Implement docker secrets as best-practice

[DennisGaida]

First Check

• I used the GitHub search to find a similar requests and didn't find it.
• Checked the tasks tagged issues and verified my feature is not covered

Please provide a concise description of the problem that would be addressed by this feature.

I almost wanted to add this as a bug, but it isn't since there isn't really "a standard", but there is precedence how pretty much all other docker projects are doing secrets and they are not doing it like #3656.

We currently have to set a docker secret with the exact key e.g. POSTGRES_PASSWORD (see https://docs.mealie.io/documentation/getting-started/installation/backend-config/#docker-secrets). This completely fails when I have multiple docker containers in a stack that each want a different POSTGRES_PASSWORD.

One solution could be to prefix the environment variable like MEALIE_POSTGRES_PASSWORD, but ultimately the best practice is to have <...>_FILE or <...>__FILE environment variables just referencing the path to the secret (this way we could also get rid of the hardcoded /run/secrets

mealie/mealie/core/settings/settings.py

Line 49 in d05f27d

secrets_dir = "/run/secrets"

).

Please provide a concise description of the feature that would resolve your issue.

Docker secrets should be like so:

services:
  mealie:
    [...]
    environment:
      POSTGRES_PASSWORD_FILE: /run/secrets/mealie_postgres_password
    secrets:
      - mealie_postgres_password

secrets:
  mealie_postgres_password:
    file: ${SECRETSDIR}/mealie_postgres_password

The settings code could just check for the environment variables and *if a _FILE variable exists, and if it exists just read the value from that file specified in the path.

Please consider and list out some caveats or tradeoffs made in your design decision

A tradeoff is that you need to specify the full path to your secret in the <...>_FILE environment variable instead of just the secret name, but it makes it more versatile and it is how everyone else is doing it.

Additional Information

• If this is accepted I'm willing to submit a PR to provide this feature
• If this is accepted I'm willing to help maintain this feature
• I'm willing to sponsor/pay a developer to do this work

[michael-genson]

There's a related discussion for this: #3773
And there's an open PR, but it's currently unfinished: #3781

I think supporting this makes sense, happy to consider a PR for it

[DennisGaida]

Whoops #3773 kind of makes this a dupe, I thought I searched for this feature. I'll have to think whether I want to re-activate that stale PR or just create a quick PR that just works. The PR doesn't use version 2.0 code so it will be refactoring anyways.

[DennisGaida]

@michael-genson I am going ahead and closing this discussion. I hope not only the old submitter of the PR can reopen it since it is pretty much done (see my comments over there)