diff --git a/README.md b/README.md index 3a68e53f9..64b3eddeb 100644 --- a/README.md +++ b/README.md @@ -130,9 +130,13 @@ If all goes well you should be prompted with the license agreement, and then ## Using secrets ## This container also supports passing sensitive values via [Docker -secrets](https://docs.docker.com/engine/swarm/secrets/). Passing sensitive +secrets](https://docs.docker.com/compose/how-tos/use-secrets/). Passing sensitive values like your credentials can be more secure using secrets than using -environment variables. Your secrets json file can have any name. This example +environment variables. + +### Config file ### + +Your secrets json file can have any name. This example uses `secrets.json`. Regardless of the name you choose it must be targeted to `config.json` within the container as in the example below. See the [secrets](#secrets) section below for a table of all supported secret keys. 
@@ -173,6 +177,45 @@ uses `secrets.json`. Regardless of the name you choose it must be targeted to target: config.json ``` +> [!NOTE] +> A config file variable will override an environment variable. + +### Environment variable files ### + +The environment variables that are listed in the [secrets](#secrets) +section below can have `_FILE` appended to them, and then the contents of the +file can be used instead, this can be more useful when you store them in a +`.env` file outside of docker: + +```yaml +--- +secrets: + foundry_username: + environment: "FOUNDRY_USERNAME" + foundry_password: + environment: "FOUNDRY_PASSWORD" + +services: + foundry: + image: ghcr.io/felddy/foundryvtt:14 + hostname: my_foundry_host + volumes: + - type: bind + source: + target: /data + environment: + - FOUNDRY_USERNAME_FILE="/run/secrets/foundry_username" + - FOUNDRY_PASSWORD_FILE="/run/secrets/foundry_password" + ports: + - target: 30000 + published: 30000 + protocol: tcp + secrets: + - foundry_username + - foundry_password +``` + + ## Updating your container ## The Foundry "Update Software" tab is disabled by default in this container. To diff --git a/src/entrypoint.sh b/src/entrypoint.sh index 80503a5d1..67dc7914b 100755 --- a/src/entrypoint.sh +++ b/src/entrypoint.sh 
@@ -144,6 +144,56 @@ if [[ ${image_version%.*} != "${FOUNDRY_VERSION}" ]]; then log_warn "The container may not function properly with this version mismatch." fi +# Check if running docker secrets +if [[ "${FOUNDRY_ADMIN_KEY_FILE:-}" ]]; then + if [ -f "${FOUNDRY_ADMIN_KEY_FILE}" ]; then + log_debug "Loading FOUNDRY_ADMIN_KEY from file" + FOUNDRY_ADMIN_KEY="$(<${FOUNDRY_ADMIN_KEY_FILE})" + else + log_warn "Trying to load FOUNDRY_ADMIN_KEY from file but it does not exist" + fi +fi +if [[ "${FOUNDRY_LICENSE_KEY_FILE:-}" ]]; then + if [ -f "${FOUNDRY_LICENSE_KEY_FILE}" ]; then + log_debug "Loading FOUNDRY_LICENSE_KEY from file" + FOUNDRY_LICENSE_KEY="$(<${FOUNDRY_LICENSE_KEY_FILE})" + else + log_warn "Trying to load FOUNDRY_LICENSE_KEY from file but it does not exist" + fi +fi +if [[ "${FOUNDRY_PASSWORD_FILE:-}" ]]; then + if [ -f "${FOUNDRY_PASSWORD_FILE}" ]; then + log_debug "Loading FOUNDRY_PASSWORD from file" + FOUNDRY_PASSWORD="$(<${FOUNDRY_PASSWORD_FILE})" + else + log_warn "Trying to load FOUNDRY_PASSWORD from file but it does not exist" + fi +fi +if [[ "${FOUNDRY_PASSWORD_SALT_FILE:-}" ]]; then + if [ -f "${FOUNDRY_PASSWORD_SALT_FILE}" ]; then + log_debug "Loading FOUNDRY_PASSWORD_SALT from file" + FOUNDRY_PASSWORD_SALT="$(<${FOUNDRY_PASSWORD_SALT_FILE})" + else + log_warn "Trying to load FOUNDRY_PASSWORD_SALT from file but it does not exist" + fi +fi +if [[ "${FOUNDRY_SERVICE_KEY_FILE:-}" ]]; then + if [ -f "${FOUNDRY_SERVICE_KEY_FILE}" ]; then + log_debug "Loading FOUNDRY_SERVICE_KEY from file" + FOUNDRY_SERVICE_KEY="$(<${FOUNDRY_SERVICE_KEY_FILE})" + else + log_warn "Trying to load FOUNDRY_SERVICE_KEY from file but it does not exist" + fi +fi +if [[ "${FOUNDRY_USERNAME_FILE:-}" ]]; then + if [ -f "${FOUNDRY_USERNAME_FILE}" ]; then + log_debug "Loading FOUNDRY_USERNAME from file" + FOUNDRY_USERNAME="$(<${FOUNDRY_USERNAME_FILE})" + else + log_warn "Trying to load FOUNDRY_USERNAME from file but it does not exist" + fi +fi + # Check for raft secrets if [ -f 
"${secret_file}" ]; then log "Reading configured secrets from: ${secret_file}"
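Review bot: Each of the six new load-from-file blocks leaves the path unquoted inside the command substitution (`$(<${FOUNDRY_ADMIN_KEY_FILE})` and its five siblings), so a `_FILE` value containing spaces or glob characters is split or expanded before the read, while the `[ -f ... ]` test on the line above is quoted and so checks a different string; `"$(<"${FOUNDRY_ADMIN_KEY_FILE}")"` is the safe form. A file that exists but is unreadable to the container user (a secret mounted with a restrictive mode) passes `-f` and then fails at the read instead of reaching the warning, so the test should be `[[ -f "${path}" && -r "${path}" ]]`, and the warning should print the path it tried so an operator can see stray characters in the configured value (the README hunk in this same commit writes the list-form entries as `- FOUNDRY_USERNAME_FILE="/run/secrets/..."`, where the quotes may survive into the variable — worth confirming against Compose's handling). Because the six blocks differ only in the variable name, a single helper driven by `${!file_var}` and `printf -v` applies both fixes in one place and keeps the `$(<file)` behaviour of dropping the trailing newline that secret files usually carry. Whether `set -e` is in effect for this top-level run of statements is outside the hunk.
```shell
# Load $1 from the file named by ${1}_FILE, if that variable is set.
# $(<file) strips the trailing newline that mounted secret files usually carry.
load_from_file() {
  local name=$1
  local file_var="${name}_FILE"
  local path="${!file_var:-}"
  [[ -n "${path}" ]] || return 0
  if [[ -f "${path}" && -r "${path}" ]]; then
    log_debug "Loading ${name} from file"
    printf -v "${name}" '%s' "$(<"${path}")"
  else
    log_warn "Trying to load ${name} from file '${path}' but it does not exist or is not readable"
  fi
}

for name in FOUNDRY_ADMIN_KEY FOUNDRY_LICENSE_KEY FOUNDRY_PASSWORD \
  FOUNDRY_PASSWORD_SALT FOUNDRY_SERVICE_KEY FOUNDRY_USERNAME; do
  load_from_file "${name}"
done
# … unchanged: raft secrets check …
```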