Feature request: Allow WIREGUARD_PRIVATE_KEY to be specified via a secret file #614

Closed
Sn0wCrack opened this issue Sep 12, 2021 · 7 comments


Sn0wCrack commented Sep 12, 2021

What's the feature? 🧐

Allow WIREGUARD_PRIVATE_KEY to be specified via a Docker Compose secret file.

Optional extra information 🚀

I usually like to do this so I can have any sensitive data I'd normally put in my docker-compose file in a permission controlled directory.


jathek commented Sep 13, 2021

Also WIREGUARD_PRESHARED_KEY and WIREGUARD_ADDRESS, I would think.

Owner

qdm12 commented Sep 13, 2021

  • WIREGUARD_PRIVATE_KEY yes
  • WIREGUARD_PRESHARED_KEY I guess so
  • WIREGUARD_ADDRESS meh not really, an attacker can't do much with it anyway right?

Also why do you guys see an interest in using files instead of env variables? Sensitive variables are unset at start once read in memory, so the only place they are vulnerable is in your e.g. docker-compose.yml... which is also a file. And for more advanced systems like K8s, I think you can specify a secret file to be plugged in as env variable 🤔 Just being curious! Thanks!

Author

Sn0wCrack commented Sep 14, 2021

> Also why do you guys see an interest in using files instead of env variables? Sensitive variables are unset at start once read in memory, so the only place they are vulnerable is in your e.g. docker-compose.yml... which is also a file. And for more advanced systems like K8s, I think you can specify a secret file to be plugged in as env variable 🤔 Just being curious! Thanks!

Honestly you're right, I could just separate out all of my variables into a separate environment file the same way the secrets files work on my system.


jathek commented Sep 15, 2021

> Also why do you guys see an interest in using files instead of env variables? Sensitive variables are unset at start once read in memory, so the only place they are vulnerable is in your e.g. docker-compose.yml... which is also a file. And for more advanced systems like K8s, I think you can specify a secret file to be plugged in as env variable 🤔 Just being curious! Thanks!

Removing sensitive items from my default .env means other containers won't see the variables. I could use an .env specifically for gluetun, but having separate files also lets me write to a file from command-line easily and change the value without messing around with nano.

Owner

qdm12 commented Jul 22, 2023

See #1348 (comment) I'll get to it soon.

Owner

qdm12 commented Apr 28, 2024

This is possible with WIREGUARD_PRIVATE_KEY_SECRETFILE now, thanks for your patience!

qdm12 closed this as completed Apr 28, 2024
Contributor

Closed issues are NOT monitored, so commenting here is likely to be not seen.
If you think this is still unresolved and have more information to bring, please create another issue.

This is an automated comment setup because @qdm12 is the sole maintainer of this project
which became too popular to monitor issues closed.
