ttionya / vaultwarden-backup

Backup vaultwarden (formerly known as bitwarden_rs) SQLite3/PostgreSQL/MySQL/MariaDB database by rclone. (Docker)
MIT License

Add support for reading Docker secrets from a file #143

Closed · CarterKoopa closed this 2 months ago

CarterKoopa commented 10 months ago

Thanks for the great work on this project - this makes Vaultwarden backup so much quicker and more reliable.

In hardening my Docker stack, I've been working on moving as much sensitive information as possible out of compose/env files and into Docker secrets. For vaultwarden-backup, I am trying to do this with the ZIP_PASSWORD and MAIL_SMTP_VARIABLES; however, it doesn't look like the code is there to parse this, as the secrets are being interpreted as string literals.

My compose file currently has the following code (non-secrets-related info removed):

```yaml
services:
  backup:
    environment:
      ZIP_PASSWORD: /run/secrets/zip_password
      MAIL_SMTP_VARIABLES: /run/secrets/backup_smtp
    secrets:
      - zip_password
      - backup_smtp

secrets:
  zip_password:
    file: ./vw-secrets/backup_zip.txt
  backup_smtp:
    file: ./vw-secrets/vaultwarden_backup_smtp.txt
```

The contents of the backup_zip.txt file are only the string I'm trying to use as the password.

Right now, the zip file is being encrypted with the literal string "/run/secrets/zip_password". The ideal behavior would be reading the contents of that file and setting the zip password to such.

Thanks for considering!

ttionya commented 10 months ago

Please try appending _FILE to the environment variable, for example, change ZIP_PASSWORD to ZIP_PASSWORD_FILE. Refer to https://github.com/ttionya/vaultwarden-backup?tab=readme-ov-file#docker-secrets for more information.
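The `VAR` versus `VAR_FILE` convention the maintainer points to is the same one the official Docker images use: the plain variable is taken literally, and the `_FILE` variant names a file (typically a Docker secret under `/run/secrets/`) whose contents become the value. The script below is an added illustration of that resolution logic, not vaultwarden-backup's own code; the function name `read_env_or_file`, the demo helpers, and the sample secret file are all made up for this example. It reproduces both the behaviour the reporter saw (the path string becoming the password) and the `_FILE` behaviour, and rejects the ambiguous case where both variables are set.

```shell
#!/bin/sh
# Added example (not vaultwarden-backup's own code): the Docker "_FILE"
# convention that lets a setting come from a secret file instead of the
# environment. The function name read_env_or_file is invented for this demo.
set -eu

# read_env_or_file NAME
# Prints the value of $NAME, or the contents of the file named in $NAME_FILE.
# Refuses ambiguous input (both set) and unreadable files, so a misconfigured
# secret fails loudly instead of silently encrypting with an empty string.
read_env_or_file() {
  name="$1"
  # Only accept a plain identifier; the name is interpolated into eval below.
  case "$name" in
    *[!A-Za-z0-9_]* | "" | [0-9]*) echo "error: bad variable name" >&2; return 2 ;;
  esac
  file_var="${name}_FILE"
  eval "val=\${$name-}"
  eval "file=\${$file_var-}"
  if [ -n "$val" ] && [ -n "$file" ]; then
    echo "error: $name and $file_var are both set" >&2
    return 2
  fi
  if [ -n "$file" ]; then
    [ -r "$file" ] || { echo "error: $file_var=$file is not readable" >&2; return 1; }
    # Command substitution drops trailing newlines, so a secret written with
    # echo (newline-terminated) and one written with printf compare equal.
    val="$(cat "$file")"
  fi
  printf '%s' "$val"
}

# Constructed sample secret for the demo (not a real credential), written to
# a private temp dir and removed on exit.
DEMO_DIR="$(mktemp -d)"
trap 'rm -rf "$DEMO_DIR"' EXIT
printf 'correct horse battery staple\n' > "$DEMO_DIR/zip_password"
chmod 600 "$DEMO_DIR/zip_password"

# What the issue reporter did: the path itself becomes the password.
demo_literal() {
  ( ZIP_PASSWORD="$DEMO_DIR/zip_password"; read_env_or_file ZIP_PASSWORD )
}

# What the maintainer suggests: *_FILE makes the file contents the password.
demo_from_file() {
  ( ZIP_PASSWORD_FILE="$DEMO_DIR/zip_password"; read_env_or_file ZIP_PASSWORD )
}

# Misconfiguration: both set at once is rejected (exit 2) rather than guessed at.
demo_conflict_status() {
  rc=0
  ( ZIP_PASSWORD=x; ZIP_PASSWORD_FILE="$DEMO_DIR/zip_password"
    read_env_or_file ZIP_PASSWORD >/dev/null 2>&1 ) || rc=$?
  echo "$rc"
}

echo "literal:   $(demo_literal)"
echo "from file: $(demo_from_file)"
echo "conflict exit status: $(demo_conflict_status)"
```

In a compose file this corresponds to setting `ZIP_PASSWORD_FILE: /run/secrets/zip_password` instead of `ZIP_PASSWORD`, with the secret still declared under `secrets:` as in the reporter's snippet. The subshells in the demo helpers keep each scenario's variables from leaking into the next, and the identifier check before `eval` matters because the variable name is expanded into shell code.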