Read secrets dir from CREDENTIALS_DIRECTORY (#19327)

This supports systemd credentials, see https://systemd.io/CREDENTIALS/. Default to `/run/secrets` (the Docker Secrets dir) for backwards compatibility.
2025-09-23 17:52:05 +02:00 · 2025-09-19 08:34:23 -04:00 · 2025-09-19 08:34:23 -04:00 · a7bbca5014
commit a7bbca5014
parent dc96940eb9
2 changed files with 6 additions and 5 deletions
--- a/docs/docs/configuration/authentication.md
+++ b/docs/docs/configuration/authentication.md
@ -81,7 +81,7 @@ python3 -c 'import secrets; print(secrets.token_hex(64))'
 Frigate looks for a JWT token secret in the following order:
 1. An environment variable named `FRIGATE_JWT_SECRET`
-2. A docker secret named `FRIGATE_JWT_SECRET` in `/run/secrets/`
+2. A file named `FRIGATE_JWT_SECRET` in the directory specified by the `CREDENTIALS_DIRECTORY` environment variable (defaults to the Docker Secrets directory: `/run/secrets/`)
 3. A `jwt_secret` option from the Home Assistant Add-on options
 4. A `.jwt_secret` file in the config directory
--- a/frigate/config/env.py
+++ b/frigate/config/env.py
@ -5,12 +5,13 @@ from typing import Annotated
 from pydantic import AfterValidator, ValidationInfo
 FRIGATE_ENV_VARS = {k: v for k, v in os.environ.items() if k.startswith("FRIGATE_")}
-# read docker secret files as env vars too
+secrets_dir = os.environ.get("CREDENTIALS_DIRECTORY", "/run/secrets")
-if os.path.isdir("/run/secrets") and os.access("/run/secrets", os.R_OK):
+# read secret files as env vars too
-    for secret_file in os.listdir("/run/secrets"):
+if os.path.isdir(secrets_dir) and os.access(secrets_dir, os.R_OK):
    for secret_file in os.listdir(secrets_dir):
        if secret_file.startswith("FRIGATE_"):
            FRIGATE_ENV_VARS[secret_file] = (
-                Path(os.path.join("/run/secrets", secret_file)).read_text().strip()
+                Path(os.path.join(secrets_dir, secret_file)).read_text().strip()
            )