47 changes: 45 additions & 2 deletions README.md
Expand Up @@ -130,9 +130,13 @@ If all goes well you should be prompted with the license agreement, and then
## Using secrets ##

This container also supports passing sensitive values via [Docker
secrets](https://docs.docker.com/engine/swarm/secrets/). Passing sensitive
secrets](https://docs.docker.com/compose/how-tos/use-secrets/). Passing sensitive
values like your credentials can be more secure using secrets than using
environment variables. Your secrets json file can have any name. This example
environment variables.

### Config file ###

Your secrets json file can have any name. This example
uses `secrets.json`. Regardless of the name you choose it must be targeted to
`config.json` within the container as in the example below. See the
[secrets](#secrets) section below for a table of all supported secret keys.
Expand Down Expand Up @@ -173,6 +177,45 @@ uses `secrets.json`. Regardless of the name you choose it must be targeted to
target: config.json
```

> [!NOTE]
> A config file variable will override an environment variable.

### Environment variable files ###

The environment variables that are listed in the [secrets](#secrets)
section below can have `_FILE` appended to them, and then the contents of the
file can be used instead, this can be more useful when you store them in a
`.env` file outside of docker:

```yaml
---
secrets:
foundry_username:
environment: "FOUNDRY_USERNAME"
foundry_password:
environment: "FOUNDRY_PASSWORD"

services:
foundry:
image: ghcr.io/felddy/foundryvtt:14
hostname: my_foundry_host
volumes:
- type: bind
source: <your_data_dir>
target: /data
environment:
- FOUNDRY_USERNAME_FILE="/run/secrets/foundry_username"
- FOUNDRY_PASSWORD_FILE="/run/secrets/foundry_password"
ports:
- target: 30000
published: 30000
protocol: tcp
secrets:
- foundry_username
- foundry_password
```


## Updating your container ##

The Foundry "Update Software" tab is disabled by default in this container. To
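Review bot: In the `environment:` list of the new example, the quotes in `- FOUNDRY_USERNAME_FILE="/run/secrets/foundry_username"` (and the matching password line) are not stripped in Compose's list form, so the variable's value contains the literal `"` characters and the `[ -f ... ]` test in `src/entrypoint.sh` would fall through to the "does not exist" warning. Drop the quotes, or use the mapping form (`FOUNDRY_USERNAME_FILE: /run/secrets/foundry_username`). The new NOTE covers config file versus environment variable, but nothing says which value wins when both `FOUNDRY_USERNAME` and `FOUNDRY_USERNAME_FILE` are set; a sentence on that precedence belongs here. Minor: "can be used instead, this can be more useful" is a comma splice, and there is a doubled blank line before `## Updating your container ##`.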
50 changes: 50 additions & 0 deletions src/entrypoint.sh
Expand Up @@ -144,6 +144,56 @@ if [[ ${image_version%.*} != "${FOUNDRY_VERSION}" ]]; then
log_warn "The container may not function properly with this version mismatch."
fi

# Check if running docker secrets
if [[ "${FOUNDRY_ADMIN_KEY_FILE:-}" ]]; then
if [ -f "${FOUNDRY_ADMIN_KEY_FILE}" ]; then
log_debug "Loading FOUNDRY_ADMIN_KEY from file"
FOUNDRY_ADMIN_KEY="$(<${FOUNDRY_ADMIN_KEY_FILE})"
else
log_warn "Trying to load FOUNDRY_ADMIN_KEY from file but it does not exist"
fi
fi
if [[ "${FOUNDRY_LICENSE_KEY_FILE:-}" ]]; then
if [ -f "${FOUNDRY_LICENSE_KEY_FILE}" ]; then
log_debug "Loading FOUNDRY_LICENSE_KEY from file"
FOUNDRY_LICENSE_KEY="$(<${FOUNDRY_LICENSE_KEY_FILE})"
else
log_warn "Trying to load FOUNDRY_LICENSE_KEY from file but it does not exist"
fi
fi
if [[ "${FOUNDRY_PASSWORD_FILE:-}" ]]; then
if [ -f "${FOUNDRY_PASSWORD_FILE}" ]; then
log_debug "Loading FOUNDRY_PASSWORD from file"
FOUNDRY_PASSWORD="$(<${FOUNDRY_PASSWORD_FILE})"
else
log_warn "Trying to load FOUNDRY_PASSWORD from file but it does not exist"
fi
fi
if [[ "${FOUNDRY_PASSWORD_SALT_FILE:-}" ]]; then
if [ -f "${FOUNDRY_PASSWORD_SALT_FILE}" ]; then
log_debug "Loading FOUNDRY_PASSWORD_SALT from file"
FOUNDRY_PASSWORD_SALT="$(<${FOUNDRY_PASSWORD_SALT_FILE})"
else
log_warn "Trying to load FOUNDRY_PASSWORD_SALT from file but it does not exist"
fi
fi
if [[ "${FOUNDRY_SERVICE_KEY_FILE:-}" ]]; then
if [ -f "${FOUNDRY_SERVICE_KEY_FILE}" ]; then
log_debug "Loading FOUNDRY_SERVICE_KEY from file"
FOUNDRY_SERVICE_KEY="$(<${FOUNDRY_SERVICE_KEY_FILE})"
else
log_warn "Trying to load FOUNDRY_SERVICE_KEY from file but it does not exist"
fi
fi
if [[ "${FOUNDRY_USERNAME_FILE:-}" ]]; then
if [ -f "${FOUNDRY_USERNAME_FILE}" ]; then
log_debug "Loading FOUNDRY_USERNAME from file"
FOUNDRY_USERNAME="$(<${FOUNDRY_USERNAME_FILE})"
else
log_warn "Trying to load FOUNDRY_USERNAME from file but it does not exist"
fi
fi

# Check for raft secrets
if [ -f "${secret_file}" ]; then
log "Reading configured secrets from: ${secret_file}"
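Review bot: The path inside each `$(<${FOUNDRY_ADMIN_KEY_FILE})` is unquoted, so a secret path containing whitespace fails as an ambiguous redirect even though the quoted `[ -f "${FOUNDRY_ADMIN_KEY_FILE}" ]` test on the line above just passed; write `$(<"${FOUNDRY_ADMIN_KEY_FILE}")` in all six blocks. When the file is missing the script only warns and carries on with whatever the plain variable held, and when both the plain variable and its `_FILE` counterpart are set the file silently overwrites the other; either make those cases an error or document the behaviour. The six blocks differ only in the variable name, so a loop over the names using indirect expansion (`${!file_var}`) and `printf -v` would remove the duplication and keep future additions consistent. The comment "Check if running docker secrets" does not describe what the code does; it loads values from `*_FILE` variables regardless of how the file got there.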