move env.secrets into data/ subdir

grafana/docker-compose.yaml

@@ -23,4 +23,4 @@ services:
     env_file:
       - ../env.production
       - env.production
-      - env.secrets
+      - ../data/grafana/env.secrets

grafana/setup

@@ -7,8 +7,9 @@ source ../env.production || die "no top level env?"
 source env.production || die "no local env?"
 
 BASE="https://$KEYCLOAK_HOSTNAME/realms/$REALM/protocol/openid-connect"
+SECRETS="../data/grafana/env.secrets"
 
-if [ -r "env.secrets" ]; then
+if [ -r "$SECRETS" ]; then
 	docker-compose up -d || die "grafana: unable to start container"
 	exit 0
 fi
@@ -19,7 +20,8 @@ GRAFANA_CLIENT_SECRET="$(openssl rand -hex 32)"
 GRAFANA_ADMIN_PASSWORD="$(openssl rand -hex 4)"
 
 echo "Generating secrets: admin password $GRAFANA_ADMIN_PASSWORD"
-cat <<EOF > env.secrets
+mkdir -p "$(dirname "$SECRETS")"
+cat <<EOF > "$SECRETS"
 # Do not check in!
 GF_SECURITY_ADMIN_PASSWORD=$GRAFANA_ADMIN_PASSWORD
 GF_SERVER_ROOT_URL=https://$GRAFANA_HOSTNAME/

hedgedoc/docker-compose.yaml

@@ -15,7 +15,7 @@ services:
     env_file:
       - ../env.production
       - env.production
-      - env.secrets
+      - ../data/hedgedoc/env.secrets
     environment:
       - CMD_DB_URL=postgres://hedgedoc:password@database:5432/hedgedoc
       - CMD_PROTOCOL_USESSL=true

hedgedoc/setup

@@ -6,7 +6,9 @@ cd "$DIRNAME"
 source ../env.production || die "no top levle env?"
 source env.production || die "no local env?"
 
-if [ -r "./env.secrets" ]; then
+SECRETS="../data/hedgedoc/env.secrets"
+
+if [ -r "$SECRETS" ]; then
 	docker-compose up -d || die "hedgedoc: unable to start"
 	exit 0
 fi
@@ -17,7 +19,8 @@ docker-compose down 2>/dev/null
 CLIENT_SECRET="$(openssl rand -hex 20)"
 SESSION_SECRET="$(openssl rand -hex 20)"
 
-cat <<EOF > env.secrets
+mkdir -p "$(dirname "$SECRETS")"
+cat <<EOF > "$SECRETS"
 # DO NOT CHECK IN
 CMD_OAUTH2_CLIENT_SECRET=$CLIENT_SECRET
 CMD_SESSION_SECRET=$SESSION_SECRET

keycloak/client-create

@@ -6,7 +6,7 @@ cd "$DIRNAME"
 
 source ../env.production || die "no top levle env?"
 source env.production || die "no local env?"
-source env.secrets || die "no local secrets?"
+source "../data/keycloak/env.secrets" || die "no local secrets?"
 
 sudo docker-compose exec -T keycloak \
   /opt/keycloak/bin/kcadm.sh \

keycloak/client-delete

@@ -6,7 +6,7 @@ cd "$DIRNAME"
 
 source ../env.production || die "no top levle env?"
 source env.production || die "no local env?"
-source env.secrets || die "no local secrets?"
+source "../data/keycloak/env.secrets" || die "no local secrets?"
 
 # try to get the clients by name
 CLIENT_NAME="$1"

keycloak/docker-compose.yaml

@@ -22,7 +22,7 @@ services:
       env_file:
         - ../env.production
         - env.production
-        - env.secrets
+        - ../data/keycloak/env.secrets
       environment:
         DB_VENDOR: MYSQL
         DB_ADDR: mysql

keycloak/setup

@@ -7,7 +7,9 @@ cd "$DIRNAME"
 source ../env.production
 source ./env.production
 
-if [ -r "./env.secrets" ]; then
+SECRETS="../data/keycloak/env.secrets"
+
+if [ -r "$SECRETS" ]; then
 	docker-compose up -d || die "keycloak: unable to start container"
 	exit 0
 fi
@@ -17,7 +19,8 @@ docker-compose down 2>/dev/null
 KEYCLOAK_ADMIN_PASSWORD="$(openssl rand -hex 8)"
 echo "Keycloak admin password $KEYCLOAK_ADMIN_PASSWORD"
 
-cat <<EOF > env.secrets
+mkdir -p "$(dirname "$SECRETS")"
+cat <<EOF > "$SECRETS"
 # DO NOT CHECK IN
 KEYCLOAK_ADMIN_PASSWORD=$KEYCLOAK_ADMIN_PASSWORD
 EOF

mastodon/docker-compose.yaml

@@ -52,7 +52,7 @@ services:
     env_file:
       - ../env.production
       - env.production
-      - env.secrets
+      - ../data/mastodon/env.secrets
     command: bash -c "rm -f /mastodon/tmp/pids/server.pid; bundle exec rails s -p 6001"
     networks:
       - external_network
@@ -75,7 +75,7 @@ services:
     env_file:
       - ../env.production
       - env.production
-      - env.secrets
+      - ../data/mastodon/env.secrets
     command: node ./streaming
     networks:
       - external_network
@@ -95,7 +95,7 @@ services:
     env_file:
       - ../env.production
       - env.production
-      - env.secrets
+      - ../data/mastodon/env.secrets
     command: bundle exec sidekiq
     depends_on:
       - database

mastodon/setup

@@ -10,7 +10,9 @@ source ./env.production
 mkdir -p ../data/mastodon/system
 chmod 777 ../data/mastodon/system
 
-if [ -r "./env.secrets" ]; then
+SECRETS="../data/mastodon/env.secrets"
+
+if [ -r "$SECRETS" ]; then
 	docker-compose up -d || die "unable to restart mastodon"
 	exit 0
 fi
@@ -22,7 +24,8 @@ OIDC_CLIENT_SECRET="$(openssl rand -hex 32)"
 
 # create the secrets file,
 # along with some parameters that should be in the environment
-cat <<EOF > env.secrets
+mkdir -p "$(dirname "$SECRETS")"
+cat <<EOF > "$SECRETS"
 # DO NOT CHECK IN
 LOCAL_DOMAIN=$MASTODON_HOSTNAME
 OIDC_DISPLAY_NAME=$REALM
@@ -36,7 +39,7 @@ EOF
 info "mastodon: creating push keys"
 docker-compose run --rm mastodon \
 	rails mastodon:webpush:generate_vapid_key \
-	>> env.secrets \
+	>> "$SECRETS" \
 || die "unable to generate vapid key"
 
 info "mastodon: setting up database"
@@ -44,7 +47,7 @@ docker-compose run --rm mastodon \
 	rails db:setup \
 || die "unable to login"
 
-source ./env.secrets
+source "$SECRETS"
 
 info "mastodon: creating keycloak interface"
 ../keycloak/client-delete mastodon

nextcloud/docker-compose.yaml

@@ -19,7 +19,7 @@ services:
     env_file:
       - ../env.production
       - env.production
-      - env.secrets
+      - ../data/nextcloud/env.secrets
     environment:
       POSTGRES_HOST: database
       POSTGRES_DB: nextcloud

nextcloud/setup

@@ -6,7 +6,8 @@ cd "$DIRNAME"
 source ../env.production || die "no top level env?"
 source env.production || die "no local env?"
 
-if [ -r "./env.secrets" ]; then
+SECRETS="../data/nextcloud/env.secrets"
+if [ -r "$SECRETS" ]; then
 	docker-compose up -d || die "nextcloud: unable to start"
 	exit 0
 fi
@@ -17,7 +18,8 @@ NEXTCLOUD_CLIENT_SECRET="$(openssl rand -hex 32)"
 NEXTCLOUD_ADMIN_PASSWORD="$(openssl rand -hex 6)"
 
 echo "Generating secrets: admin password $NEXTCLOUD_ADMIN_PASSWORD"
-cat <<EOF > env.secrets
+mkdir -p "$(dirname "$SECRETS")"
+cat <<EOF > "$SECRETS"
 # Do not check in!
 NEXTCLOUD_ADMIN_PASSWORD=$NEXTCLOUD_ADMIN_PASSWORD
 NEXTCLOUD_TRUSTED_DOMAINS=$NEXTCLOUD_HOSTNAME