
Support of secrets files #47

Closed
JohnCytron opened this issue Jan 26, 2020 · 4 comments

Comments

@JohnCytron

Hi,

It would be nice to add support for secrets files for environment variables, like the official mysql container does for passwords.

Easy to deploy and more secure than exposing a clear-text password.

Something like this will be perfect:

```yaml
version: "3.7"

services:
  borgmatic:
    image: b3vis/borgmatic:latest
    container_name: borgmatic
    restart: always
    env_file:
      - "./env/common.env"
      - "./env/borgmatic.env"
    environment:
      # list-form environment entries use KEY=value, not KEY: value
      - BORG_PASSPHRASE_FILE=/run/secrets/borgmatic-secret1
      - MAIL_PASSWORD_FILE=/run/secrets/borgmatic-secret2
    secrets:
      - borgmatic-secret1
      - borgmatic-secret2
    volumes:
      - "/my/path/source:/mnt/source:ro"
      - "/my/path/borgmatic/borgmatic.d:/etc/borgmatic.d/"
      - "/my/path/borgmatic/sshkeys:/root/.ssh"
      - "/my/path/borgmatic/config:/root/.config/borg"
      - "/my/path/borgmatic/cache:/root/.cache/borg"

secrets:
  borgmatic-secret1:
    external: true
  borgmatic-secret2:
    file: /my/path/secret/MAIL_PASSWORD.txt
```

Cheers,

@toastie89
Contributor

@JohnCytron, do secrets also work without swarm? I didn't try it yet and found different statements about it.

@JohnCytron
Author

JohnCytron commented Jan 26, 2020

Yes, if you declare it as a file:

```yaml
borgmatic-secret2:
    file: /my/path/secret/MAIL_PASSWORD.txt
```

It will create a file inside the container, /run/secrets/borgmatic-secret2, with the value.

But you need to create a file for each environment.

@toastie89
Contributor

@JohnCytron, thanks for getting back!

Somehow I didn't get where the extra safety comes from. What is the difference between storing the password in .env or in a separate file? Both have the same permissions and both end up as environment variables, don't they? Don't get me wrong, I'm not against it if it makes sense, I just didn't get the trick yet.

@JohnCytron
Author

After some research, like you I don't really get it. The only difference I found is that you don't expose your secret with docker inspect, portainer... So it is not a huge security gain.
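How the `_FILE` convention requested above (and described in the replies) is typically implemented in an image entrypoint, as an added example that is not code from borgmatic or the b3vis/borgmatic image; the `file_env` helper name, the demo secret value and the temporary paths are constructed for illustration:

```shell
#!/bin/sh
# Added example, not code from borgmatic or the b3vis/borgmatic image: an
# entrypoint helper implementing the "VAR_FILE" convention of the official
# mysql image. If BORG_PASSPHRASE_FILE is set, the passphrase is read from
# that file (e.g. a Docker secret under /run/secrets) and exported as
# BORG_PASSPHRASE; the _FILE path is then dropped from the environment.
set -eu

file_env() {
    var="$1"                       # e.g. BORG_PASSPHRASE
    default="${2:-}"               # optional fallback value
    file_var="${var}_FILE"         # e.g. BORG_PASSPHRASE_FILE
    eval "val=\${$var:-}"
    eval "file=\${$file_var:-}"
    if [ -n "$val" ] && [ -n "$file" ]; then
        echo "error: both $var and $file_var are set (but are exclusive)" >&2
        return 1
    fi
    if [ -n "$file" ]; then
        if [ ! -r "$file" ]; then
            echo "error: $file_var points to unreadable file $file" >&2
            return 1
        fi
        # $(...) strips the trailing newline an editor leaves in the file.
        val="$(cat "$file")"
    fi
    val="${val:-$default}"
    export "$var=$val"
    unset "$file_var"
}

# Demo with a constructed secret file standing in for /run/secrets/...
demo() {
    tmp="$(mktemp -d)"
    printf 'constructed-mail-password\n' > "$tmp/borgmatic-secret2"
    chmod 0400 "$tmp/borgmatic-secret2"
    MAIL_PASSWORD_FILE="$tmp/borgmatic-secret2"; export MAIL_PASSWORD_FILE
    file_env MAIL_PASSWORD
    # Report only that the value was loaded, never the value itself.
    echo "MAIL_PASSWORD loaded (${#MAIL_PASSWORD} chars), MAIL_PASSWORD_FILE unset"
    rm -rf "$tmp"
}
demo
```

Because the compose file hands the container a path rather than the value, `docker inspect` shows only `/run/secrets/...`, which is the difference JohnCytron found.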
