Update confd with env vars and secrets (#3)

joecorall · web-flow · commit 3bc7df18234a · 2025-10-14T05:49:34.000-04:00
* also add shellcheck to linter
diff --git a/.github/workflows/lint-test-build-push.yaml b/.github/workflows/lint-test-build-push.yaml
@@ -11,10 +11,10 @@ jobs:
     steps:
       - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
 
-      - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5
-
       - uses: hadolint/hadolint-action@54c9adbab1582c2ef04b2016b760714a4bfde3cf # v3.1.0
 
+      - run: shellcheck **/*.sh
+
   build-push:
     needs: [lint-test]
     uses: libops/.github/.github/workflows/build-push-ghcr.yaml@main
diff --git a/Dockerfile b/Dockerfile
@@ -7,18 +7,27 @@ EXPOSE 80
 WORKDIR /var/www/ojs
 
 ARG \
+    # renovate: datasource=repology depName=alpine_3_22/antiword
+    ANTIWORD_VERSION=0.37-r6 \
+    # renovate: datasource=repology depName=alpine_3_22/ghostscript
+    GHOSTSCRIPT_VERSION=10.05.1-r0 \
     # renovate: datasource=repology depName=alpine_3_22/npm
     NPM_VERSION=11.3.0-r1 \
     # renovate: datasource=github-tags depName=ojs packageName=pkp/ojs
     OJS_VERSION=3_5_0-1 \
     # renovate: datasource=repology depName=alpine_3_22/php83
-    PHP_VERSION=8.3.26-r0
+    PHP_VERSION=8.3.26-r0 \
+    # renovate: datasource=repology depName=alpine_3_22/poppler-utils
+    POPPLER_VERSION=25.04.0-r0
 
 RUN apk add --no-cache \
+    antiword=="${ANTIWORD_VERSION}" \
+    ghostscript=="${GHOSTSCRIPT_VERSION}" \
     npm=="${NPM_VERSION}" \
     php83-bcmath=="${PHP_VERSION}" \
     php83-ftp=="${PHP_VERSION}" \
     php83-gettext=="${PHP_VERSION}" \
+    poppler-utils=="${POPPLER_VERSION}" \
     && cleanup.sh
 
 RUN git clone https://github.com/pkp/ojs.git . \
@@ -42,13 +51,15 @@ RUN npm install \
 RUN chown -R nginx:nginx /var/www/ojs
 
 ENV \
-    OJS_DB_HOST=mariadb \
-    OJS_DB_PORT=3306 \
-    OJS_DB_NAME=ojs \
-    OJS_DB_USER=changeme \
-    OJS_DB_PASSWORD=changeme \
+    DB_HOST=mariadb \
+    DB_PORT=3306 \
+    DB_NAME=ojs \
+    DB_USER=ojs \
+    DB_PASSWORD=changeme \
     OJS_SALT=changeme \
     OJS_API_KEY_SECRET=changeme \
+    OJS_SECRET_KEY=changeme \
+    OJS_BASE_URL=http://localhost \
     OJS_ADMIN_USERNAME=admin \
     OJS_ADMIN_EMAIL=admin@localhost \
     OJS_ADMIN_PASSWORD=changeme \
@@ -57,6 +68,8 @@ ENV \
     OJS_FILES_DIR=/var/www/files \
     OJS_OAI_REPOSITORY_ID=ojs.localhost \
     OJS_ENABLE_BEACON=1 \
+    OJS_SESSION_LIFETIME=30 \
+    OJS_X_FORWARDED_FOR=Off \
     # see https://github.com/Islandora-Devops/isle-buildkit/tree/main/nginx#nginx-settings
     PHP_MAX_EXECUTION_TIME=300 \
     PHP_MAX_INPUT_TIME=300 \
diff --git a/README.md b/README.md
@@ -27,13 +27,14 @@ The installation will run automatically on first startup. The default admin cred
 
 | Environment Variable | Default | Source | Description |
 | :------------------- | :------ | :----- | :---------- |
-| OJS_DB_HOST | mariadb | environment | MariaDB/MySQL hostname |
-| OJS_DB_PORT | 3306 | environment | MariaDB/MySQL port |
-| OJS_DB_NAME | ojs | environment | Database name |
-| OJS_DB_USER | ojs | environment | Database user |
-| OJS_DB_PASSWORD | (generated) | secret | Database password (stored in `./secrets/OJS_DB_PASSWORD`) |
+| DB_HOST | mariadb | environment | MariaDB/MySQL hostname |
+| DB_PORT | 3306 | environment | MariaDB/MySQL port |
+| DB_NAME | ojs | environment | Database name |
+| DB_USER | ojs | environment | Database user |
+| DB_PASSWORD | (generated) | secret | Database password (stored in `./secrets/OJS_DB_PASSWORD`) |
 | OJS_SALT | (generated) | secret | Salt for password hashing (stored in `./secrets/OJS_SALT`) |
 | OJS_API_KEY_SECRET | (generated) | secret | Secret for API key encoding (stored in `./secrets/OJS_API_KEY_SECRET`) |
+| OJS_SECRET_KEY | (generated) | secret | Internally this is used for any encryption (specifically cookie encryption if enabled) (stored in `./secrets/OJS_SECRET_KEY`) |
 | OJS_ADMIN_USERNAME | admin | environment | Initial admin username |
 | OJS_ADMIN_EMAIL | admin@example.com | environment | Initial admin email |
 | OJS_ADMIN_PASSWORD | (generated) | secret | Initial admin password (stored in `./secrets/OJS_ADMIN_PASSWORD`) |
@@ -42,6 +43,8 @@ The installation will run automatically on first startup. The default admin cred
 | OJS_FILES_DIR | /var/www/files | environment | Directory for uploaded files |
 | OJS_OAI_REPOSITORY_ID | ojs.localhost | environment | OAI-PMH repository identifier |
 | OJS_ENABLE_BEACON | 1 | environment | Enable PKP usage statistics beacon (1=enabled, 0=disabled) |
+| OJS_SESSION_LIFETIME | 30 | environment | How long to stay logged in (in days) |
+| OJS_X_FORWARDED_FOR | Off | environment | Trust X-Forwarded-For header. Enable PKP usage statistics beacon (Off, On) |
 
 ### Nginx and PHP Settings
 
diff --git a/docker-compose.yaml b/docker-compose.yaml
@@ -16,6 +16,8 @@ secrets:
     file: ./secrets/OJS_SALT
   OJS_ADMIN_PASSWORD:
     file: ./secrets/OJS_ADMIN_PASSWORD
+  OJS_SECRET_KEY:
+    file: ./secrets/OJS_SECRET_KEY
 
 services:
   init:
@@ -32,20 +34,14 @@ services:
     ports:
       - 80:80
     environment:
-      OJS_DB_HOST: mariadb
-      OJS_DB_NAME: ojs
-      OJS_DB_USER: ojs
-      OJS_ADMIN_USERNAME: admin
-      OJS_ADMIN_EMAIL: admin@example.com
-      OJS_LOCALE: en
-      OJS_TIMEZONE: UTC
-      OJS_FILES_DIR: /var/www/files
       OJS_OAI_REPOSITORY_ID: ojs.localhost
       OJS_ENABLE_BEACON: 1
     secrets:
       - source: DB_ROOT_PASSWORD
       - source: OJS_API_KEY_SECRET
+      - source: OJS_SECRET_KEY
       - source: OJS_DB_PASSWORD
+        target: DB_PASSWORD
       - source: OJS_SALT
       - source: OJS_ADMIN_PASSWORD
     volumes:
diff --git a/rootfs/etc/confd/templates/config.inc.tmpl b/rootfs/etc/confd/templates/config.inc.tmpl
@@ -26,14 +26,14 @@
 
 ; An application-specific key that is required for the app to run
 ; Internally this is used for any encryption (specifically cookie encryption if enabled)
-app_key =
+app_key = {{ getenv "OJS_SECRET_KEY" }}
 
 ; Set this to On once the system has been installed
 ; (This is generally done automatically by the installer)
 installed = Off
 
 ; The canonical URL to the OJS installation (excluding the trailing slash)
-base_url = "http://localhost"
+base_url = "{{ getenv "OJS_BASE_URL" }}"
 
 ; Enable strict mode. This will more aggressively cause errors/warnings when
 ; deprecated behaviour exists in the codebase.
@@ -47,7 +47,7 @@ session_cookie_name = OJSSID
 
 ; Number of days to save login cookie for if user selects to remember
 ; (set to 0 to force expiration at end of current session)
-session_lifetime = 30
+session_lifetime = {{ getenv "OJS_SESSION_LIFETIME" }}
 
 ; SameSite configuration for the cookie, see possible values and explanations
 ; at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite
@@ -59,7 +59,7 @@ session_samesite = Lax
 ; time zones.
 ; I.e.: "Europe/Amsterdam"
 ; time_zone="Europe/Amsterdam"
-time_zone = "UTC"
+time_zone = "{{ getenv "OJS_TIMEZONE" }}"
 
 ; Short and long date formats
 date_format_short = "Y-m-d"
@@ -96,13 +96,17 @@ restful_urls = On
 ; An empty string indicates that all hosts should be trusted (not recommended!)
 ; Example:
 ; allowed_hosts = '["myjournal.tld", "anotherjournal.tld", "mylibrary.tld"]'
-allowed_hosts = '["localhost"]'
+{{- $url := getenv "OJS_BASE_URL" -}}
+{{- $cleaned := $url | replace "http://" "" | replace "https://" "" -}}
+{{- $host   := index (split $cleaned "/") 0 -}}
+{{- $domain := index (split $host    ":") 0 -}}
+allowed_hosts = '["localhost", "{{ $domain }}"]'
 
 ; Allow the X_FORWARDED_FOR header to override the REMOTE_ADDR as the source IP
 ; Set this to "On" if you are behind a reverse proxy and you control the
 ; X_FORWARDED_FOR header.
 ; Warning: This defaults to "On" if unset for backwards compatibility.
-trust_x_forwarded_for = Off
+trust_x_forwarded_for = {{ getenv "OJS_X_FORWARDED_FOR" }}
 
 ; Display a message on the site admin and journal manager user home pages if there is an upgrade available
 show_upgrade_warning = On
@@ -113,7 +117,7 @@ enable_minified = On
 
 ; Provide a unique site ID and OAI base URL to PKP for statistics and security
 ; alert purposes only.
-enable_beacon = On
+enable_beacon = {{ if getenv "OJS_ENABLE_BEACON" }}On{{ else }}Off{{ end }}
 
 ; Set this to "On" if you would like to only have a single, site-wide Privacy
 ; Statement, rather than a separate Privacy Statement for each journal. Setting
@@ -139,13 +143,13 @@ sandbox = Off
 [database]
 
 driver = mysqli
-host = {{ getenv "OJS_DB_HOST" }}
-username = {{ getenv "OJS_DB_USER" }}
-password = {{ getenv "OJS_DB_PASSWORD" }}
-name = {{ getenv "OJS_DB_NAME" }}
+host = {{ getenv "DB_HOST" }}
+username = {{ getenv "DB_USER" }}
+password = {{ getenv "DB_PASSWORD" }}
+name = {{ getenv "DB_NAME" }}
+port = {{ getenv "DB_PORT" }}
 
 ; Set the non-standard port and/or socket, if used
-; port = 3306
 ; unix_socket = /var/run/mysqld/mysqld.sock
 
 ; Database collation
@@ -208,7 +212,7 @@ connection_charset = utf8
 ; Complete path to directory to store uploaded files
 ; (This directory should not be directly web-accessible)
 ; Windows users should use forward slashes
-files_dir = files
+files_dir = {{ getenv "OJS_FILES_DIR" }}
 
 ; Path to the directory to store public uploaded files
 ; (This directory should be web-accessible and the specified path
@@ -379,14 +383,14 @@ results_per_keyword = 500
 
 ; PDF
 ; index[application/pdf] = "/usr/bin/pstotext -enc UTF-8 -nopgbrk %s - | /usr/bin/tr '[:cntrl:]' ' '"
-; index[application/pdf] = "/usr/bin/pdftotext -enc UTF-8 -nopgbrk %s - | /usr/bin/tr '[:cntrl:]' ' '"
+index[application/pdf] = "/usr/bin/pdftotext -enc UTF-8 -nopgbrk %s - | /usr/bin/tr '[:cntrl:]' ' '"
 
 ; PostScript
 ; index[application/postscript] = "/usr/bin/pstotext -enc UTF-8 -nopgbrk %s - | /usr/bin/tr '[:cntrl:]' ' '"
-; index[application/postscript] = "/usr/bin/ps2ascii %s | /usr/bin/tr '[:cntrl:]' ' '"
+index[application/postscript] = "/usr/bin/ps2ascii %s | /usr/bin/tr '[:cntrl:]' ' '"
 
 ; Microsoft Word
-; index[application/msword] = "/usr/bin/antiword %s"
+index[application/msword] = "/usr/bin/antiword %s"
 ; index[application/msword] = "/usr/bin/catdoc %s"
 
 
@@ -401,7 +405,7 @@ oai = On
 
 ; OAI Repository identifier. This setting forms part of OAI-PMH record IDs.
 ; Changing this setting may affect existing clients and is not recommended.
-repository_id = ojs.pkp.sfu.ca
+repository_id = {{ getenv "OJS_OAI_REPOSITORY_ID" }}
 
 ; Maximum number of records per request to serve via OAI
 oai_max_records = 100
diff --git a/rootfs/etc/s6-overlay/scripts/ojs-setup.sh b/rootfs/etc/s6-overlay/scripts/ojs-setup.sh
@@ -5,20 +5,20 @@ set -eou pipefail
 
 function mysql_create_database {
     cat <<-EOF | create-database.sh
-CREATE DATABASE IF NOT EXISTS ${OJS_DB_NAME} CHARACTER SET utf8 COLLATE utf8_general_ci;
+CREATE DATABASE IF NOT EXISTS ${DB_NAME} CHARACTER SET utf8 COLLATE utf8_general_ci;
 
-CREATE USER IF NOT EXISTS '${OJS_DB_USER}'@'%' IDENTIFIED BY '${OJS_DB_PASSWORD}';
-GRANT ALL PRIVILEGES ON ${OJS_DB_NAME}.* to '${OJS_DB_USER}'@'%';
+CREATE USER IF NOT EXISTS '${DB_USER}'@'%' IDENTIFIED BY '${DB_PASSWORD}';
+GRANT ALL PRIVILEGES ON ${DB_NAME}.* to '${DB_USER}'@'%';
 FLUSH PRIVILEGES;
 
-SET PASSWORD FOR ${OJS_DB_USER}@'%' = PASSWORD('${OJS_DB_PASSWORD}')
+SET PASSWORD FOR ${DB_USER}@'%' = PASSWORD('${DB_PASSWORD}')
 EOF
 }
 
 function check_ojs_installed {
     # Check if OJS database tables exist
     # Query the database for one of the core OJS tables (journals table)
-    mysql -h"${OJS_DB_HOST}" -u"${OJS_DB_USER}" -p"${OJS_DB_PASSWORD}" "${OJS_DB_NAME}" \
+    mysql -h"${DB_HOST}" -u"${DB_USER}" -p"${DB_PASSWORD}" "${DB_NAME}" \
         -e "SELECT 1 FROM journals LIMIT 1" &>/dev/null
     return $?
 }
@@ -32,10 +32,10 @@ function install_ojs {
     form_data="${form_data}&timeZone=${OJS_TIMEZONE}"
     form_data="${form_data}&filesDir=${OJS_FILES_DIR}"
     form_data="${form_data}&databaseDriver=mysqli"
-    form_data="${form_data}&databaseHost=${OJS_DB_HOST}"
-    form_data="${form_data}&databaseUsername=${OJS_DB_USER}"
-    form_data="${form_data}&databasePassword=${OJS_DB_PASSWORD}"
-    form_data="${form_data}&databaseName=${OJS_DB_NAME}"
+    form_data="${form_data}&databaseHost=${DB_HOST}"
+    form_data="${form_data}&databaseUsername=${DB_USER}"
+    form_data="${form_data}&databasePassword=${DB_PASSWORD}"
+    form_data="${form_data}&databaseName=${DB_NAME}"
     form_data="${form_data}&oaiRepositoryId=${OJS_OAI_REPOSITORY_ID}"
     form_data="${form_data}&enableBeacon=${OJS_ENABLE_BEACON}"
     form_data="${form_data}&adminUsername=${OJS_ADMIN_USERNAME}"
@@ -53,7 +53,6 @@ function install_ojs {
         echo "=========================================="
         echo "OJS Installation Complete!"
         echo "=========================================="
-        chmod 440 /var/www/ojs/config.inc.php
         rm /tmp/ojs-install.log
     else
         echo "=========================================="
@@ -62,12 +61,11 @@ function install_ojs {
         cat /tmp/ojs-install.log
         echo "=========================================="
     fi
+    sed -i 's/installed = Off/installed = On/' /var/www/ojs/config.inc.php
+    chmod 440 /var/www/ojs/config.inc.php
 }
 
 function main {
-    export DB_HOST=${OJS_DB_HOST}
-    export DB_PORT=${OJS_DB_PORT}
-
     mysql_create_database
 
     # wait for nginx
