34
submitted 1 year ago* (last edited 1 year ago) by Nitrousoxide@lemmy.fmhy.ml to c/selfhosted@lemmy.world

I've migrated off of Portainer to standard docker compose recently so that I can script some major tasks like updating all the containers or restarting all of them. I also liked the idea of being able to put the compose files into a git repo and push it up so that they are automatically backed up. I hope to be able to turn this into more of infrastructure as code implementation where I can edit the repo and have it auto push to my server and redeploy. That's a bit further down the line though.

That said, with the compose files living in their remote, they currently still have their secrets on them, either in a corresponding .env file or in the compose file itself. I really don't like this since if someone ever gains access to the repo they have all my services' secrets. What is the best way to use a git repo for compose files while not exposing a bunch of secrets potentially?

I know podman supports secrets, though I guess I'd have to manually ssh into the server to create them in the session. Currently these services are all through docker however.

top 7 comments
sorted by: hot top controversial new old
[-] rikudou@lemmings.world 14 points 1 year ago

I usually use a .env.example file which contains all non-secret variables filled and all secret variables defined with no value.

The secrets are stored in the secret store of GitHub/GitLab (depending on what I'm using). During deploy the .env.example file is copied to .env and all the secret variables are written into the file (which itself is in .gitignore to avoid accidentally committing the local version on my machine).

[-] DrJenkem@lemmy.blugatch.tube 12 points 1 year ago

I use Ansible to deploy the docker-compose files around and do the typical operations (pull, restart, up/down). I store the secrets in my Ansible vault and it injects the secrets directly into the compose file when deploying the compose file to the host.

[-] klay@lemmy.world 8 points 1 year ago

I add .env to my .gitignore, then I can safely put secrets in my .env. If you have a big .env file, make a sample.env with the secrets removed.

[-] James@lemmy.ca 5 points 1 year ago

Ansible vault

[-] Awwab@kbin.social 2 points 1 year ago

You could have the best of both worlds and then also use GitHub secrets as well. https://github.com/marketplace/actions/deploy-a-portainer-stack

[-] g5pw@feddit.it 2 points 1 year ago

I use sops, usually with exec-env

[-] breadsmasher@lemmy.world 1 points 1 year ago

Some random suggestions - it really depends on your deployment strategy and available infrastructure

  • you can set secrets in portainer if you’re using docker swarm

https://docs.portainer.io/user/docker/secrets

  • you can provide secrets to docker (unsure about portainer) on the command line when building

https://docs.docker.com/engine/reference/commandline/buildx_build/#secret

  • Ive not used github actions but azure devops supports secret variables in libraries which can then be deployed via a pipeline without revealing any secrets, this appears similar on gh

https://docs.github.com/en/actions/security-guides/encrypted-secrets

  • azure key vault and similar can store secrets which code then accesses, although you still then need to authenticate with the vault
this post was submitted on 18 Jul 2023
34 points (100.0% liked)

Selfhosted

39964 readers
188 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 1 year ago
MODERATORS