From 4cae15f28da78b772f469d6066a4f5720d2bb929 Mon Sep 17 00:00:00 2001 From: Andrew Marshall Date: Tue, 29 Jul 2025 16:43:11 -0400 Subject: [PATCH] feat: support config via systemd credentials (#20406) feat: Support config via Systemd Credentials See https://systemd.io/CREDENTIALS/. This is used as a fallback, so will only be used if the `$*_FILE` var is empty. This could also be used to implicitly use Docker Secrets by setting `CREDENTIALS_DIRECTORY=/run/secrets` rather than setting individual `$*_FILE` environment variables. --- docs/docs/install/environment-variables.md | 8 ++++---- server/bin/start.sh | 8 ++++++-- 2 files changed, 10 insertions(+), 6 deletions(-) diff --git a/docs/docs/install/environment-variables.md b/docs/docs/install/environment-variables.md index 939c42439d..d070e3485a 100644 --- a/docs/docs/install/environment-variables.md +++ b/docs/docs/install/environment-variables.md
@@ -199,12 +199,11 @@ Additional machine learning parameters can be tuned from the admin UI. | `IMMICH_TELEMETRY_INCLUDE` | Collect these telemetries. List of `host`, `api`, `io`, `repo`, `job`. Note: You can also specify `all` to enable all | | server | api, microservices | | `IMMICH_TELEMETRY_EXCLUDE` | Do not collect these telemetries. List of `host`, `api`, `io`, `repo`, `job` | | server | api, microservices | -## Docker Secrets +## Secrets -The following variables support the use of [Docker secrets][docker-secrets] for additional security. +The following variables support reading from files, either via [Systemd Credentials][systemd-creds] or [Docker secrets][docker-secrets] for additional security. -To use any of these, replace the regular environment variable with the equivalent `_FILE` environment variable. The value of -the `_FILE` variable should be set to the path of a file containing the variable value. +To use any of these, either set `CREDENTIALS_DIRECTORY` to a directory that contains files whose name is the “regular variable” name, and whose content is the secret. If using Docker Secrets, setting `CREDENTIALS_DIRECTORY=/run/secrets` will cause all secrets present to be used. Alternatively, replace the regular variable with the equivalent `_FILE` environment variable as below. The value of the `_FILE` variable should be set to the path of a file containing the variable value. | Regular Variable | Equivalent Docker Secrets '\_FILE' Variable | | :----------------- | :------------------------------------------ | @@ -226,3 +225,4 @@ to use a Docker secret for the password in the Redis container. [docker-secrets-docs]: https://github.com/docker-library/docs/tree/master/postgres#docker-secrets [docker-secrets]: https://docs.docker.com/engine/swarm/secrets/ [ioredis]: https://ioredis.readthedocs.io/en/latest/README/#connect-to-redis +[systemd-creds]: https://systemd.io/CREDENTIALS/ 
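Review bot: the new "To use any of these, either set `CREDENTIALS_DIRECTORY` ... Alternatively, replace ..." sentence in the Secrets paragraph is ungrammatical ("either" with no "or") and leaves the precedence between the two mechanisms unstated; the commit message says the credentials directory is only a fallback used when the `_FILE` variable is empty, so the docs should say that outright, e.g. "Either set `CREDENTIALS_DIRECTORY` to a directory ... or set the equivalent `_FILE` variable to a file path; when both apply, the `_FILE` variable takes precedence." The claim that `CREDENTIALS_DIRECTORY=/run/secrets` "will cause all secrets present to be used" also overstates it: only files whose names exactly match the regular variable names in the table (for example a Docker secret named `DB_PASSWORD`) are picked up, and any other secret in that directory is ignored, which is worth stating so users do not expect differently named secrets to be honoured. Finally, the table header still reads `Equivalent Docker Secrets '\_FILE' Variable` after the section was renamed from "Docker Secrets" to "Secrets"; drop "Docker Secrets" from the header, and consider one line noting that systemd populates `CREDENTIALS_DIRECTORY` itself for a unit that uses `LoadCredential=`, since users of the new mechanism should not set it by hand in that case.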
diff --git a/server/bin/start.sh b/server/bin/start.sh index 2b4351a6bc..10f897dd8e 100755 --- a/server/bin/start.sh +++ b/server/bin/start.sh @@ -11,8 +11,12 @@ export LD_LIBRARY_PATH="$LD_LIBRARY_PATH:/usr/lib/jellyfin-ffmpeg/lib" SERVER_HOME=/usr/src/app/server read_file_and_export() { - if [ -n "${!1}" ]; then - content="$(cat "${!1}")" + fname="${!1}" + if [[ -z $fname ]] && [[ -e "$CREDENTIALS_DIRECTORY/$2" ]]; then + fname="${CREDENTIALS_DIRECTORY}/$2" + fi + if [[ -n $fname ]]; then + content="$(< "$fname")" export "$2"="${content}" unset "$1" fi
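Review bot: the fallback test `[[ -e "$CREDENTIALS_DIRECTORY/$2" ]]` runs even when `CREDENTIALS_DIRECTORY` is unset, in which case it probes `/$2` (for example `/DB_PASSWORD`) at the filesystem root and would silently adopt such a file; guard it with `[[ -n $CREDENTIALS_DIRECTORY ]]` first. `-e` also accepts directories and unreadable files, and `content="$(< "$fname")"` then prints a bash error and goes on to `export "$2"=""`, so a misplaced credential becomes an empty secret rather than a startup failure; test with `-f` (or `-r`) and exit non-zero when the chosen path cannot be read, which would also cover the pre-existing case of a `_FILE` variable pointing at a missing file. The precedence itself (`_FILE` consulted first, the credentials directory only when it is empty) matches the commit message and is the right order for an explicit setting to win over an implicit one.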
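The lookup order the commit message describes (an explicit `*_FILE` path first, `$CREDENTIALS_DIRECTORY/<NAME>` only as a fallback when that variable is empty), written out as an added POSIX sh example; this is not Immich's `start.sh`, and the function names `resolve_secret_path`, `read_secret_value` and `export_secret` as well as the `DB_PASSWORD` and `REDIS_PASSWORD` names used by the callers are this example's own. It goes beyond the patch in two places a practitioner would want: it skips the fallback entirely when `CREDENTIALS_DIRECTORY` is unset, and it refuses any source that is not a readable regular file instead of exporting an empty value.

```shell
#!/bin/sh
# Added example, not Immich's start.sh. Resolves a secret the way the commit
# message describes: an explicit <NAME>_FILE path wins; $CREDENTIALS_DIRECTORY/<NAME>
# is consulted only when that variable is empty. The variable names the callers
# use (DB_PASSWORD, REDIS_PASSWORD) are constructed for this demonstration.

# Reject anything that is not a plain shell identifier before it reaches eval.
is_identifier() {
    case $1 in
        ''|[0-9]*|*[!A-Za-z0-9_]*) return 1 ;;
    esac
    return 0
}

# resolve_secret_path NAME FILEVAR
# Prints the path the secret should be read from, or nothing if neither source
# is configured. Returns 2 when the chosen path is not a readable regular file,
# so a directory or unreadable file never turns into an empty secret.
resolve_secret_path() {
    name=$1
    filevar=$2
    is_identifier "$name" && is_identifier "$filevar" || return 2
    eval "path=\${$filevar:-}"          # indirect expansion, POSIX sh style
    if [ -z "$path" ] && [ -n "${CREDENTIALS_DIRECTORY:-}" ] \
       && [ -e "$CREDENTIALS_DIRECTORY/$name" ]; then
        path="$CREDENTIALS_DIRECTORY/$name"
    fi
    [ -n "$path" ] || return 0
    if [ ! -f "$path" ] || [ ! -r "$path" ]; then
        echo "secret $name: $path is not a readable regular file" >&2
        return 2
    fi
    printf '%s\n' "$path"
}

# read_secret_value NAME FILEVAR
# Prints the secret's content. Returns 1 if no source is configured and 2 on a
# bad source; the caller's $(...) drops trailing newlines, as $(cat ...) would.
read_secret_value() {
    p=$(resolve_secret_path "$1" "$2") || return $?
    [ -n "$p" ] || return 1
    cat "$p"
}

# export_secret NAME FILEVAR
# Mirrors the export/unset step of the patch: NAME receives the secret and
# FILEVAR is removed so the path is not inherited by child processes.
export_secret() {
    value=$(read_secret_value "$1" "$2") || return $?
    eval "$1=\$value"
    export "$1"
    unset "$2"
}
```

Calling `export_secret DB_PASSWORD DB_PASSWORD_FILE` with `DB_PASSWORD_FILE` set reads that file; with it empty and `CREDENTIALS_DIRECTORY` pointing at a directory containing a regular file named `DB_PASSWORD`, that file is used instead; a directory named `REDIS_PASSWORD` in the same place, or an unset `CREDENTIALS_DIRECTORY`, makes the call fail non-zero rather than exporting an empty password.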