gamevault-backend

Support for Docker Secrets

Open ShadowPeo opened this issue 1 year ago • 3 comments

Is your feature request related to a problem? Please describe.
It is not a problem per se with the application but more so with the security of credentials included in the docker-compose file.

Describe the solution you'd like
Support for the Docker Secrets functions, specifically on user/pass/API key fields utilising the _FILE suffix to the variable name, as per the standard for most containers.

Describe alternatives you've considered
There are no real alternatives to this apart from a sequestered environment file that can be referenced by importing the environment variables, but this is not the official method of handling this.

I can provide an example YAML from another service that does support this if required

ShadowPeo (Jan 08 '25 06:01)
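The `_FILE` convention the request refers to is simple to implement on the application side: for each sensitive setting, accept either `VAR` (the value itself) or `VAR_FILE` (a path, typically under `/run/secrets`, whose contents are the value). The following is an added example of that logic in TypeScript; it is not code from gamevault-backend, and the helper names (`resolveSecret`, `requireSecret`, `demo`), the `ResolveOptions` flags and the temporary file standing in for `/run/secrets/DB_PASSWORD` are assumptions made for the illustration. It also covers the edge cases a practitioner would want handled: a trailing newline left by `echo` or an editor, both `VAR` and `VAR_FILE` being set at once, and a secret file that is world-readable.

```typescript
// Added example (not gamevault-backend's own code): resolving a configuration
// value from either VAR or VAR_FILE, the convention used by the official
// postgres image and many others for Docker/Compose secrets under /run/secrets.
import * as fs from "node:fs";
import * as os from "node:os";
import * as path from "node:path";

export type Env = Record<string, string | undefined>;

export interface ResolveOptions {
  /** Strip one trailing newline; `echo` and most editors add one. Default: true. */
  trimTrailingNewline?: boolean;
  /** Refuse secret files that are world-readable (Unix only). Default: false. */
  requireRestrictivePerms?: boolean;
}

/**
 * Return `name` from the environment, or, if `${name}_FILE` is set instead,
 * the contents of that file. Throws when both are set (an ambiguity that
 * silently picking one would hide) and when the file cannot be read.
 */
export function resolveSecret(name: string, env: Env = process.env, opts: ResolveOptions = {}): string | undefined {
  const { trimTrailingNewline = true, requireRestrictivePerms = false } = opts;
  const direct = env[name];
  const fileVar = `${name}_FILE`;
  const filePath = env[fileVar];

  if (direct !== undefined && filePath !== undefined) {
    throw new Error(`Both ${name} and ${fileVar} are set; set only one`);
  }
  if (filePath === undefined) {
    return direct;
  }
  if (requireRestrictivePerms && os.platform() !== "win32") {
    const mode = fs.statSync(filePath).mode & 0o777;
    if (mode & 0o004) {
      throw new Error(`${fileVar}=${filePath} is world-readable (mode ${mode.toString(8)})`);
    }
  }
  let value: string;
  try {
    value = fs.readFileSync(filePath, "utf8");
  } catch (err) {
    throw new Error(`Cannot read ${fileVar}=${filePath}: ${(err as Error).message}`);
  }
  if (trimTrailingNewline && value.endsWith("\n")) {
    value = value.slice(0, -1);
    if (value.endsWith("\r")) value = value.slice(0, -1); // CRLF secret files
  }
  return value;
}

/** Like resolveSecret, but a missing or empty value is a startup error. */
export function requireSecret(name: string, env: Env = process.env, opts?: ResolveOptions): string {
  const value = resolveSecret(name, env, opts);
  if (value === undefined || value === "") {
    throw new Error(`Missing required configuration: set ${name} or ${name}_FILE`);
  }
  return value;
}

/**
 * Self-contained demonstration: a constructed secret file in a temp directory
 * stands in for /run/secrets/DB_PASSWORD. Returns the results so they can be
 * checked without parsing printed output.
 */
export function demo(): { fromEnv: string; fromFile: string; bothSetRejected: boolean } {
  const dir = fs.mkdtempSync(path.join(os.tmpdir(), "secrets-"));
  const secretFile = path.join(dir, "DB_PASSWORD");
  fs.writeFileSync(secretFile, "s3cr3t\n", { mode: 0o600 }); // constructed sample secret, with trailing newline

  const fromEnv = requireSecret("DB_PASSWORD", { DB_PASSWORD: "plain" });
  const fromFile = requireSecret("DB_PASSWORD", { DB_PASSWORD_FILE: secretFile }, { requireRestrictivePerms: true });
  let bothSetRejected = false;
  try {
    resolveSecret("DB_PASSWORD", { DB_PASSWORD: "plain", DB_PASSWORD_FILE: secretFile });
  } catch {
    bothSetRejected = true;
  }
  fs.rmSync(dir, { recursive: true, force: true });
  return { fromEnv, fromFile, bothSetRejected };
}
```

Wiring this in is then a matter of replacing each `process.env.DB_PASSWORD` read with `requireSecret("DB_PASSWORD")`; the plain environment variable keeps working for existing deployments, and a compose file can switch to `DB_PASSWORD_FILE=/run/secrets/db_password` without the value ever appearing in `docker inspect` or the container's environment.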

Yes please!

an0t8 (Jan 08 '25 17:01)

@ShadowPeo I've never heard of this, but it sounds awesome! I'd gladly accept the offer to get a YAML from another service that does this to look deeper into it.

Alfagun74 (Feb 02 '25 13:02)

Sorry, I have only just seen the response to this request, so I assume you have already gotten a copy. If not, I have attached the one I used for Forgejo here:

# Compose file posted by ShadowPeo: Forgejo + PostgreSQL reading the database
# credentials from Compose secrets mounted under /run/secrets instead of from
# plain environment variables. Comments, and the two fixes marked "FIX", were
# added in editing.

networks:

  Public:
    name: Public
    external: true

  Adminer:
    name: Adminer
    external: true

  forgejo_internal:
    name: Forgejo_Internal
    external: false
    driver: bridge
    ipam:
      config:
        - subnet: 172.31.1.24/29

# Top-level secrets: each one is a file on the host; Compose mounts it into
# the containers that list it under `secrets:` as /run/secrets/<name>.
secrets:

  FORGEJO_DB_USER:
    name: FORGEJO_DB_USER
    file: ./Secrets/DB_USER

  FORGEJO_DB_PASSWORD:
    name: FORGEJO_DB_PASSWORD
    file: ./Secrets/DB_PASSWORD

volumes:

  forgejo_pg17_data:
    name: Forgejo-DB_PG17

services:
  forgejo-server:
    container_name: Forgejo-App
    image: codeberg.org/forgejo/forgejo:10
    depends_on:
      forgejo_postgres17:
        condition: service_healthy
    env_file:
      - ./Secrets/app.senv
    environment:
      - USER_UID=1000
      - USER_GID=1000
      - FORGEJO__server__DOMAIN=git.redacted
      - FORGEJO__server__SSH_DOMAIN=git.redacted
      - FORGEJO__server__SSH_PORT=2229
      - FORGEJO__database__DB_TYPE=postgres
      - FORGEJO__database__HOST=forgejo_postgres17:5432
      - FORGEJO__database__NAME=forgejo
      # FIX: Forgejo's environment-to-ini reads a value from a file only when the
      # variable ends in a double-underscore "__FILE" suffix; a single "_FILE"
      # would set literal ini keys named USER_FILE / PASSWD_FILE instead.
      - FORGEJO__database__USER__FILE=/run/secrets/FORGEJO_DB_USER
      - FORGEJO__database__PASSWD__FILE=/run/secrets/FORGEJO_DB_PASSWORD
      - FORGEJO__service__DEFAULT_KEEP_EMAIL_PRIVATE=true
      - FORGEJO__service__NO_REPLY_ADDRESS=no-reply@redacted
      - FORGEJO__mailer__ENABLED=true
      - FORGEJO__mailer__PROTOCOL=smtp+starttls
      - FORGEJO__mailer__SMTP_ADDR=mail.smtp2go.com
      - FORGEJO__mailer__SMTP_PORT=587
      - FORGEJO__mailer__FROM=git@redacted
      - FORGEJO__mailer__SUBJECT_PREFIX=[REDACTED GIT]
    networks:
      - forgejo_internal
      - Public
    ports:
#      - 5082:3000
      - 2229:22
    restart: unless-stopped
    # FIX: the app references /run/secrets/FORGEJO_DB_USER above, so it must be
    # granted that secret too, not only the password.
    secrets:
      - FORGEJO_DB_USER
      - FORGEJO_DB_PASSWORD
    volumes:
      - ./Data:/data
      - /etc/TZ:/etc/timezone:ro
      - /etc/localtime:/etc/localtime:ro

  forgejo_postgres17:
    container_name: Forgejo-DB
    image: docker.io/library/postgres:17-alpine
    environment:
      # The official postgres image supports the single-underscore *_FILE form.
      POSTGRES_USER_FILE: /run/secrets/FORGEJO_DB_USER
      POSTGRES_DB: forgejo
      POSTGRES_PASSWORD_FILE: /run/secrets/FORGEJO_DB_PASSWORD
#    ports:
#      - 5432:5432
    volumes:
      - forgejo_pg17_data:/var/lib/postgresql/data
    healthcheck:
      # "$$" escapes "$" for Compose so the shell inside the container expands it.
      test: ["CMD-SHELL", "pg_isready -U $$(cat $${POSTGRES_USER_FILE}) -d forgejo"]
      interval: 5s
      timeout: 5s
      retries: 5
    secrets:
      - FORGEJO_DB_USER
      - FORGEJO_DB_PASSWORD
    networks:
      - Adminer
      - forgejo_internal
ShadowPeo (Apr 05 '25 18:04)