Add Docker Secret support

abelfodil · abelfodil · commit 710d3e59eff3 · 2025-10-11T16:20:31.000-04:00
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -21,6 +21,7 @@ jobs:
           - "sqlite"
           - "mariadb"
           - "postgresql"
+          - "postgresql-secret"
 
     steps:
       - name: "Checkout"
diff --git a/README.md b/README.md
@@ -43,6 +43,8 @@ Default login is `wallabag:wallabag`.
 - `-e SYMFONY__ENV__SERVER_NAME=...` (defaults to "Your wallabag instance". Specifies a user-friendly name for the 2FA issuer)
 - `-e PHP_MEMORY_LIMIT=...` (allows you to change the PHP `memory_limit` value. defaults to 128M, and should be a number and unit, eg. 512K, 128M, 2G, or a number of bytes)
 
+To set any of these environment variables from a file (for instance a Docker Secret), append `__FILE` to the name of the environment variable.
+
 ## SQLite
 
 The easiest way to start wallabag is to use the SQLite backend. You can spin that up with
diff --git a/root/entrypoint.sh b/root/entrypoint.sh
@@ -2,6 +2,16 @@
 # Exit when any command fails
 set -e
 
+FILE_ENV_VARS="$(env | grep '__FILE=')"
+for env_var in $FILE_ENV_VARS; do
+    var_name="$(echo "$env_var" | grep -o '.*__FILE=' | sed 's/__FILE=//g')"
+    file_path="$(echo "$env_var" | grep -o '__FILE=.*' | sed 's/__FILE=//g')"
+    file_content="$(cat "$file_path")"
+    [ ! $? -eq 0 ] && exit 1 # Exit if last command failed
+    new_var="$(echo "$var_name=$file_content")"
+    export $(echo "$new_var" | xargs)
+done
+
 COMMAND_ARG1="$1"
 COMMAND_ARG2="$2"
 
diff --git a/tests/credentials/db_password b/tests/credentials/db_password
@@ -0,0 +1 @@
+wallapass
diff --git a/tests/credentials/env_secret b/tests/credentials/env_secret
@@ -0,0 +1 @@
+F00B4R
diff --git a/tests/credentials/postgres_password b/tests/credentials/postgres_password
@@ -0,0 +1 @@
+my-secret-pw
diff --git a/tests/docker-compose.postgresql-secret.yml b/tests/docker-compose.postgresql-secret.yml
@@ -0,0 +1,31 @@
+version: '2'
+services:
+  wallabag:
+    build:
+      context: ../
+    image: wallabag:postgresql
+    container_name: wallabag
+    environment:
+      - POSTGRES_PASSWORD__FILE=/run/secrets/postgres_password
+      - POSTGRES_USER=my-super-user
+      - SYMFONY__ENV__SECRET__FILE=/run/secrets/env_secret
+      - SYMFONY__ENV__DATABASE_DRIVER=pdo_pgsql
+      - SYMFONY__ENV__DATABASE_HOST=db
+      - SYMFONY__ENV__DATABASE_PORT=5432
+      - SYMFONY__ENV__DATABASE_NAME=wallabag
+      - SYMFONY__ENV__DATABASE_USER=wallabag
+      - SYMFONY__ENV__DATABASE_PASSWORD__FILE=/run/secrets/db_password
+    ports:
+      - "127.0.0.1:80:80"
+    # Docker Secrets require Swarm Mode, so we use volumes instead to spoof the behaviour
+    volumes:
+      - ./credentials/db_password:/run/secrets/db_password
+      - ./credentials/postgres_password:/run/secrets/postgres_password
+      - ./credentials/env_secret:/run/secrets/env_secret
+  db:
+    image: postgres:18
+    environment:
+      - POSTGRES_PASSWORD_FILE=/run/secrets/postgres_password
+      - POSTGRES_USER=my-super-user
+    volumes:
+      - ./credentials/postgres_password:/run/secrets/postgres_password
