Skip to content

Managing secrets

danecreekphotography edited this page Nov 6, 2020 · 1 revision

How to manage secrets

A security best practice is to keep sensitive information, commonly called "secrets", out of configuration files. These secrets are mainly passwords or tokens, but you may use them for other information you may consider sensitive like ip addresses, URIs, etc.

This project supports separating secrets from configuration files through the use of a secrets.json file. The file contains a list of key/value pairs which can then be referred to in the secrets.json and triggers.json file via mustache templates.

Here is an example of how to use it:

  1. Add a reference to your secrets.json file by adding to the docker-compose.yaml secrets here:
secrets:
  # This should point to the location of the secrets.json configuration file
  file: ./secrets.json
  1. Add a reference to your newly added secret file by adding to the docker-compose container's secrets here:
    - secrets
  1. Modify your settings.json or triggers.json file to use values from the secrets file. The value inside the double curly-brace ({{}}) is the secret's key and will be replaced with the secret's value from secrets.json.
{
    "deepstackUri": "http://deepstack-ai:5000/",
    "enableAnnotations": false,
    "enableWebServer": false,
    "verbose": true,
    "awaitWriteFinish": false,
    "mqtt": {
      "uri": "mqtt://mqtt:1883",
      "username": "{{mqttUsername}}",
      "password": "{{mqttPassword}}",
      "enabled": false
    },
    "telegram": {
      "botToken": "{{telegramBotToken}}",
      "enabled": false
    },
    "pushbullet": {
      "accessToken": "{{pushbulletAccessToken}}",
      "enabled": false
    },
    "pushover": {
      "apiKey": "{{pushoverApiKey}}",
      "userKey": "{{pushoverUserKey}}",
      "enabled": false
    }
}
  1. Add a secrets.json file, which will be used for mustache templating in settings.json. The string value on the left, "mqttUsername" for example, is the secret's key. The string value on the right, "mqttPassword" for example, is the secret's value.
{
    "mqttUsername": "user",
    "mqttPassword": "pass",
    "telegramBotToken": "insert bot token here",
    "pushbulletAccessToken": "access token here",
    "pushoverApiKey": "api key here",
    "pushoverUserKey": "user key here"
}
  1. Add a .gitignore that excludes secrets.json. This prevents the file from getting submitted to git.
secrets.json
Clone this wiki locally