Feature Request: Allow passing sensitive options via file in the docker container, to allow the use of docker secrets

[kennethso168]

What is the problem you are trying to solve with this feature?

The docs currently mentions that

OIDC Security

• Store HBOX_OIDC_CLIENT_SECRET securely (use environment variables, not config files).

However, docker docs specifically advises against storing sensitive information in environment variables, and suggests using docker secrets instead

Tip
Don't use environment variables to pass sensitive information, such as passwords, in to your containers. Use secrets instead.

More discussion on the security implications using environment variables vs secrets

• Understanding security implications of secrets vs. env vars in Docker Compose (Docker Community Forums)
• How are docker secrets more secure than .env files? (Reddit)

When a docker secret is used, the value is mounted as a plaintext file at /run/secrets/<name of secret> inside the container. There should be a mechanism for the application to read the contents of the file instead of using an environment file for that configuration value.

What is the solution you are proposing?

Many containers support an alternate environment variable (e.g. MYVAR_FILE, FILE__MYVAR, etc.), whose value should be a file path with the file containing the actual value of MYVAR:

• Authelia
• Immich
• All LinuxServer.io images

It would be great if HomeBox's docker image also supports this

What alternatives have you considered?

Currently I implemented this by overriding the image entrypoint in my docker compose, as detailed here

services:
  homebox:
    image: ghcr.io/sysadminsmedia/homebox:0.22.3-rootless
    restart: unless-stopped
    secrets:
      - homebox_oauth_client_secret
    ...
    entrypoint: ['/bin/sh', '-c', 'export HBOX_OIDC_CLIENT_SECRET=$$(cat /run/secrets/homebox_oauth_client_secret); wget --tries=1 -qO - https://authelia.${COMMON_DOMAIN_NAME:?}/api/health | grep -q OK && /app/api']

secrets:
  homebox_oauth_client_secret:
    <secret definition>

Additional context

No response

Contributions

• I have searched through existing ideas in the discussions to check if this is a duplicate

[ricardopaiva]

This would be very welcome. Following this discussion.