This repository has been archived by the owner on Apr 26, 2024. It is now read-only.

Secrets configurable via environment variables #7758

Closed
ChrisLane opened this issue Jun 29, 2020 · 10 comments

Comments

@ChrisLane

ChrisLane commented Jun 29, 2020

Description:
I would like to check my homeserver.yaml file into a version-control system. Unfortunately, since the file contains secrets for Synapse and the database, I cannot do this without distributing secrets to insecure locations or setting up a system to replace tokens in my config to create a final config.

Being able to configure all secrets that are currently in the homeserver.yaml file via environment variables would allow separation between secrets and config.

@auscompgeek
Contributor

I store all the secrets Synapse requires in /etc/matrix-synapse/conf.d/secrets.yaml; is this not a feasible setup for you?

@ChrisLane
Author

Possibly. I haven't seen any documentation of that, nor can I find a reference file in my Docker image, so I'm not sure of the usage of the file.

@auscompgeek
Contributor

I don't know whether any of the Docker images will point Synapse to a config fragment directory; I run Synapse via systemd.

@clokep
Member

clokep commented Jun 30, 2020

@auscompgeek I suspect this was a more general question of "what's in your secrets.yaml vs. the other files to get this to work?" I don't think this is a Synapse specific question though.

@richvdh
Member

richvdh commented Jun 30, 2020

You can specify a directory on the Synapse command line:

rav@faith:/opt/synapse$ env3/bin/python -m synapse.app.homeserver -h
usage: homeserver.py [-h] [-c CONFIG_FILE] [--generate-config]
                     [--generate-missing-configs] [-H SERVER_NAME]
                     [--report-stats {yes,no}] [--config-directory DIRECTORY]
                     [--data-directory DIRECTORY] [--open-private-ports] [-D]
                     [--print-pidfile] [--manhole PORT]
                     [-d SQLITE_DATABASE_PATH] [-n] [--enable-registration]

Synapse Homeserver

optional arguments:
  -h, --help            show this help message and exit
  -c CONFIG_FILE, --config-path CONFIG_FILE
                        Specify config file. Can be given multiple times and
                        may specify directories containing *.yaml files.

Note:

may specify directories containing *.yaml files.

Synapse will merge together any config files it will find. Suggestions as to where this could be documented that people would find it are welcome.

I don't think the default start script for the docker image lets you do this. This should probably be considered a bug, though it's unclear what its behaviour should be (should it allow you to add config files to the default SYNAPSE_CONFIG_PATH somehow?)
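The separation richvdh describes, as an added example that is not part of the thread or the Synapse project: a tracked homeserver.yaml without secrets, a conf.d/secrets.yaml fragment that stays out of version control, and a pre-commit style check that the tracked file carries none of the secret-bearing keys. The sample configs are constructed, and the list of secret keys is an assumption (only turn_shared_secret is named on this page).

```shell
#!/bin/sh
# Added example (not Synapse project code): keep secrets in a config fragment
# directory merged via repeated -c, and verify the tracked file has none.
set -eu

WORK=$(mktemp -d)

# Constructed sample: the file that goes into version control.
cat > "$WORK/homeserver.yaml" <<'EOF'
server_name: example.test
pid_file: /data/homeserver.pid
database:
  name: psycopg2
  args:
    user: synapse
    host: db
EOF

mkdir -p "$WORK/conf.d"
# Constructed sample: the fragment that stays out of version control.
cat > "$WORK/conf.d/secrets.yaml" <<'EOF'
registration_shared_secret: "PLACEHOLDER_REGISTRATION_SECRET"
macaroon_secret_key: "PLACEHOLDER_MACAROON_KEY"
turn_shared_secret: "PLACEHOLDER_TURN_SECRET"
EOF

# Secret-bearing Synapse keys this check looks for (assumed list).
SECRET_KEYS='registration_shared_secret|macaroon_secret_key|form_secret|turn_shared_secret|password'

# Returns 0 when the file defines no secret-bearing key, 1 otherwise.
# Anchored to "key:" so e.g. password_config: is not a false positive.
check_no_secrets() {
    ! grep -Eq "^[[:space:]]*($SECRET_KEYS)[[:space:]]*:" "$1"
}

# Prints the command line that makes Synapse merge the tracked file with
# every *.yaml under the fragment directory (repeated -c, per the -h output).
synapse_cmd() {
    printf 'python -m synapse.app.homeserver -c %s -c %s\n' "$1" "$2"
}

check_no_secrets "$WORK/homeserver.yaml" && echo "homeserver.yaml: no secrets, safe to commit"
check_no_secrets "$WORK/conf.d/secrets.yaml" || echo "conf.d/secrets.yaml: holds secrets, keep out of VCS"
synapse_cmd "$WORK/homeserver.yaml" "$WORK/conf.d"
```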

@babolivier
Contributor

It is not currently planned to make Synapse support environment variables for configuration, and is likely not desirable as it would make the configuration management of Synapse much more difficult to maintain. On top of that, as @richvdh mentioned, we already have a way to separate secrets from Synapse's main configuration file, which should make this less of an issue. Therefore I'm going to close this for now.

@Georift

Georift commented Jul 3, 2020

It is not currently planned to make Synapse support environment variables for configuration, and is likely not desirable as it would make the configuration management of Synapse much more difficult to maintain. On top of that, as @richvdh mentioned, we already have a way to separate secrets from Synapse's main configuration file, which should make this less of an issue. Therefore I'm going to close this for now.

Could I just weigh in as a Synapse user running in Docker: having environment variable support would greatly simplify the configuration of my deployment.

I've been looking recently at some kind of file injection on startup of the container. But I'm really not a fan of this approach.

An ideal solution for me would be some kind of opt-in default yaml, in which I can override the specific variables I need with environment variables.

@richvdh
Member

richvdh commented Jul 3, 2020

@Georift: see #5518 (comment)

@Georift

Georift commented Jul 3, 2020

@Georift: see #5518 (comment)

No worries, I see there are other motives. Thanks for the reply.

@rnhmjoj

rnhmjoj commented Aug 10, 2022

Some of the secrets should really be made to take a file path; then you don't need to fiddle with environment variables.

For instance, turn_shared_secret → turn_shared_secret_file, so that it will be possible to pass the same file to matrix-synapse and coturn, which already has the static-auth-secret-file option.

No branches or pull requests

7 participants