Support for docker secrets (#354)

* docker secrets support

---------

Co-authored-by: Bram van Dartel <[email protected]>

Dockerfile

@@ -133,11 +133,12 @@ RUN echo "**** configure nginx package ****" \
 FROM base as final
 
 COPY rootfs /
+COPY ./docker/entrypoint /
 
 # TODO: Improve healtcheck to respond on 200 only
 # TODO: Improve healtcheck so it's only valid for containers with the webinterface enabled
-# HEALTHCHECK --interval=15s --timeout=3s --retries=10 CMD curl -Lsf http://127.0.0.1/about -o /dev/null -w "HTTP_%{http_code}" || exit 1
+HEALTHCHECK --interval=15s --timeout=3s --retries=10 CMD curl -Lsf http://127.0.0.1/about -o /dev/null -w "HTTP_%{http_code}" || exit 1
 
 WORKDIR /app
 
-ENTRYPOINT [ "/init" ]
+ENTRYPOINT [

docker/entrypoint/docker-entrypoint.d/.env-from-docker-secrets

@@ -0,0 +1,56 @@
+#!/usr/bin/env sh
+
+# EXPANDING VARIABLES FROM DOCKER SECRETS
+: ${ENV_SECRETS_DIR:=/run/secrets}
+
+# Function to print debug messages for environment secrets
+env_secret_debug() {
+    if [ ! -z "$ENV_SECRETS_DEBUG" ]; then
+        echo -e "\033[1m$@\033[0m"
+    fi
+}
+
+# This function populates environment variables from variables containing file paths
+populate_file_variables() {
+    for env_var in $(env | grep '_FILE=' | cut -d '=' -f 1); do
+        var_name="${env_var%_FILE}" # Remove the '_FILE' suffix
+        file_path=$(eval echo "\$$env_var") # Get the file path from the environment variable
+        if [ -s "$file_path" ]; then
+            val=$(cat "$file_path") # Read the file contents into the environment variable
+            export "$var_name"="$val"
+            env_secret_debug "Populated variable: $var_name"
+        else
+            env_secret_debug "File is empty or does not exist: $file_path"
+        fi
+    done
+}
+
+# This function expands variables from docker secrets
+expand_docker_secrets() {
+    for env_var in $(printenv | cut -f1 -d"="); do
+        var_value=$(eval echo "\$$env_var") # Get the value of the environment variable
+        if secret_key=$(expr match "$var_value" "DOCKER-SECRET->\([^}]\+\)$"); then
+            secret="${ENV_SECRETS_DIR}/${secret_key}"
+            if [ -f "$secret" ]; then
+                val=$(cat "$secret")
+                export "$env_var"="$val" # Expand the variable with the secret value
+                env_secret_debug "Expanded variable: $env_var"
+            else
+                env_secret_debug "Secret file does not exist! $secret"
+            fi
+        fi
+    done
+}
+
+# Populate environment variables from variables containing file paths
+# Conditionally expand variables from docker secrets
+if [ ! -z "$ENV_SECRETS_DIR" ]; then
+    populate_file_variables
+    expand_docker_secrets
+else 
+    env_secret_debug "No secrets found in /run/secrets"    
+fi
+
+
+# Execute the command provided as arguments to the script
+exec "$@"

docker/entrypoint/docker-entrypoint.sh

@@ -0,0 +1,32 @@
+#!/bin/sh
+# vim:sw=4:ts=4:et
+
+set -e
+
+. /docker-entrypoint.d/.env-from-docker-secrets
+
+if /usr/bin/find "/docker-entrypoint.d/" -mindepth 1 -maxdepth 1 -type f -print -quit 2>/dev/null | read v; then
+    echo "$0: /docker-entrypoint.d/ is not empty, will attempt to perform configuration"
+
+    echo "$0: Looking for shell scripts in /docker-entrypoint.d/"
+    find "/docker-entrypoint.d/" -follow -type f -print | sort -V | while read -r f; do
+    case "$f" in
+        *.sh)
+            if [ -x "$f" ]; then
+                echo "$0: Launching $f";
+                "$f"
+            else
+                # warn on shell scripts without exec bit
+                echo "$0: Ignoring $f, not executable";
+            fi
+            ;;
+        *) echo "$0: Ignoring $f";;
+    esac
+done
+
+echo "$0: Configuration complete; ready for start up"
+else
+    echo "$0: No files found in /docker-entrypoint.d/, skipping configuration"
+fi
+
+exec "$@"

examples/docker-compose.secrets-example.yaml

@@ -0,0 +1,93 @@
+version: '3'
+
+services:
+  dsmrdb:
+    # When using Postgres, release 13.x, 14.x, and 15.x are supported only
+    # due to the limited availability of client packages, especially for arm32v7
+    image: postgres:15-alpine
+    container_name: dsmrdb
+    restart: always
+    secrets:
+      - postgres_user
+      - postgres_password
+    volumes:
+      - ./dsmrdb:/var/lib/postgresql/data
+    environment:
+      - TZ=Europe/Amsterdam
+      - PG_TZ=Europe/Amsterdam
+      - POSTGRES_DB=dsmrreader
+      - POSTGRES_USER_FILE=/run/secrets/postgres_user
+      - POSTGRES_PASSWORD_FILE=/run/secrets/postgres_password
+    healthcheck:
+      # postgres is the default user, please update with
+      # the DJANGO_DATABASE_USER used for dsmr-reader-docker
+      # default for DSMR Reader is dsmrreader
+      test: [ "CMD-SHELL", "pg_isready -U dsmrreader" ]
+      interval: 10s
+      timeout: 5s
+      retries: 10
+
+  dsmr:
+    image: ghcr.io/xirixiz/dsmr-reader-docker:latest
+    depends_on:
+      dsmrdb:
+        condition: service_healthy
+    container_name: dsmr
+    links:
+      - dsmrdb
+    cap_add:
+      - NET_ADMIN
+    restart: always
+    secrets:
+      - postgres_user
+      - postgres_password
+      - dsmrreader_admin_user
+      - dsmrreader_admin_password      
+    volumes:
+      - /etc/localtime:/etc/localtime:ro
+      - ./dsmr_backups:/app/backups
+    environment:
+      - TZ=Europe/Amsterdam
+      - DJANGO_TIME_ZONE=Europe/Amsterdam
+      - VIRTUAL_HOST=localhost
+      # Postfix the environment variable with _FILE to read the secret from a file
+      - DJANGO_DATABASE_NAME=dsmrreader
+      - DJANGO_DATABASE_USER_FILE=/run/secrets/postgres_user
+      - DJANGO_DATABASE_PASSWORD_FILE=/run/secrets/postgres_password
+      # Alternatively, you can use DOCKER-SECRET->secret_key environment variables
+      - DSMRREADER_ADMIN_USER=DOCKER-SECRET->dsmrreader_admin_user
+      - DSMRREADER_ADMIN_PASSWORD=DOCKER-SECRET->dsmrreader_admin_password
+    ports:
+      - 7777:80
+      - 7779:443
+    devices:
+      - "/dev/ttyUSB1:/dev/ttyUSB0"
+    healthcheck:
+      test:
+        [
+          "CMD",
+          "curl",
+          "-Lsf",
+          "http://127.0.0.1/about",
+          "-o",
+          "/dev/null",
+          "-w",
+          "HTTP_%{http_code}"
+        ]
+      interval: 10s
+      timeout: 5s
+      retries: 10
+
+secrets:
+  postgres_user:
+    file: ./secret.txt
+  postgres_password:
+    file: ./secret.txt
+  dsmrreader_admin_user:
+    file: ./secret.txt
+  dsmrreader_admin_password:
+    file: ./secret.txt    
+
+volumes:
+  dsmrdb: null
+  dsmrdb_backups: null

examples/secret.txt

@@ -0,0 +1 @@
+dsmrreader