[Feature] Ability to Read Postgres-Pass from File

[felixw7k]

Use case

As a system administrator i want to check my headscale-config into a git repository. Having secrets in git is considered bad practice, so any headscale-configuration with postgres.pass set, should not be pushed into a git-repo.

Description

If you want to have your configuration versioned, at the moment you are left with the options "using postgres via socket" or "using sqlite" since the password to your database-server would also be checked in.

Being able to read the postgres-password from a file in the headscale-config let's us treat the configuration as "non-secret".

In Docker this file could be bind-mounted by the admin , in a kubernetes-enviromnent it could be set as a secret; which both would no longer be headscale's concern.

Contribution

• [ ] I can write the design doc for this feature
• [ ] I can contribute this feature

How can it be implemented?

In my opinion, treating the postgres-password the same as the oidc-client-secret would be perfect: Equivalent to oidc.client_secret_path i could imagine an option like postgres.pass_path to read the password from a file.

[kradalby]

All the configuration options are also settable via environment variables, e.g. HEADSCALE_DATABASE_POSTGRES_PASS.

I dont disagree that it can also be read by file, but I think that solves the majority of problems.

Please also note that we do not actively support or improve postgres and strongly recommend the use of SQLite.