From eef0021366541cd2c6e06ac4871b45d56c83b6a8 Mon Sep 17 00:00:00 2001
From: Kailash Nadh
Date: Sat, 9 Aug 2025 14:41:13 +0530
Subject: [PATCH] Add support for loading secrets from *_FILE env vars in Docker environment. Closes #2455.
Co-Authored-By: Michael Redig
---
 docker-compose.yml | 3 +++
 docker-entrypoint.sh | 25 +++++++++++++++++++++++++
 2 files changed, 28 insertions(+)
diff --git a/docker-compose.yml b/docker-compose.yml
index 86fb47cf..6eaca1fb 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -1,3 +1,6 @@
+# All LISTMONK_* env variables also support the LISTMONK_*_FILE pattern for loading secrets from files with Docker secrets and Podman
+# eg: LISTMONK_ADMIN_USER -> LISTMONK_ADMIN_USER_FILE=/path/to/file_with_value
+
 x-db-credentials: &db-credentials # Use the default POSTGRES_ credentials if they're available or simply default to "listmonk"
 POSTGRES_USER: &db-user listmonk # for database user, password, and database name
 POSTGRES_PASSWORD: &db-password listmonk
diff --git a/docker-entrypoint.sh b/docker-entrypoint.sh
index 15e0aa61..4c1f78cd 100644
--- a/docker-entrypoint.sh
+++ b/docker-entrypoint.sh
@@ -34,6 +34,31 @@ create_user() {
 create_group
 create_user
 
+load_secret_files() {
+ # Save and restore IFS
+ old_ifs="$IFS"
+ IFS='
+'
+ # Capture all env variables starting with LISTMONK_ and ending with _FILE.
+ # It's value is assumed to be a file path with its actual value.
+ for line in $(env | grep '^LISTMONK_.*_FILE='); do
+ var="${line%%=*}"
+ fpath="${line#*=}"
+
+ # If it's a valid file, read its contents and assign it to the var
+ # without the _FILE suffix.
+ # Eg: LISTMONK_DB_USER_FILE=/run/secrets/user -> LISTMONK_DB_USER=$(contents of /run/secrets/user)
+ if [ -f "$fpath" ]; then
+ new_var="${var%_FILE}"
+ export "$new_var"="$(cat "$fpath")"
+ fi
+ done
+ IFS="$old_ifs"
+}
+
+# Load env variables from files if LISTMONK_*_FILE variables are set.
+load_secret_files
+
 # Try to set the ownership of the app directory to the app user.
 if ! chown -R ${PUID}:${PGID} /listmonk 2>/dev/null; then
 echo "Warning: Failed to change ownership of /listmonk. Readonly volume?"
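Review bot: A `LISTMONK_*_FILE` variable whose path is missing or not a regular file is skipped without any message, because the `if [ -f "$fpath" ]` test in `load_secret_files` has no else branch; a mistyped secret path therefore leaves the target variable unset and the container carries on with whatever the rest of the configuration supplies (possibly a default credential, which is not visible in this hunk). The read itself cannot fail loudly either: in `export "$new_var"="$(cat "$fpath")"` the exit status of `cat` is replaced by that of `export`, so an unreadable file exports an empty value. I would report the problem on stderr and stop, and assign the contents to a plain variable before exporting, as in the excerpt below; whether to exit or only warn is the project's call. Separately, the unquoted `$(env | grep ...)` is still subject to pathname expansion, so wrapping the loop in `set -f` / `set +f` would keep a path containing `*` or `?` intact.

```shell
  for line in $(env | grep '^LISTMONK_.*_FILE='); do
    # … unchanged: split line into var and fpath …
    if [ ! -f "$fpath" ] || [ ! -r "$fpath" ]; then
      echo "Error: $var points to '$fpath', which is not a readable file." >&2
      exit 1
    fi

    new_var="${var%_FILE}"
    # Plain assignment first, so a failed read is not hidden by export's status.
    secret="$(cat "$fpath")" || exit 1
    export "$new_var"="$secret"
  done
```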