Fix production environment to use proper secrets

[amcewen]

We'll have a few things: Postgres password; admin username and password; etc. which at present are hard-coded. They should get picked up from the environment, and that should be defined properly in the production environment.

[helicalbytes]

In the absence of a full username / password database (or some other authentication storage) we need to add the following 2 environment variables for the admin pages:

OPTIMISM_ADMIN_USERNAME
OPTIMISM_ADMIN_PASSWORD

The password in particular needs to be secure and be provided from a secret.

[helicalbytes]

When we merge develop to master this will fail.

[amcewen]

We should set these up as secrets in the same way we did for #91.

[amcewen]

We'll need to store the SMTP username and password for #7, and they should be secrets too.

I did a bit of reading up on the best way to do that in docker-compose and https://docs.docker.com/compose/how-tos/use-secrets/ seems to detail the right approach.

There's also the Github actions secret management to factor in too, and the fact that our Github action workflow kicks off docker-compose in an ssh session, for good measure 😀 We're already handling Github actions secrets, so that bit is understood.

I think we'll need to move to docker compose rather than docker-compose in the workflow if we're adding the secret options (from my experiments on my machine).

Haven't quite worked out how we access them from inside the node code yet. I think they'll show up as a file in /var/secrets/ and we'll need to read it in from there.

[amcewen]

I couldn't get the docker-compose.yml secrets pick up from environment variables, but it will pick them up fine from files.

I don't know if the secrets will show up in the Github actions log, so we'll need to check that when it's been run. I've created secrets for the email user/pass, and modified the github action to save them as files temporarily when the docker compose commands are being run.

We'll need to move any other secrets to use that system too, assuming it works correctly.

I've made a start on a PR to merge into master to test it, but need to resolve a couple of conflicts first.

[amcewen]

Got the conflicts resolved and merged develop into master. That has set up the secrets correctly (confirmed by bringing up a bash connection to the API container and checking the secrets are in /run/secrets.

We still need to check if any other secrets need passing through in the same manner.