
# Runtime Secrets

.env.example is a list of variables the application needs. It is not a recommendation to commit or bake real secrets into Docker images.

## Simple VPS Mode

For one Debian/VPS server with Docker Compose, a server-side .env file is acceptable:

```sh
cp .env.example .env
nano .env
chmod 600 .env
```

Compose reads it through:

```yaml
env_file:
  - .env
```

This is simple, but the secrets now live on the server filesystem in plain text. Keep access limited, do not copy .env into unencrypted backups, and never commit it.
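The checks an operator would run before relying on that file, as an added example rather than a script from this project: the file is readable only by its owner, git does not track it, and every variable listed in .env.example has a value. It assumes POSIX sh with ls, cut and grep; the git checks are skipped when git is absent or the file is outside a repository.

```sh
#!/bin/sh
# Added example (not part of the project): sanity checks for a server-side
# .env consumed through compose env_file. Usage: check_env_file .env.example .env

# Return 0 if the file is readable and writable only by its owner (mode 600 or 400).
# ls -ld output is parsed instead of stat so the check runs on GNU and BSD alike.
env_file_perms_ok() {
    f="$1"
    [ -f "$f" ] || return 1
    perms=$(ls -ld "$f" | cut -c2-10)
    case "$perms" in
        rw-------|r--------) return 0 ;;
        *) echo "bad permissions on $f: $perms (expected rw-------)" >&2; return 1 ;;
    esac
}

# Return 0 if git does not track the file. Without git, or outside a work
# tree, there is nothing to check, so the function also returns 0.
env_file_not_tracked() {
    f="$1"
    dir=$(dirname "$f")
    command -v git >/dev/null 2>&1 || return 0
    git -C "$dir" rev-parse --is-inside-work-tree >/dev/null 2>&1 || return 0
    ! git -C "$dir" ls-files --error-unmatch "$(basename "$f")" >/dev/null 2>&1
}

# Return 0 if every key named in the example file has a non-empty value in the
# real file. Blank lines and comments in the example are ignored.
env_file_complete() {
    example="$1"; actual="$2"
    missing=0
    while IFS= read -r line; do
        case "$line" in ''|'#'*) continue ;; esac
        key=${line%%=*}
        val=$(grep "^${key}=" "$actual" | head -n1 | cut -d= -f2-)
        if [ -z "$val" ]; then
            echo "missing or empty: $key" >&2
            missing=1
        fi
    done < "$example"
    return $missing
}

# All three checks; fails on the first problem.
check_env_file() {
    env_file_perms_ok "$2" && env_file_not_tracked "$2" && env_file_complete "$1" "$2"
}

# Stand-alone use: sh check-env.sh --check .env.example .env
if [ "${1:-}" = "--check" ]; then
    check_env_file "$2" "$3"
fi
```

Run it from the project directory after editing .env; a non-zero exit names the offending key or the wrong mode, so it can also sit in a deploy script ahead of `docker compose up`.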

## Orchestrator Mode

For Kubernetes, BeCloud-like platforms, Docker Swarm or hosted container platforms, use the platform's runtime configuration mechanism:

- Secrets for passwords, tokens, API keys and private credentials
- ConfigMaps or plain environment variables for non-secret settings
- External secret managers such as Vault, Doppler, Infisical, 1Password or a cloud secret manager when central rotation and audit are required

The container should receive variables such as:

```
APP_KEY
DB_PASSWORD
REDIS_PASSWORD
MAIL_PASSWORD
KAFKA_SASL_PASSWORD
```

at runtime. They should not be copied into the image and should not exist in git.

## Backup Runtime Secrets

Backup upload and notification secrets are separate from the app .env.

For a simple VPS, use a root-only systemd environment file:

```
/etc/october-backup.env
```

Minimum keys for backup notifications:

```
BACKUP_NOTIFY_ENABLED=1
TELEGRAM_BOT_TOKEN=
TELEGRAM_CHAT_ID=
TELEGRAM_THREAD_ID=
```

Optional S3 upload keys:

```
BACKUP_S3_ENABLED=1
BACKUP_S3_URI=s3://bucket/path/project/production
BACKUP_S3_REGION=eu-central-1
BACKUP_S3_STORAGE_CLASS=STANDARD_IA
BACKUP_S3_ENDPOINT=
AWS_ACCESS_KEY_ID=
AWS_SECRET_ACCESS_KEY=
AWS_DEFAULT_REGION=eu-central-1
AWS_SESSION_TOKEN=
```

For stronger deployments, render those same variables from Vault, a cloud secret manager or platform secrets into the backup service runtime. The backup script only needs environment variables; the source can change without changing backup behavior.
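One way to do that rendering, covering both the orchestrator section above (secrets delivered at runtime, never baked in) and the backup file: an added example, not the project's own backup tooling, that builds /etc/october-backup.env from secrets mounted as one-file-per-key under a directory, which is how Docker Swarm and Kubernetes expose Secrets (for Vault or a cloud secret manager, replace `read_secret` with the corresponding fetch). The key names are the ones listed above; the source directory and output path are parameters, and the file is written atomically with mode 600.

```sh
#!/bin/sh
# Added example (not part of the project): render a root-only systemd
# EnvironmentFile from secrets mounted as files, e.g. /run/secrets/<KEY>.
# Usage: render_backup_env /run/secrets /etc/october-backup.env

# Required keys: rendering fails if any is missing or empty.
REQUIRED_KEYS="BACKUP_NOTIFY_ENABLED TELEGRAM_BOT_TOKEN TELEGRAM_CHAT_ID"
# Optional keys: written only when a source file exists.
OPTIONAL_KEYS="TELEGRAM_THREAD_ID BACKUP_S3_ENABLED BACKUP_S3_URI BACKUP_S3_REGION \
BACKUP_S3_STORAGE_CLASS BACKUP_S3_ENDPOINT AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY \
AWS_DEFAULT_REGION AWS_SESSION_TOKEN"

# Read one secret from <dir>/<KEY>. The trailing newline many secret stores
# append is dropped by the caller's $(...) substitution. Swap this function
# out for a Vault or cloud secret manager lookup if that is the source.
read_secret() {
    [ -r "$1/$2" ] || return 1
    cat "$1/$2"
}

# Quote a value for systemd's EnvironmentFile= syntax: double quotes with
# backslashes and embedded double quotes escaped.
env_quote() {
    printf '"%s"' "$(printf '%s' "$1" | sed 's/\\/\\\\/g; s/"/\\"/g')"
}

# Render the file: write into a temp file created under umask 077 next to the
# target, then move it into place so readers never see a partial file.
render_backup_env() {
    src="$1"; out="$2"
    tmp=$(umask 077 && mktemp "${out}.XXXXXX") || return 1
    for key in $REQUIRED_KEYS; do
        val=$(read_secret "$src" "$key") || { echo "missing secret: $key" >&2; rm -f "$tmp"; return 1; }
        [ -n "$val" ] || { echo "empty secret: $key" >&2; rm -f "$tmp"; return 1; }
        printf '%s=%s\n' "$key" "$(env_quote "$val")" >> "$tmp"
    done
    for key in $OPTIONAL_KEYS; do
        val=$(read_secret "$src" "$key") || continue
        printf '%s=%s\n' "$key" "$(env_quote "$val")" >> "$tmp"
    done
    chmod 600 "$tmp" && mv -f "$tmp" "$out"
}

# Read back one rendered value (still quoted), e.g. for a post-render check.
rendered_value() {
    grep "^$2=" "$1" | head -n1 | cut -d= -f2-
}
```

Run it as root from a unit or script that precedes the backup timer; because the backup script only reads environment variables, switching the secret source later means changing `read_secret`, not the backup job.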

## Build Secrets Are Separate

OctoberCMS Composer credentials are build-time secrets, not runtime app settings.

Use BuildKit secrets for Composer:

```sh
docker build --secret id=composer_auth,src=auth.json --target app -t october-app:test .
```

or in CI:

```sh
docker build --secret id=composer_auth,env=COMPOSER_AUTH --target app -t october-app:$IMAGE_TAG .
```

Do not pass Composer credentials through Dockerfile `ARG` or `ENV`: `ARG` values are recorded in the layer history and `ENV` values persist in the image configuration, so anyone who can pull the image can read them.
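A CI guard for that rule, added here and not part of the project: it lints the Dockerfile for credential-looking `ARG`/`ENV` names, confirms the Composer secret is consumed through a `RUN --mount=type=secret,id=composer_auth` mount (the project's Dockerfile is not shown on this page, so that form is assumed), and optionally scans a built image's history. The name pattern is a heuristic; extend it to match your own naming.

```sh
#!/bin/sh
# Added example (not part of the project): build-secret hygiene checks.
# Usage: check_composer_build_secret Dockerfile composer_auth

# Return 1 if any ARG or ENV line declares a credential-looking variable.
lint_dockerfile_secrets() {
    df="$1"
    hits=$(grep -nEi '^[[:space:]]*(ARG|ENV)[[:space:]]+[A-Z0-9_]*(AUTH|TOKEN|PASSWORD|PASSWD|SECRET|CREDENTIAL)' "$df" || true)
    if [ -n "$hits" ]; then
        printf 'credential-like ARG/ENV in %s:\n%s\n' "$df" "$hits" >&2
        return 1
    fi
    return 0
}

# Return 0 if some RUN line mounts the named BuildKit secret, whatever other
# --mount options precede it on the line.
uses_secret_mount() {
    pat='^[[:space:]]*RUN[[:space:]].*--mount=type=secret,[^[:space:]]*id='"$2"'([^A-Za-z0-9_]|$)'
    grep -qE "$pat" "$1"
}

# Both checks together; fails on the first problem.
check_composer_build_secret() {
    lint_dockerfile_secrets "$1" && uses_secret_mount "$1" "$2"
}

# Optional post-build check (needs docker, so it is skipped offline): the image
# history must not mention the credential variable or auth.json, which is what
# an ARG, ENV or COPY of the credentials would leave behind.
image_history_clean() {
    command -v docker >/dev/null 2>&1 || { echo "docker not available; skipped" >&2; return 0; }
    docker image inspect "$1" >/dev/null 2>&1 || { echo "no such image: $1" >&2; return 1; }
    ! docker history --no-trunc "$1" | grep -qiE 'COMPOSER_AUTH|auth\.json'
}
```

Wire `check_composer_build_secret Dockerfile composer_auth` in before the `docker build` step and `image_history_clean october-app:$IMAGE_TAG` after it; either failing should stop the pipeline before the image is pushed.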