
Allow to use STRAVA_CLIENT_SECRET_FILE and STRAVA_REFRESH_TOKEN_FIL…#1869

Closed
llaumgui wants to merge 1 commit into robiningelbrecht:master from llaumgui:feature/compose_secrets

Conversation

llaumgui (Contributor) commented Mar 8, 2026

Instead of passing secrets directly via the STRAVA_CLIENT_SECRET and STRAVA_REFRESH_TOKEN environment variables, you can use Docker Compose secrets.

Define STRAVA_CLIENT_SECRET_FILE and STRAVA_REFRESH_TOKEN_FILE to point to the secret files (typically located in /run/secrets/). When the standard environment variables are not set, the application will automatically read the values from these files.

This approach is recommended when running the application with Docker Compose, as it avoids exposing sensitive values in environment variables.

What type of PR is this? (check all applicable)

  • Refactor
  • Feature
  • Bug Fix
  • Improvement
  • Translations
  • Documentation Update

Description

Fixes #1832
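The fallback rule the PR describes (read VAR from the file named by VAR_FILE when VAR itself is unset) is the convention the docker-library official images implement in their entrypoints with a `file_env` helper. Below is an added POSIX sh version of that helper, written for this page and not taken from the PR or the project's entrypoint; the variable names come from the discussion, while the name validation, the refusal when both VAR and VAR_FILE are set, and the optional default argument are assumptions about what a hardened version should do:

```shell
#!/bin/sh
# Added example (not the project's entrypoint, not the PR's code): the VAR / VAR_FILE
# convention as used by the docker-library official images' file_env helper.
set -eu

# file_env VAR [DEFAULT]
# Exports VAR from, in order of precedence: $VAR itself, the contents of the file
# named by $VAR_FILE, or DEFAULT. Setting both VAR and VAR_FILE is an error rather
# than a silent choice. Trailing CR/LF are stripped so a secret file written with
# `echo secret > file` does not carry its newline into the credential.
file_env() {
    var="$1"
    default="${2:-}"
    # Refuse anything that is not a plain variable name before it reaches eval.
    case "$var" in
        ''|[0-9]*|*[!A-Za-z0-9_]*)
            echo "file_env: invalid variable name '$var'" >&2
            return 1 ;;
    esac
    file_var="${var}_FILE"
    eval "direct=\${$var:-}"
    eval "from_file=\${$file_var:-}"

    if [ -n "$direct" ] && [ -n "$from_file" ]; then
        echo "file_env: both $var and $file_var are set; set exactly one" >&2
        return 1
    fi

    if [ -n "$direct" ]; then
        val="$direct"
    elif [ -n "$from_file" ]; then
        if [ ! -f "$from_file" ] || [ ! -r "$from_file" ]; then
            echo "file_env: $file_var=$from_file is not a readable file" >&2
            return 1
        fi
        val="$(tr -d '\r\n' < "$from_file")"
    else
        val="$default"
    fi

    export "$var=$val"
    # Drop the pointer so child processes only see the resolved value.
    unset "$file_var"
}

# Entrypoint-style tail: resolve the two secrets this PR is about, then hand
# over to the real command. Skipped when no command is given, so the file can
# be sourced just to define file_env.
if [ "$#" -gt 0 ]; then
    file_env STRAVA_CLIENT_SECRET
    file_env STRAVA_REFRESH_TOKEN
    exec "$@"
fi
```

Two details matter in practice. A secret that legitimately contains a newline cannot be passed this way, because the trailing-newline strip cannot tell it apart from the newline `echo` appends. Refusing when both VAR and VAR_FILE are set avoids silently preferring one value when an old .env lingers next to a new secrets block; a quiet precedence rule is how stale credentials survive a rotation.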

llaumgui force-pushed the feature/compose_secrets branch 2 times, most recently from dfa9d8a to d27b5a5 on March 8, 2026 17:59
Commit: …E instead of STRAVA_CLIENT_SECRET and STRAVA_REFRESH_TOKEN
llaumgui force-pushed the feature/compose_secrets branch from d27b5a5 to 733539d on March 8, 2026 18:33
robiningelbrecht changed the title from "✨ Allow to use STRAVA_CLIENT_SECRET_FILE and STRAVA_REFRESH_TOKEN_FIL…" to "Allow to use STRAVA_CLIENT_SECRET_FILE and STRAVA_REFRESH_TOKEN_FIL…" on Mar 9, 2026
robiningelbrecht (Owner) commented Mar 9, 2026

@llaumgui I don't think I'm going to merge this. Using environment variables to set up Docker images is the way to go in a lot of self-hosted projects and in SFS as well.
I don't see much benefit in introducing separate configuration files compared to using environment variables via an .env file.

llaumgui (Contributor, Author) commented Mar 9, 2026

Hi @robiningelbrecht,

The benefit is to move from this:

services:
  app:
    image: robiningelbrecht/strava-statistics:latest
    container_name: statistics-for-strava
    restart: unless-stopped
    volumes:
      - ./config:/var/www/config/app
      - ./build:/var/www/build
      - ./storage/database:/var/www/storage/database
      - ./storage/files:/var/www/storage/files
    environment:
      STRAVA_CLIENT_ID: 'YOUR_CLIENT_ID'
      STRAVA_CLIENT_SECRET: 'YOUR_CLIENT_SECRET'
      STRAVA_REFRESH_TOKEN: 'YOUR_REFRESH_TOKEN_OBTAINED_AFTER_AUTH_FLOW'
    healthcheck:
      test: ["CMD", "curl", "-f", "http://localhost:2019/metrics"]
      start_period: 60s
    ports:
      - 8080:8080
    networks:
      - statistics-for-strava-network

networks:
  statistics-for-strava-network:

Having secrets in Compose or in an env file to:

services:
  app:
    image: robiningelbrecht/strava-statistics:latest
    container_name: statistics-for-strava
    restart: unless-stopped
    volumes:
      - ./config:/var/www/config/app
      - ./build:/var/www/build
      - ./storage/database:/var/www/storage/database
      - ./storage/files:/var/www/storage/files
    secrets:
      - strava_client_secret
      - strava_refresh_token
    environment:
      STRAVA_CLIENT_ID: 'YOUR_CLIENT_ID'
      STRAVA_CLIENT_SECRET_FILE: '/run/secrets/strava_client_secret'
      STRAVA_REFRESH_TOKEN_FILE: '/run/secrets/strava_refresh_token'
    healthcheck:
      test: ["CMD", "curl", "-f", "http://localhost:2019/metrics"]
      start_period: 60s
    ports:
      - 8080:8080
    networks:
      - statistics-for-strava-network

secrets:
  strava_client_secret:
    file: /arcane/secrets/selfhosted_strava_statistics_strava_client_secret.txt
  strava_refresh_token:
    file: /arcane/secrets/selfhosted_strava_statistics_strava_refresh_token.txt

networks:
  statistics-for-strava-network:

Storing the secrets in a directory with 0740 permissions and each secret file with 0444 permissions.

robiningelbrecht (Owner) commented

@llaumgui nothing stops you from using a separate .env file with 0444 permissions?

services:
  app:
    image: robiningelbrecht/strava-statistics:latest
    container_name: statistics-for-strava
    restart: unless-stopped
    volumes:
      - ./config:/var/www/config/app
      - ./build:/var/www/build
      - ./storage/database:/var/www/storage/database
      - ./storage/files:/var/www/storage/files
    env_file: 'your/path/to/.env'

llaumgui (Contributor, Author) commented Mar 9, 2026

Yes, but with secrets you separate secrets from env variables: https://docs.docker.com/compose/how-tos/use-secrets/

All official images use the _FILE suffix. S6 overlay uses the FILE__ prefix. The best way is to use Vault, but for a home lab, secrets can be sufficient.

robiningelbrecht (Owner) commented

I have set up a lot of Docker images for self-hosting as well as development and I have never come across the usage of FILE__?

The thing is that I don't want to have infrastructure code (processing of FILE__ secrets) in the code base. They don't belong there. If there is a solution out there that "just works", I'd be happy to document and support it.

llaumgui (Contributor, Author) commented Mar 9, 2026

I have tried to edit the entry point with:

# Handle STRAVA_CLIENT_SECRET_FILE
if [ -n "$STRAVA_CLIENT_SECRET_FILE" ] && [ -f "$STRAVA_CLIENT_SECRET_FILE" ]; then
    export STRAVA_CLIENT_SECRET="$(tr -d '\r\n' < "$STRAVA_CLIENT_SECRET_FILE")"
fi

# Handle STRAVA_REFRESH_TOKEN_FILE
if [ -n "$STRAVA_REFRESH_TOKEN_FILE" ] && [ -f "$STRAVA_REFRESH_TOKEN_FILE" ]; then
    export STRAVA_REFRESH_TOKEN="$(tr -d '\r\n' < "$STRAVA_REFRESH_TOKEN_FILE")"
fi

But:

docker exec -it strava_statistics printenv | grep STR             
STRAVA_REFRESH_TOKEN_FILE=/run/secrets/strava_refresh_token
STRAVA_CLIENT_SECRET_FILE=/run/secrets/strava_client_secret

and:

docker exec -i strava_statistics bin/console app:debug:environment
...                  

+----------------------+--------------+
| ENV variable         | Value        |
+----------------------+--------------+
| APP_VERSION          | v4.7.1       |
| STRAVA_CLIENT_ID     | xxx          |
| STRAVA_CLIENT_SECRET |              |
| STRAVA_REFRESH_TOKEN |              |
| TZ                   | Europe/Paris |
+----------------------+--------------+

Using s6-overlay would also make it possible to:

  • reintegrate the cron jobs into the main image,
  • run the process rootless,
  • in addition to handling this kind of issue.
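`docker exec` starts a fresh process from the container's configured environment; it does not run the entrypoint, so variables an entrypoint script exported can never show up in `docker exec ... printenv`, nor in a console command launched the same way, regardless of whether the exec'd main process received them. The check that does answer the question is the initial environment of the process the entrypoint handed over to, normally PID 1, which Linux exposes in /proc/1/environ. The helper below is an added example, not part of the PR or the project; it assumes a Linux /proc and permission to read the target process's environ (root inside the container, or the same uid):

```shell
#!/bin/sh
# Added example, not from the project: read the environment a process actually
# started with, from /proc/<pid>/environ (Linux). `docker exec` spawns a new
# process from the container's configured env and does not run the entrypoint,
# so `docker exec ... printenv` cannot show what an entrypoint exported; the
# process the entrypoint exec'd (normally PID 1) can.
set -eu

# proc_env PID [PREFIX]
# Prints the KEY=VALUE pairs PID received at exec time, optionally only those
# whose key starts with PREFIX. Exports made later inside that process are not
# reflected here, which is what makes it a reliable "what did the entrypoint
# hand over" check.
proc_env() {
    pid="$1"
    prefix="${2:-}"
    envfile="/proc/$pid/environ"
    if [ ! -r "$envfile" ]; then
        echo "proc_env: cannot read $envfile (not Linux, or no permission for pid $pid)" >&2
        return 1
    fi
    if [ -n "$prefix" ]; then
        # environ is NUL-separated; awk keeps lines whose first bytes are the prefix.
        tr '\0' '\n' < "$envfile" | awk -v p="$prefix" 'index($0, p) == 1'
    else
        tr '\0' '\n' < "$envfile"
    fi
}

# proc_env_has PID KEY: succeeds if KEY was in PID's initial environment.
proc_env_has() {
    proc_env "$1" | grep -q -- "^$2="
}

# Typical use inside the container: what did PID 1 get from the entrypoint?
if [ "${1:-}" = "--pid1" ]; then
    proc_env 1 STRAVA_
fi
```

From the host the same check is a one-liner: `docker exec strava_statistics sh -c 'tr "\0" "\n" < /proc/1/environ | grep "^STRAVA_"'`. If the `_FILE` variables appear there but STRAVA_CLIENT_SECRET and STRAVA_REFRESH_TOKEN do not, the entrypoint's export did not happen before the final exec; if PID 1 is a supervisor or shell wrapper rather than the application, inspect the worker's pid instead.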

robiningelbrecht (Owner) commented Mar 9, 2026

We definitely won't re-introduce s6

  • reintegrate the cron jobs into the main image

We don't want cronjobs in the main image, the daemon container can handle those: https://statistics-for-strava-docs.robiningelbrecht.be/#/getting-started/installation?id=docker-composeyml

  • running the process in rootless

That should be possible: https://statistics-for-strava-docs.robiningelbrecht.be/#/getting-started/installation?id=env

  • in addition to handling this kind of issue.

To me, this is not an issue, it's more of a preference. It's common to use .env files to handle secrets and environment-specific variables.

llaumgui closed this Mar 9, 2026


Development

Successfully merging this pull request may close these issues.

Allow _FILE prefix for env variables
