
Secrets

Daployi uses secrets for sensitive values such as database passwords and JWT signing keys. When using Docker Compose, these are stored as files and mounted as Docker secrets into containers.

Secret files (Compose)

  • .secrets/redis_password: Password used by the Redis server and clients
  • .secrets/mongo_root_password: MongoDB root user password
  • .secrets/jwt_secret: Secret key used by the API for signing JWTs

Creating secrets

  • mkdir -p .secrets
  • echo "strong-redis-password" > .secrets/redis_password
  • echo "strong-mongo-root-password" > .secrets/mongo_root_password
  • openssl rand -hex 32 > .secrets/jwt_secret
  • chmod 600 .secrets/*

Using secrets

  • Docker Compose mounts these files at /run/secrets/... in the respective containers, as configured in docker-compose.yml.
  • Each service consumes the secrets differently: MongoDB reads them through *_FILE environment variables, the Redis command reads the secret file at runtime, and the server, worker and web services receive the values through your .env.

Standard Docker (docker run)

  • Docker secrets are not supported by standalone docker run. You must pass sensitive values with -e (environment variables) or mount the files into the container and reference them in commands.
  • Consider using a private host and restricting shell history to avoid leaking secrets: with HISTCONTROL=ignorespace set, a command typed with a leading space is not written to the history file.

Encoding Mongo password

  • The MongoDB URI requires the password to be URL-encoded (percent-encoded) before it is placed in the connection string. To generate an encoded value, pass the raw password to the interpreter through its environment for that single command (a plain shell assignment is not visible to process.env or os.environ):

    • Node:

      PW=$(cat .secrets/mongo_root_password) node -e 'console.log(encodeURIComponent(process.env.PW))'
    • Python:

      PW=$(cat .secrets/mongo_root_password) python3 - <<'PY'
      import os, urllib.parse
      # safe='' so that '/' is encoded as well; the default safe='/' would leave it unescaped
      print(urllib.parse.quote(os.environ['PW'], safe=''))
      PY
  • Put the output into MONGO_PASSWORD_ENC in your .env.
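As an added example (not part of the Daployi docs), this Python script does the encoding above with the escaping a mongodb:// URI requires, strips the trailing newline that echo leaves in the secret file, and pre-flights the .secrets/ files for the chmod 600 rule from the Creating secrets step; the directory and values it checks are constructed inline.

```python
import os
import stat
import tempfile
from urllib.parse import quote

def encode_mongo_password(password: str) -> str:
    """Percent-encode for the userinfo part of a mongodb:// URI: ':', '/', '?',
    '#', '[', ']', '@' and '%' must all be escaped, so nothing is marked safe."""
    return quote(password, safe="")

def build_mongo_uri(user: str, password: str, host: str, db: str) -> str:
    """Assemble mongodb://user:pass@host/db from raw (unencoded) credentials."""
    return (f"mongodb://{quote(user, safe='')}:"
            f"{encode_mongo_password(password)}@{host}/{db}")

def read_secret(path: str) -> str:
    """Read a secret file, dropping the trailing newline left by `echo ... >`."""
    with open(path, encoding="utf-8") as f:
        return f.read().rstrip("\n")

def check_secret_file(path: str) -> list:
    """Return the problems found with one secret file (empty list means OK)."""
    if not os.path.isfile(path):
        return [f"{path}: missing"]
    mode = stat.S_IMODE(os.stat(path).st_mode)
    problems = []
    if mode & 0o077:
        problems.append(f"{path}: mode {mode:04o} readable by group/other, want 0600")
    if not read_secret(path):
        problems.append(f"{path}: empty")
    return problems

def demo() -> dict:
    """Constructed .secrets/ dir with sample values: good, world-readable and empty files."""
    samples = {"redis_password": ("strong-redis-password\n", 0o600),
               "mongo_root_password": ("p@ss:w/rd#1\n", 0o644),
               "jwt_secret": ("", 0o600)}
    results = {}
    with tempfile.TemporaryDirectory() as d:
        for name, (content, mode) in samples.items():
            path = os.path.join(d, name)
            with open(path, "w", encoding="utf-8") as f:
                f.write(content)
            os.chmod(path, mode)
            results[name] = check_secret_file(path)
        results["MONGO_PASSWORD_ENC"] = encode_mongo_password(
            read_secret(os.path.join(d, "mongo_root_password")))
    return results

if __name__ == "__main__":
    print(demo())
```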

Security tips

  • Never commit .secrets to version control; .gitignore should exclude it.
  • Rotate secrets periodically. To rotate: stop the stack, update the secret files, update MONGO_PASSWORD_ENC if needed, then start the stack.
  • Restrict OS-level file permissions: chmod 600 .secrets/* and limit directory access to admins.
  • Keep backups of secrets securely (password manager or vault).