tale
Can't configure server.cookie_secret via ENV
Description
Hi :)
I can't configure the config for server.cookie_secret via ENV variable. By using HEADPLANE_SERVER__COOKIE_SECRET I thought it would use that value according the docs https://github.com/tale/headplane/blob/main/docs/Configuration.md#environment-variables
headscale part of the compose.yaml:
headplane:
container_name: headplane
image: ghcr.io/tale/headplane:latest
restart: unless-stopped
volumes:
- "./data:/var/lib/headscale"
- "./configs/headscale:/etc/headscale"
- "./configs/headplane:/etc/headplane"
- "/var/run/docker.sock:/var/run/docker.sock:ro"
environment:
HEADPLANE_LOAD_ENV_OVERRIDES: true
HEADPLANE_DEBUG_LOG: true
HEADPLANE_SERVER__COOKIE_SECRET: ${HEADPLANE_COOKIE_SECRET}
HEADSCALE_PUBLIC_URL: ${HEADSCALE_SERVER_URL}
# This is always required for Headplane to work
COOKIE_SECRET: ${HEADPLANE_COOKIE_SECRET}
HEADSCALE_INTEGRATION: "docker"
HEADSCALE_CONTAINER: "headscale"
DISABLE_API_KEY_LOGIN: "false"
HOST: "0.0.0.0"
PORT: "3000"
# Only set this to false if you aren't behind a reverse proxy
COOKIE_SECURE: "true"
.env-file:
HEADPLANE_COOKIE_SECRET=asdf
HEADSCALE_SERVER_URL=https://example.com
HEADSCALE_DOMAIN=example.com
and the config.yaml:
# Configuration for the Headplane server and web application
server:
host: "0.0.0.0"
port: 3000
# The secret used to encode and decode web sessions
# Ensure that this is exactly 32 characters long
# Should be overridden by the env variable
# cookie_secret: ${HEADPLANE_COOKIE_SECERT}
# cookie_secret_path: /etc/headplane/cookie_secret
# Should the cookies only work over HTTPS?
# Set to false if running via HTTP without a proxy
# (I recommend this is true in production)
cookie_secure: true
and the error message:
headplane | 2025-10-13T21:19:53.698Z [server] INFO: Running Node.js 22.20.0
headplane | 2025-10-13T21:19:53.717Z [config] INFO: Found a valid configuration file at /etc/headplane/config.yaml
headplane | 2025-10-13T21:19:53.737Z [config] ERROR: - (0): server must be Either "cookie_secret" or "cookie_secret_path" must be provided for cookie_secret. (was {"host":"0.0.0.0","port":3000,"cookie_secure":true,"data_path":"/var/lib/headplane/"})
headplane | file:///app/build/server/assets/loader-CU58LTK4.js:281
headplane | throw new ConfigError(errorMessages.join("\n"));
headplane | ^
headplane |
headplane | ConfigError: server must be Either "cookie_secret" or "cookie_secret_path" must be provided for cookie_secret. (was {"host":"0.0.0.0","port":3000,"cookie_secure":true,"data_path":"/var/lib/headplane/"})
headplane | at validateConfig (file:///app/build/server/assets/loader-CU58LTK4.js:281:9)
headplane | at loadConfig (file:///app/build/server/assets/loader-CU58LTK4.js:186:15)
headplane | at async file:///app/build/server/index.js:15:16
headplane |
headplane | Node.js v22.20.0
headplane exited with code 1
Also setting the value in the config to server.cookie_secret: ${HEADPLANE_COOKIE_SECRET} won't work. It doesn't seem to be interpolated.
Headplane Version
v0.6.1
Headscale Version
v0.26.1
Variables are interpolated when using the _path variants only. This does seem like a bug and I will investigate but please just mount it into a secrets file using docker secrets for now and run that way. Thank you for raising this.
