ttionya / vaultwarden-backup

Backup vaultwarden (formerly known as bitwarden_rs) SQLite3/PostgreSQL/MySQL/MariaDB database by rclone. (Docker)
MIT License

Here is a way to use docker secrets or secure way to set passwords ? #14

Closed thib3113 closed 3 years ago

thib3113 commented 3 years ago

Hello,

can I set environment variables, without writing them directly at env ?

like creating a .env file ? or using docker secrets ?

ttionya commented 3 years ago

Hello.

We have no plans to support docker secret.

The main content of docker-compose.yml will remain largely unchanged, only the annotated environment variables will be added. I don't think it would be a problem to write environment variables directly in docker-compose.yml.

But if you want, you can add a new .env file in the docker-compose.yml sibling directory and put the environment variables there, because docker-compse will automatically read the .env file in the current directory.

Hope this helps!

thib3113 commented 3 years ago

In fact, because I use swarm mode, and portainer to manage it, I can't directly use your docker-compose.yml, and can't use .env to get environment variables. (And I need to use docker swarm, and not docker compose formats, with some specifications, like the secrets only available for swarm.)

In general, repos act like this:

mustaphazorgati commented 3 years ago

Hey @thib3113,

thanks for your ideas! Suggestion: Do you want to create a PR containing the ZIP_PASSWORD_FILE environment variable which overrides ZIP_PASSWORD?

thib3113 commented 3 years ago

hey @mustaphazorgati, else I found this:

ttionya commented 3 years ago

hey @thib3113 ,

I checked the portainer documentation and found that I can use docker-compose.yml with stacks, can you give it a try?

https://documentation.portainer.io/v2.0/stacks/create/

thib3113 commented 3 years ago

> hey @thib3113 ,
>
> I checked the portainer documentation and found that I can use docker-compose.yml with stacks, can you give it a try?
>
> https://documentation.portainer.io/v2.0/stacks/create/

no, it just supports the "swarm way" of docker-compose: docker stack deploy -c docker-compose.yml. But it doesn't support adding an .env file. I need to add env manually, and finally they are easily readable on the container.

ttionya commented 3 years ago

> hey @thib3113 , I checked the portainer documentation and found that I can use docker-compose.yml with stacks, can you give it a try? https://documentation.portainer.io/v2.0/stacks/create/
>
> no, it just supports the "swarm way" of docker-compose: docker stack deploy -c docker-compose.yml. But it doesn't support adding an .env file. I need to add env manually, and finally they are easily readable on the container.

Sorry I haven't used docker swarm, but if it says it supports docker-compose.yml, then why can't you just put the environment variables in docker-compose.yml?

thib3113 commented 3 years ago

I can put the environment variables in the yaml of the stack (or docker-compose.yml if you prefer, but some little things don't work in the same way).... But your passwords are readable...

And that's why docker swarm adds "secrets", to hide this kind of information.

And as I said before, I prefer to leave the default password instead of adding it in the docker-compose.yml. Because it's more secure (people need to find the github documentation, instead of reading environment variables of the container).

mustaphazorgati commented 3 years ago

Hey @thib3113,

I have created a PR which allows the user to access a secret. Here is an example creation call without any other parameters.

docker service create --name backup --secret zip_password --env ZIP_PASSWORD_SECRET=zip_password ttionya/bitwardenrs-backup:latest

We now have to wait for @ttionya to approve the changes and release a new version for you.

ttionya commented 3 years ago

hey, @thib3113 ,

I understand roughly what you want, you don't want to pass in the configuration via environment variables for security reasons, but prefer to introduce the configuration via docker config or docker secret (when using docker swarm). Am I misunderstanding?

One more question, we sync backup files to remote storage system via Rclone, we need to configure Rclone information via docker run repo rclone config, I wonder if docker swarm can do it simply? I am equally concerned about the possible restore operations.

thib3113 commented 3 years ago

@ttionya yes. (And I know some people prefer to bind a file in the container, instead of passing env.)

About the docker run repo rclone config, on my configuration, I've just run the command to generate the rclone.conf the first time, then I create a docker config and I set it to push the config in rclone.conf...

my "compose" is like that:

version: "3.7"

services:
  backup:
    image: ttionya/bitwardenrs-backup:latest
    volumes:
      - bitwarden_data:/bitwarden/data
    secrets:
      - source: BITWARDEN_RCLONE_CONFIG
        target: /config/rclone/rclone.conf
    environment:
      RCLONE_REMOTE_NAME: my_ftp
      RCLONE_REMOTE_DIR: /bitwarden
      BACKUP_KEEP_DAYS: 30
      TIMEZONE: Europe/Paris

secrets:
  BITWARDEN_RCLONE_CONFIG:
    external: true

what are your concerns about restore?

@mustaphazorgati thank you, but I prefer to talk about this before doing a pull request :). (And just some remarks: in general people add a var with _FILE so people can bind the file where they want, and not only in the docker secrets folder. Other thing, what about MAIL_SMTP_VARIABLES? Because it will contain a password too if the SMTP needs authentication.) (docker uses it for basic images, like mysql: https://hub.docker.com/_/mysql the password can be set with MYSQL_ROOT_PASSWORD_FILE)

ttionya commented 3 years ago

hey @thib3113 , @mustaphazorgati ,

Before I said I didn't plan to support Docker Secret because I hadn't used Docker Swarm. Now I think I have some knowledge about Docker Swarm, Docker Secret and Docker Config and I have changed my mind.

To satisfy some people who would like to use env files or use docker secret to hide credentials, I modified the script and it will now read the config from the /.env file.

Now you can use docker config or map the local env file to /.env. If you need to use Docker Secret, you can also add the environment variable ZIP_PASSWORD_FILE=/run/secrets/zip-password or put it in the env file.

This change #16 has not been merged into master yet, as I don't know if there are any scenarios I haven't considered, so please review the code and give feedback when you have time.

Thanks!

thib3113 commented 3 years ago

Hey @ttionya thank you. And no problem about configs / secrets, they exist "only" on docker swarm, so if you never tried, you don't know.

About the changes, that seems fine, but I can't test before the image is pushed to a repository (docker swarm doesn't allow the build in the yaml).

mustaphazorgati commented 3 years ago

Hey @ttionya!

Thanks for the PR. I suggested some minor comments. Overall it looks good! :)

@thib3113 thanks for the suggestion / idea contribution

ttionya commented 3 years ago

hey @thib3113 @mustaphazorgati ,

I merged the PR #16 and released the beta version v1.6.0-beta.2, I simply tested the .env file (not via Docker Swarm) and it works fine.

I don't know how it actually works in Docker Swarm with Docker Secret and Docker Config. Could you please test it for me? Looking forward to your feedback. Thank you.

mustaphazorgati commented 3 years ago

Alright. I will test the image with docker swarm and a secret file for ZIP_PASSWORD later tonight

mustaphazorgati commented 3 years ago

Setting ZIP_PASSWORD_FILE using docker swarm and secrets works fine for me.

thib3113 commented 3 years ago

tested for me, and it's good too :) . Thank you :)

ttionya commented 3 years ago

Hey @thib3113 @mustaphazorgati ,

This change is already in stable v1.6.0, please let me know if you have any questions.