From 107e2ac90043138ea8aa09aadd92f4af355289c0 Mon Sep 17 00:00:00 2001
From: Lauri Ojansivu
Date: Fri, 10 Oct 2025 23:46:48 +0300
Subject: [PATCH] Add support for Docker/Compose Secrets for passwords to Docker/Snap/Bundle platforms. Thanks to Roemer and xet7 ! Fixes #5724
---
 Dockerfile | 7 +++-
 Dockerfile.arm64v8 | 7 +++-
 Dockerfile.s390x | 7 +++-
 docker-compose.yml | 31 +++++++++++++++++
 docker-compose.yml-arm64 | 31 +++++++++++++++++
 secrets/README.md | 57 +++++++++++++++++++++++++++++++
 secrets/ldap_auth_password.txt | 1 +
 secrets/mail_service_password.txt | 1 +
 secrets/mongo_password.txt | 1 +
 secrets/oauth2_secret.txt | 1 +
 secrets/s3_secret.txt | 1 +
 snap-src/bin/config | 23 ++++++++++++-
 snap-src/bin/wekan-help | 17 +++++++++
 stacksmith/user-scripts/boot.sh | 23 +++++++++++++
 start-wekan.bat | 15 ++++++++
 start-wekan.sh | 15 ++++++++
 16 files changed, 234 insertions(+), 4 deletions(-)
 create mode 100644 secrets/README.md
 create mode 100644 secrets/ldap_auth_password.txt
 create mode 100644 secrets/mail_service_password.txt
 create mode 100644 secrets/mongo_password.txt
 create mode 100644 secrets/oauth2_secret.txt
 create mode 100644 secrets/s3_secret.txt
diff --git a/Dockerfile b/Dockerfile
index 4db358d0b..ff6ba5027 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -66,6 +66,7 @@ ENV \
  OAUTH2_LOGIN_STYLE=redirect \
  OAUTH2_CLIENT_ID="" \
  OAUTH2_SECRET="" \
+ OAUTH2_SECRET_FILE="" \
  OAUTH2_SERVER_URL="" \
  OAUTH2_AUTH_ENDPOINT="" \
  OAUTH2_USERINFO_ENDPOINT="" \
@@ -91,6 +92,7 @@ ENV \
  LDAP_AUTHENTIFICATION=false \
  LDAP_AUTHENTIFICATION_USERDN="" \
  LDAP_AUTHENTIFICATION_PASSWORD="" \
+ LDAP_AUTHENTIFICATION_PASSWORD_FILE="" \
  LDAP_LOG_ENABLED=false \
  LDAP_BACKGROUND_SYNC=false \
  LDAP_BACKGROUND_SYNC_INTERVAL="" \
@@ -156,7 +158,10 @@ ENV \
  ORACLE_OIM_ENABLED=false \
  WAIT_SPINNER="" \
  WRITABLE_PATH=/data \
- S3=""
+ S3="" \
+ MAIL_SERVICE_PASSWORD_FILE="" \
+ MONGO_PASSWORD_FILE="" \
+ S3_SECRET_FILE=""
 # NODE_OPTIONS="--max_old_space_size=4096"
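Review bot: The new `*_FILE` defaults in the ENV block say nothing about what happens when both the plain variable and its `_FILE` variant are set, e.g. `OAUTH2_SECRET` and `OAUTH2_SECRET_FILE`, and the diffstat at the top lists no application source, so the precedence is decided by code outside this patch. A short comment on the ENV block would save operators from guessing, e.g. `# *_FILE variants name a file inside the container (typically /run/secrets/<name>) whose content is used as the secret; set either the plain variable or its _FILE variant, not both`. If the server does not in fact read the `_FILE` variables, these defaults are inert and the comment should instead say where the resolution happens. The ENV instruction that these lines belong to starts before the hunk.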
diff --git a/Dockerfile.arm64v8 b/Dockerfile.arm64v8
index c19a5c23d..06a0bb2e1 100644
--- a/Dockerfile.arm64v8
+++ b/Dockerfile.arm64v8
@@ -53,7 +53,12 @@ ENV QEMU_ARCHITECTURE=aarch64 \
  WITH_API=true \
  PORT=8080 \
  ROOT_URL=http://localhost \
- MONGO_URL=mongodb://127.0.0.1:27017/wekan
+ MONGO_URL=mongodb://127.0.0.1:27017/wekan \
+ LDAP_AUTHENTIFICATION_PASSWORD_FILE="" \
+ OAUTH2_SECRET_FILE="" \
+ MAIL_SERVICE_PASSWORD_FILE="" \
+ MONGO_PASSWORD_FILE="" \
+ S3_SECRET_FILE=""
 # Copy qemu-static to image
 COPY --from=builder qemu-${QEMU_ARCHITECTURE}-static /usr/bin
diff --git a/Dockerfile.s390x b/Dockerfile.s390x
index 6229bba87..5c44ff6ce 100644
--- a/Dockerfile.s390x
+++ b/Dockerfile.s390x
@@ -56,7 +56,12 @@ ENV QEMU_ARCHITECTURE=s390x \
  WITH_API=true \
  PORT=8080 \
  ROOT_URL=http://localhost \
- MONGO_URL=mongodb://127.0.0.1:27017/wekan
+ MONGO_URL=mongodb://127.0.0.1:27017/wekan \
+ LDAP_AUTHENTIFICATION_PASSWORD_FILE="" \
+ OAUTH2_SECRET_FILE="" \
+ MAIL_SERVICE_PASSWORD_FILE="" \
+ MONGO_PASSWORD_FILE="" \
+ S3_SECRET_FILE=""
 # Copy qemu-static to image
 COPY --from=builder qemu-${QEMU_ARCHITECTURE}-static /usr/bin
diff --git a/docker-compose.yml b/docker-compose.yml
index 9c198186c..8c9f44b6b 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -163,9 +163,12 @@ services:
 # ap-southeast-1,ap-northeast-1,sa-east-1
 #
 #- S3='{"s3":{"key": "xxx", "secret": "xxx", "bucket": "xxx", "region": "xxx"}}'
+#- S3_SECRET_FILE=/run/secrets/s3_secret
 #-----------------------------------------------------------------
 # ==== MONGO_URL ====
 - MONGO_URL=mongodb://wekandb:27017/wekan
+#- MONGO_URL=mongodb://username:password@wekandb:27017/wekan
+#- MONGO_PASSWORD_FILE=/run/secrets/mongo_password
 #---------------------------------------------------------------
 # ==== ROOT_URL SETTING ====
 # Change ROOT_URL to your real Wekan URL, for example:
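Review bot: The example `#- MONGO_URL=mongodb://username:password@wekandb:27017/wekan` placed directly above `#- MONGO_PASSWORD_FILE=/run/secrets/mongo_password` leaves it unclear whether the file replaces the `password` part of the URI or supplements a URI that carries none, and in either case a password spliced into the userinfo part must be percent-encoded: a value containing `@`, `:`, `/`, `?`, `#` or `%` breaks URI parsing, as does a trailing newline left behind by `echo`. Suggest two comment lines above the new option: `# MONGO_PASSWORD_FILE: file whose content is used as the MongoDB password; leave the password out of MONGO_URL when using it.` and `# Percent-encode reserved characters (@ : / ? # %) and write the file without a trailing newline.` How the file's content is combined with MONGO_URL is not visible in this patch, so confirm it against the server-side code before settling the wording.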
@@ -194,6 +197,7 @@ services: #- MAIL_SERVICE=Outlook365 #- MAIL_SERVICE_USER=firstname.lastname@hotmail.com #- MAIL_SERVICE_PASSWORD=SecretPassword + #- MAIL_SERVICE_PASSWORD_FILE=/run/secrets/mail_service_password #--------------------------------------------------------------- # https://github.com/wekan/wekan/issues/3585#issuecomment-1021522132 # Add more Node heap, this is done by default at Dockerfile: @@ -397,6 +401,7 @@ services: #- OAUTH2_CLIENT_ID=xxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx # Secret key generated during app registration: #- OAUTH2_SECRET=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx + #- OAUTH2_SECRET_FILE=/run/secrets/oauth2_secret #- OAUTH2_SERVER_URL=https://login.microsoftonline.com/ #- OAUTH2_AUTH_ENDPOINT=/oauth2/v2.0/authorize #- OAUTH2_USERINFO_ENDPOINT=https://graph.microsoft.com/oidc/userinfo @@ -423,6 +428,7 @@ services: #- OAUTH2_CLIENT_ID=xxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx # Secret key generated during app registration: #- OAUTH2_SECRET=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx + #- OAUTH2_SECRET_FILE=/run/secrets/oauth2_secret #- OAUTH2_SERVER_URL=https://your-nextcloud.tld #- OAUTH2_AUTH_ENDPOINT=/index.php/apps/oauth2/authorize #- OAUTH2_USERINFO_ENDPOINT=/ocs/v2.php/cloud/user?format=json @@ -447,6 +453,7 @@ services: #- OAUTH2_USERINFO_ENDPOINT=/realms//protocol/openid-connect/userinfo #- OAUTH2_TOKEN_ENDPOINT=/realms//protocol/openid-connect/token #- OAUTH2_SECRET= + #- OAUTH2_SECRET_FILE=/run/secrets/oauth2_secret #- OAUTH2_ID_MAP=sub #- OAUTH2_USERNAME_MAP=preferred_username #- OAUTH2_EMAIL_MAP=email @@ -464,6 +471,7 @@ services: #- OAUTH2_CLIENT_ID=abcde12345 # OAuth2 Secret. #- OAUTH2_SECRET=54321abcde + #- OAUTH2_SECRET_FILE=/run/secrets/oauth2_secret # OAuth2 Server URL. #- OAUTH2_SERVER_URL=https://chat.example.com # OAuth2 Authorization Endpoint. 
@@ -570,6 +578,7 @@ services: # # The password for the search user #- LDAP_AUTHENTIFICATION_PASSWORD=pwd + #- LDAP_AUTHENTIFICATION_PASSWORD_FILE=/run/secrets/ldap_auth_password # # Enable logs for the module #- LDAP_LOG_ENABLED=true @@ -725,6 +734,12 @@ services: volumes: - /etc/localtime:/etc/localtime:ro - wekan-files:/data:rw + secrets: + - ldap_auth_password + - oauth2_secret + - mail_service_password + - mongo_password + - s3_secret #--------------------------------------------------------------------------------- # ==== OPTIONAL: SHARE DATABASE TO OFFICE LAN AND REMOTE VPN ==== @@ -786,3 +801,19 @@ volumes: networks: wekan-tier: driver: bridge + +# Docker Compose Secrets +# Create secret files on the host system before running docker-compose up +# Example: echo "your_password_here" > ldap_auth_password.txt +# Then use: docker-compose up -d +secrets: + ldap_auth_password: + file: ./secrets/ldap_auth_password.txt + oauth2_secret: + file: ./secrets/oauth2_secret.txt + mail_service_password: + file: ./secrets/mail_service_password.txt + mongo_password: + file: ./secrets/mongo_password.txt + s3_secret: + file: ./secrets/s3_secret.txt diff --git a/docker-compose.yml-arm64 b/docker-compose.yml-arm64 index ab0ae56d9..a57668403 100644 --- a/docker-compose.yml-arm64 +++ b/docker-compose.yml-arm64 @@ -167,9 +167,12 @@ services: # ap-southeast-1,ap-northeast-1,sa-east-1 # #- S3='{"s3":{"key": "xxx", "secret": "xxx", "bucket": "xxx", "region": "xxx"}}' + #- S3_SECRET_FILE=/run/secrets/s3_secret #----------------------------------------------------------------- # ==== MONGO_URL ==== - MONGO_URL=mongodb://wekandb:27017/wekan + #- MONGO_URL=mongodb://username:password@wekandb:27017/wekan + #- MONGO_PASSWORD_FILE=/run/secrets/mongo_password #--------------------------------------------------------------- # ==== ROOT_URL SETTING ==== # Change ROOT_URL to your real Wekan URL, for example: 
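Review bot: The example `echo "your_password_here" > ldap_auth_password.txt` in the new comment block writes to the current directory while the `file:` entries below point at `./secrets/`, appends a newline that becomes part of the secret unless the consumer strips it, and leaves the password in shell history. Suggest `# Example: printf '%s' 'your_password_here' > secrets/ldap_auth_password.txt; chmod 600 secrets/ldap_auth_password.txt`, plus a sentence recommending an editor or `read -rs` so the value never appears on a command line. Note also that the service-level `secrets:` list added in the preceding hunk is not commented out, so `docker-compose up` now requires all five files to exist even for deployments that use none of these secrets; the placeholder files shipped in this patch satisfy that, but the comment should say so rather than instruct the reader to "create" files that already exist.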
@@ -198,6 +201,7 @@ services: #- MAIL_SERVICE=Outlook365 #- MAIL_SERVICE_USER=firstname.lastname@hotmail.com #- MAIL_SERVICE_PASSWORD=SecretPassword + #- MAIL_SERVICE_PASSWORD_FILE=/run/secrets/mail_service_password #--------------------------------------------------------------- # https://github.com/wekan/wekan/issues/3585#issuecomment-1021522132 # Add more Node heap, this is done by default at Dockerfile: @@ -399,6 +403,7 @@ services: #- OAUTH2_CLIENT_ID=xxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx # Secret key generated during app registration: #- OAUTH2_SECRET=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx + #- OAUTH2_SECRET_FILE=/run/secrets/oauth2_secret #- OAUTH2_SERVER_URL=https://login.microsoftonline.com/ #- OAUTH2_AUTH_ENDPOINT=/oauth2/v2.0/authorize #- OAUTH2_USERINFO_ENDPOINT=https://graph.microsoft.com/oidc/userinfo @@ -425,6 +430,7 @@ services: #- OAUTH2_CLIENT_ID=xxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx # Secret key generated during app registration: #- OAUTH2_SECRET=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx + #- OAUTH2_SECRET_FILE=/run/secrets/oauth2_secret #- OAUTH2_SERVER_URL=https://your-nextcloud.tld #- OAUTH2_AUTH_ENDPOINT=/index.php/apps/oauth2/authorize #- OAUTH2_USERINFO_ENDPOINT=/ocs/v2.php/cloud/user?format=json @@ -449,6 +455,7 @@ services: #- OAUTH2_USERINFO_ENDPOINT=/realms//protocol/openid-connect/userinfo #- OAUTH2_TOKEN_ENDPOINT=/realms//protocol/openid-connect/token #- OAUTH2_SECRET= + #- OAUTH2_SECRET_FILE=/run/secrets/oauth2_secret #----------------------------------------------------------------- # ==== OAUTH2 DOORKEEPER ==== # https://github.com/wekan/wekan/issues/1874 @@ -462,6 +469,7 @@ services: #- OAUTH2_CLIENT_ID=abcde12345 # OAuth2 Secret. #- OAUTH2_SECRET=54321abcde + #- OAUTH2_SECRET_FILE=/run/secrets/oauth2_secret # OAuth2 Server URL. #- OAUTH2_SERVER_URL=https://chat.example.com # OAuth2 Authorization Endpoint. 
@@ -568,6 +576,7 @@ services: # # The password for the search user #- LDAP_AUTHENTIFICATION_PASSWORD=pwd + #- LDAP_AUTHENTIFICATION_PASSWORD_FILE=/run/secrets/ldap_auth_password # # Enable logs for the module #- LDAP_LOG_ENABLED=true @@ -723,6 +732,12 @@ services: volumes: - /etc/localtime:/etc/localtime:ro - wekan-files:/data:rw + secrets: + - ldap_auth_password + - oauth2_secret + - mail_service_password + - mongo_password + - s3_secret #--------------------------------------------------------------------------------- # ==== OPTIONAL: SHARE DATABASE TO OFFICE LAN AND REMOTE VPN ==== @@ -784,3 +799,19 @@ volumes: networks: wekan-tier: driver: bridge + +# Docker Compose Secrets +# Create secret files on the host system before running docker-compose up +# Example: echo "your_password_here" > ldap_auth_password.txt +# Then use: docker-compose up -d +secrets: + ldap_auth_password: + file: ./secrets/ldap_auth_password.txt + oauth2_secret: + file: ./secrets/oauth2_secret.txt + mail_service_password: + file: ./secrets/mail_service_password.txt + mongo_password: + file: ./secrets/mongo_password.txt + s3_secret: + file: ./secrets/s3_secret.txt diff --git a/secrets/README.md b/secrets/README.md new file mode 100644 index 000000000..9fbca0dd1 --- /dev/null +++ b/secrets/README.md 
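Review bot: File-based Compose secrets outside Swarm are bind-mounted from the host into `/run/secrets/`, so the host file's owner and mode apply inside the container; combined with the `chmod 600` advice given for these files elsewhere in the patch, a root-owned 0600 file is unreadable if the wekan process runs as a non-root user, and the secret silently reads as empty. Either `chown` the files to the UID the container runs as, or use the long syntax in the service's `secrets:` list, e.g. `- source: ldap_auth_password`, `  uid: "<container uid>"`, `  mode: 0400`, where the Compose version in use honours it. Which user the image runs as is not visible in this patch, so check the image's `USER` line before choosing; a one-line comment above this top-level `secrets:` mapping stating the expected ownership would prevent the most common failure.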
@@ -0,0 +1,57 @@ +# Wekan Docker Compose Secrets + +This directory contains example secret files for Wekan Docker Compose deployment. These files should be used instead of environment variables for better security and GitOps compatibility. + +## Secret Files + +- `ldap_auth_password.txt` - LDAP authentication password +- `oauth2_secret.txt` - OAuth2 secret key +- `mail_service_password.txt` - Mail service password +- `mongo_password.txt` - MongoDB password +- `s3_secret.txt` - S3 configuration (JSON format) + +## Usage + +1. Copy the example files and replace the placeholder values with your actual secrets +2. Update your `docker-compose.yml` to use the `_FILE` environment variables +3. Ensure the secret files are properly secured with appropriate file permissions + +## Security Notes + +- Never commit actual secret values to version control +- Set appropriate file permissions (e.g., `chmod 600 secrets/*.txt`) +- Consider using a secrets management system in production +- The secret files are mounted as read-only in the container + +## Docker Compose Configuration + +Example configuration in `docker-compose.yml`: + +```yaml +services: + wekan: + environment: + - LDAP_AUTHENTIFICATION_PASSWORD_FILE=/run/secrets/ldap_auth_password + - OAUTH2_SECRET_FILE=/run/secrets/oauth2_secret + - MAIL_SERVICE_PASSWORD_FILE=/run/secrets/mail_service_password + - MONGO_PASSWORD_FILE=/run/secrets/mongo_password + - S3_SECRET_FILE=/run/secrets/s3_secret + secrets: + - ldap_auth_password + - oauth2_secret + - mail_service_password + - mongo_password + - s3_secret + +secrets: + ldap_auth_password: + file: ./secrets/ldap_auth_password.txt + oauth2_secret: + file: ./secrets/oauth2_secret.txt + mail_service_password: + file: ./secrets/mail_service_password.txt + mongo_password: + file: ./secrets/mongo_password.txt + s3_secret: + file: ./secrets/s3_secret.txt +``` diff --git a/secrets/ldap_auth_password.txt b/secrets/ldap_auth_password.txt new file mode 100644 index 000000000..ae00a7584 
--- /dev/null
+++ b/secrets/ldap_auth_password.txt
@@ -0,0 +1 @@
+your_ldap_password_here
diff --git a/secrets/mail_service_password.txt b/secrets/mail_service_password.txt
new file mode 100644
index 000000000..a28e44a56
--- /dev/null
+++ b/secrets/mail_service_password.txt
@@ -0,0 +1 @@
+your_mail_service_password_here
diff --git a/secrets/mongo_password.txt b/secrets/mongo_password.txt
new file mode 100644
index 000000000..a2fc63d78
--- /dev/null
+++ b/secrets/mongo_password.txt
@@ -0,0 +1 @@
+your_mongo_password_here
diff --git a/secrets/oauth2_secret.txt b/secrets/oauth2_secret.txt
new file mode 100644
index 000000000..ec2180bdb
--- /dev/null
+++ b/secrets/oauth2_secret.txt
@@ -0,0 +1 @@
+your_oauth2_secret_here
diff --git a/secrets/s3_secret.txt b/secrets/s3_secret.txt
new file mode 100644
index 000000000..2b8a5d1e3
--- /dev/null
+++ b/secrets/s3_secret.txt
@@ -0,0 +1 @@
+{"s3":{"key": "your_s3_key_here", "secret": "your_s3_secret_here", "bucket": "your_s3_bucket_here", "region": "eu-west-1"}}
diff --git a/snap-src/bin/config b/snap-src/bin/config
index 3265f3aa0..f79a82fea 100755
--- a/snap-src/bin/config
+++ b/snap-src/bin/config
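Review bot: Committing `secrets/*.txt` with placeholder content makes these five files tracked, so following the accompanying instruction to "replace the placeholder values" in place turns the real password into a pending modification that `git add -A` or `git commit -a` will pick up, and the "never commit actual secret values" warning cannot prevent that. Ship them as `ldap_auth_password.txt.example` (and likewise for the other four) while keeping the Compose `file:` entries pointed at the `.txt` names, and add `secrets/*.txt` to `.gitignore` so the real files are never tracked; a `secrets/.gitignore` with `*.txt` and `!*.txt.example` keeps the rule next to the files. The Compose files in this patch reference the `.txt` names unconditionally, so with this change they would need a setup step (copy the examples) before `docker-compose up` succeeds, which is worth stating in the README.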
@@ -3,7 +3,7 @@ # All supported keys are defined here together with descriptions and default values # list of supported keys -keys="DEBUG S3 MONGO_LOG_DESTINATION MONGO_URL MONGODB_BIND_UNIX_SOCKET MONGO_URL MONGODB_BIND_IP MONGODB_PORT MAIL_URL MAIL_FROM MAIL_SERVICE MAIL_SERVICE_USER MAIL_SERVICE_PASSWORD ROOT_URL PORT DISABLE_MONGODB CADDY_ENABLED CADDY_BIND_PORT WITH_API RICHER_CARD_COMMENT_EDITOR CARD_OPENED_WEBHOOK_ENABLED ACCOUNTS_LOCKOUT_KNOWN_USERS_FAILURES_BEFORE ACCOUNTS_LOCKOUT_KNOWN_USERS_PERIOD ACCOUNTS_LOCKOUT_KNOWN_USERS_FAILURE_WINDOW ACCOUNTS_LOCKOUT_UNKNOWN_USERS_FAILURES_BERORE ACCOUNTS_LOCKOUT_UNKNOWN_USERS_LOCKOUT_PERIOD ACCOUNTS_LOCKOUT_UNKNOWN_USERS_FAILURE_WINDOW ACCOUNTS_COMMON_LOGIN_EXPIRATION_IN_DAYS ATTACHMENTS_UPLOAD_EXTERNAL_PROGRAM ATTACHMENTS_UPLOAD_MIME_TYPES ATTACHMENTS_UPLOAD_MAX_SIZE AVATARS_UPLOAD_EXTERNAL_PROGRAM AVATARS_UPLOAD_MIME_TYPES AVATARS_UPLOAD_MAX_SIZE MAX_IMAGE_PIXEL IMAGE_COMPRESS_RATIO BIGEVENTS_PATTERN NOTIFICATION_TRAY_AFTER_READ_DAYS_BEFORE_REMOVE NOTIFY_DUE_DAYS_BEFORE_AND_AFTER NOTIFY_DUE_AT_HOUR_OF_DAY DEFAULT_BOARD_ID EMAIL_NOTIFICATION_TIMEOUT CORS CORS_ALLOW_HEADERS CORS_EXPOSE_HEADERS MATOMO_ADDRESS MATOMO_SITE_ID MATOMO_DO_NOT_TRACK MATOMO_WITH_USERNAME METRICS_ALLOWED_IP_ADDRESSES BROWSER_POLICY_ENABLED TRUSTED_URL WEBHOOKS_ATTRIBUTES OAUTH2_ENABLED OIDC_REDIRECTION_ENABLED OAUTH2_CA_CERT OAUTH2_LOGIN_STYLE OAUTH2_CLIENT_ID OAUTH2_SECRET OAUTH2_SERVER_URL OAUTH2_AUTH_ENDPOINT OAUTH2_USERINFO_ENDPOINT OAUTH2_TOKEN_ENDPOINT OAUTH2_ID_MAP OAUTH2_USERNAME_MAP OAUTH2_FULLNAME_MAP OAUTH2_ID_TOKEN_WHITELIST_FIELDS OAUTH2_EMAIL_MAP OAUTH2_REQUEST_PERMISSIONS OAUTH2_ADFS_ENABLED OAUTH2_B2C_ENABLED LDAP_ENABLE LDAP_PORT LDAP_HOST LDAP_AD_SIMPLE_AUTH LDAP_BASEDN LDAP_LOGIN_FALLBACK LDAP_RECONNECT LDAP_TIMEOUT LDAP_IDLE_TIMEOUT LDAP_CONNECT_TIMEOUT LDAP_AUTHENTIFICATION LDAP_AUTHENTIFICATION_USERDN LDAP_AUTHENTIFICATION_PASSWORD LDAP_LOG_ENABLED LDAP_BACKGROUND_SYNC LDAP_BACKGROUND_SYNC_INTERVAL 
LDAP_BACKGROUND_SYNC_KEEP_EXISTANT_USERS_UPDATED LDAP_BACKGROUND_SYNC_IMPORT_NEW_USERS LDAP_ENCRYPTION LDAP_CA_CERT LDAP_REJECT_UNAUTHORIZED LDAP_USER_AUTHENTICATION LDAP_USER_AUTHENTICATION_FIELD LDAP_USER_SEARCH_FILTER LDAP_USER_SEARCH_SCOPE LDAP_USER_SEARCH_FIELD LDAP_SEARCH_PAGE_SIZE LDAP_SEARCH_SIZE_LIMIT LDAP_GROUP_FILTER_ENABLE LDAP_GROUP_FILTER_OBJECTCLASS LDAP_GROUP_FILTER_GROUP_ID_ATTRIBUTE LDAP_GROUP_FILTER_GROUP_MEMBER_ATTRIBUTE LDAP_GROUP_FILTER_GROUP_MEMBER_FORMAT LDAP_GROUP_FILTER_GROUP_NAME LDAP_UNIQUE_IDENTIFIER_FIELD LDAP_UTF8_NAMES_SLUGIFY LDAP_USERNAME_FIELD LDAP_FULLNAME_FIELD LDAP_MERGE_EXISTING_USERS LDAP_SYNC_USER_DATA LDAP_SYNC_USER_DATA_FIELDMAP LDAP_SYNC_GROUP_ROLES LDAP_DEFAULT_DOMAIN LDAP_EMAIL_MATCH_ENABLE LDAP_EMAIL_MATCH_REQUIRE LDAP_EMAIL_MATCH_VERIFIED LDAP_EMAIL_FIELD LDAP_SYNC_ADMIN_STATUS LDAP_SYNC_ADMIN_GROUPS HEADER_LOGIN_ID HEADER_LOGIN_FIRSTNAME HEADER_LOGIN_LASTNAME HEADER_LOGIN_EMAIL LOGOUT_WITH_TIMER LOGOUT_IN LOGOUT_ON_HOURS LOGOUT_ON_MINUTES DEFAULT_AUTHENTICATION_METHOD PASSWORD_LOGIN_ENABLED CAS_ENABLED CAS_BASE_URL CAS_LOGIN_URL CAS_VALIDATE_URL SAML_ENABLED SAML_PROVIDER SAML_ENTRYPOINT SAML_ISSUER SAML_CERT SAML_IDPSLO_REDIRECTURL SAML_PRIVATE_KEYFILE SAML_PUBLIC_CERTFILE SAML_IDENTIFIER_FORMAT SAML_LOCAL_PROFILE_MATCH_ATTRIBUTE SAML_ATTRIBUTES ORACLE_OIM_ENABLED RESULTS_PER_PAGE WAIT_SPINNER NODE_OPTIONS" +keys="DEBUG S3 MONGO_LOG_DESTINATION MONGO_URL MONGODB_BIND_UNIX_SOCKET MONGO_URL MONGODB_BIND_IP MONGODB_PORT MAIL_URL MAIL_FROM MAIL_SERVICE MAIL_SERVICE_USER MAIL_SERVICE_PASSWORD ROOT_URL PORT DISABLE_MONGODB CADDY_ENABLED CADDY_BIND_PORT WITH_API RICHER_CARD_COMMENT_EDITOR CARD_OPENED_WEBHOOK_ENABLED ACCOUNTS_LOCKOUT_KNOWN_USERS_FAILURES_BEFORE ACCOUNTS_LOCKOUT_KNOWN_USERS_PERIOD ACCOUNTS_LOCKOUT_KNOWN_USERS_FAILURE_WINDOW ACCOUNTS_LOCKOUT_UNKNOWN_USERS_FAILURES_BERORE ACCOUNTS_LOCKOUT_UNKNOWN_USERS_LOCKOUT_PERIOD ACCOUNTS_LOCKOUT_UNKNOWN_USERS_FAILURE_WINDOW ACCOUNTS_COMMON_LOGIN_EXPIRATION_IN_DAYS 
ATTACHMENTS_UPLOAD_EXTERNAL_PROGRAM ATTACHMENTS_UPLOAD_MIME_TYPES ATTACHMENTS_UPLOAD_MAX_SIZE AVATARS_UPLOAD_EXTERNAL_PROGRAM AVATARS_UPLOAD_MIME_TYPES AVATARS_UPLOAD_MAX_SIZE MAX_IMAGE_PIXEL IMAGE_COMPRESS_RATIO BIGEVENTS_PATTERN NOTIFICATION_TRAY_AFTER_READ_DAYS_BEFORE_REMOVE NOTIFY_DUE_DAYS_BEFORE_AND_AFTER NOTIFY_DUE_AT_HOUR_OF_DAY DEFAULT_BOARD_ID EMAIL_NOTIFICATION_TIMEOUT CORS CORS_ALLOW_HEADERS CORS_EXPOSE_HEADERS MATOMO_ADDRESS MATOMO_SITE_ID MATOMO_DO_NOT_TRACK MATOMO_WITH_USERNAME METRICS_ALLOWED_IP_ADDRESSES BROWSER_POLICY_ENABLED TRUSTED_URL WEBHOOKS_ATTRIBUTES OAUTH2_ENABLED OIDC_REDIRECTION_ENABLED OAUTH2_CA_CERT OAUTH2_LOGIN_STYLE OAUTH2_CLIENT_ID OAUTH2_SECRET OAUTH2_SERVER_URL OAUTH2_AUTH_ENDPOINT OAUTH2_USERINFO_ENDPOINT OAUTH2_TOKEN_ENDPOINT OAUTH2_ID_MAP OAUTH2_USERNAME_MAP OAUTH2_FULLNAME_MAP OAUTH2_ID_TOKEN_WHITELIST_FIELDS OAUTH2_EMAIL_MAP OAUTH2_REQUEST_PERMISSIONS OAUTH2_ADFS_ENABLED OAUTH2_B2C_ENABLED LDAP_ENABLE LDAP_PORT LDAP_HOST LDAP_AD_SIMPLE_AUTH LDAP_BASEDN LDAP_LOGIN_FALLBACK LDAP_RECONNECT LDAP_TIMEOUT LDAP_IDLE_TIMEOUT LDAP_CONNECT_TIMEOUT LDAP_AUTHENTIFICATION LDAP_AUTHENTIFICATION_USERDN LDAP_AUTHENTIFICATION_PASSWORD LDAP_LOG_ENABLED LDAP_BACKGROUND_SYNC LDAP_BACKGROUND_SYNC_INTERVAL LDAP_BACKGROUND_SYNC_KEEP_EXISTANT_USERS_UPDATED LDAP_BACKGROUND_SYNC_IMPORT_NEW_USERS LDAP_ENCRYPTION LDAP_CA_CERT LDAP_REJECT_UNAUTHORIZED LDAP_USER_AUTHENTICATION LDAP_USER_AUTHENTICATION_FIELD LDAP_USER_SEARCH_FILTER LDAP_USER_SEARCH_SCOPE LDAP_USER_SEARCH_FIELD LDAP_SEARCH_PAGE_SIZE LDAP_SEARCH_SIZE_LIMIT LDAP_GROUP_FILTER_ENABLE LDAP_GROUP_FILTER_OBJECTCLASS LDAP_GROUP_FILTER_GROUP_ID_ATTRIBUTE LDAP_GROUP_FILTER_GROUP_MEMBER_ATTRIBUTE LDAP_GROUP_FILTER_GROUP_MEMBER_FORMAT LDAP_GROUP_FILTER_GROUP_NAME LDAP_UNIQUE_IDENTIFIER_FIELD LDAP_UTF8_NAMES_SLUGIFY LDAP_USERNAME_FIELD LDAP_FULLNAME_FIELD LDAP_MERGE_EXISTING_USERS LDAP_SYNC_USER_DATA LDAP_SYNC_USER_DATA_FIELDMAP LDAP_SYNC_GROUP_ROLES LDAP_DEFAULT_DOMAIN LDAP_EMAIL_MATCH_ENABLE 
LDAP_EMAIL_MATCH_REQUIRE LDAP_EMAIL_MATCH_VERIFIED LDAP_EMAIL_FIELD LDAP_SYNC_ADMIN_STATUS LDAP_SYNC_ADMIN_GROUPS HEADER_LOGIN_ID HEADER_LOGIN_FIRSTNAME HEADER_LOGIN_LASTNAME HEADER_LOGIN_EMAIL LOGOUT_WITH_TIMER LOGOUT_IN LOGOUT_ON_HOURS LOGOUT_ON_MINUTES DEFAULT_AUTHENTICATION_METHOD PASSWORD_LOGIN_ENABLED CAS_ENABLED CAS_BASE_URL CAS_LOGIN_URL CAS_VALIDATE_URL SAML_ENABLED SAML_PROVIDER SAML_ENTRYPOINT SAML_ISSUER SAML_CERT SAML_IDPSLO_REDIRECTURL SAML_PRIVATE_KEYFILE SAML_PUBLIC_CERTFILE SAML_IDENTIFIER_FORMAT SAML_LOCAL_PROFILE_MATCH_ATTRIBUTE SAML_ATTRIBUTES ORACLE_OIM_ENABLED RESULTS_PER_PAGE WAIT_SPINNER NODE_OPTIONS LDAP_AUTHENTIFICATION_PASSWORD_FILE OAUTH2_SECRET_FILE MAIL_SERVICE_PASSWORD_FILE MONGO_PASSWORD_FILE S3_SECRET_FILE" DESCRIPTION_S3='AWS S3 for files. Example: {"s3":{"key": "xxx", "secret": "xxx", "bucket": "xxx", "region": "eu-west-1"}}' DEFAULT_S3="" 
@@ -638,3 +638,24 @@ KEY_RESULTS_PER_PAGE="results-per-page"
 DESCRIPTION_WAIT_SPINNER="Default wait spinner to use"
 DEFAULT_WAIT_SPINNER="Bounce"
 KEY_WAIT_SPINNER="wait-spinner"
+
+# Docker Compose Secrets Support
+DESCRIPTION_LDAP_AUTHENTIFICATION_PASSWORD_FILE="LDAP authentication password file (Docker secrets). Example: /run/secrets/ldap_auth_password"
+DEFAULT_LDAP_AUTHENTIFICATION_PASSWORD_FILE=""
+KEY_LDAP_AUTHENTIFICATION_PASSWORD_FILE="ldap-authentification-password-file"
+
+DESCRIPTION_OAUTH2_SECRET_FILE="OAuth2 secret file (Docker secrets). Example: /run/secrets/oauth2_secret"
+DEFAULT_OAUTH2_SECRET_FILE=""
+KEY_OAUTH2_SECRET_FILE="oauth2-secret-file"
+
+DESCRIPTION_MAIL_SERVICE_PASSWORD_FILE="Mail service password file (Docker secrets). Example: /run/secrets/mail_service_password"
+DEFAULT_MAIL_SERVICE_PASSWORD_FILE=""
+KEY_MAIL_SERVICE_PASSWORD_FILE="mail-service-password-file"
+
+DESCRIPTION_MONGO_PASSWORD_FILE="MongoDB password file (Docker secrets). Example: /run/secrets/mongo_password"
+DEFAULT_MONGO_PASSWORD_FILE=""
+KEY_MONGO_PASSWORD_FILE="mongo-password-file"
+
+DESCRIPTION_S3_SECRET_FILE="S3 secret file (Docker secrets). Example: /run/secrets/s3_secret"
+DEFAULT_S3_SECRET_FILE=""
+KEY_S3_SECRET_FILE="s3-secret-file"
diff --git a/snap-src/bin/wekan-help b/snap-src/bin/wekan-help
index 32365cf28..13bfec2db 100755
--- a/snap-src/bin/wekan-help
+++ b/snap-src/bin/wekan-help
@@ -20,6 +20,9 @@ echo -e "\t$ snap set $NAP_NAME s3='{\"s3\":{\"key\": \"xxx\", \"secret\": \"xxx
 echo -e "Disable S3:"
 echo -e "\t$ snap unset $SNAP_NAME s3"
 echo -e "\n"
+echo -e "S3 Secret File (Docker Compose secrets):"
+echo -e "\t$ snap set $SNAP_NAME s3-secret-file='/run/secrets/s3_secret'"
+echo -e "\n"
 #echo -e "Writable path. Snap can not write outside of /var/snap/wekan/common sandbox directory."
 #echo -e "Default:"
 #echo -e "\t$ snap set $SNAP_NAME writable-path='\$SNAP_COMMON\files'"
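Review bot: The `Example: /run/secrets/...` paths in the five new `DESCRIPTION_*` strings describe Docker Compose's mount point, but this file configures the snap, where a strictly confined process cannot read arbitrary host paths under `/run` unless an interface grants it; the sandbox directory the existing help text names, `/var/snap/wekan/common`, is the realistic location for a snap user. Suggest rewording each description along the lines of `DESCRIPTION_OAUTH2_SECRET_FILE="Path to a file containing the OAuth2 secret, readable inside the snap sandbox. Example: /var/snap/wekan/common/secrets/oauth2_secret"`. Separately, `KEY_LDAP_AUTHENTIFICATION_PASSWORD_FILE="ldap-authentification-password-file"` spells the key differently from the `ldap-authentication-password` form the help text uses for the existing password key; whichever spelling that existing key uses in this file should be followed so `snap set` targets a key the config wrapper actually reads.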
@@ -35,6 +38,9 @@ echo -e "\t$ snap set $SNAP_NAME mongo-url='...'" echo -e "\t-Disable the MONGO_URL of Wekan:" echo -e "\t$ snap unset $SNAP_NAME mongo-url" echo -e "\n" +echo -e "MongoDB Password File (Docker Compose secrets):" +echo -e "\t$ snap set $SNAP_NAME mongo-password-file='/run/secrets/mongo_password'" +echo -e "\n" echo -e "Make sure you have connected all interfaces, check more by calling $ snap interfaces ${SNAP_NAME}" echo -e "\n" echo -e "${SNAP_NAME} has multiple services, to check status use systemctl" @@ -78,6 +84,9 @@ echo -e "\t$ snap set $SNAP_NAME mail-service-user='firstname.lastname@hotmail.c echo -e "mail-service-password:" echo -e "\t$ snap set $SNAP_NAME mail-service-password='SecretPassword'" echo -e "\n" +echo -e "mail-service-password-file (Docker Compose secrets):" +echo -e "\t$ snap set $SNAP_NAME mail-service-password-file='/run/secrets/mail_service_password'" +echo -e "\n" echo -e "Number of search results to show per page by default:" echo -e "\t$ snap set $SNAP_NAME results-per-page='20'" echo -e "\t-Restore default:" @@ -334,6 +343,10 @@ echo -e "\t$ snap set $SNAP_NAME oauth2-secret='54321abcde'" echo -e "\t-Disable the OAuth2 Secret of Wekan:" echo -e "\t$ snap unset $SNAP_NAME oauth2-secret" echo -e "\n" +echo -e "OAuth2 Secret File (Docker Compose secrets)." +echo -e "Secret key file for OAuth2 (Docker secrets):" +echo -e "\t$ snap set $SNAP_NAME oauth2-secret-file='/run/secrets/oauth2_secret'" +echo -e "\n" echo -e "OAuth2 Server URL." echo -e "To enable the OAuth2 Server URL of Wekan:" echo -e "\t$ snap set $SNAP_NAME oauth2-server-url='https://chat.example.com'" 
@@ -457,6 +470,10 @@ echo -e "Ldap Authentication Password."
 echo -e "The password for the search user:"
 echo -e "\t$ snap set $SNAP_NAME ldap-authentication-password='admin'"
 echo -e "\n"
+echo -e "Ldap Authentication Password File (Docker Compose secrets)."
+echo -e "The password file for the search user (Docker secrets):"
+echo -e "\t$ snap set $SNAP_NAME ldap-authentication-password-file='/run/secrets/ldap_auth_password'"
+echo -e "\n"
 echo -e "Ldap Log Enabled."
 echo -e "Enable logs for the module:"
 echo -e "\t$ snap set $SNAP_NAME ldap-log-enabled='true'"
diff --git a/stacksmith/user-scripts/boot.sh b/stacksmith/user-scripts/boot.sh
index bd95102f0..44d4cc2e3 100755
--- a/stacksmith/user-scripts/boot.sh
+++ b/stacksmith/user-scripts/boot.sh
@@ -11,6 +11,29 @@ cat >"${CONF}" <<'EOF'
 export MONGO_URL=mongodb://{{DATABASE_USER}}:{{DATABASE_PASSWORD}}@{{DATABASE_HOST}}:{{DATABASE_PORT}}/{{DATABASE_NAME}}
 export ROOT_URL=http://localhost
 export PORT=3000
+
+# Docker Compose Secrets Support
+# If secret files exist, read passwords from them instead of environment variables
+if [ -f "/run/secrets/mongo_password" ]; then
+ export MONGO_PASSWORD=$(cat /run/secrets/mongo_password)
+ export MONGO_URL=mongodb://{{DATABASE_USER}}:${MONGO_PASSWORD}@{{DATABASE_HOST}}:{{DATABASE_PORT}}/{{DATABASE_NAME}}
+fi
+
+if [ -f "/run/secrets/ldap_auth_password" ]; then
+ export LDAP_AUTHENTIFICATION_PASSWORD=$(cat /run/secrets/ldap_auth_password)
+fi
+
+if [ -f "/run/secrets/oauth2_secret" ]; then
+ export OAUTH2_SECRET=$(cat /run/secrets/oauth2_secret)
+fi
+
+if [ -f "/run/secrets/mail_service_password" ]; then
+ export MAIL_SERVICE_PASSWORD=$(cat /run/secrets/mail_service_password)
+fi
+
+if [ -f "/run/secrets/s3_secret" ]; then
+ export S3_SECRET=$(cat /run/secrets/s3_secret)
+fi
 EOF
 sed -i -e "s/{{DATABASE_USER}}/${DATABASE_USER}/" "${CONF}"
diff --git a/start-wekan.bat b/start-wekan.bat
index 8a4543e08..a3f1a2984 100644
--- a/start-wekan.bat
+++ b/start-wekan.bat
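Review bot: `ldap-authentication-password-file` in the new help line does not match `KEY_LDAP_AUTHENTIFICATION_PASSWORD_FILE="ldap-authentification-password-file"` defined in snap-src/bin/config in this same patch, so a user who copies the help example sets a key the config wrapper presumably never reads, and the LDAP bind carries on with whatever the plain password setting holds. Make the two agree: since the existing line above uses `ldap-authentication-password`, changing the config side to `KEY_LDAP_AUTHENTIFICATION_PASSWORD_FILE="ldap-authentication-password-file"` is the consistent choice; otherwise change the help to `ldap-authentification-password-file`. The parenthetical "(Docker Compose secrets)" is also misleading in snap help, where no `/run/secrets` mount exists; "(read from a file)" describes the option without tying it to Docker.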
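Review bot: The new block exports `S3_SECRET` from `/run/secrets/s3_secret`, but the setting used everywhere else in this patch — `S3` in the Dockerfile ENV block, `DESCRIPTION_S3` in the snap config, the `S3=` examples in the Compose files — is `S3`, and the secret file holds the whole `{"s3":{...}}` JSON, so the value is read and then never used. The block also hard-codes `/run/secrets/<name>` instead of honouring the `*_FILE` variables the rest of the patch introduces, tests `-f` rather than `-r` (a present but unreadable file yields an empty password with only a stderr message from `cat`), exports `MONGO_PASSWORD` although nothing in the hunk uses it once the URI is built, and splices the raw password into the URI where `@`, `:`, `/`, `?`, `#` and `%` would have to be percent-encoded. The rewrite below stays inside the quoted here-doc, so it is evaluated when `${CONF}` is sourced; it fixes the variable name, the paths and the readability check, and leaves the encoding step as a TODO because no encoder is known to be available at that point in boot. The `cat >"${CONF}" <<'EOF'` that opens this here-doc starts before the hunk.
```shell
# … unchanged: export MONGO_URL / ROOT_URL / PORT …

# Docker Compose Secrets Support
# Read each secret from the path named by its *_FILE variable, defaulting to the
# Compose mount point /run/secrets/<name>; the file must be readable, not merely present.
: "${MONGO_PASSWORD_FILE:=/run/secrets/mongo_password}"
: "${LDAP_AUTHENTIFICATION_PASSWORD_FILE:=/run/secrets/ldap_auth_password}"
: "${OAUTH2_SECRET_FILE:=/run/secrets/oauth2_secret}"
: "${MAIL_SERVICE_PASSWORD_FILE:=/run/secrets/mail_service_password}"
: "${S3_SECRET_FILE:=/run/secrets/s3_secret}"

if [ -r "${MONGO_PASSWORD_FILE}" ]; then
    # Not exported: only the assembled MONGO_URL is handed to the server.
    MONGO_PASSWORD=$(cat -- "${MONGO_PASSWORD_FILE}")
    # TODO: percent-encode MONGO_PASSWORD (RFC 3986 userinfo) before splicing it into the URI.
    export MONGO_URL="mongodb://{{DATABASE_USER}}:${MONGO_PASSWORD}@{{DATABASE_HOST}}:{{DATABASE_PORT}}/{{DATABASE_NAME}}"
fi

if [ -r "${LDAP_AUTHENTIFICATION_PASSWORD_FILE}" ]; then
    export LDAP_AUTHENTIFICATION_PASSWORD="$(cat -- "${LDAP_AUTHENTIFICATION_PASSWORD_FILE}")"
fi

# … same pattern for OAUTH2_SECRET and MAIL_SERVICE_PASSWORD …

if [ -r "${S3_SECRET_FILE}" ]; then
    # The file holds the complete {"s3":{...}} JSON, which the server reads from S3, not S3_SECRET.
    export S3="$(cat -- "${S3_SECRET_FILE}")"
fi
```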
@@ -10,6 +10,9 @@ SET WRITABLE_PATH=.. REM # MongoDB database URL required SET MONGO_URL=mongodb://127.0.0.1:27017/wekan +REM # MONGO_PASSWORD_FILE : MongoDB password file (Docker secrets) +REM # example : SET MONGO_PASSWORD_FILE=/run/secrets/mongo_password +REM SET MONGO_PASSWORD_FILE= REM # If port is 80, must change ROOT_URL to: http://YOUR-WEKAN-SERVER-IPv4-ADDRESS , like http://192.168.0.100 REM # If port is not 80, must change ROOT_URL to: http://YOUR-WEKAN-SERVER-IPv4-ADDRESS:YOUR-PORT-NUMBER , like http://192.168.0.100:2000 @@ -40,6 +43,9 @@ REM # eu-west-1,eu-central-1, REM # ap-southeast-1,ap-northeast-1,sa-east-1 REM # REM SET S3='{"s3":{"key": "xxx", "secret": "xxx", "bucket": "xxx", "region": "eu-west-1"}}' +REM # S3_SECRET_FILE : S3 secret file (Docker secrets) +REM # example : SET S3_SECRET_FILE=/run/secrets/s3_secret +REM SET S3_SECRET_FILE= REM # https://github.com/wekan/wekan/wiki/Troubleshooting-Mail REM SET MAIL_URL=smtps://username:password@email-smtp.eu-west-1.amazonaws.com:587/ @@ -48,6 +54,9 @@ REM # Currently MAIL_SERVICE is not in use. REM SET MAIL_SERVICE=Outlook365 REM SET MAIL_SERVICE_USER=firstname.lastname@hotmail.com REM SET MAIL_SERVICE_PASSWORD=SecretPassword +REM # MAIL_SERVICE_PASSWORD_FILE : Password file for mail service (Docker secrets) +REM # example : SET MAIL_SERVICE_PASSWORD_FILE=/run/secrets/mail_service_password +REM SET MAIL_SERVICE_PASSWORD_FILE= REM # ==== NUMBER OF SEARCH RESULTS PER PAGE BY DEFAULT ==== REM SET RESULTS_PER_PAGE=20 
@@ -202,6 +211,9 @@ REM ## Application GUID captured during app registration: REM SET OAUTH2_CLIENT_ID=xxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx REM ## Secret key generated during app registration: REM SET OAUTH2_SECRET=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx +REM # OAUTH2_SECRET_FILE : Secret key file for OAuth2 (Docker secrets) +REM # example : SET OAUTH2_SECRET_FILE=/run/secrets/oauth2_secret +REM SET OAUTH2_SECRET_FILE= REM SET OAUTH2_SERVER_URL=https://login.microsoftonline.com/ REM SET OAUTH2_AUTH_ENDPOINT=/oauth2/v2.0/authorize REM SET OAUTH2_USERINFO_ENDPOINT=https://graph.microsoft.com/oidc/userinfo @@ -449,6 +461,9 @@ REM SET LDAP_AUTHENTIFICATION_USERDN="CN=wekan_adm,OU=serviceaccounts,OU=admin,O REM # LDAP_AUTHENTIFICATION_PASSWORD : The password for the search user REM # example : AUTHENTIFICATION_PASSWORD=admin REM SET LDAP_AUTHENTIFICATION_PASSWORD= +REM # LDAP_AUTHENTIFICATION_PASSWORD_FILE : The password file for the search user (Docker secrets) +REM # example : SET LDAP_AUTHENTIFICATION_PASSWORD_FILE=/run/secrets/ldap_auth_password +REM SET LDAP_AUTHENTIFICATION_PASSWORD_FILE= REM # LDAP_LOG_ENABLED : Enable logs for the module REM # example : LDAP_LOG_ENABLED=true diff --git a/start-wekan.sh b/start-wekan.sh index 3bf00af06..8d91b7df4 100755 --- a/start-wekan.sh +++ b/start-wekan.sh @@ -9,6 +9,9 @@ #----------------------------------------------------------------- # MongoDB database URL required export MONGO_URL=mongodb://127.0.0.1:27017/wekan + # MONGO_PASSWORD_FILE : MongoDB password file (Docker secrets) + # example : export MONGO_PASSWORD_FILE=/run/secrets/mongo_password + #export MONGO_PASSWORD_FILE= #----------------------------------------------------------------- # If port is 80, must change ROOT_URL to: http://YOUR-WEKAN-SERVER-IPv4-ADDRESS , like http://192.168.0.100 # If port is not 80, must change ROOT_URL to: http://YOUR-WEKAN-SERVER-IPv4-ADDRESS:YOUR-PORT-NUMBER , like http://192.168.0.100:2000 
@@ -37,6 +40,9 @@ # ap-southeast-1,ap-northeast-1,sa-east-1 # #export S3='{"s3":{"key": "xxx", "secret": "xxx", "bucket": "xxx", "region": "xxx"}}' + # S3_SECRET_FILE : S3 secret file (Docker secrets) + # example : export S3_SECRET_FILE=/run/secrets/s3_secret + #export S3_SECRET_FILE= #----------------------------------------------------------------- # https://github.com/wekan/wekan/wiki/Troubleshooting-Mail # https://github.com/wekan/wekan-mongodb/blob/master/docker-compose.yml @@ -46,6 +52,9 @@ #export MAIL_SERVICE=Outlook365 #export MAIL_SERVICE_USER=firstname.lastname@hotmail.com #export MAIL_SERVICE_PASSWORD=SecretPassword + # MAIL_SERVICE_PASSWORD_FILE : Password file for mail service (Docker secrets) + # example : export MAIL_SERVICE_PASSWORD_FILE=/run/secrets/mail_service_password + #export MAIL_SERVICE_PASSWORD_FILE= #--------------------------------------------- #export KADIRA_OPTIONS_ENDPOINT=http://127.0.0.1:11011 #--------------------------------------------- @@ -207,6 +216,9 @@ # # Secret key generated during app registration: #export OAUTH2_SECRET=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx + # OAUTH2_SECRET_FILE : Secret key file for OAuth2 (Docker secrets) + # example : export OAUTH2_SECRET_FILE=/run/secrets/oauth2_secret + #export OAUTH2_SECRET_FILE= #export OAUTH2_SERVER_URL=https://login.microsoftonline.com/ #export OAUTH2_AUTH_ENDPOINT=/oauth2/v2.0/authorize #export OAUTH2_USERINFO_ENDPOINT=https://graph.microsoft.com/oidc/userinfo @@ -375,6 +387,9 @@ # LDAP_AUTHENTIFICATION_PASSWORD : The password for the search user # example : AUTHENTIFICATION_PASSWORD=admin #export LDAP_AUTHENTIFICATION_PASSWORD= + # LDAP_AUTHENTIFICATION_PASSWORD_FILE : The password file for the search user (Docker secrets) + # example : export LDAP_AUTHENTIFICATION_PASSWORD_FILE=/run/secrets/ldap_auth_password + #export LDAP_AUTHENTIFICATION_PASSWORD_FILE= # # LDAP_LOG_ENABLED : Enable logs for the module # example : export LDAP_LOG_ENABLED=true
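Review bot: All five `*_FILE` additions to start-wekan.sh are commented-out `export` examples, and within the hunks shown nothing in the script reads the named file, so setting `LDAP_AUTHENTIFICATION_PASSWORD_FILE` here has no effect unless the server itself resolves `_FILE` variables — which, going by the diffstat, is not part of this patch. If the server does not, the script should resolve them next to the existing exports, e.g. `if [ -n "${LDAP_AUTHENTIFICATION_PASSWORD_FILE:-}" ] && [ -r "$LDAP_AUTHENTIFICATION_PASSWORD_FILE" ]; then`, `  export LDAP_AUTHENTIFICATION_PASSWORD="$(cat -- "$LDAP_AUTHENTIFICATION_PASSWORD_FILE")"`, `fi`; if it does, a one-line comment such as `# the server reads the file named here at startup` would spare the next reader the same question. The pre-existing example `AUTHENTIFICATION_PASSWORD=admin` two lines above also lacks the `LDAP_` prefix and is worth correcting while these lines are being touched.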