Allow specifying environment variables as file paths

[bmaximuml]

For self-hosted configuration with docker, configuration is provided with environment variables. It would be nice to be able to use docker secrets in order to protect sensitive values, such as ADMIN_USER_PWD, SECRET_KEY_BASE, DATABASE_URL, etc.

The simplest way to achieve this would be to introduce corresponding variables suffixed with _FILE. e.g. ADMIN_USER_PWD_FILE, SECRET_KEY_BASE_FILE, DATABASE_URL_FILE, etc. These variables should take precedence over the existing ones, and would allow docker secrets to be used as shown below. I've copied this from the example here but have only shown the plausible service for brevity:

services:
  plausible:
    image: plausible/analytics:latest
    restart: always
    command: sh -c "sleep 10 && /entrypoint.sh db createdb && /entrypoint.sh db migrate && /entrypoint.sh db init-admin && /entrypoint.sh run"
    depends_on:
      - plausible_db
      - plausible_events_db
      - mail
    ports:
      - 8000:8000
    environment:
      - ADMIN_USER_EMAIL=replace-me
      - ADMIN_USER_NAME=replace-me
      - ADMIN_USER_PWD_FILE=/run/secrets/plausible_admin_pwd
      - BASE_URL=replace-me
      - SECRET_KEY_BASE_FILE=/run/secrets/plausible_secret_key
    secrets:
      - plausible_admin_pwd
      - plausible_secret_key

secrets:
  plausible_admin_pwd:
    file: /secrets/plausible_admin_pwd
  plausible_secret_key:
    file: /secrets/plausible_secret_key

[ukutaht]

It's already supported, probably not just documented. There's a CONFIG_DIR config option which defaults to /run/secrets

[ukutaht]

I haven't tried it in a long time so can't give specifics at the moment

[ruslandoga]

👋 @bmaximuml

Self-hosted docs are in the process of being moved to https://github.com/plausible/community-edition

I referenced your issue in https://github.com/plausible/community-edition/issues/97

Sorry for a late reply!