Add support for Docker/Compose Secrets for passwords to Docker/Snap/Bundle platforms.

Thanks to Roemer and xet7 ! Fixes #5724
2025-12-16 15:30:13 +01:00 · 2025-10-10 23:46:48 +03:00 · 2025-10-10 23:46:48 +03:00 · 107e2ac900
commit 107e2ac900
parent 3b60bdea14
16 changed files with 234 additions and 4 deletions
--- a/secrets/README.md
+++ b/secrets/README.md
@ -0,0 +1,57 @@
+# Wekan Docker Compose Secrets
+
+This directory contains example secret files for Wekan Docker Compose deployment. These files should be used instead of environment variables for better security and GitOps compatibility.
+
+## Secret Files
+
+- `ldap_auth_password.txt` - LDAP authentication password
+- `oauth2_secret.txt` - OAuth2 secret key
+- `mail_service_password.txt` - Mail service password
+- `mongo_password.txt` - MongoDB password
+- `s3_secret.txt` - S3 configuration (JSON format)
+
+## Usage
+
+1. Copy the example files and replace the placeholder values with your actual secrets
+2. Update your `docker-compose.yml` to use the `_FILE` environment variables
+3. Ensure the secret files are properly secured with appropriate file permissions
+
+## Security Notes
+
+- Never commit actual secret values to version control
+- Set appropriate file permissions (e.g., `chmod 600 secrets/*.txt`)
+- Consider using a secrets management system in production
+- The secret files are mounted as read-only in the container
+
+## Docker Compose Configuration
+
+Example configuration in `docker-compose.yml`:
+
+```yaml
+services:
+  wekan:
+    environment:
+      - LDAP_AUTHENTIFICATION_PASSWORD_FILE=/run/secrets/ldap_auth_password
+      - OAUTH2_SECRET_FILE=/run/secrets/oauth2_secret
+      - MAIL_SERVICE_PASSWORD_FILE=/run/secrets/mail_service_password
+      - MONGO_PASSWORD_FILE=/run/secrets/mongo_password
+      - S3_SECRET_FILE=/run/secrets/s3_secret
+    secrets:
+      - ldap_auth_password
+      - oauth2_secret
+      - mail_service_password
+      - mongo_password
+      - s3_secret
+
+secrets:
+  ldap_auth_password:
+    file: ./secrets/ldap_auth_password.txt
+  oauth2_secret:
+    file: ./secrets/oauth2_secret.txt
+  mail_service_password:
+    file: ./secrets/mail_service_password.txt
+  mongo_password:
+    file: ./secrets/mongo_password.txt
+  s3_secret:
+    file: ./secrets/s3_secret.txt
+```
--- a/secrets/ldap_auth_password.txt
+++ b/secrets/ldap_auth_password.txt
@ -0,0 +1 @@
+your_ldap_password_here
--- a/secrets/mail_service_password.txt
+++ b/secrets/mail_service_password.txt
@ -0,0 +1 @@
+your_mail_service_password_here
--- a/secrets/mongo_password.txt
+++ b/secrets/mongo_password.txt
@ -0,0 +1 @@
+your_mongo_password_here
--- a/secrets/oauth2_secret.txt
+++ b/secrets/oauth2_secret.txt
@ -0,0 +1 @@
+your_oauth2_secret_here
--- a/secrets/s3_secret.txt
+++ b/secrets/s3_secret.txt
@ -0,0 +1 @@
+{"s3":{"key": "your_s3_key_here", "secret": "your_s3_secret_here", "bucket": "your_s3_bucket_here", "region": "eu-west-1"}}
				`@ -0,0 +1 @@`
				`{"s3":{"key": "your_s3_key_here", "secret": "your_s3_secret_here", "bucket": "your_s3_bucket_here", "region": "eu-west-1"}}`