move SSO client secret to Docker secret, gate SSO entrypoint on SSO_ENABLED

compose.yml

@@ -4,7 +4,7 @@ version: "3.8"
 services:
   app:
     image: cryptpad/cryptpad:version-2026.2.0
-    entrypoint: ["/bin/bash", "/sso-entrypoint.sh"]
+    entrypoint: ["/sso-entrypoint.sh", "/cryptpad/docker-entrypoint.sh"]
     command: ["npm", "start"]
     networks:
       - backend
@@ -19,14 +19,14 @@ services:
       - "CPAD_CONF=/cryptpad/config/config.js"
       # SSO plugin
       - SSO_PLUGIN_VERSION
-      - SSO_ENABLED
+      - "SSO_ENABLED=${SSO_ENABLED:-false}"
       - SSO_ENFORCED
       - SSO_PROVIDER_NAME
       - SSO_OIDC_URL
       - SSO_CLIENT_ID
-      - SSO_CLIENT_SECRET
       - SSO_JWT_ALG
-
+    secrets:
+      - sso_client_s
     volumes:
       - cryptpad_blob:/cryptpad/blob
       - cryptpad_block:/cryptpad/block
@@ -52,7 +52,6 @@ services:
         - "coop-cloud.${STACK_NAME}.timeout=${TIMEOUT:-120}"
         - "coop-cloud.${STACK_NAME}.version=0.5.0+v2026.2.0"
         - "backupbot.backup=true"
-        - "backupbot.backup.volumes.cryptpad_config=false"
     healthcheck:
       test: ["CMD", "curl", "-f", "http://localhost:3000"]
       interval: 30s
@@ -96,6 +95,11 @@ volumes:
   cryptpad_config:
   cryptpad_plugins:
 
+secrets:
+  sso_client_s:
+    external: true
+    name: ${STACK_NAME}_sso_client_s_${SSO_CLIENT_SECRET_VERSION}
+
 configs:
   config_js:
     name: ${STACK_NAME}_config_${CONFIG_VERSION}