From 2b17a05a9702732f1d5de036a1f3851fef448f5e Mon Sep 17 00:00:00 2001
From: Thomas Bruederli
Date: Thu, 22 Aug 2019 21:57:31 +0200
Subject: [PATCH] Define `des_key` option in Roudcube config

Use Docker secrets if available and otherwise generate a random key. Fixes issue #59. Also consider secrets for database credentials as suggested in issue #46.
---
 README.md | 9 +++++++++
 apache/docker-entrypoint.sh | 9 +++++++++
 fpm-alpine/docker-entrypoint.sh | 9 +++++++++
 fpm/docker-entrypoint.sh | 9 +++++++++
 4 files changed, 36 insertions(+)

diff --git a/README.md b/README.md
index ad6f689..f44d896 100644
--- a/README.md
+++ b/README.md
@@ -57,6 +57,15 @@ Run it with a link to the MySQL host and the username/password variables:
 docker run --link=mysql:mysql -d roundcube/roundcubemail
 ```
+## Docker Secrets
+
+When running the Roundcube container in a Docker Swarm, you can use [Docker Secrets](https://docs.docker.com/engine/swarm/secrets/)
+to share credentials accross all instances. The following secrets are currently supported by Roundcube:
+
+* `roundcube_des_key`: Unique and random key for encryption purposes
+* `roundcube_db_user`: Database connection username (mappend to `ROUNDCUBEMAIL_DB_USER`)
+* `roundcube_db_password`: Database connection password (mappend to `ROUNDCUBEMAIL_DB_PASSWORD`)
+
 ### Advanced configuration
 Apart from the above described environment variables, the Docker image also allows to add custom config files
diff --git a/apache/docker-entrypoint.sh b/apache/docker-entrypoint.sh
index fa69502..76d1cc7 100755
--- a/apache/docker-entrypoint.sh
+++ b/apache/docker-entrypoint.sh
@@ -14,6 +14,13 @@ if [[ "$1" == apache2* ]] || [ "$1" == php-fpm ]; then
 echo >&2 "Complete! ROUNDCUBEMAIL has been successfully copied to $PWD"
 fi
+ if [ -f /run/secrets/roundcube_db_user]; then
+ ROUNDCUBEMAIL_DB_USER=`cat /run/secrets/roundcube_db_user`
+ fi
+ if [ -f /run/secrets/roundcube_db_password]; then
+ ROUNDCUBEMAIL_DB_PASSWORD=`cat /run/secrets/roundcube_db_password`
+ fi
+
 if [ ! -z "${!POSTGRES_ENV_POSTGRES_*}" ] || [ "$ROUNDCUBEMAIL_DB_TYPE" == "pgsql" ]; then
 : "${ROUNDCUBEMAIL_DB_TYPE:=pgsql}"
 : "${ROUNDCUBEMAIL_DB_HOST:=postgres}"
@@ -58,6 +65,7 @@ if [[ "$1" == apache2* ]] || [ "$1" == php-fpm ]; then
 if [ ! -e config/config.inc.php ]; then
 ROUNDCUBEMAIL_PLUGINS_PHP=`echo "${ROUNDCUBEMAIL_PLUGINS}" | sed -E "s/[, ]+/', '/g"`
+ ROUNDCUBEMAIL_DES_KEY=`test -f /run/secrets/roundcube_des_key && cat /run/secrets/roundcube_des_key || head /dev/urandom | base64 | head -c 24`
 touch config/config.inc.php
 echo "Write config to $PWD/config/config.inc.php"
@@ -70,6 +78,7 @@ if [[ "$1" == apache2* ]] || [ "$1" == php-fpm ]; then
 \$config['smtp_port'] = '${ROUNDCUBEMAIL_SMTP_PORT}';
 \$config['smtp_user'] = '%u';
 \$config['smtp_pass'] = '%p';
+ \$config['des_key'] = '${ROUNDCUBEMAIL_DES_KEY}';
 \$config['temp_dir'] = '${ROUNDCUBEMAIL_TEMP_DIR}';
 \$config['plugins'] = ['${ROUNDCUBEMAIL_PLUGINS_PHP}'];
 \$config['zipdownload_selection'] = true;
diff --git a/fpm-alpine/docker-entrypoint.sh b/fpm-alpine/docker-entrypoint.sh
index fa69502..76d1cc7 100755
--- a/fpm-alpine/docker-entrypoint.sh
+++ b/fpm-alpine/docker-entrypoint.sh
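Review bot: Both secret-file tests in the first hunk lack the space before the closing bracket, `if [ -f /run/secrets/roundcube_db_user]; then` and the matching `roundcube_db_password` line, so the `[` builtin reports a missing `]`, the condition is false, and the database-credential secrets are never applied — the container silently falls back to the environment values, which is the case issue #46 asked to cover. Change them to `if [ -f /run/secrets/roundcube_db_user ]; then` and `if [ -f /run/secrets/roundcube_db_password ]; then`. The identical lines appear in the fpm-alpine and fpm entrypoints and need the same fix. Separately, the `des_key` generated in the second hunk exists only in the freshly written config.inc.php, so unless that file is on persistent storage a recreated container presumably gets a fresh key and data encrypted under the old one is no longer readable; a sentence next to the `roundcube_des_key` entry in the README recommending the secret (or a persisted config) for anything beyond a single disposable instance would help operators. The enclosing `if [[ "$1" == apache2* ]] || [ "$1" == php-fpm ]; then` block starts and ends outside the hunk.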
@@ -14,6 +14,13 @@ if [[ "$1" == apache2* ]] || [ "$1" == php-fpm ]; then
 echo >&2 "Complete! ROUNDCUBEMAIL has been successfully copied to $PWD"
 fi
+ if [ -f /run/secrets/roundcube_db_user]; then
+ ROUNDCUBEMAIL_DB_USER=`cat /run/secrets/roundcube_db_user`
+ fi
+ if [ -f /run/secrets/roundcube_db_password]; then
+ ROUNDCUBEMAIL_DB_PASSWORD=`cat /run/secrets/roundcube_db_password`
+ fi
+
 if [ ! -z "${!POSTGRES_ENV_POSTGRES_*}" ] || [ "$ROUNDCUBEMAIL_DB_TYPE" == "pgsql" ]; then
 : "${ROUNDCUBEMAIL_DB_TYPE:=pgsql}"
 : "${ROUNDCUBEMAIL_DB_HOST:=postgres}"
@@ -58,6 +65,7 @@ if [[ "$1" == apache2* ]] || [ "$1" == php-fpm ]; then
 if [ ! -e config/config.inc.php ]; then
 ROUNDCUBEMAIL_PLUGINS_PHP=`echo "${ROUNDCUBEMAIL_PLUGINS}" | sed -E "s/[, ]+/', '/g"`
+ ROUNDCUBEMAIL_DES_KEY=`test -f /run/secrets/roundcube_des_key && cat /run/secrets/roundcube_des_key || head /dev/urandom | base64 | head -c 24`
 touch config/config.inc.php
 echo "Write config to $PWD/config/config.inc.php"
@@ -70,6 +78,7 @@ if [[ "$1" == apache2* ]] || [ "$1" == php-fpm ]; then
 \$config['smtp_port'] = '${ROUNDCUBEMAIL_SMTP_PORT}';
 \$config['smtp_user'] = '%u';
 \$config['smtp_pass'] = '%p';
+ \$config['des_key'] = '${ROUNDCUBEMAIL_DES_KEY}';
 \$config['temp_dir'] = '${ROUNDCUBEMAIL_TEMP_DIR}';
 \$config['plugins'] = ['${ROUNDCUBEMAIL_PLUGINS_PHP}'];
 \$config['zipdownload_selection'] = true;
diff --git a/fpm/docker-entrypoint.sh b/fpm/docker-entrypoint.sh
index fa69502..76d1cc7 100755
--- a/fpm/docker-entrypoint.sh
+++ b/fpm/docker-entrypoint.sh
@@ -14,6 +14,13 @@ if [[ "$1" == apache2* ]] || [ "$1" == php-fpm ]; then
 echo >&2 "Complete! ROUNDCUBEMAIL has been successfully copied to $PWD"
 fi
+ if [ -f /run/secrets/roundcube_db_user]; then
+ ROUNDCUBEMAIL_DB_USER=`cat /run/secrets/roundcube_db_user`
+ fi
+ if [ -f /run/secrets/roundcube_db_password]; then
+ ROUNDCUBEMAIL_DB_PASSWORD=`cat /run/secrets/roundcube_db_password`
+ fi
+
 if [ ! -z "${!POSTGRES_ENV_POSTGRES_*}" ] || [ "$ROUNDCUBEMAIL_DB_TYPE" == "pgsql" ]; then
 : "${ROUNDCUBEMAIL_DB_TYPE:=pgsql}"
 : "${ROUNDCUBEMAIL_DB_HOST:=postgres}"
@@ -58,6 +65,7 @@ if [[ "$1" == apache2* ]] || [ "$1" == php-fpm ]; then
 if [ ! -e config/config.inc.php ]; then
 ROUNDCUBEMAIL_PLUGINS_PHP=`echo "${ROUNDCUBEMAIL_PLUGINS}" | sed -E "s/[, ]+/', '/g"`
+ ROUNDCUBEMAIL_DES_KEY=`test -f /run/secrets/roundcube_des_key && cat /run/secrets/roundcube_des_key || head /dev/urandom | base64 | head -c 24`
 touch config/config.inc.php
 echo "Write config to $PWD/config/config.inc.php"
@@ -70,6 +78,7 @@ if [[ "$1" == apache2* ]] || [ "$1" == php-fpm ]; then
 \$config['smtp_port'] = '${ROUNDCUBEMAIL_SMTP_PORT}';
 \$config['smtp_user'] = '%u';
 \$config['smtp_pass'] = '%p';
+ \$config['des_key'] = '${ROUNDCUBEMAIL_DES_KEY}';
 \$config['temp_dir'] = '${ROUNDCUBEMAIL_TEMP_DIR}';
 \$config['plugins'] = ['${ROUNDCUBEMAIL_PLUGINS_PHP}'];
 \$config['zipdownload_selection'] = true;