fritzbox-cloudflare-dyndns
Feature request: Read secrets from files
I'm deploying this service on NixOS as a systemd unit and I manage secrets using sops. A common practice in this space is for applications to read the location of a file containing a secret from the system environment, instead of reading the secret itself from the environment.
For this reason I'd like to be able to configure a DYNDNS_SERVER_PASSWORD_FILE environment variable that contains the path to a file with the password. The application should inspect this variable in case DYNDNS_SERVER_PASSWORD is not set and try to read the password from the file specified that way. Same for CLOUDFLARE_API_TOKEN: the application should try to read the token from a file specified via CLOUDFLARE_API_TOKEN_FILE in case CLOUDFLARE_API_TOKEN is not set.
If this is something the maintainers would be willing to include, I'd like to give implementing this a try.
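The lookup order described in the request above (direct variable first, `*_FILE` variable as the fallback), as an added example in Go; this is illustrative code written for this page, not the project's own implementation, and the function names `resolveSecret`, `secretFileTooOpen` and `readSecret` are assumptions. It also handles the two things that bite in practice: secret files written by sops, `echo` or Docker/Kubernetes secret mounts usually end in a newline, and a secret file that is readable by other users defeats the purpose of keeping it out of the environment.

```go
package main

import (
	"fmt"
	"os"
	"strings"
)

// resolveSecret is a hypothetical helper (not the project's code). It resolves
// the secret NAME by checking the NAME variable first and, only if that is
// unset or empty, reading the file named by NAME_FILE. lookup and readFile are
// injected so the logic can be exercised without touching the real environment.
func resolveSecret(name string, lookup func(string) (string, bool), readFile func(string) ([]byte, error)) (string, error) {
	if v, ok := lookup(name); ok && v != "" {
		return v, nil // direct value wins; the *_FILE variable is not consulted
	}
	fileVar := name + "_FILE"
	path, ok := lookup(fileVar)
	if !ok || path == "" {
		return "", fmt.Errorf("%s: neither %s nor %s is set", name, name, fileVar)
	}
	raw, err := readFile(path)
	if err != nil {
		return "", fmt.Errorf("%s: read %s=%q: %w", name, fileVar, path, err)
	}
	// Strip only line terminators, not all whitespace, so a password that
	// legitimately ends in a space survives while the usual trailing "\n" does not.
	secret := strings.TrimRight(string(raw), "\r\n")
	if secret == "" {
		return "", fmt.Errorf("%s: file %q named by %s is empty", name, path, fileVar)
	}
	return secret, nil
}

// secretFileTooOpen reports whether the secret file grants any group/other
// permission bits; a secret file should normally be mode 0400 or 0600.
func secretFileTooOpen(path string) (bool, error) {
	info, err := os.Stat(path)
	if err != nil {
		return false, err
	}
	return info.Mode().Perm()&0o077 != 0, nil
}

// readSecret is the os-backed entry point a service would call at startup.
// It warns about overly permissive secret files before reading them.
func readSecret(name string) (string, error) {
	if v, ok := os.LookupEnv(name); !ok || v == "" {
		if path, ok := os.LookupEnv(name + "_FILE"); ok && path != "" {
			if tooOpen, err := secretFileTooOpen(path); err == nil && tooOpen {
				fmt.Fprintf(os.Stderr, "warning: %s=%q is readable by group/other\n", name+"_FILE", path)
			}
		}
	}
	return resolveSecret(name, os.LookupEnv, os.ReadFile)
}

func main() {
	// The two secrets named in the feature request.
	for _, name := range []string{"DYNDNS_SERVER_PASSWORD", "CLOUDFLARE_API_TOKEN"} {
		s, err := readSecret(name)
		if err != nil {
			fmt.Fprintln(os.Stderr, err)
			os.Exit(1)
		}
		fmt.Printf("%s: loaded %d bytes\n", name, len(s))
	}
}
```

With Docker secrets the file variable would typically point at `/run/secrets/<name>`; with sops-nix on NixOS it points at the path sops-nix renders the decrypted secret to. Because the direct variable takes precedence, an operator who sets both gets the environment value, which is the order the request asks for.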
Would be good for Docker as well, as then you can use Docker & Kubernetes secrets.
Okay, I'll look into it!
Just to chime in: It adds additional security risks of secrets being included in system backups and the like (like actual .env files instead of native environment variables). Docker already comes with docker secret and the respective secret management.
Could this be something a simple $(cat whatever) could do beforehand?
> Docker already comes with docker secret and the respective secret management.
Which requires you to read the secret from a file (Kubernetes as well), which is exactly why more and more apps support reading secrets from files. In the end it's just an option as well, so you don't need to do it this way.
A big issue with environment variables in docker though is that they are just floating around in the container metadata, making it easy to accidentally leak somewhere.
I'm working on adding it here. Just need to test this before creating the PR.