
Add support for docker compose secrets

Open simonrolfmore opened this issue 11 months ago • 0 comments

This PR fixes #429.

Docker Compose supports secrets through mounting files in /run/secrets with appropriate permissions.

This is safer than passing them on the command line or directly through environment variables as it avoids the risk of the values showing up in execution history or logs.

Some other docker containers such as MySQL support this through the use of an environment variable with _FILE appended, allowing for the variable to be set from a file rather than directly.

I have copied the same logic from the MySQL docker-entrypoint.sh, instead choosing to append _file as it fits Ghost's config variables better.

I have tested this with my own setup by swapping out the docker-entrypoint.sh file in docker compose, and selected the following variables for _file support:

  • database__connection__host
  • database__connection__user
  • database__connection__password
  • database__connection__database
  • mail__auth__user
  • mail__auth__pass

I hope this is useful to someone else, and I don't believe it adds unnecessary complexity to the containers, or removes any existing functionality.

simonrolfmore, Feb 08 '25 18:02
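The `_file` handling described in the pull request above, sketched in POSIX shell as an added example; it is not the PR's code or the MySQL entrypoint's. The function names `file_env` and `resolve_ghost_secrets`, the `fe_` scratch variables, and the choice to reject a variable that is set both directly and through `_file` are assumptions of this example.

```shell
#!/bin/sh
# file_env NAME: export NAME from the file named by NAME_file, if that is set.
# Refuses to continue when both are set, so each value has a single source.
file_env() {
    fe_name=$1
    # The name is expanded through eval below, so accept plain identifiers only.
    case $fe_name in
        ''|[0-9]*|*[!A-Za-z0-9_]*)
            echo "file_env: invalid variable name" >&2; return 2 ;;
    esac
    eval "fe_direct=\${$fe_name:-}"
    eval "fe_path=\${${fe_name}_file:-}"
    if [ -n "$fe_direct" ] && [ -n "$fe_path" ]; then
        echo "file_env: both $fe_name and ${fe_name}_file are set" >&2
        return 1
    fi
    if [ -n "$fe_path" ]; then
        if [ ! -r "$fe_path" ]; then
            echo "file_env: cannot read $fe_path" >&2
            return 1
        fi
        # $(...) drops the trailing newline most editors add to the file.
        fe_value=$(cat "$fe_path")
        export "$fe_name=$fe_value"
    fi
    # Keep the file path and the scratch copies out of the application's view.
    unset "${fe_name}_file" fe_value fe_direct fe_path
}

# The six variables listed in the pull request description.
resolve_ghost_secrets() {
    for fe_var in database__connection__host database__connection__user \
                  database__connection__password database__connection__database \
                  mail__auth__user mail__auth__pass; do
        file_env "$fe_var" || return 1
    done
}

# An entrypoint would call: resolve_ghost_secrets || exit 1, then exec "$@".
```

Error messages name the variable and the file path only, never the value read from the file.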