
Support docker secrets #14

Closed
schklom opened this issue Feb 9, 2022 · 8 comments · Fixed by #1254

Comments

@schklom
Contributor

schklom commented Feb 9, 2022

Hi!

Would you please implement extra Docker environment variables called *_FILE or something in that fashion, and feed them /run/secrets/immich_*, at least for the database password and the jwt secret?
Doing otherwise can be unsafe. Ideally, the database name and username can also be read as secrets.

The docker-compose.yml would look like (only included the relevant parts)

services:
  server:
    environment:
      # STAGE
      NODE_ENV: development

      # Database
      DB_USERNAME_FILE: /run/secrets/immich_db_user
      DB_PASSWORD_FILE: /run/secrets/immich_db_password
      DB_DATABASE_NAME_FILE: /run/secrets/immich_db_db

      # Upload File Config
      UPLOAD_LOCATION: ./upload

      # JWT SECRET
      JWT_SECRET_FILE: /run/secrets/immich_jwt
    secrets:
      - immich_db_db
      - immich_db_user
      - immich_db_password
      - immich_jwt

  database:
    environment:
      TZ: ${TZ}
      POSTGRES_DB_FILE: /run/secrets/immich_db_db
      POSTGRES_USER_FILE: /run/secrets/immich_db_user
      POSTGRES_PASSWORD_FILE: /run/secrets/immich_db_password
    secrets:
      - immich_db_db
      - immich_db_user
      - immich_db_password

secrets:
  immich_db_db:
    file: /secrets_path/immich_db_db
  immich_db_user:
    file: /secrets_path/immich_db_user
  immich_db_password:
    file: /secrets_path/immich_db_password
  immich_jwt:
    file: /secrets_path/immich_jwt

I don't know Dart and TypeScript, but some possible code to read them in bash and store the contents in variables is:

# if JWT_SECRET_FILE is set and names an existing file, read its first line into JWT_SECRET
[[ -n "${JWT_SECRET_FILE}" ]] && [[ -f "${JWT_SECRET_FILE}" ]] && JWT_SECRET="$(head -n 1 "${JWT_SECRET_FILE}")"

Hopefully this helps

@alextran1502
Contributor

Thank you for the suggestion, I will take a look at this.

@alextran1502 alextran1502 self-assigned this Feb 9, 2022
@alextran1502 alextran1502 added the enhancement New feature or request label Feb 9, 2022
@kaysond
Contributor

kaysond commented Mar 28, 2022

LSIO does this for all their containers and it's great

@alextran1502
Contributor

@kaysond Can you help me find one that I can refer to?

@kaysond
Contributor

kaysond commented Mar 29, 2022

They've set it up in a very generic way in all of their base images. You can see an example of their bash script here and here is an example of the usage.

@kaysond
Contributor

kaysond commented Mar 29, 2022

Oh and MariaDB's official image also does the same thing (though they use a suffix instead of prefix)

@EnochPrime
Contributor

> They've set it up in a very generic way in all of their base images. You can see an example of their bash script here and here is an example of the usage.

LSIO's method requires s6-overlay. The code is here.

> Oh and MariaDB's official image also does the same thing (though they use a suffix instead of prefix)

This method is less dynamic, but done purely with bash script. Unfortunately the variable expansion method used is not supported by sh and the immich containers don't have bash currently.

# usage: file_env VAR [DEFAULT]
#    ie: file_env 'XYZ_DB_PASSWORD' 'example'
# (will allow for "$XYZ_DB_PASSWORD_FILE" to fill in the value of
#  "$XYZ_DB_PASSWORD" from a file, especially for Docker's secrets feature)
# mysql_error is the MariaDB entrypoint's own helper (print to stderr, exit 1);
# a minimal stand-in is defined here so the function runs outside that entrypoint.
mysql_error() {
	printf '%s\n' "$*" >&2
	exit 1
}
file_env() {
	local var="$1"
	local fileVar="${var}_FILE"
	local def="${2:-}"
	# ${!var} is bash indirect expansion: the value of the variable whose name is stored in $var
	if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then
		mysql_error "Both $var and $fileVar are set (but are exclusive)"
	fi
	local val="$def"
	if [ "${!var:-}" ]; then
		val="${!var}"
	elif [ "${!fileVar:-}" ]; then
		# $(< file) is a bash builtin file read; trailing newlines are stripped
		val="$(< "${!fileVar}")"
	fi
	export "$var"="$val"
	# drop the *_FILE path so child processes do not inherit it
	unset "$fileVar"
}
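
As an added example (not Immich's code, and not the MariaDB/postgres entrypoint quoted above), here is the same `*_FILE` convention requested in the opening post, written in POSIX sh so it works in a container that has no bash. It avoids both `local` and the bash-only `${!var}` indirect expansion by validating the variable name and then using `eval`; the function name `file_env`, the variable names and the demo secret file are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example (not Immich code, not the MariaDB/postgres entrypoint): the *_FILE
# pattern in POSIX sh. sh has no `local` and no ${!var}, so helper variables are
# prefixed fe_ to avoid clobbering and names are validated before reaching eval.
#
# usage: file_env VAR [DEFAULT]
#   If VAR_FILE is set, VAR is exported with the contents of that file (typically a
#   Docker secret under /run/secrets/) and VAR_FILE is unset so the path is not
#   inherited by child processes. VAR and VAR_FILE are mutually exclusive.
file_env() {
	fe_var="$1"
	fe_def="${2:-}"
	fe_file="${fe_var}_FILE"

	# Reject anything that is not a shell identifier; eval below would otherwise
	# execute a crafted name such as "X;id" as code.
	case "$fe_var" in
		''|[0-9]*|*[!A-Za-z0-9_]*)
			echo "file_env: invalid variable name '$fe_var'" >&2
			return 1 ;;
	esac

	# Indirect lookup without ${!var}: the name was validated, so eval is safe here.
	eval "fe_val=\${$fe_var:-}"
	eval "fe_fileval=\${$fe_file:-}"

	if [ -n "$fe_val" ] && [ -n "$fe_fileval" ]; then
		echo "file_env: both $fe_var and $fe_file are set (but are exclusive)" >&2
		return 1
	fi

	if [ -z "$fe_val" ] && [ -n "$fe_fileval" ]; then
		if [ ! -r "$fe_fileval" ]; then
			echo "file_env: $fe_file points to unreadable file '$fe_fileval'" >&2
			return 1
		fi
		# $(cat ...) strips trailing newlines, so a secret file saved with a final
		# newline does not become a password with "\n" appended.
		fe_val="$(cat "$fe_fileval")"
	fi

	[ -n "$fe_val" ] || fe_val="$fe_def"

	export "$fe_var=$fe_val"
	unset "$fe_file"
}

# Demo with a constructed secret file standing in for /run/secrets/immich_db_password.
demo_secret="$(mktemp)"
printf 'hunter2\n' > "$demo_secret"
export DB_PASSWORD_FILE="$demo_secret"
file_env DB_PASSWORD
echo "DB_PASSWORD has ${#DB_PASSWORD} characters; DB_PASSWORD_FILE is now '${DB_PASSWORD_FILE:-unset}'"
rm -f "$demo_secret"
```

Source this file from the container entrypoint and call `file_env DB_PASSWORD`, `file_env JWT_SECRET` and so on before starting the application; the application then only ever sees the plain variables. The identifier check is what makes `eval` acceptable here: without it, an attacker who controls the argument could run arbitrary commands with the entrypoint's privileges.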

@EnochPrime
Contributor

EnochPrime commented Jan 4, 2023

Also, definitely not an expert, but I think we can't use the MariaDB method verbatim anyway since they are under GPL2 license and this project is under MIT.

Edit: And the LSIO is under GPL3 too.

@EnochPrime
Contributor

Actually I just found the identical code over in the postgres docker which is MIT license. So I believe it is fair to copy.
