Store secrets in separate .env file

This allows a downstream-user to keep .env under some version control
without worrying about password leakage.

.gitignore

@@ -1,4 +1,6 @@
 *.swp
 .env
 .env.bak
+secrets.env
+secrets.env.bak
 docker-compose.override.yml

docker-compose.yml

@@ -12,6 +12,9 @@ services:
             - ${CONFIG}/web:/config:Z
             - ${CONFIG}/web/letsencrypt:/etc/letsencrypt:Z
             - ${CONFIG}/transcripts:/usr/share/jitsi-meet/transcripts:Z
+        env_file:
+            - .env
+            - secrets.env
         environment:
             - ENABLE_AUTH
             - ENABLE_GUESTS
@@ -55,6 +58,9 @@ services:
         volumes:
             - ${CONFIG}/prosody/config:/config:Z
             - ${CONFIG}/prosody/prosody-plugins-custom:/prosody-plugins-custom:Z
+        env_file:
+            - .env
+            - secrets.env
         environment:
             - AUTH_TYPE
             - ENABLE_AUTH
@@ -116,6 +122,9 @@ services:
         restart: ${RESTART_POLICY}
         volumes:
             - ${CONFIG}/jicofo:/config:Z
+        env_file:
+            - .env
+            - secrets.env
         environment:
             - AUTH_TYPE
             - ENABLE_AUTH
@@ -148,6 +157,9 @@ services:
             - '${JVB_TCP_PORT}:${JVB_TCP_PORT}'
         volumes:
             - ${CONFIG}/jvb:/config:Z
+        env_file:
+            - .env
+            - secrets.env
         environment:
             - DOCKER_HOST_ADDRESS
             - XMPP_AUTH_DOMAIN

gen-passwords.sh

@@ -18,4 +18,4 @@ sed -i.bak \
     -e "s#JIGASI_XMPP_PASSWORD=.*#JIGASI_XMPP_PASSWORD=${JIGASI_XMPP_PASSWORD}#g" \
     -e "s#JIBRI_RECORDER_PASSWORD=.*#JIBRI_RECORDER_PASSWORD=${JIBRI_RECORDER_PASSWORD}#g" \
     -e "s#JIBRI_XMPP_PASSWORD=.*#JIBRI_XMPP_PASSWORD=${JIBRI_XMPP_PASSWORD}#g" \
-    "$(dirname "$0")/.env"
+    "$(dirname "$0")/secrets.env"