From a2e9b642bc6ff0713d7a8dd13abe18274a0ba08b Mon Sep 17 00:00:00 2001
From: Amras <amras@ciaszczyk.pl>
Date: Thu, 23 Apr 2026 16:17:22 +0000
Subject: [PATCH] [feat] server and superuser passwords

Impl note: server-pw can be ignored for a password-less server,
 e.g. if operator wants to run a publicly registered server:
 https://www.mumble.info/documentation/administration/config-file/#server-registration

Impl note: secret names (-pw rather than -password) are shortened due to R015.
---
 .env.sample                |  9 +++++++++
 compose.serverpassword.yml | 12 ++++++++++++
 compose.yml                |  8 ++++++++
 3 files changed, 29 insertions(+)
 create mode 100644 compose.serverpassword.yml

diff --git a/.env.sample b/.env.sample
index dc1c153..d3d4040 100644
--- a/.env.sample
+++ b/.env.sample
@@ -12,3 +12,12 @@ COMPOSE_FILE="compose.yml"
 
 ## Web client
 #COMPOSE_FILE="$COMPOSE_FILE:compose.mumbleweb.yml"
+
+## Server Password
+# remember to set the server-pw secret:
+#  abra app secret insert <domain> server-pw v1
+#COMPOSE_FILE="$COMPOSE_FILE:compose.serverpassword.yml"
+#SECRET_SERVER_PASSWORD_VERSION=v1
+
+## SuperUser Password
+SECRET_SUPERUSER_PASSWORD_VERSION=v1
diff --git a/compose.serverpassword.yml b/compose.serverpassword.yml
new file mode 100644
index 0000000..ef2f925
--- /dev/null
+++ b/compose.serverpassword.yml
@@ -0,0 +1,12 @@
+version: "3.8"
+
+services:
+  app:
+    secrets:
+      - source: server-pw
+        target: MUMBLE_CONFIG_SERVER_PASSWORD
+
+secrets:
+  server-pw:
+    external: true
+    name: ${STACK_NAME}_server-pw_${SECRET_SERVER_PASSWORD_VERSION}
diff --git a/compose.yml b/compose.yml
index 286f2e0..ba77208 100644
--- a/compose.yml
+++ b/compose.yml
@@ -8,6 +8,9 @@ services:
       - proxy
     volumes:
       - "mumble_data:/data"
+    secrets:
+      - source: superuser-pw
+        target: MUMBLE_SUPERUSER_PASSWORD
     deploy:
       restart_policy:
         condition: on-failure
@@ -23,6 +26,11 @@ services:
         - "traefik.udp.services.${STACK_NAME}-udp-service.loadbalancer.server.port=64738"
         - "coop-cloud.${STACK_NAME}.version=0.1.0+v1.6.870-0"
 
+secrets:
+  superuser-pw:
+    external: true
+    name: ${STACK_NAME}_superuser-pw_${SECRET_SUPERUSER_PASSWORD_VERSION}
+
 networks:
   proxy:
     external: true