zerobyte/examples/secrets-placeholders/README.md
2025-12-19 14:39:57 +01:00

61 lines
2.2 KiB
Markdown
Raw Permalink Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# Secret placeholders (env:// and file://) + Docker secrets
Zerobyte supports **secret placeholders** in many configuration fields (repositories, volumes, notifications).
Instead of storing raw secrets in the database, you can store a reference that gets resolved at runtime.
Supported formats:
- `env://VAR_NAME` → reads `process.env.VAR_NAME`
- `file://name` → reads `/run/secrets/name` (Docker Compose / Docker secrets)
This example shows how to run Zerobyte with:
- an environment variable you can reference via `env://...`
- a Docker secret you can reference via `file://...`
## Prerequisites
- Docker + Docker Compose
This example includes `SYS_ADMIN` and `/dev/fuse` because its intended for SMB volumes (remote mounts).
## Setup
1. Copy the env file:
```bash
cp .env.example .env
```
2. Create a Docker secret file.
⚠️ **Important**: never commit real credentials. This folder includes a `.gitignore` to help prevent accidentally committing secret files.
```bash
printf "your-smb-password" > smb-password.txt
```
3. Start Zerobyte:
```bash
docker compose up -d
```
## Using placeholders in Zerobyte
You can now use the placeholders for example in these Zerobyte configuration fields:
| UI section | Type | Field | Example value |
| --- | --- | --- | --- |
| Volumes → Create volume | SMB | Password | `file://smb_password` or `env://ZEROBYTE_SMB_PASSWORD` |
| Volumes → Create volume | WebDAV | Password | `file://webdav_password` or `env://ZEROBYTE_WEBDAV_PASSWORD` |
| Repositories → Create repository | S3 | Secret access key | `file://aws_secret_access_key` or `env://AWS_SECRET_ACCESS_KEY` |
| Repositories → Create repository | SFTP | SSH Private key | `file://sftp_private_key` or `env://SFTP_PRIVATE_KEY` |
| Notifications → Create notification | Telegram | Bot token | `file://telegram_bot_token` or `env://TELEGRAM_BOT_TOKEN` |
Notes:
- Placeholder names used in these examples are arbitrary; you can choose any valid name.
- Placeholder names are case-sensitive.
- With `file://...`, the secret name must be a single path segment (no `/` or `\\`).
- You can still paste a raw secret, but placeholders can be considered safer and easier to rotate.