Docker: improve docker compose structure

backend/entrypoint.sh

@@ -16,12 +16,14 @@ check_postgres() {
   local db_host
   local db_user
   local db_name
-  local db_pass
+  #local db_pass
 
   db_host=$(get_env PGHOST)
   db_user=$(get_env PGUSER POSTGRES_USER)
   db_name=$(get_env PGDATABASE POSTGRES_DB)
-  db_pass=$(get_env PGPASSWORD POSTGRES_PASSWORD)
+  #db_pass=$(get_env PGPASSWORD POSTGRES_PASSWORD)
+  db_pass=$(< /run/secrets/POSTGRES_PASSWORD)
+  # NOTE: password should be handled with more care
 
   PGPASSWORD="$db_pass" psql -h "$db_host" -U "$db_user" -d "$db_name" -c '\q' >/dev/null 2>&1
 }
@@ -42,7 +44,8 @@ done
 python manage.py migrate
 
 # Create superuser if environment variables are set and there are no users present at all.
-if [ -n "$DJANGO_ADMIN_USERNAME" ] && [ -n "$DJANGO_ADMIN_PASSWORD" ] && [ -n "$DJANGO_ADMIN_EMAIL" ]; then
+# NOTE: unsure if this checks if a password actually exists
+if [ -n "$DJANGO_ADMIN_USERNAME" ] && [ -f /run/secrets/DJANGO-ADMIN-PASSWORD ] && [ -n "$DJANGO_ADMIN_EMAIL" ]; then
   echo "Creating superuser..."
   python manage.py shell << EOF
 from django.contrib.auth import get_user_model
@@ -56,7 +59,7 @@ if not User.objects.filter(username='$DJANGO_ADMIN_USERNAME').exists():
     superuser = User.objects.create_superuser(
         username='$DJANGO_ADMIN_USERNAME',
         email='$DJANGO_ADMIN_EMAIL',
-        password='$DJANGO_ADMIN_PASSWORD'
+        password='$(cat /run/secrets/DJANGO-ADMIN-PASSWORD)'
     )
     print("Superuser created successfully.")
 

backend/server/main/settings.py

@@ -24,7 +24,9 @@
 # See https://docs.djangoproject.com/en/1.7/howto/deployment/checklist/
 
 # SECURITY WARNING: keep the secret key used in production secret!
-SECRET_KEY = getenv('SECRET_KEY')
+with open('/run/secret/DJANGO-ADMIN-PASSWORD') as fp:
+  v = fp.read()
+SECRET_KEY = v.decode('base64')
 
 # SECURITY WARNING: don't run with debug turned on in production!
 DEBUG = getenv('DEBUG', 'true').lower() == 'true'
@@ -112,12 +114,16 @@ def env(*keys, default=None):
             return value
     return default
 
+with open('/run/secrets/POSTGRES_PASSWORD') as fp:
+  v = fp.read()
+POSTGRES_PASSWORD = v.decode('base64')
+
 DATABASES = {
     'default': {
         'ENGINE': 'django.contrib.gis.db.backends.postgis',
         'NAME': env('PGDATABASE', 'POSTGRES_DB'),
         'USER': env('PGUSER', 'POSTGRES_USER'),
-        'PASSWORD': env('PGPASSWORD', 'POSTGRES_PASSWORD'),
+        'PASSWORD': POSTGRES_PASSWORD,
         'HOST': env('PGHOST', default='localhost'),
         'PORT': int(env('PGPORT', default='5432')),
         'OPTIONS': {
@@ -126,6 +132,8 @@ def env(*keys, default=None):
     }
 }
 
+POSTGRES_PASSWORD = ""
+
 # Internationalization
 # https://docs.djangoproject.com/en/1.7/topics/i18n/
 
@@ -259,7 +267,7 @@ def env(*keys, default=None):
     EMAIL_PORT = getenv('EMAIL_PORT', 587)
     EMAIL_USE_SSL = getenv('EMAIL_USE_SSL', 'false').lower() == 'true'
     EMAIL_HOST_USER = getenv('EMAIL_HOST_USER')
-    EMAIL_HOST_PASSWORD = getenv('EMAIL_HOST_PASSWORD')
+    EMAIL_HOST_PASSWORD = '$(< /run/secrets/EMAIL-HOST-PASSWORD)'
     DEFAULT_FROM_EMAIL = getenv('DEFAULT_FROM_EMAIL')
 
 # EMAIL_BACKEND = 'django.core.mail.backends.smtp.EmailBackend'
@@ -327,4 +335,6 @@ def env(*keys, default=None):
 # https://github.com/dr5hn/countries-states-cities-database/tags
 COUNTRY_REGION_JSON_VERSION = 'v2.6'
 
-GOOGLE_MAPS_API_KEY = getenv('GOOGLE_MAPS_API_KEY', '')
+with open('/run/secrets/GMAPS_API_KEY') as fp:
+  v = fp.read()
+GOOGLE_MAPS_API_KEY = v.decode('base64')

docker-compose.yml

@@ -4,7 +4,10 @@ services:
     image: ghcr.io/seanmorley15/adventurelog-frontend:latest
     container_name: adventurelog-frontend
     restart: unless-stopped
-    env_file: .env
+    environment:
+      - PUBLIC_SERVER_URL=http://server:8000 # PLEASE DON'T CHANGE :) - Should be the service name of the backend with port 8000, even if you change the port in the backend service. Only change if you are using a custom more complex setup.
+      - ORIGIN=${FRONTENT_URL:-http://localhost:8015}
+      - BODY_SIZE_LIMIT=${BODY_SIZE_LIMIT:-Infinity}
     ports:
       - "${FRONTEND_PORT:-8015}:3000"
     depends_on:
@@ -14,7 +17,13 @@ services:
     image: postgis/postgis:16-3.5
     container_name: adventurelog-db
     restart: unless-stopped
-    env_file: .env
+    environment:
+      - POSTGRES_DB=${POSTGRES_DB:-database}
+      - POSTGRES_USER=${POSTGRES_USER:-adventure}
+      #- POSTGRES_PASSWORD=${POSTGRES_PASSWORD:-changeme123}
+      - POSTGRES_PASSWORD_FILE=/run/secrets/POSTGRES_PASSWORD
+    secrets:
+      - POSTGRES_PASSWORD
     volumes:
       - postgres_data:/var/lib/postgresql/data/
 
@@ -23,14 +32,55 @@ services:
     image: ghcr.io/seanmorley15/adventurelog-backend:latest
     container_name: adventurelog-backend
     restart: unless-stopped
-    env_file: .env
+    environment:
+      - PGHOST=db
+      - POSTGRES_DB=${POSTGRES_DB:-database}
+      - POSTGRES_USER=${POSTGRES_USER:-adventure}
+      #- POSTGRES_PASSWORD=${POSTGRES_PASSWORD:-changeme123}
+      - SECRET_KEY=${SECRET_KEY:-changeme123}
+      - DJANGO_ADMIN_USERNAME=${DJANGO_ADMIN_USERNAME:-admin}
+      #- DJANGO_ADMIN_PASSWORD=${DJANGO_ADMIN_PASSWORD:-admin}
+      - DJANGO_ADMIN_EMAIL=${DJANGO_ADMIN_EMAIL:-admin@example.com}
+      - PUBLIC_URL=${BACKEND_URL:-http://localhost:8016}
+      - CSRF_TRUSTED_ORIGINS=${FRONTEND_URL:-http://localhost:8015},${BACKEND_URL:-http://localhost:8016}
+      - DEBUG=False
+      - FRONTEND_URL=${FRONTEND_URL:-http://localhost:8015} # Used for email generation. This should be the url of the frontend
+      - BACKEND_PORT=${BACKEND_PORT:-8016}
+      - DISABLE_REGISTRATION=${DISABLE_REGISTRATION:-False}
+      - DISABLE_REGISTRATION_MESSAGE=${DISABLE_REGISTRATION_MESSAGE}
+      - EMAIL_BACKEND=${EMAIL_BACKEND:-console}
+      - EMAIL_HOST=${EMAIL_HOST}
+      - EMAIL_USE_TLS=${EMAIL_USE_TLS}
+      - EMAIL_PORT=${EMAIL_PORT}
+      - EMAIL_USE_SSL=${EMAIL_USE_SSL}
+      - EMAIL_HOST_USER=${EMAIL_HOST_USER}
+      #- EMAIL_HOST_PASSWORD=${EMAIL_HOST_PASSWORD}
+      - DEFAULT_FROM_EMAIL=${DEFAULT_FROM_EMAIL}
+      #- GOOGLE_MAPS_API_KEY=${GOOGLE_MAPS_API_KEY}
+      - PUBLIC_UMAMI_SRC=${PUBLIC_UMAMI_SRC}
+      - PUBLIC_UMAMI_WEBSITE_ID=${PUBLIC_UMAMI_WEBSITE_ID}
+    secrets:
+      - DJANGO-ADMIN-PASSWORD
+      - POSTGRES_PASSWORD
+      - EMAIL-HOST-PASSWORD
+      - GMAPS-API-KEY
     ports:
       - "${BACKEND_PORT:-8016}:80"
     depends_on:
       - db
     volumes:
       - adventurelog_media:/code/media/
 
+secrets:
+  GMAPS-API-KEY:
+    file: gmaps-api-key.txt
+  EMAIL-HOST-PASSWORD:
+    file: email-host-password.txt
+  DJANGO-ADMIN-PASSWORD:
+    file: django-admin-password.txt
+  POSTGRES_PASSWORD:
+    file: postgres-password.txt
+
 volumes:
   postgres_data:
   adventurelog_media:

documentation/docs/install/docker.md

@@ -10,15 +10,16 @@ Docker is the preferred way to run AdventureLog on your local machine. It is a l
 
 ## Getting Started
 
-Get the `docker-compose.yml` and `.env.example` files from the AdventureLog repository. You can download them here:
+Get the `docker-compose.yml` and `example.env` files from the AdventureLog repository. You can download them here:
 
 - [Docker Compose](https://github.com/seanmorley15/AdventureLog/blob/main/docker-compose.yml)
-- [Environment Variables](https://github.com/seanmorley15/AdventureLog/blob/main/.env.example)
+- [Environment Variables](https://github.com/seanmorley15/AdventureLog/blob/main/example.env)
 
 ```bash
 wget https://raw.githubusercontent.com/seanmorley15/AdventureLog/main/docker-compose.yml
-wget https://raw.githubusercontent.com/seanmorley15/AdventureLog/main/.env.example
-cp .env.example .env
+wget https://raw.githubusercontent.com/seanmorley15/AdventureLog/main/example.env
+cp example.env. .env
+nano .env
 ```
 
 ::: tip
@@ -35,33 +36,28 @@ The `.env` file contains all the configuration settings for your AdventureLog in
 
 | Name                | Required  | Description                                                                                                                        | Default Value           |
 | ------------------- | --------- | ---------------------------------------------------------------------------------------------------------------------------------- | ----------------------- |
-| `PUBLIC_SERVER_URL` | Yes       | Used by the frontend SSR server to connect to the backend. Almost every user user will **never have to change this from default**! | `http://server:8000`    |
-| `ORIGIN`            | Sometimes | Needed only if not using HTTPS. Set it to the domain or IP you'll use to access the frontend.                                      | `http://localhost:8015` |
+| `FRONTEND_URL`      | Yes       | Set it to the domain or IP you'll use to access the frontend.                                                                      | `http://localhost:8015` |
 | `BODY_SIZE_LIMIT`   | Yes       | Maximum upload size in bytes.                                                                                                      | `Infinity`              |
-| `FRONTEND_PORT`     | Yes       | Port that the frontend will run on inside Docker.                                                                                  | `8015`                  |
+| `FRONTEND_PORT`     | Yes       | Port that the frontend will run on in the internal network.                                                                        | `8015`                  |
 
 ### 🐘 PostgreSQL Database
 
 | Name                | Required | Description           | Default Value |
 | ------------------- | -------- | --------------------- | ------------- |
-| `PGHOST`            | Yes      | Internal DB hostname. | `db`          |
 | `POSTGRES_DB`       | Yes      | DB name.              | `database`    |
 | `POSTGRES_USER`     | Yes      | DB user.              | `adventure`   |
 | `POSTGRES_PASSWORD` | Yes      | DB password.          | `changeme123` |
 
 ### 🔒 Backend (server)
 
-| Name                    | Required | Description                                                                        | Default Value                                 |
-| ----------------------- | -------- | ---------------------------------------------------------------------------------- | --------------------------------------------- |
-| `SECRET_KEY`            | Yes      | Django secret key. Change this in production!                                      | `changeme123`                                 |
-| `DJANGO_ADMIN_USERNAME` | Yes      | Default Django admin username.                                                     | `admin`                                       |
-| `DJANGO_ADMIN_PASSWORD` | Yes      | Default Django admin password.                                                     | `admin`                                       |
-| `DJANGO_ADMIN_EMAIL`    | Yes      | Default admin email.                                                               | `admin@example.com`                           |
-| `PUBLIC_URL`            | Yes      | Publicly accessible URL of the **backend**. Used for generating image URLs.        | `http://localhost:8016`                       |
-| `CSRF_TRUSTED_ORIGINS`  | Yes      | Comma-separated list of frontend/backend URLs that are allowed to submit requests. | `http://localhost:8016,http://localhost:8015` |
-| `FRONTEND_URL`          | Yes      | URL to the **frontend**, used for email generation.                                | `http://localhost:8015`                       |
-| `BACKEND_PORT`          | Yes      | Port that the backend will run on inside Docker.                                   | `8016`                                        |
-| `DEBUG`                 | No       | Should be `False` in production.                                                   | `False`                                       |
+| Name                    | Required | Description                                                                                                            | Default Value                               |
+| ----------------------- | -------- | -----------------------------------------------------------------------------------------------------------------------|---------------------------------------------|
+| `SECRET_KEY`            | Yes      | Django secret key. Change this in production!                                                                          | `changeme123`                               |
+| `DJANGO_ADMIN_USERNAME` | Yes      | Default Django admin username.                                                                                         | `admin`                                     |
+| `DJANGO_ADMIN_PASSWORD` | Yes      | Default Django admin password.                                                                                         | `admin`                                     |
+| `DJANGO_ADMIN_EMAIL`    | Yes      | Default admin email.                                                                                                   | `admin@example.com`                         |
+| `BACKEND_URL`           | Yes      | Publicly accessible URL of the **backend**. Used for generating image URLs, the admin UI, and OIDC/Social Auth.        | `http://localhost:8016`                     |
+| `BACKEND_PORT`          | Yes      | Port that the backend will run on inside Docker.                                                                       | `8016`                                      |
 
 ## Optional Configuration
 

.env.example → example.env

@@ -1,11 +1,9 @@
 # 🌐 Frontend
-PUBLIC_SERVER_URL=http://server:8000 # PLEASE DON'T CHANGE :) - Should be the service name of the backend with port 8000, even if you change the port in the backend service. Only change if you are using a custom more complex setup.
-ORIGIN=http://localhost:8015
+FRONTEND_URL=http://localhost:8015 # URL that is allowed to be used for accessing the frontend
 BODY_SIZE_LIMIT=Infinity
-FRONTEND_PORT=8015
+FRONTEND_PORT=8015 # port used in the internal network (outside docker)
 
 # 🐘 PostgreSQL Database
-PGHOST=db
 POSTGRES_DB=database
 POSTGRES_USER=adventure
 POSTGRES_PASSWORD=changeme123
@@ -15,11 +13,8 @@ SECRET_KEY=changeme123
 DJANGO_ADMIN_USERNAME=admin
 DJANGO_ADMIN_PASSWORD=admin
 DJANGO_ADMIN_EMAIL=admin@example.com
-PUBLIC_URL=http://localhost:8016 # Match the outward port, used for the creation of image urls
-CSRF_TRUSTED_ORIGINS=http://localhost:8016,http://localhost:8015
-DEBUG=False
-FRONTEND_URL=http://localhost:8015 # Used for email generation. This should be the url of the frontend
-BACKEND_PORT=8016
+BACKEND_URL=http://localhost:8016 # URL that is allowed to be used for accessing the backend, used for the creation of image urls
+BACKEND_PORT=8016 # port exposed to the internal network (outside docker)
 
 # Optional: use Google Maps integration
 # https://adventurelog.app/docs/configuration/google_maps_integration.html
@@ -44,4 +39,4 @@ DISABLE_REGISTRATION=False
 # Optional: Use Umami for analytics
 # https://adventurelog.app/docs/configuration/analytics.html
 # PUBLIC_UMAMI_SRC=https://cloud.umami.is/script.js # If you are using the hosted version of Umami
-# PUBLIC_UMAMI_WEBSITE_ID=
+# PUBLIC_UMAMI_WEBSITE_ID=