def"
+	if [ "${!var:-}" ]; then
+		val="${!var}"
+	elif [ "${!fileVar:-}" ]; then
+		val="$(< "${!fileVar}")"
+	fi
+	export "$var"="$val"
+	unset "$fileVar"
+}
+
+file_env SMARTHOST_USER
+file_env SMARTHOST_PASSWORD
+
+exec /bin/entrypoint.sh "$@"