feat: Support for Docker secrets (#1132)

Closes #1001

server/start.sh

@@ -1,2 +1,49 @@
 #!/bin/bash
-export NODE_ENV=production && set -e && node db/init.js && node app.js --prod
+
+set -eu
+
+# Load secrets from files if *__FILE variables are provided.
+# Only the first line of each file is read (newline excluded).
+
+# DATABASE_PASSWORD (used to dynamically inject into DATABASE_URL)
+if [[ -n "${DATABASE_URL}" ]]; then
+  if [[ -z "${DATABASE_PASSWORD:-}" && -e "${DATABASE_PASSWORD__FILE:-}" ]]; then
+    read DATABASE_PASSWORD < "${DATABASE_PASSWORD__FILE}"
+    export DATABASE_URL="${DATABASE_URL/\$\{DATABASE_PASSWORD\}/${DATABASE_PASSWORD}}"
+  fi
+fi
+
+# SECRET_KEY
+if [[ -z "${SECRET_KEY:-}" && -e "${SECRET_KEY__FILE:-}" ]]; then
+  read SECRET_KEY < "${SECRET_KEY__FILE}"
+  export SECRET_KEY
+fi
+
+# DEFAULT_ADMIN_PASSWORD
+if [[ -z "${DEFAULT_ADMIN_PASSWORD:-}" && -e "${DEFAULT_ADMIN_PASSWORD__FILE:-}" ]]; then
+  read DEFAULT_ADMIN_PASSWORD < "${DEFAULT_ADMIN_PASSWORD__FILE}"
+  export DEFAULT_ADMIN_PASSWORD
+fi
+
+# S3_SECRET_ACCESS_KEY
+if [[ -z "${S3_SECRET_ACCESS_KEY:-}" && -e "${S3_SECRET_ACCESS_KEY__FILE:-}" ]]; then
+  read S3_SECRET_ACCESS_KEY < "${S3_SECRET_ACCESS_KEY__FILE}"
+  export S3_SECRET_ACCESS_KEY
+fi
+
+# OIDC_CLIENT_SECRET
+if [[ -z "${OIDC_CLIENT_SECRET:-}" && -e "${OIDC_CLIENT_SECRET__FILE:-}" ]]; then
+  read OIDC_CLIENT_SECRET < "${OIDC_CLIENT_SECRET__FILE}"
+  export OIDC_CLIENT_SECRET
+fi
+
+# SMTP_PASSWORD
+if [[ -z "${SMTP_PASSWORD:-}" && -e "${SMTP_PASSWORD__FILE:-}" ]]; then
+  read SMTP_PASSWORD < "${SMTP_PASSWORD__FILE}"
+  export SMTP_PASSWORD
+fi
+
+export NODE_ENV=production
+
+node db/init.js
+exec node app.js --prod