Read secrets dir from CREDENTIALS_DIRECTORY

This supports systemd credentials, see https://systemd.io/CREDENTIALS/.
Default to `/run/secrets` (the Docker Secrets dir) for backwards
compatibility.
This commit is contained in:
Andrew Marshall 2024-11-10 10:19:38 -05:00
parent 4f4c8a4fb9
commit 1ec8f2b033
2 changed files with 6 additions and 5 deletions

View File

@ -80,7 +80,7 @@ python3 -c 'import secrets; print(secrets.token_hex(64))'
Frigate looks for a JWT token secret in the following order:
1. An environment variable named `FRIGATE_JWT_SECRET`
2. A docker secret named `FRIGATE_JWT_SECRET` in `/run/secrets/`
2. A file named `FRIGATE_JWT_SECRET` in the directory specified by the `CREDENTIALS_DIRECTORY` environment variable (defaults to Docker Secrets directory: `/run/secrets/`)
3. A `jwt_secret` option from the Home Assistant Add-on options
4. A `.jwt_secret` file in the config directory

View File

@ -5,12 +5,13 @@ from typing import Annotated
from pydantic import AfterValidator, ValidationInfo
FRIGATE_ENV_VARS = {k: v for k, v in os.environ.items() if k.startswith("FRIGATE_")}
# read docker secret files as env vars too
if os.path.isdir("/run/secrets") and os.access("/run/secrets", os.R_OK):
for secret_file in os.listdir("/run/secrets"):
secrets_dir = os.environ.get("CREDENTIALS_DIRECTORY", "/run/secrets")
# read secret files as env vars too
if os.path.isdir(secrets_dir) and os.access(secrets_dir, os.R_OK):
for secret_file in os.listdir(secrets_dir):
if secret_file.startswith("FRIGATE_"):
FRIGATE_ENV_VARS[secret_file] = (
Path(os.path.join("/run/secrets", secret_file)).read_text().strip()
Path(os.path.join(secrets_dir, secret_file)).read_text().strip()
)