Support docker secrets #7

Closed
opened 2026-02-04 16:29:05 +03:00 by OVERLORD · 8 comments

Originally created by @schklom on GitHub (Feb 9, 2022).

Originally assigned to: @alextran1502 on GitHub.

Hi!

Would you please implement extra Docker environment variables called `*_FILE` or something in that fashion, and feed them `/run/secrets/immich_*`, at least for the database password and the JWT secret?
Doing otherwise can be unsafe. Ideally, the database name and username can also be read as secrets.

The docker-compose.yml would look like (only included the relevant parts):

```yaml
services:
  server:
    environment:
      # STAGE
      NODE_ENV: development

      # Database
      DB_USERNAME_FILE: /run/secrets/immich_db_user
      DB_PASSWORD_FILE: /run/secrets/immich_db_password
      DB_DATABASE_NAME_FILE: /run/secrets/immich_db_db

      # Upload File Config
      UPLOAD_LOCATION: ./upload

      # JWT SECRET
      JWT_SECRET_FILE: /run/secrets/immich_jwt
    secrets:
      - immich_db_db
      - immich_db_user
      - immich_db_password
      - immich_jwt

  database:
    environment:
      TZ: ${TZ}
      POSTGRES_DB_FILE: /run/secrets/immich_db_db
      # The postgres image reads the user name from a file via POSTGRES_USER_FILE;
      # plain POSTGRES_USER would take the path itself as the user name
      POSTGRES_USER_FILE: /run/secrets/immich_db_user
      POSTGRES_PASSWORD_FILE: /run/secrets/immich_db_password
    secrets:
      - immich_db_db
      - immich_db_user
      - immich_db_password

secrets:
  immich_db_db:
    file: /secrets_path/immich_db_db
  immich_db_user:
    file: /secrets_path/immich_db_user
  immich_db_password:
    file: /secrets_path/immich_db_password
  immich_jwt:
    file: /secrets_path/immich_jwt
```

I don't know Dart and TypeScript, but some possible code to read them in bash and store the contents in variables is:

```bash
# Only read the secret when *_FILE is set (-n, not -z) and names a regular file;
# the first line of that file becomes the value (double quotes so $(...) expands)
[[ -n "${JWT_SECRET_FILE}" ]] && [[ -f "${JWT_SECRET_FILE}" ]] && JWT_SECRET="$(head -n 1 "${JWT_SECRET_FILE}")"
```

Hopefully this helps

@alextran1502 commented on GitHub (Feb 9, 2022):

Thank you for the suggestion, I will take a look at this.


@kaysond commented on GitHub (Mar 29, 2022):

LSIO does this for all their containers and it's great


@alextran1502 commented on GitHub (Mar 29, 2022):

@kaysond Can you help me find one that I can refer to?


@kaysond commented on GitHub (Mar 29, 2022):

They've set it up in a very generic way in all of their base images. You can see an example of their bash script [here](https://github.com/linuxserver/docker-baseimage-alpine/blob/master/root/etc/cont-init.d/01-envfile) and [here](https://github.com/linuxserver/docker-nextcloud#environment-variables-from-files-docker-secrets) is an example of the usage.

@kaysond commented on GitHub (Mar 29, 2022):

Oh and [MariaDB's official image](https://github.com/MariaDB/mariadb-docker) also does the same thing (though they use a suffix instead of prefix)

@EnochPrime commented on GitHub (Jan 4, 2023):

> They've set it up in a very generic way in all of their base images. You can see an example of their bash script [here](https://github.com/linuxserver/docker-baseimage-alpine/blob/master/root/etc/cont-init.d/01-envfile) and [here](https://github.com/linuxserver/docker-nextcloud#environment-variables-from-files-docker-secrets) is an example of the usage.

LSIO's method requires [s6-overlay](https://github.com/just-containers/s6-overlay). The code is [here](https://github.com/linuxserver/docker-baseimage-alpine/blob/855ddee1027da3c2a57eaa8026c3b7b8b5f2055f/root/etc/s6-overlay/s6-rc.d/init-envfile/run).

> Oh and [MariaDB's official image](https://github.com/MariaDB/mariadb-docker) also does the same thing (though they use a suffix instead of prefix)

This method is less dynamic, but done purely with bash script. Unfortunately the variable expansion method used is not supported by sh and the immich containers don't have bash currently.

```bash
# usage: file_env VAR [DEFAULT]
#    ie: file_env 'XYZ_DB_PASSWORD' 'example'
# (will allow for "$XYZ_DB_PASSWORD_FILE" to fill in the value of
#  "$XYZ_DB_PASSWORD" from a file, especially for Docker's secrets feature)
file_env() {
	local var="$1"
	local fileVar="${var}_FILE"
	local def="${2:-}"
	# "${!var}" is bash indirect expansion: the value of the variable whose name is in $var
	if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then
		# mysql_error is the MariaDB entrypoint's log-and-exit helper
		mysql_error "Both $var and $fileVar are set (but are exclusive)"
	fi
	local val="$def"
	if [ "${!var:-}" ]; then
		val="${!var}"
	elif [ "${!fileVar:-}" ]; then
		# $(< file) reads the whole file; trailing newlines are stripped
		val="$(< "${!fileVar}")"
	fi
	export "$var"="$val"
	unset "$fileVar"
}
```
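The comment above points out that `${!var}` indirect expansion is bash-only, and the original post's one-liner covers a single variable. The following is an added example written for this thread, not code from immich, MariaDB, LSIO or the postgres image: a `file_env` with the same contract (`VAR_FILE` fills `VAR`, the two are mutually exclusive, an optional default applies when neither is set) that runs under plain POSIX `sh`. It uses `eval` for the indirection, so the variable name is first checked against the identifier grammar; the secret file must be readable, and trailing newlines that `docker secret create` or an editor leaves at the end of the file are dropped by command substitution. The `demo_file_env` helper and its temporary file are constructed for illustration only.

```shell
#!/bin/sh
# file_env VAR [DEFAULT]  -- POSIX sh port of the *_FILE convention (example code)
# Resolution order: $VAR already set > contents of the file named by $VAR_FILE > DEFAULT.
# Setting both VAR and VAR_FILE is an error, as in the MariaDB/postgres entrypoints.
file_env() {
    _fe_var="$1"
    _fe_def="${2:-}"
    # Reject anything that is not a valid shell identifier before it reaches eval
    case "$_fe_var" in
        ''|[0-9]*|*[!A-Za-z0-9_]*)
            echo "file_env: invalid variable name: $_fe_var" >&2
            return 1 ;;
    esac
    _fe_file_var="${_fe_var}_FILE"
    # Indirect lookup: the names were validated above, so the eval text is under our control
    eval "_fe_val=\${$_fe_var:-}"
    eval "_fe_file=\${$_fe_file_var:-}"
    if [ -n "$_fe_val" ] && [ -n "$_fe_file" ]; then
        echo "file_env: both $_fe_var and $_fe_file_var are set (but are exclusive)" >&2
        return 1
    fi
    if [ -n "$_fe_file" ]; then
        if [ ! -f "$_fe_file" ] || [ ! -r "$_fe_file" ]; then
            echo "file_env: $_fe_file_var points to an unreadable file: $_fe_file" >&2
            return 1
        fi
        # $(...) strips trailing newlines, so a secret file ending in "\n" yields the bare value
        _fe_val="$(cat "$_fe_file")"
    elif [ -z "$_fe_val" ]; then
        _fe_val="$_fe_def"
    fi
    # The value is passed as a single word; it is never re-parsed by the shell
    export "$_fe_var=$_fe_val"
    # Remove the *_FILE hint so child processes only see the resolved variable
    unset "$_fe_file_var"
    unset _fe_var _fe_def _fe_file_var _fe_val _fe_file
}

# Constructed demo: writes a throwaway secret file, resolves DEMO_SECRET from it,
# and prints the resolved length (not the value) so the secret never hits the log.
demo_file_env() {
    _demo_tmp="$(mktemp)" || return 1
    printf 'correct horse battery staple\n' > "$_demo_tmp"
    DEMO_SECRET_FILE="$_demo_tmp"
    file_env DEMO_SECRET || { rm -f "$_demo_tmp"; return 1; }
    rm -f "$_demo_tmp"
    echo "DEMO_SECRET resolved, length ${#DEMO_SECRET}, DEMO_SECRET_FILE now '${DEMO_SECRET_FILE:-}'"
}
```

Call `file_env DB_PASSWORD` (and likewise for `DB_USERNAME`, `DB_DATABASE_NAME`, `JWT_SECRET`) at the top of the container entrypoint before `exec`-ing the server, and the application code can keep reading the plain variable names.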

@EnochPrime commented on GitHub (Jan 4, 2023):

Also, definitely not an expert, but I think we can't use the MariaDB method verbatim anyway since they are under GPL2 license and this project is under MIT.

Edit: And the LSIO is under GPL3 too.


@EnochPrime commented on GitHub (Jan 4, 2023):

Actually I just found the identical code over in the [postgres docker](https://github.com/docker-library/postgres/blob/master/docker-entrypoint.sh) which is MIT license. So I believe it is fair to copy.
Reference: immich-app/immich#7