feat: Support for Docker secrets (#1132)

Closes #1001
2025-07-18 20:59:44 +02:00 · 2025-05-15 19:32:37 +02:00 · 2025-05-15 19:32:37 +02:00 · ac8361aee3
commit ac8361aee3
parent 3bd8eba416
4 changed files with 96 additions and 16 deletions
--- a/server/.env.sample
+++ b/server/.env.sample
@ -13,22 +13,27 @@ SECRET_KEY=notsecretkey
 # TOKEN_EXPIRES_IN=365 # In days

 # related: https://github.com/knex/knex/issues/2354
-# As knex does not pass query parameters from the connection string we
-# have to use environment variables in order to pass the desired values, e.g.
+# As knex does not pass query parameters from the connection string,
+# we have to use environment variables in order to pass the desired values, e.g.
 # PGSSLMODE=<value>

 # Configure knex to accept SSL certificates
 # KNEX_REJECT_UNAUTHORIZED_SSL_CERTIFICATE=false

-# DEFAULT_LANGUAGE=en-US # Used for per-board notifications
+# Used for per-board notifications
+# DEFAULT_LANGUAGE=en-US

-# DEFAULT_ADMIN_EMAIL=demo@demo.demo # Do not remove if you want to prevent this user from being edited/deleted
+# Do not comment out DEFAULT_ADMIN_EMAIL if you want to prevent this user from being edited/deleted
+# DEFAULT_ADMIN_EMAIL=demo@demo.demo
 # DEFAULT_ADMIN_PASSWORD=demo
 # DEFAULT_ADMIN_NAME=Demo Demo
 # DEFAULT_ADMIN_USERNAME=demo

 # ACTIVE_USERS_LIMIT=
-# SHOW_DETAILED_AUTH_ERRORS=false # Set to true to show more detailed authentication error messages. It should not be enabled without a rate limiter for security reasons.
+
+# Set to true to show more detailed authentication error messages.
+# It should not be enabled without a rate limiter for security reasons.
+# SHOW_DETAILED_AUTH_ERRORS=false

 # S3_ENDPOINT=
 # S3_REGION=
--- a/server/start.sh
+++ b/server/start.sh
@ -1,2 +1,49 @@
 #!/bin/bash
-export NODE_ENV=production && set -e && node db/init.js && node app.js --prod
+
+set -eu
+
+# Load secrets from files if *__FILE variables are provided.
+# Only the first line of each file is read (newline excluded).
+
+# DATABASE_PASSWORD (used to dynamically inject into DATABASE_URL)
+if [[ -n "${DATABASE_URL}" ]]; then
+  if [[ -z "${DATABASE_PASSWORD:-}" && -e "${DATABASE_PASSWORD__FILE:-}" ]]; then
+    read DATABASE_PASSWORD < "${DATABASE_PASSWORD__FILE}"
+    export DATABASE_URL="${DATABASE_URL/\$\{DATABASE_PASSWORD\}/${DATABASE_PASSWORD}}"
+  fi
+fi
+
+# SECRET_KEY
+if [[ -z "${SECRET_KEY:-}" && -e "${SECRET_KEY__FILE:-}" ]]; then
+  read SECRET_KEY < "${SECRET_KEY__FILE}"
+  export SECRET_KEY
+fi
+
+# DEFAULT_ADMIN_PASSWORD
+if [[ -z "${DEFAULT_ADMIN_PASSWORD:-}" && -e "${DEFAULT_ADMIN_PASSWORD__FILE:-}" ]]; then
+  read DEFAULT_ADMIN_PASSWORD < "${DEFAULT_ADMIN_PASSWORD__FILE}"
+  export DEFAULT_ADMIN_PASSWORD
+fi
+
+# S3_SECRET_ACCESS_KEY
+if [[ -z "${S3_SECRET_ACCESS_KEY:-}" && -e "${S3_SECRET_ACCESS_KEY__FILE:-}" ]]; then
+  read S3_SECRET_ACCESS_KEY < "${S3_SECRET_ACCESS_KEY__FILE}"
+  export S3_SECRET_ACCESS_KEY
+fi
+
+# OIDC_CLIENT_SECRET
+if [[ -z "${OIDC_CLIENT_SECRET:-}" && -e "${OIDC_CLIENT_SECRET__FILE:-}" ]]; then
+  read OIDC_CLIENT_SECRET < "${OIDC_CLIENT_SECRET__FILE}"
+  export OIDC_CLIENT_SECRET
+fi
+
+# SMTP_PASSWORD
+if [[ -z "${SMTP_PASSWORD:-}" && -e "${SMTP_PASSWORD__FILE:-}" ]]; then
+  read SMTP_PASSWORD < "${SMTP_PASSWORD__FILE}"
+  export SMTP_PASSWORD
+fi
+
+export NODE_ENV=production
+
+node db/init.js
+exec node app.js --prod