Hello meyay,
Thank you very much for your helpful input. I have delved into the topic and also found a helpful YouTube video by Techno Tim, which has been very useful to me. However, I am still stuck in some areas, which is probably because I have not yet fully understood everything.
What I have done:
- Installed SOPS (version 3.9.0)
- Installed AGE / AGE-KEYGEN (version 1.2.0)
- Created the private and public key pair and stored it in a .txt file, which is located at /home/dockeruser/.sops/key.txt
- Added the key file to ~/.bashrc
- Created a secrets.env file under /home/dockeruser/secrets/secrets.env
- The secrets.env file contains the following test entries:
TS3SERVER_DB_USER=root
TS3SERVER_DB_PASSWORD=example
MYSQL_ROOT_PASSWORD=example
- Encrypted the file with the following command:
sops --encrypt --age $(cat /home/dockeruser/.sops/key.txt | grep -oP "public key: \K(.*)") -i /home/dockeruser/secrets/secrets.env
- The file seems to have been encrypted successfully. The
cat secrets.txt
command produces the following result:
TS3SERVER_DB_PASSWORD=ENC[AES256_GCM,data:j22bHPelKQ==,iv:IBYeMhM+Dej8tth/g5q/hKx6shKXGHsuG6JyxPs82XA=,tag:utkMP6ww24aw4r68QN0d0A==,type:str]
MYSQL_ROOT_PASSWORD=ENC[AES256_GCM,data:0apgenYPoQ==,iv:Im/Pyy9Q8pDr82cIs26LtwAENp6Uzg3XVj3StyQ0FpI=,tag:/YMfGes/lJ3uL//yqbN6Kw==,type:str]
sops_age__list_0__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCRnJxLzlOVm9ybEhjU3Ja\nZ1N0QzBiT3oyam42eFhEWElzaDZSMTJGZWpzCnV3ZUxuK0dXdVoxNGMva0EvMTBU\nUDl4cm5mMGY2V2VtOXp5ZjR0OHFqdFEKLS0tIFV1TEptOUNzZkZlT0gxQkV6Q1M2\namJKZjZiVWc3d0ozTytySFpGbDRXUEEKcZrCbf2NWlv8DGqxQHQKWsduXwrAwLby\nXuXFMxdexe7bnGf4AXSL9WcjeOks/OHh9tl0SfAUvxSW0pK3c5A4/w==\n-----END AGE ENCRYPTED FILE-----\n
sops_age__list_0__map_recipient=age12dsd6a88qv374cwdfzugmvdzm28a8l03zdneg9jwxzrue9e6dv7q6k4l4d
sops_lastmodified=2024-06-30T10:23:23Z
sops_mac=ENC[AES256_GCM,data:FlDAAhFVReuzzykKmrleEBzzlB5FSQOILSQYvSFZwIkyiNB8hs2LEzT66H1KYfFtmk6x+TuuQHf4+7Aa+cV+69dnuWMBLEU9JixwetAQNNzDMkzbb2PFvl4UrCfgrtGSjYiJwniCvOJRnb5kH/prTqoHYjtidwSUIWdNRBYBvmM=,iv:DtgTS9ZDIQ/ig6BjjAhl+gywakDgJsRtU9OEIwzb75U=,tag:M9kqz6RL6frgnPbtiAK07g==,type:str]
sops_unencrypted_suffix=_unencrypted
sops_version=3.9.0
So far, so good. The file can be manually encrypted and decrypted without any problems.
But from this point onward, my problems begin.
I have adjusted the config file as follows:
version: '3.1'
services:
  teamspeak:
    image: teamspeak
    restart: always
    ports:
      - 9987:9987/udp
      - 10011:10011
      - 30033:30033
    environment:
      TS3SERVER_DB_PLUGIN: ts3db_mariadb
      TS3SERVER_DB_SQLCREATEPATH: create_mariadb
      TS3SERVER_DB_HOST: db
      TS3SERVER_DB_USER: ${TS3SERVER_DB_USER}
      TS3SERVER_DB_PASSWORD: ${TS3SERVER_DB_PASSWORD}
      TS3SERVER_DB_NAME: teamspeak
      TS3SERVER_DB_WAITUNTILREADY: 30
      TS3SERVER_LICENSE: accept
    volumes:
      - teamspeak_data:/var/ts3server
  db:
    image: mariadb
    restart: always
    environment:
      MYSQL_DATABASE: teamspeak
      MYSQL_ROOT_PASSWORD: ${MYSQL_ROOT_PASSWORD}
    volumes:
      - mariadb_data:/var/lib/mysql
volumes:
  teamspeak_data:
    name: teamspeak_data
  mariadb_data:
    name: mariadb_data
If I deploy the stack now, it technically works, meaning the containers are created, but I receive the following error message in my MariaDB container:
[ERROR] [Entrypoint]: Database is uninitialized and password option is not specified
You need to specify one of MARIADB_ROOT_PASSWORD, MARIADB_ROOT_PASSWORD_HASH, MARIADB_ALLOW_EMPTY_ROOT_PASSWORD and MARIADB_RANDOM_ROOT_PASSWORD
Of course. The credentials are encrypted, so obviously they cannot be used as is.
That's where the "sops exec" command comes in, if I understand correctly. I've adjusted it to point to both my encrypted "secrets.env" and my "docker-compose.yml" file paths:
sops exec-file --no-fifo /home/dockeruser/secrets/secrets.env "docker compose -f /home/dockeruser/.local/share/docker/volumes/portainer_data/_data/compose/9/v1/docker-compose.yml --env-file {} up -d"
When executing this command, however, I receive the following messages:
WARN[0000] /home/dockeruser/.local/share/docker/volumes/portainer_data/_data/compose/9/v1/docker-compose.yml: `version` is obsolete
WARN[0000] volume "teamspeak_data" already exists but was created for project "teamspeak" (expected "v1"). Use `external: true` to use an existing volume
WARN[0000] volume "mariadb_data" already exists but was created for project "teamspeak" (expected "v1"). Use `external: true` to use an existing volume
[+] Running 1/2
Container v1-db-1 Started 0.2s
Container v1-teamspeak-1 Starting 0.2s
Error response from daemon: driver failed programming external connectivity on endpoint v1-teamspeak-1 (5b8c2b15915788fbceb997ccbba53b9c938d8eec03259a3e115122a1dff20a02): Bind for 0.0.0.0:9987 failed: port is already allocated
exit status 1
I must be doing something obviously wrong, in the wrong order perhaps, or I haven't quite understood the dependencies correctly. I'm slowly getting frustrated with this mental block and would appreciate it if you or someone else could shed some light on this.
I also understand that this is a Docker forum, not Portainer, but it seems my current issues arenât related to Portainer.
I sincerely thank you all for your help.
germaggus
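Added example (not part of germaggus's post, and not code from sops or age): a small Python audit of the sops dotenv format shown in the post. It parses each `KEY=VALUE` line, recognises sops' `ENC[AES256_GCM,data:...,iv:...,tag:...,type:...]` values, honours the `sops_unencrypted_suffix` rule, collects the `sops_age__list_N__map_recipient` entries, and reports any key that is still plaintext. The constructed sample reuses the two ENC lines and the `sops_*` metadata from the post (the `sops_age__list_0__map_enc` line is left out for brevity), plus two added lines, `DEBUG_unencrypted` and `LEAKED_TOKEN`, to exercise the suffix rule and the leak check. The 32-byte IV and 16-byte tag lengths it enforces are what sops' AES-256-GCM mode writes, as visible in the posted output; the check is purely structural, so it does not prove the MAC is valid, only that the file has the shape of a sops-encrypted file and carries no stray cleartext.

```python
"""Structural audit of a sops-encrypted dotenv file (added example, not sops' own code)."""
import base64
import re
from dataclasses import dataclass, field

# sops writes every encrypted value as ENC[<cipher>,data:<b64>,iv:<b64>,tag:<b64>,type:<t>]
ENC_RE = re.compile(
    r"^ENC\[(?P<cipher>[A-Z0-9_]+),data:(?P<data>[^,\]]*),iv:(?P<iv>[^,\]]*),"
    r"tag:(?P<tag>[^,\]]*),type:(?P<type>[a-z]+)\]$"
)
# dotenv encoding of the recipient list: age recipients and pgp fingerprints
RECIPIENT_RE = re.compile(r"^sops_(age|pgp)__list_\d+__map_(recipient|fp)$")


@dataclass
class EncValue:
    cipher: str
    data: bytes   # ciphertext (same length as the plaintext under GCM)
    iv: bytes
    tag: bytes
    type: str


def parse_enc(value: str):
    """Return an EncValue if `value` is a well-formed sops ENC[...] blob, else None."""
    m = ENC_RE.match(value.strip())
    if not m:
        return None
    try:
        data, iv, tag = (base64.b64decode(m[g], validate=True) for g in ("data", "iv", "tag"))
    except ValueError:          # binascii.Error is a ValueError subclass
        return None
    # sops' AES-256-GCM mode uses a 32-byte IV and a 16-byte authentication tag
    if m["cipher"] != "AES256_GCM" or len(iv) != 32 or len(tag) != 16:
        return None
    return EncValue(m["cipher"], data, iv, tag, m["type"])


def parse_dotenv(text: str) -> dict:
    """Minimal KEY=VALUE parser; blank lines and # comments are skipped."""
    entries = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep or not key:
            raise ValueError(f"line {lineno}: not KEY=VALUE")
        entries[key] = value
    return entries


@dataclass
class Report:
    encrypted: list = field(default_factory=list)
    plaintext_allowed: list = field(default_factory=list)  # keys ending in the unencrypted suffix
    leaked: list = field(default_factory=list)             # keys that should be ENC[...] but are not
    recipients: list = field(default_factory=list)
    mac_ok: bool = False                                   # sops_mac present and well-formed

    def safe(self) -> bool:
        return not self.leaked and self.mac_ok and bool(self.recipients)


def audit(text: str) -> Report:
    """Classify every key of a sops dotenv file; structural only, no decryption."""
    entries = parse_dotenv(text)
    report = Report()
    suffix = entries.get("sops_unencrypted_suffix", "_unencrypted")
    for key, value in entries.items():
        if key.startswith("sops_"):
            if RECIPIENT_RE.match(key):
                report.recipients.append(value)
            continue
        if key.endswith(suffix):
            report.plaintext_allowed.append(key)
        elif parse_enc(value):
            report.encrypted.append(key)
        else:
            report.leaked.append(key)
    report.mac_ok = parse_enc(entries.get("sops_mac", "")) is not None
    return report


# Constructed sample: ENC lines and sops_* metadata copied from the post; DEBUG_unencrypted
# and LEAKED_TOKEN are added here to exercise the suffix rule and the leak check.
SAMPLE = """\
TS3SERVER_DB_PASSWORD=ENC[AES256_GCM,data:j22bHPelKQ==,iv:IBYeMhM+Dej8tth/g5q/hKx6shKXGHsuG6JyxPs82XA=,tag:utkMP6ww24aw4r68QN0d0A==,type:str]
MYSQL_ROOT_PASSWORD=ENC[AES256_GCM,data:0apgenYPoQ==,iv:Im/Pyy9Q8pDr82cIs26LtwAENp6Uzg3XVj3StyQ0FpI=,tag:/YMfGes/lJ3uL//yqbN6Kw==,type:str]
DEBUG_unencrypted=1
LEAKED_TOKEN=hunter2
sops_age__list_0__map_recipient=age12dsd6a88qv374cwdfzugmvdzm28a8l03zdneg9jwxzrue9e6dv7q6k4l4d
sops_lastmodified=2024-06-30T10:23:23Z
sops_mac=ENC[AES256_GCM,data:FlDAAhFVReuzzykKmrleEBzzlB5FSQOILSQYvSFZwIkyiNB8hs2LEzT66H1KYfFtmk6x+TuuQHf4+7Aa+cV+69dnuWMBLEU9JixwetAQNNzDMkzbb2PFvl4UrCfgrtGSjYiJwniCvOJRnb5kH/prTqoHYjtidwSUIWdNRBYBvmM=,iv:DtgTS9ZDIQ/ig6BjjAhl+gywakDgJsRtU9OEIwzb75U=,tag:M9kqz6RL6frgnPbtiAK07g==,type:str]
sops_unencrypted_suffix=_unencrypted
sops_version=3.9.0
"""

if __name__ == "__main__":
    r = audit(SAMPLE)
    print(f"encrypted={r.encrypted} allowed={r.plaintext_allowed} leaked={r.leaked}")
    print(f"recipients={r.recipients} mac_ok={r.mac_ok} safe={r.safe()}")
```

Run as a pre-commit hook over any `*.env` that is supposed to be sops-encrypted, a non-empty `leaked` list blocks the commit; the real integrity check of the `sops_mac` value remains the job of `sops --decrypt`, which fails if the MAC does not match the decrypted contents.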