Use secret seed for internal mail passwords
diff --git a/.gitignore b/.gitignore
index fa0a277..c095bcb 100644
--- a/.gitignore
+++ b/.gitignore
@@ -17,7 +17,6 @@
/logs/simpleid/
/mail/config/
/mail/data/
-/mail/passwd/
/mail/rspamd-override.d/
/mail/state/
/postgres/data/
diff --git a/docker-compose.yml b/docker-compose.yml
index 0b60856..603fdca 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -76,6 +76,9 @@
build:
context: .
dockerfile: gerrit/Dockerfile
+ secrets:
+ - source : seed
+ mode: 0400
hostname: review.${SA_PUBLIC_DOMAIN_NAME}
env_file:
- gerrit/environment
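Review bot: The `seed` secret referenced in the new `secrets:` stanza (and again in the identical stanza added to `mailserver` further down this file) has no top-level `secrets:` definition in this diff, so where the seed comes from cannot be checked here. If it is declared with `file:` pointing into the repository, the `.gitignore` hunk should add that path alongside the `/mail/passwd/` entry it removes, and a `.dockerignore` entry would keep it out of the `gerrit/Dockerfile` build context — neither is visible from this diff. With `mode: 0400` the mounted file is presumably readable only by its owner (root unless `uid`/`gid` is set), which fits the gerrit entrypoint reading it before `setpriv` drops privileges; a one-line comment recording that dependency would help the next reader. A small style point: `- source : seed` parses as the key `source`, but the conventional spelling is `- source: seed`.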
@@ -89,7 +92,6 @@
- gerritnet
volumes:
- ./logs/gerrit/:/var/gerrit/logs/:rw
- - ./mail/passwd/gerrit/:/var/gerrit/passwd/:rw
- ./gerrit/etc/:/var/gerrit/etc/:rw
- ./gerrit/db/:/var/gerrit/db/:rw
- ./gerrit/git/:/var/gerrit/git/:rw
@@ -98,6 +100,9 @@
- ./gerrit/gerrit-oauth-provider.jar:/var/gerrit/plugins/gerrit-oauth-provider.jar:ro
mailserver:
image: ghcr.io/docker-mailserver/docker-mailserver:12
+ secrets:
+ - source : seed
+ mode: 0400
#container_name: mailserver
# Provide the FQDN of your mail server here (Your DNS MX record should point to this value)
hostname: mail.${SA_PUBLIC_DOMAIN_NAME}
@@ -118,7 +123,6 @@
- ./logs/mail-supervisor/:/var/log/supervisor/:rw
- ./logs/mail/:/var/log/mail/:rw
- ./certs/:/etc/letsencrypt/:ro
- - ./mail/passwd/:/tmp/passwd/:ro
- ./mail/data/:/var/mail/:rw
- ./mail/state/:/var/mail-state/:rw
- ./mail/config/:/tmp/docker-mailserver/:rw
diff --git a/gerrit/Dockerfile.entrypoint b/gerrit/Dockerfile.entrypoint
index 3aa8ae1..7079792 100644
--- a/gerrit/Dockerfile.entrypoint
+++ b/gerrit/Dockerfile.entrypoint
@@ -2,8 +2,15 @@
set -e
+secret() {
+ seed=$(cat /run/secrets/seed)
+ printf "%s:%40s" "${seed}" "$*" | sha256sum | sed 's/[[:space:]].*//'
+}
+
+export GERRIT_MAIL_PASSWORD=$(secret mail:gerrit)
+
# Allows us to bind mount arbitrary owned files
-chown -R gerrit:gerrit /var/gerrit/{logs,etc,db,git,index,cache,passwd}/
+chown -R gerrit:gerrit /var/gerrit/{logs,etc,db,git,index,cache}/
# Drop privileges as we set `USER root` only to change file permissions
exec setpriv --reuid=gerrit --regid=gerrit --init-groups --inh-caps=-all /unprivileged.sh "$@"
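Review bot: `export GERRIT_MAIL_PASSWORD=$(secret mail:gerrit)` masks the exit status of `secret` (ShellCheck SC2155): `export` returns 0 whatever the command substitution does, so under `set -e` a missing or unreadable `/run/secrets/seed` leaves the variable empty and the script carries on instead of failing. Split it into `GERRIT_MAIL_PASSWORD=$(secret mail:gerrit)` followed by `export GERRIT_MAIL_PASSWORD`, or add a guard at the top of `secret()` such as `[ -r /run/secrets/seed ] || { echo 'ERROR: /run/secrets/seed missing' >&2; exit 1; }`. Inside `secret()`, `seed` is a global that keeps the raw secret in the shell's variables for the rest of the script; `local seed` limits it to the function. The `%40s` width in the format string pads the label to 40 columns, which looks accidental but is now part of the derivation, and the identical function added to `mail/config/user-patches.sh` must stay byte-for-byte the same or the two sides derive different passwords — a comment on both copies saying `# Must match secret() in <other file>; changing the format changes every derived password` would prevent silent drift.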
diff --git a/gerrit/Dockerfile.entrypoint-unprivileged b/gerrit/Dockerfile.entrypoint-unprivileged
index 159860a..1771d81 100644
--- a/gerrit/Dockerfile.entrypoint-unprivileged
+++ b/gerrit/Dockerfile.entrypoint-unprivileged
@@ -20,24 +20,13 @@
git config -f ${config} --add auth.trustedOpenID github-oauth:
fi
-secret=/var/gerrit/passwd/secret
-
-{
- if [ ! -f ${secret} ]; then
- echo $(mktemp -u XXXXXXXXXXXXXXXX) >${secret}
- fi
- chmod 400 ${secret}
-}
-
-if [ "${GERRIT_USER_EMAIL}" ]; then
- passwd=$(cat ${secret})
-
+if [ "${GERRIT_USER_EMAIL}" -a "${GERRIT_MAIL_PASSWORD}" ]; then
git config -f ${config} user.email ${GERRIT_USER_EMAIL}
git config -f ${config} sendemail.smtpServer mail.${SA_PUBLIC_DOMAIN_NAME}
git config -f ${config} sendemail.smtpServerPort 465
git config -f ${config} sendemail.smtpEncryption ssl
git config -f ${config} sendemail.smtpUser ${GERRIT_USER_EMAIL}
- git config -f ${config} sendemail.smtpPass ${passwd}
+ git config -f ${config} sendemail.smtpPass ${GERRIT_MAIL_PASSWORD}
git config -f ${config} sendemail.html false
fi
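Review bot: The new condition `[ "${GERRIT_USER_EMAIL}" -a "${GERRIT_MAIL_PASSWORD}" ]` uses the obsolescent `-a` operator, which POSIX marks as ambiguous when an operand looks like an option; write it as `if [ -n "${GERRIT_USER_EMAIL}" ] && [ -n "${GERRIT_MAIL_PASSWORD}" ]; then`. Because an empty `GERRIT_MAIL_PASSWORD` now skips the whole block, an entrypoint that exports an empty value (presumably what happens when the seed secret is absent) yields a Gerrit with no sendemail settings and no diagnostic; an `else` branch printing a warning to stderr would make that visible. `${GERRIT_MAIL_PASSWORD}` is also passed unquoted to `git config`; the value is a hex digest today, but quoting it, like the other `git config` operands, costs nothing. `config` and `SA_PUBLIC_DOMAIN_NAME` are set outside this hunk.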
diff --git a/mail/config/user-patches.sh b/mail/config/user-patches.sh
index 5a10bbd..4879036 100644
--- a/mail/config/user-patches.sh
+++ b/mail/config/user-patches.sh
@@ -2,6 +2,11 @@
set -e
+secret() {
+ seed=$(cat /run/secrets/seed)
+ printf "%s:%40s" "${seed}" "$*" | sha256sum | sed 's/[[:space:]].*//'
+}
+
# Add local containers as trusted for postfix relaying.
add_mynetworks_hosts() {
myhosts=
@@ -12,23 +17,13 @@
postconf "mynetworks =${myhosts}"
}
-# Create given users, requiring a plain-text password in `/tmp/passwd/`.
+# Create given users, requires a seed file for secret()
add_users_with_passwd() {
for user in "$@"; do
- i=0
- while [ -z "$(cat /tmp/passwd/${user}/secret 2>/dev/null)" ]; do
- if [ ${i} -eq 10 ]; then
- echo "ERROR: No password file for '${user}' after ${i}s."
- exit 1
- fi
- sleep 1
- i=$((i+1))
- done
-
if [ ! -d /var/mail/${HOSTNAME#mail.}/${user} ]; then
- setup email add gerrit@${HOSTNAME#mail.} $(cat /tmp/passwd/${user}/secret)
+ setup email add ${user}@${HOSTNAME#mail.} $(secret mail:${user})
else
- setup email update gerrit@${HOSTNAME#mail.} $(cat /tmp/passwd/${user}/secret)
+ setup email update ${user}@${HOSTNAME#mail.} $(secret mail:${user})
fi
done
}
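Review bot: The password is handed to `setup email add`/`update` as an unquoted command substitution, `$(secret mail:${user})`; if `secret` fails (for example because `/run/secrets/seed` is not mounted), the argument simply disappears rather than the script stopping, since `set -e` does not act on the status of a substitution used as a command argument. The comment above the function now says a seed file is required, so check it once before the loop, e.g. `[ -r /run/secrets/seed ] || { echo "ERROR: /run/secrets/seed missing" >&2; exit 1; }`, and quote both operands: `setup email add "${user}@${HOSTNAME#mail.}" "$(secret "mail:${user}")"`. The removed retry loop waited for a password file written by another container; with a compose-mounted secret that wait is no longer needed, so dropping it looks correct. As before this change, the password appears in the argument list of `setup` for the duration of that call.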