Add support for Docker/Compose Secrets for passwords to Docker/Snap/Bundle platforms.

Thanks to Roemer and xet7 ! Fixes #5724
2025-12-16 07:20:12 +01:00 · 2025-10-10 23:46:48 +03:00 · 2025-10-10 23:46:48 +03:00 · 107e2ac900
commit 107e2ac900
parent 3b60bdea14
16 changed files with 234 additions and 4 deletions
--- a/7
+++ b/7
@ -66,6 +66,7 @@ ENV \
    OAUTH2_LOGIN_STYLE=redirect \
    OAUTH2_CLIENT_ID="" \
    OAUTH2_SECRET="" \
+    OAUTH2_SECRET_FILE="" \
    OAUTH2_SERVER_URL="" \
    OAUTH2_AUTH_ENDPOINT="" \
    OAUTH2_USERINFO_ENDPOINT="" \
@ -91,6 +92,7 @@ ENV \
    LDAP_AUTHENTIFICATION=false \
    LDAP_AUTHENTIFICATION_USERDN="" \
    LDAP_AUTHENTIFICATION_PASSWORD="" \
+    LDAP_AUTHENTIFICATION_PASSWORD_FILE="" \
    LDAP_LOG_ENABLED=false \
    LDAP_BACKGROUND_SYNC=false \
    LDAP_BACKGROUND_SYNC_INTERVAL="" \
@ -156,7 +158,10 @@ ENV \
    ORACLE_OIM_ENABLED=false \
    WAIT_SPINNER="" \
    WRITABLE_PATH=/data \
-    S3=""
+    S3="" \
+    MAIL_SERVICE_PASSWORD_FILE="" \
+    MONGO_PASSWORD_FILE="" \
+    S3_SECRET_FILE=""

 #   NODE_OPTIONS="--max_old_space_size=4096"

--- a/Dockerfile.arm64v8
+++ b/Dockerfile.arm64v8
@ -53,7 +53,12 @@ ENV QEMU_ARCHITECTURE=aarch64 \
    WITH_API=true \
    PORT=8080 \
    ROOT_URL=http://localhost \
-    MONGO_URL=mongodb://127.0.0.1:27017/wekan
+    MONGO_URL=mongodb://127.0.0.1:27017/wekan \
+    LDAP_AUTHENTIFICATION_PASSWORD_FILE="" \
+    OAUTH2_SECRET_FILE="" \
+    MAIL_SERVICE_PASSWORD_FILE="" \
+    MONGO_PASSWORD_FILE="" \
+    S3_SECRET_FILE=""

 # Copy qemu-static to image
 COPY --from=builder qemu-${QEMU_ARCHITECTURE}-static /usr/bin
--- a/Dockerfile.s390x
+++ b/Dockerfile.s390x
@ -56,7 +56,12 @@ ENV QEMU_ARCHITECTURE=s390x \
    WITH_API=true \
    PORT=8080 \
    ROOT_URL=http://localhost \
-    MONGO_URL=mongodb://127.0.0.1:27017/wekan
+    MONGO_URL=mongodb://127.0.0.1:27017/wekan \
+    LDAP_AUTHENTIFICATION_PASSWORD_FILE="" \
+    OAUTH2_SECRET_FILE="" \
+    MAIL_SERVICE_PASSWORD_FILE="" \
+    MONGO_PASSWORD_FILE="" \
+    S3_SECRET_FILE=""

 # Copy qemu-static to image
 COPY --from=builder qemu-${QEMU_ARCHITECTURE}-static /usr/bin
--- a/docker-compose.yml
+++ b/docker-compose.yml
@ -163,9 +163,12 @@ services:
      #   ap-southeast-1,ap-northeast-1,sa-east-1
      #
      #- S3='{"s3":{"key": "xxx", "secret": "xxx", "bucket": "xxx", "region": "xxx"}}'
+      #- S3_SECRET_FILE=/run/secrets/s3_secret
      #-----------------------------------------------------------------
      # ==== MONGO_URL ====
      - MONGO_URL=mongodb://wekandb:27017/wekan
+      #- MONGO_URL=mongodb://username:password@wekandb:27017/wekan
+      #- MONGO_PASSWORD_FILE=/run/secrets/mongo_password
      #---------------------------------------------------------------
      # ==== ROOT_URL SETTING ====
      # Change ROOT_URL to your real Wekan URL, for example:
@ -194,6 +197,7 @@ services:
      #- MAIL_SERVICE=Outlook365
      #- MAIL_SERVICE_USER=firstname.lastname@hotmail.com
      #- MAIL_SERVICE_PASSWORD=SecretPassword
+      #- MAIL_SERVICE_PASSWORD_FILE=/run/secrets/mail_service_password
      #---------------------------------------------------------------
      # https://github.com/wekan/wekan/issues/3585#issuecomment-1021522132
      # Add more Node heap, this is done by default at Dockerfile:
@ -397,6 +401,7 @@ services:
      #- OAUTH2_CLIENT_ID=xxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx
      # Secret key generated during app registration:
      #- OAUTH2_SECRET=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
+      #- OAUTH2_SECRET_FILE=/run/secrets/oauth2_secret
      #- OAUTH2_SERVER_URL=https://login.microsoftonline.com/
      #- OAUTH2_AUTH_ENDPOINT=/oauth2/v2.0/authorize
      #- OAUTH2_USERINFO_ENDPOINT=https://graph.microsoft.com/oidc/userinfo
@ -423,6 +428,7 @@ services:
      #- OAUTH2_CLIENT_ID=xxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx
      # Secret key generated during app registration:
      #- OAUTH2_SECRET=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
+      #- OAUTH2_SECRET_FILE=/run/secrets/oauth2_secret
      #- OAUTH2_SERVER_URL=https://your-nextcloud.tld
      #- OAUTH2_AUTH_ENDPOINT=/index.php/apps/oauth2/authorize
      #- OAUTH2_USERINFO_ENDPOINT=/ocs/v2.php/cloud/user?format=json
@ -447,6 +453,7 @@ services:
      #- OAUTH2_USERINFO_ENDPOINT=/realms/<keycloak realm>/protocol/openid-connect/userinfo
      #- OAUTH2_TOKEN_ENDPOINT=/realms/<keycloak realm>/protocol/openid-connect/token
      #- OAUTH2_SECRET=<keycloak client secret>
+      #- OAUTH2_SECRET_FILE=/run/secrets/oauth2_secret
      #- OAUTH2_ID_MAP=sub
      #- OAUTH2_USERNAME_MAP=preferred_username
      #- OAUTH2_EMAIL_MAP=email
@ -464,6 +471,7 @@ services:
      #- OAUTH2_CLIENT_ID=abcde12345
      # OAuth2 Secret.
      #- OAUTH2_SECRET=54321abcde
+      #- OAUTH2_SECRET_FILE=/run/secrets/oauth2_secret
      # OAuth2 Server URL.
      #- OAUTH2_SERVER_URL=https://chat.example.com
      # OAuth2 Authorization Endpoint.
@ -570,6 +578,7 @@ services:
      #
      # The password for the search user
      #- LDAP_AUTHENTIFICATION_PASSWORD=pwd
+      #- LDAP_AUTHENTIFICATION_PASSWORD_FILE=/run/secrets/ldap_auth_password
      #
      # Enable logs for the module
      #- LDAP_LOG_ENABLED=true
@ -725,6 +734,12 @@ services:
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - wekan-files:/data:rw
+    secrets:
+      - ldap_auth_password
+      - oauth2_secret
+      - mail_service_password
+      - mongo_password
+      - s3_secret

 #---------------------------------------------------------------------------------
 # ==== OPTIONAL: SHARE DATABASE TO OFFICE LAN AND REMOTE VPN ====
@ -786,3 +801,19 @@ volumes:
 networks:
  wekan-tier:
    driver: bridge
+
+# Docker Compose Secrets
+# Create secret files on the host system before running docker-compose up
+# Example: echo "your_password_here" > ldap_auth_password.txt
+# Then use: docker-compose up -d
+secrets:
+  ldap_auth_password:
+    file: ./secrets/ldap_auth_password.txt
+  oauth2_secret:
+    file: ./secrets/oauth2_secret.txt
+  mail_service_password:
+    file: ./secrets/mail_service_password.txt
+  mongo_password:
+    file: ./secrets/mongo_password.txt
+  s3_secret:
+    file: ./secrets/s3_secret.txt
--- a/docker-compose.yml-arm64
+++ b/docker-compose.yml-arm64
@ -167,9 +167,12 @@ services:
      #   ap-southeast-1,ap-northeast-1,sa-east-1
      #
      #- S3='{"s3":{"key": "xxx", "secret": "xxx", "bucket": "xxx", "region": "xxx"}}'
+      #- S3_SECRET_FILE=/run/secrets/s3_secret
      #-----------------------------------------------------------------
      # ==== MONGO_URL ====
      - MONGO_URL=mongodb://wekandb:27017/wekan
+      #- MONGO_URL=mongodb://username:password@wekandb:27017/wekan
+      #- MONGO_PASSWORD_FILE=/run/secrets/mongo_password
      #---------------------------------------------------------------
      # ==== ROOT_URL SETTING ====
      # Change ROOT_URL to your real Wekan URL, for example:
@ -198,6 +201,7 @@ services:
      #- MAIL_SERVICE=Outlook365
      #- MAIL_SERVICE_USER=firstname.lastname@hotmail.com
      #- MAIL_SERVICE_PASSWORD=SecretPassword
+      #- MAIL_SERVICE_PASSWORD_FILE=/run/secrets/mail_service_password
      #---------------------------------------------------------------
      # https://github.com/wekan/wekan/issues/3585#issuecomment-1021522132
      # Add more Node heap, this is done by default at Dockerfile:
@ -399,6 +403,7 @@ services:
      #- OAUTH2_CLIENT_ID=xxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx
      # Secret key generated during app registration:
      #- OAUTH2_SECRET=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
+      #- OAUTH2_SECRET_FILE=/run/secrets/oauth2_secret
      #- OAUTH2_SERVER_URL=https://login.microsoftonline.com/
      #- OAUTH2_AUTH_ENDPOINT=/oauth2/v2.0/authorize
      #- OAUTH2_USERINFO_ENDPOINT=https://graph.microsoft.com/oidc/userinfo
@ -425,6 +430,7 @@ services:
      #- OAUTH2_CLIENT_ID=xxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx
      # Secret key generated during app registration:
      #- OAUTH2_SECRET=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
+      #- OAUTH2_SECRET_FILE=/run/secrets/oauth2_secret
      #- OAUTH2_SERVER_URL=https://your-nextcloud.tld
      #- OAUTH2_AUTH_ENDPOINT=/index.php/apps/oauth2/authorize
      #- OAUTH2_USERINFO_ENDPOINT=/ocs/v2.php/cloud/user?format=json
@ -449,6 +455,7 @@ services:
      #- OAUTH2_USERINFO_ENDPOINT=/realms/<keycloak realm>/protocol/openid-connect/userinfo
      #- OAUTH2_TOKEN_ENDPOINT=/realms/<keycloak realm>/protocol/openid-connect/token
      #- OAUTH2_SECRET=<keycloak client secret>
+      #- OAUTH2_SECRET_FILE=/run/secrets/oauth2_secret
      #-----------------------------------------------------------------
      # ==== OAUTH2 DOORKEEPER ====
      # https://github.com/wekan/wekan/issues/1874
@ -462,6 +469,7 @@ services:
      #- OAUTH2_CLIENT_ID=abcde12345
      # OAuth2 Secret.
      #- OAUTH2_SECRET=54321abcde
+      #- OAUTH2_SECRET_FILE=/run/secrets/oauth2_secret
      # OAuth2 Server URL.
      #- OAUTH2_SERVER_URL=https://chat.example.com
      # OAuth2 Authorization Endpoint.
@ -568,6 +576,7 @@ services:
      #
      # The password for the search user
      #- LDAP_AUTHENTIFICATION_PASSWORD=pwd
+      #- LDAP_AUTHENTIFICATION_PASSWORD_FILE=/run/secrets/ldap_auth_password
      #
      # Enable logs for the module
      #- LDAP_LOG_ENABLED=true
@ -723,6 +732,12 @@ services:
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - wekan-files:/data:rw
+    secrets:
+      - ldap_auth_password
+      - oauth2_secret
+      - mail_service_password
+      - mongo_password
+      - s3_secret

 #---------------------------------------------------------------------------------
 # ==== OPTIONAL: SHARE DATABASE TO OFFICE LAN AND REMOTE VPN ====
@ -784,3 +799,19 @@ volumes:
 networks:
  wekan-tier:
    driver: bridge
+
+# Docker Compose Secrets
+# Create secret files on the host system before running docker-compose up
+# Example: echo "your_password_here" > ldap_auth_password.txt
+# Then use: docker-compose up -d
+secrets:
+  ldap_auth_password:
+    file: ./secrets/ldap_auth_password.txt
+  oauth2_secret:
+    file: ./secrets/oauth2_secret.txt
+  mail_service_password:
+    file: ./secrets/mail_service_password.txt
+  mongo_password:
+    file: ./secrets/mongo_password.txt
+  s3_secret:
+    file: ./secrets/s3_secret.txt
--- a/secrets/README.md
+++ b/secrets/README.md
@ -0,0 +1,57 @@
+# Wekan Docker Compose Secrets
+
+This directory contains example secret files for Wekan Docker Compose deployment. These files should be used instead of environment variables for better security and GitOps compatibility.
+
+## Secret Files
+
+- `ldap_auth_password.txt` - LDAP authentication password
+- `oauth2_secret.txt` - OAuth2 secret key
+- `mail_service_password.txt` - Mail service password
+- `mongo_password.txt` - MongoDB password
+- `s3_secret.txt` - S3 configuration (JSON format)
+
+## Usage
+
+1. Copy the example files and replace the placeholder values with your actual secrets
+2. Update your `docker-compose.yml` to use the `_FILE` environment variables
+3. Ensure the secret files are properly secured with appropriate file permissions
+
+## Security Notes
+
+- Never commit actual secret values to version control
+- Set appropriate file permissions (e.g., `chmod 600 secrets/*.txt`)
+- Consider using a secrets management system in production
+- The secret files are mounted as read-only in the container
+
+## Docker Compose Configuration
+
+Example configuration in `docker-compose.yml`:
+
+```yaml
+services:
+  wekan:
+    environment:
+      - LDAP_AUTHENTIFICATION_PASSWORD_FILE=/run/secrets/ldap_auth_password
+      - OAUTH2_SECRET_FILE=/run/secrets/oauth2_secret
+      - MAIL_SERVICE_PASSWORD_FILE=/run/secrets/mail_service_password
+      - MONGO_PASSWORD_FILE=/run/secrets/mongo_password
+      - S3_SECRET_FILE=/run/secrets/s3_secret
+    secrets:
+      - ldap_auth_password
+      - oauth2_secret
+      - mail_service_password
+      - mongo_password
+      - s3_secret
+
+secrets:
+  ldap_auth_password:
+    file: ./secrets/ldap_auth_password.txt
+  oauth2_secret:
+    file: ./secrets/oauth2_secret.txt
+  mail_service_password:
+    file: ./secrets/mail_service_password.txt
+  mongo_password:
+    file: ./secrets/mongo_password.txt
+  s3_secret:
+    file: ./secrets/s3_secret.txt
+```
--- a/secrets/ldap_auth_password.txt
+++ b/secrets/ldap_auth_password.txt
@ -0,0 +1 @@
+your_ldap_password_here
--- a/secrets/mail_service_password.txt
+++ b/secrets/mail_service_password.txt
@ -0,0 +1 @@
+your_mail_service_password_here
--- a/secrets/mongo_password.txt
+++ b/secrets/mongo_password.txt
@ -0,0 +1 @@
+your_mongo_password_here
--- a/secrets/oauth2_secret.txt
+++ b/secrets/oauth2_secret.txt
@ -0,0 +1 @@
+your_oauth2_secret_here
--- a/secrets/s3_secret.txt
+++ b/secrets/s3_secret.txt
@ -0,0 +1 @@
+{"s3":{"key": "your_s3_key_here", "secret": "your_s3_secret_here", "bucket": "your_s3_bucket_here", "region": "eu-west-1"}}
--- a/snap-src/bin/config
+++ b/snap-src/bin/config
@ -3,7 +3,7 @@
 # All supported keys are defined here together with descriptions and default values

 # list of supported keys
-keys="DEBUG S3 MONGO_LOG_DESTINATION MONGO_URL MONGODB_BIND_UNIX_SOCKET MONGO_URL MONGODB_BIND_IP MONGODB_PORT MAIL_URL MAIL_FROM MAIL_SERVICE MAIL_SERVICE_USER MAIL_SERVICE_PASSWORD ROOT_URL PORT DISABLE_MONGODB CADDY_ENABLED CADDY_BIND_PORT WITH_API RICHER_CARD_COMMENT_EDITOR CARD_OPENED_WEBHOOK_ENABLED ACCOUNTS_LOCKOUT_KNOWN_USERS_FAILURES_BEFORE ACCOUNTS_LOCKOUT_KNOWN_USERS_PERIOD ACCOUNTS_LOCKOUT_KNOWN_USERS_FAILURE_WINDOW ACCOUNTS_LOCKOUT_UNKNOWN_USERS_FAILURES_BERORE ACCOUNTS_LOCKOUT_UNKNOWN_USERS_LOCKOUT_PERIOD ACCOUNTS_LOCKOUT_UNKNOWN_USERS_FAILURE_WINDOW ACCOUNTS_COMMON_LOGIN_EXPIRATION_IN_DAYS ATTACHMENTS_UPLOAD_EXTERNAL_PROGRAM ATTACHMENTS_UPLOAD_MIME_TYPES ATTACHMENTS_UPLOAD_MAX_SIZE AVATARS_UPLOAD_EXTERNAL_PROGRAM AVATARS_UPLOAD_MIME_TYPES AVATARS_UPLOAD_MAX_SIZE MAX_IMAGE_PIXEL IMAGE_COMPRESS_RATIO BIGEVENTS_PATTERN NOTIFICATION_TRAY_AFTER_READ_DAYS_BEFORE_REMOVE NOTIFY_DUE_DAYS_BEFORE_AND_AFTER NOTIFY_DUE_AT_HOUR_OF_DAY DEFAULT_BOARD_ID EMAIL_NOTIFICATION_TIMEOUT CORS CORS_ALLOW_HEADERS CORS_EXPOSE_HEADERS MATOMO_ADDRESS MATOMO_SITE_ID MATOMO_DO_NOT_TRACK MATOMO_WITH_USERNAME METRICS_ALLOWED_IP_ADDRESSES BROWSER_POLICY_ENABLED TRUSTED_URL WEBHOOKS_ATTRIBUTES OAUTH2_ENABLED OIDC_REDIRECTION_ENABLED OAUTH2_CA_CERT OAUTH2_LOGIN_STYLE OAUTH2_CLIENT_ID OAUTH2_SECRET OAUTH2_SERVER_URL OAUTH2_AUTH_ENDPOINT OAUTH2_USERINFO_ENDPOINT OAUTH2_TOKEN_ENDPOINT OAUTH2_ID_MAP OAUTH2_USERNAME_MAP OAUTH2_FULLNAME_MAP OAUTH2_ID_TOKEN_WHITELIST_FIELDS OAUTH2_EMAIL_MAP OAUTH2_REQUEST_PERMISSIONS OAUTH2_ADFS_ENABLED OAUTH2_B2C_ENABLED LDAP_ENABLE LDAP_PORT LDAP_HOST LDAP_AD_SIMPLE_AUTH LDAP_BASEDN LDAP_LOGIN_FALLBACK LDAP_RECONNECT LDAP_TIMEOUT LDAP_IDLE_TIMEOUT LDAP_CONNECT_TIMEOUT LDAP_AUTHENTIFICATION LDAP_AUTHENTIFICATION_USERDN LDAP_AUTHENTIFICATION_PASSWORD LDAP_LOG_ENABLED LDAP_BACKGROUND_SYNC LDAP_BACKGROUND_SYNC_INTERVAL LDAP_BACKGROUND_SYNC_KEEP_EXISTANT_USERS_UPDATED LDAP_BACKGROUND_SYNC_IMPORT_NEW_USERS LDAP_ENCRYPTION LDAP_CA_CERT LDAP_REJECT_UNAUTHORIZED LDAP_USER_AUTHENTICATION LDAP_USER_AUTHENTICATION_FIELD LDAP_USER_SEARCH_FILTER LDAP_USER_SEARCH_SCOPE LDAP_USER_SEARCH_FIELD LDAP_SEARCH_PAGE_SIZE LDAP_SEARCH_SIZE_LIMIT LDAP_GROUP_FILTER_ENABLE LDAP_GROUP_FILTER_OBJECTCLASS LDAP_GROUP_FILTER_GROUP_ID_ATTRIBUTE LDAP_GROUP_FILTER_GROUP_MEMBER_ATTRIBUTE LDAP_GROUP_FILTER_GROUP_MEMBER_FORMAT LDAP_GROUP_FILTER_GROUP_NAME LDAP_UNIQUE_IDENTIFIER_FIELD LDAP_UTF8_NAMES_SLUGIFY LDAP_USERNAME_FIELD LDAP_FULLNAME_FIELD LDAP_MERGE_EXISTING_USERS LDAP_SYNC_USER_DATA LDAP_SYNC_USER_DATA_FIELDMAP LDAP_SYNC_GROUP_ROLES LDAP_DEFAULT_DOMAIN LDAP_EMAIL_MATCH_ENABLE LDAP_EMAIL_MATCH_REQUIRE LDAP_EMAIL_MATCH_VERIFIED LDAP_EMAIL_FIELD LDAP_SYNC_ADMIN_STATUS LDAP_SYNC_ADMIN_GROUPS HEADER_LOGIN_ID HEADER_LOGIN_FIRSTNAME HEADER_LOGIN_LASTNAME HEADER_LOGIN_EMAIL LOGOUT_WITH_TIMER LOGOUT_IN LOGOUT_ON_HOURS LOGOUT_ON_MINUTES DEFAULT_AUTHENTICATION_METHOD PASSWORD_LOGIN_ENABLED CAS_ENABLED CAS_BASE_URL CAS_LOGIN_URL CAS_VALIDATE_URL SAML_ENABLED SAML_PROVIDER SAML_ENTRYPOINT SAML_ISSUER SAML_CERT SAML_IDPSLO_REDIRECTURL SAML_PRIVATE_KEYFILE SAML_PUBLIC_CERTFILE SAML_IDENTIFIER_FORMAT SAML_LOCAL_PROFILE_MATCH_ATTRIBUTE SAML_ATTRIBUTES ORACLE_OIM_ENABLED RESULTS_PER_PAGE WAIT_SPINNER NODE_OPTIONS"
+keys="DEBUG S3 MONGO_LOG_DESTINATION MONGO_URL MONGODB_BIND_UNIX_SOCKET MONGO_URL MONGODB_BIND_IP MONGODB_PORT MAIL_URL MAIL_FROM MAIL_SERVICE MAIL_SERVICE_USER MAIL_SERVICE_PASSWORD ROOT_URL PORT DISABLE_MONGODB CADDY_ENABLED CADDY_BIND_PORT WITH_API RICHER_CARD_COMMENT_EDITOR CARD_OPENED_WEBHOOK_ENABLED ACCOUNTS_LOCKOUT_KNOWN_USERS_FAILURES_BEFORE ACCOUNTS_LOCKOUT_KNOWN_USERS_PERIOD ACCOUNTS_LOCKOUT_KNOWN_USERS_FAILURE_WINDOW ACCOUNTS_LOCKOUT_UNKNOWN_USERS_FAILURES_BERORE ACCOUNTS_LOCKOUT_UNKNOWN_USERS_LOCKOUT_PERIOD ACCOUNTS_LOCKOUT_UNKNOWN_USERS_FAILURE_WINDOW ACCOUNTS_COMMON_LOGIN_EXPIRATION_IN_DAYS ATTACHMENTS_UPLOAD_EXTERNAL_PROGRAM ATTACHMENTS_UPLOAD_MIME_TYPES ATTACHMENTS_UPLOAD_MAX_SIZE AVATARS_UPLOAD_EXTERNAL_PROGRAM AVATARS_UPLOAD_MIME_TYPES AVATARS_UPLOAD_MAX_SIZE MAX_IMAGE_PIXEL IMAGE_COMPRESS_RATIO BIGEVENTS_PATTERN NOTIFICATION_TRAY_AFTER_READ_DAYS_BEFORE_REMOVE NOTIFY_DUE_DAYS_BEFORE_AND_AFTER NOTIFY_DUE_AT_HOUR_OF_DAY DEFAULT_BOARD_ID EMAIL_NOTIFICATION_TIMEOUT CORS CORS_ALLOW_HEADERS CORS_EXPOSE_HEADERS MATOMO_ADDRESS MATOMO_SITE_ID MATOMO_DO_NOT_TRACK MATOMO_WITH_USERNAME METRICS_ALLOWED_IP_ADDRESSES BROWSER_POLICY_ENABLED TRUSTED_URL WEBHOOKS_ATTRIBUTES OAUTH2_ENABLED OIDC_REDIRECTION_ENABLED OAUTH2_CA_CERT OAUTH2_LOGIN_STYLE OAUTH2_CLIENT_ID OAUTH2_SECRET OAUTH2_SERVER_URL OAUTH2_AUTH_ENDPOINT OAUTH2_USERINFO_ENDPOINT OAUTH2_TOKEN_ENDPOINT OAUTH2_ID_MAP OAUTH2_USERNAME_MAP OAUTH2_FULLNAME_MAP OAUTH2_ID_TOKEN_WHITELIST_FIELDS OAUTH2_EMAIL_MAP OAUTH2_REQUEST_PERMISSIONS OAUTH2_ADFS_ENABLED OAUTH2_B2C_ENABLED LDAP_ENABLE LDAP_PORT LDAP_HOST LDAP_AD_SIMPLE_AUTH LDAP_BASEDN LDAP_LOGIN_FALLBACK LDAP_RECONNECT LDAP_TIMEOUT LDAP_IDLE_TIMEOUT LDAP_CONNECT_TIMEOUT LDAP_AUTHENTIFICATION LDAP_AUTHENTIFICATION_USERDN LDAP_AUTHENTIFICATION_PASSWORD LDAP_LOG_ENABLED LDAP_BACKGROUND_SYNC LDAP_BACKGROUND_SYNC_INTERVAL LDAP_BACKGROUND_SYNC_KEEP_EXISTANT_USERS_UPDATED LDAP_BACKGROUND_SYNC_IMPORT_NEW_USERS LDAP_ENCRYPTION LDAP_CA_CERT LDAP_REJECT_UNAUTHORIZED LDAP_USER_AUTHENTICATION LDAP_USER_AUTHENTICATION_FIELD LDAP_USER_SEARCH_FILTER LDAP_USER_SEARCH_SCOPE LDAP_USER_SEARCH_FIELD LDAP_SEARCH_PAGE_SIZE LDAP_SEARCH_SIZE_LIMIT LDAP_GROUP_FILTER_ENABLE LDAP_GROUP_FILTER_OBJECTCLASS LDAP_GROUP_FILTER_GROUP_ID_ATTRIBUTE LDAP_GROUP_FILTER_GROUP_MEMBER_ATTRIBUTE LDAP_GROUP_FILTER_GROUP_MEMBER_FORMAT LDAP_GROUP_FILTER_GROUP_NAME LDAP_UNIQUE_IDENTIFIER_FIELD LDAP_UTF8_NAMES_SLUGIFY LDAP_USERNAME_FIELD LDAP_FULLNAME_FIELD LDAP_MERGE_EXISTING_USERS LDAP_SYNC_USER_DATA LDAP_SYNC_USER_DATA_FIELDMAP LDAP_SYNC_GROUP_ROLES LDAP_DEFAULT_DOMAIN LDAP_EMAIL_MATCH_ENABLE LDAP_EMAIL_MATCH_REQUIRE LDAP_EMAIL_MATCH_VERIFIED LDAP_EMAIL_FIELD LDAP_SYNC_ADMIN_STATUS LDAP_SYNC_ADMIN_GROUPS HEADER_LOGIN_ID HEADER_LOGIN_FIRSTNAME HEADER_LOGIN_LASTNAME HEADER_LOGIN_EMAIL LOGOUT_WITH_TIMER LOGOUT_IN LOGOUT_ON_HOURS LOGOUT_ON_MINUTES DEFAULT_AUTHENTICATION_METHOD PASSWORD_LOGIN_ENABLED CAS_ENABLED CAS_BASE_URL CAS_LOGIN_URL CAS_VALIDATE_URL SAML_ENABLED SAML_PROVIDER SAML_ENTRYPOINT SAML_ISSUER SAML_CERT SAML_IDPSLO_REDIRECTURL SAML_PRIVATE_KEYFILE SAML_PUBLIC_CERTFILE SAML_IDENTIFIER_FORMAT SAML_LOCAL_PROFILE_MATCH_ATTRIBUTE SAML_ATTRIBUTES ORACLE_OIM_ENABLED RESULTS_PER_PAGE WAIT_SPINNER NODE_OPTIONS LDAP_AUTHENTIFICATION_PASSWORD_FILE OAUTH2_SECRET_FILE MAIL_SERVICE_PASSWORD_FILE MONGO_PASSWORD_FILE S3_SECRET_FILE"

 DESCRIPTION_S3='AWS S3 for files. Example: {"s3":{"key": "xxx", "secret": "xxx", "bucket": "xxx", "region": "eu-west-1"}}'
 DEFAULT_S3=""
@ -638,3 +638,24 @@ KEY_RESULTS_PER_PAGE="results-per-page"
 DESCRIPTION_WAIT_SPINNER="Default wait spinner to use"
 DEFAULT_WAIT_SPINNER="Bounce"
 KEY_WAIT_SPINNER="wait-spinner"
+
+# Docker Compose Secrets Support
+DESCRIPTION_LDAP_AUTHENTIFICATION_PASSWORD_FILE="LDAP authentication password file (Docker secrets). Example: /run/secrets/ldap_auth_password"
+DEFAULT_LDAP_AUTHENTIFICATION_PASSWORD_FILE=""
+KEY_LDAP_AUTHENTIFICATION_PASSWORD_FILE="ldap-authentification-password-file"
+
+DESCRIPTION_OAUTH2_SECRET_FILE="OAuth2 secret file (Docker secrets). Example: /run/secrets/oauth2_secret"
+DEFAULT_OAUTH2_SECRET_FILE=""
+KEY_OAUTH2_SECRET_FILE="oauth2-secret-file"
+
+DESCRIPTION_MAIL_SERVICE_PASSWORD_FILE="Mail service password file (Docker secrets). Example: /run/secrets/mail_service_password"
+DEFAULT_MAIL_SERVICE_PASSWORD_FILE=""
+KEY_MAIL_SERVICE_PASSWORD_FILE="mail-service-password-file"
+
+DESCRIPTION_MONGO_PASSWORD_FILE="MongoDB password file (Docker secrets). Example: /run/secrets/mongo_password"
+DEFAULT_MONGO_PASSWORD_FILE=""
+KEY_MONGO_PASSWORD_FILE="mongo-password-file"
+
+DESCRIPTION_S3_SECRET_FILE="S3 secret file (Docker secrets). Example: /run/secrets/s3_secret"
+DEFAULT_S3_SECRET_FILE=""
+KEY_S3_SECRET_FILE="s3-secret-file"
--- a/snap-src/bin/wekan-help
+++ b/snap-src/bin/wekan-help
@ -20,6 +20,9 @@ echo -e "\t$ snap set $NAP_NAME s3='{\"s3\":{\"key\": \"xxx\", \"secret\": \"xxx
 echo -e "Disable S3:"
 echo -e "\t$ snap unset $SNAP_NAME s3"
 echo -e "\n"
+echo -e "S3 Secret File (Docker Compose secrets):"
+echo -e "\t$ snap set $SNAP_NAME s3-secret-file='/run/secrets/s3_secret'"
+echo -e "\n"
 #echo -e "Writable path. Snap can not write outside of /var/snap/wekan/common sandbox directory."
 #echo -e "Default:"
 #echo -e "\t$ snap set $SNAP_NAME writable-path='\$SNAP_COMMON\files'"
@ -35,6 +38,9 @@ echo -e "\t$ snap set $SNAP_NAME mongo-url='...'"
 echo -e "\t-Disable the MONGO_URL of Wekan:"
 echo -e "\t$ snap unset $SNAP_NAME mongo-url"
 echo -e "\n"
+echo -e "MongoDB Password File (Docker Compose secrets):"
+echo -e "\t$ snap set $SNAP_NAME mongo-password-file='/run/secrets/mongo_password'"
+echo -e "\n"
 echo -e "Make sure you have connected all interfaces, check more by calling $ snap interfaces ${SNAP_NAME}"
 echo -e "\n"
 echo -e "${SNAP_NAME} has multiple services, to check status use systemctl"
@ -78,6 +84,9 @@ echo -e "\t$ snap set $SNAP_NAME mail-service-user='firstname.lastname@hotmail.c
 echo -e "mail-service-password:"
 echo -e "\t$ snap set $SNAP_NAME mail-service-password='SecretPassword'"
 echo -e "\n"
+echo -e "mail-service-password-file (Docker Compose secrets):"
+echo -e "\t$ snap set $SNAP_NAME mail-service-password-file='/run/secrets/mail_service_password'"
+echo -e "\n"
 echo -e "Number of search results to show per page by default:"
 echo -e "\t$ snap set $SNAP_NAME results-per-page='20'"
 echo -e "\t-Restore default:"
@ -334,6 +343,10 @@ echo -e "\t$ snap set $SNAP_NAME oauth2-secret='54321abcde'"
 echo -e "\t-Disable the OAuth2 Secret of Wekan:"
 echo -e "\t$ snap unset $SNAP_NAME oauth2-secret"
 echo -e "\n"
+echo -e "OAuth2 Secret File (Docker Compose secrets)."
+echo -e "Secret key file for OAuth2 (Docker secrets):"
+echo -e "\t$ snap set $SNAP_NAME oauth2-secret-file='/run/secrets/oauth2_secret'"
+echo -e "\n"
 echo -e "OAuth2 Server URL."
 echo -e "To enable the OAuth2 Server URL of Wekan:"
 echo -e "\t$ snap set $SNAP_NAME oauth2-server-url='https://chat.example.com'"
@ -457,6 +470,10 @@ echo -e "Ldap Authentication Password."
 echo -e "The password for the search user:"
 echo -e "\t$ snap set $SNAP_NAME ldap-authentication-password='admin'"
 echo -e "\n"
+echo -e "Ldap Authentication Password File (Docker Compose secrets)."
+echo -e "The password file for the search user (Docker secrets):"
+echo -e "\t$ snap set $SNAP_NAME ldap-authentication-password-file='/run/secrets/ldap_auth_password'"
+echo -e "\n"
 echo -e "Ldap Log Enabled."
 echo -e "Enable logs for the module:"
 echo -e "\t$ snap set $SNAP_NAME ldap-log-enabled='true'"
--- a/stacksmith/user-scripts/boot.sh
+++ b/stacksmith/user-scripts/boot.sh
@ -11,6 +11,29 @@ cat >"${CONF}" <<'EOF'
 export MONGO_URL=mongodb://{{DATABASE_USER}}:{{DATABASE_PASSWORD}}@{{DATABASE_HOST}}:{{DATABASE_PORT}}/{{DATABASE_NAME}}
 export ROOT_URL=http://localhost
 export PORT=3000
+
+# Docker Compose Secrets Support
+# If secret files exist, read passwords from them instead of environment variables
+if [ -f "/run/secrets/mongo_password" ]; then
+    export MONGO_PASSWORD=$(cat /run/secrets/mongo_password)
+    export MONGO_URL=mongodb://{{DATABASE_USER}}:${MONGO_PASSWORD}@{{DATABASE_HOST}}:{{DATABASE_PORT}}/{{DATABASE_NAME}}
+fi
+
+if [ -f "/run/secrets/ldap_auth_password" ]; then
+    export LDAP_AUTHENTIFICATION_PASSWORD=$(cat /run/secrets/ldap_auth_password)
+fi
+
+if [ -f "/run/secrets/oauth2_secret" ]; then
+    export OAUTH2_SECRET=$(cat /run/secrets/oauth2_secret)
+fi
+
+if [ -f "/run/secrets/mail_service_password" ]; then
+    export MAIL_SERVICE_PASSWORD=$(cat /run/secrets/mail_service_password)
+fi
+
+if [ -f "/run/secrets/s3_secret" ]; then
+    export S3_SECRET=$(cat /run/secrets/s3_secret)
+fi
 EOF

 sed -i -e "s/{{DATABASE_USER}}/${DATABASE_USER}/" "${CONF}"
--- a/start-wekan.bat
+++ b/start-wekan.bat
@ -10,6 +10,9 @@ SET WRITABLE_PATH=..

 REM # MongoDB database URL required
 SET MONGO_URL=mongodb://127.0.0.1:27017/wekan
+REM # MONGO_PASSWORD_FILE : MongoDB password file (Docker secrets)
+REM # example : SET MONGO_PASSWORD_FILE=/run/secrets/mongo_password
+REM SET MONGO_PASSWORD_FILE=

 REM # If port is 80, must change ROOT_URL to: http://YOUR-WEKAN-SERVER-IPv4-ADDRESS , like http://192.168.0.100
 REM # If port is not 80, must change ROOT_URL to: http://YOUR-WEKAN-SERVER-IPv4-ADDRESS:YOUR-PORT-NUMBER , like http://192.168.0.100:2000
@ -40,6 +43,9 @@ REM #   eu-west-1,eu-central-1,
 REM #   ap-southeast-1,ap-northeast-1,sa-east-1
 REM #
 REM SET S3='{"s3":{"key": "xxx", "secret": "xxx", "bucket": "xxx", "region": "eu-west-1"}}'
+REM # S3_SECRET_FILE : S3 secret file (Docker secrets)
+REM # example : SET S3_SECRET_FILE=/run/secrets/s3_secret
+REM SET S3_SECRET_FILE=

 REM # https://github.com/wekan/wekan/wiki/Troubleshooting-Mail
 REM SET MAIL_URL=smtps://username:password@email-smtp.eu-west-1.amazonaws.com:587/
@ -48,6 +54,9 @@ REM # Currently MAIL_SERVICE is not in use.
 REM SET MAIL_SERVICE=Outlook365
 REM SET MAIL_SERVICE_USER=firstname.lastname@hotmail.com
 REM SET MAIL_SERVICE_PASSWORD=SecretPassword
+REM # MAIL_SERVICE_PASSWORD_FILE : Password file for mail service (Docker secrets)
+REM # example : SET MAIL_SERVICE_PASSWORD_FILE=/run/secrets/mail_service_password
+REM SET MAIL_SERVICE_PASSWORD_FILE=

 REM # ==== NUMBER OF SEARCH RESULTS PER PAGE BY DEFAULT ====
 REM SET RESULTS_PER_PAGE=20
@ -202,6 +211,9 @@ REM ## Application GUID captured during app registration:
 REM SET OAUTH2_CLIENT_ID=xxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx
 REM ## Secret key generated during app registration:
 REM SET OAUTH2_SECRET=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
+REM # OAUTH2_SECRET_FILE : Secret key file for OAuth2 (Docker secrets)
+REM # example : SET OAUTH2_SECRET_FILE=/run/secrets/oauth2_secret
+REM SET OAUTH2_SECRET_FILE=
 REM SET OAUTH2_SERVER_URL=https://login.microsoftonline.com/
 REM SET OAUTH2_AUTH_ENDPOINT=/oauth2/v2.0/authorize
 REM SET OAUTH2_USERINFO_ENDPOINT=https://graph.microsoft.com/oidc/userinfo
@ -449,6 +461,9 @@ REM SET LDAP_AUTHENTIFICATION_USERDN="CN=wekan_adm,OU=serviceaccounts,OU=admin,O
 REM # LDAP_AUTHENTIFICATION_PASSWORD : The password for the search user
 REM # example : AUTHENTIFICATION_PASSWORD=admin
 REM SET LDAP_AUTHENTIFICATION_PASSWORD=
+REM # LDAP_AUTHENTIFICATION_PASSWORD_FILE : The password file for the search user (Docker secrets)
+REM # example : SET LDAP_AUTHENTIFICATION_PASSWORD_FILE=/run/secrets/ldap_auth_password
+REM SET LDAP_AUTHENTIFICATION_PASSWORD_FILE=

 REM # LDAP_LOG_ENABLED : Enable logs for the module
 REM # example : LDAP_LOG_ENABLED=true
--- a/start-wekan.sh
+++ b/start-wekan.sh
@ -9,6 +9,9 @@
      #-----------------------------------------------------------------
      # MongoDB database URL required
      export MONGO_URL=mongodb://127.0.0.1:27017/wekan
+      # MONGO_PASSWORD_FILE : MongoDB password file (Docker secrets)
+      # example : export MONGO_PASSWORD_FILE=/run/secrets/mongo_password
+      #export MONGO_PASSWORD_FILE=
      #-----------------------------------------------------------------
      # If port is 80, must change ROOT_URL to: http://YOUR-WEKAN-SERVER-IPv4-ADDRESS , like http://192.168.0.100
      # If port is not 80, must change ROOT_URL to: http://YOUR-WEKAN-SERVER-IPv4-ADDRESS:YOUR-PORT-NUMBER , like http://192.168.0.100:2000
@ -37,6 +40,9 @@
      #   ap-southeast-1,ap-northeast-1,sa-east-1
      #
      #export S3='{"s3":{"key": "xxx", "secret": "xxx", "bucket": "xxx", "region": "xxx"}}'
+      # S3_SECRET_FILE : S3 secret file (Docker secrets)
+      # example : export S3_SECRET_FILE=/run/secrets/s3_secret
+      #export S3_SECRET_FILE=
      #-----------------------------------------------------------------
      # https://github.com/wekan/wekan/wiki/Troubleshooting-Mail
      # https://github.com/wekan/wekan-mongodb/blob/master/docker-compose.yml
@ -46,6 +52,9 @@
      #export MAIL_SERVICE=Outlook365
      #export MAIL_SERVICE_USER=firstname.lastname@hotmail.com
      #export MAIL_SERVICE_PASSWORD=SecretPassword
+      # MAIL_SERVICE_PASSWORD_FILE : Password file for mail service (Docker secrets)
+      # example : export MAIL_SERVICE_PASSWORD_FILE=/run/secrets/mail_service_password
+      #export MAIL_SERVICE_PASSWORD_FILE=
      #---------------------------------------------
      #export KADIRA_OPTIONS_ENDPOINT=http://127.0.0.1:11011
      #---------------------------------------------
@ -207,6 +216,9 @@
      #
      # Secret key generated during app registration:
      #export OAUTH2_SECRET=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
+      # OAUTH2_SECRET_FILE : Secret key file for OAuth2 (Docker secrets)
+      # example : export OAUTH2_SECRET_FILE=/run/secrets/oauth2_secret
+      #export OAUTH2_SECRET_FILE=
      #export OAUTH2_SERVER_URL=https://login.microsoftonline.com/
      #export OAUTH2_AUTH_ENDPOINT=/oauth2/v2.0/authorize
      #export OAUTH2_USERINFO_ENDPOINT=https://graph.microsoft.com/oidc/userinfo
@ -375,6 +387,9 @@
      # LDAP_AUTHENTIFICATION_PASSWORD : The password for the search user
      # example : AUTHENTIFICATION_PASSWORD=admin
      #export LDAP_AUTHENTIFICATION_PASSWORD=
+      # LDAP_AUTHENTIFICATION_PASSWORD_FILE : The password file for the search user (Docker secrets)
+      # example : export LDAP_AUTHENTIFICATION_PASSWORD_FILE=/run/secrets/ldap_auth_password
+      #export LDAP_AUTHENTIFICATION_PASSWORD_FILE=
      #
      # LDAP_LOG_ENABLED : Enable logs for the module
      # example :  export LDAP_LOG_ENABLED=true
				`@ -0,0 +1 @@`
				`{"s3":{"key": "your_s3_key_here", "secret": "your_s3_secret_here", "bucket": "your_s3_bucket_here", "region": "eu-west-1"}}`