fix: pull doppler envs into docker compose (#271)

Dao-Ho · web-flow · commit f07568b2be67 · 2026-04-04T15:37:01.000-04:00
* write from doppler and use for docker

* docker token + use that for doppler setup

* update docs
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
@@ -2,6 +2,24 @@
 
 ## Local Setup
 
+### Docker
+
+To run the backend via Docker, the container fetches secrets directly from Doppler at startup using a service token.
+
+Generate a token and export it in your shell:
+
+```bash
+eval $(make docker-token)
+```
+
+Then start the stack:
+
+```bash
+make docker-up
+```
+
+You'll need to re-run `eval $(make docker-token)` in any new shell session, or add `DOPPLER_TOKEN` to your shell profile.
+
 ### OpenSearch
 
 Run OpenSearch locally with the security plugin disabled (no TLS or auth required for local dev):
diff --git a/backend/Dockerfile b/backend/Dockerfile
@@ -26,12 +26,16 @@ FROM alpine:latest
 
 WORKDIR /app
 
+# Install Doppler CLI
+RUN apk add --no-cache curl gnupg && \
+    curl -Ls https://cli.doppler.com/install.sh | sh
+
 # Copy the binary from the builder stage
 # Makefile builds to bin/selfserve
 COPY --from=builder /app/bin/selfserve .
 
 # Expose port 8080
 EXPOSE 8080
 
-# Command to run the executable
-CMD ["./selfserve"]
+# Doppler fetches secrets at runtime — DOPPLER_TOKEN must be set
+CMD ["doppler", "run", "--", "./selfserve"]
diff --git a/backend/Makefile b/backend/Makefile
@@ -6,7 +6,7 @@ ENV_FILE := config/.env
 LOAD_ENV := doppler run --
 LLM_URL := http://127.0.0.1:11434
 
-.PHONY: all build run dev test format tidy download clean docker-build docker-run docker-up docker-down \
+.PHONY: all build run dev test format tidy download clean docker-build docker-run docker-token docker-up docker-down \
         migrate-new migrate-up migrate-down migrate-status migrate-reset db-start db-stop db-reset swagger swagger-fmt docker-build docker-run llm-start genkit-run seed cli
 
 all: build
@@ -83,8 +83,11 @@ docker-run:
 		--name $(APP_NAME)-container \
 		$(DOCKER_IMAGE_NAME)
 
+docker-token:
+	@echo "export DOPPLER_TOKEN=$$(doppler configs tokens create docker --project selfserve-backend --config prd --plain)"
+
 docker-up:
-	docker compose up --build
+	@docker compose up --build
 
 docker-down:
 	docker compose down
diff --git a/backend/docker-compose.yml b/backend/docker-compose.yml
@@ -3,8 +3,8 @@ services:
     build: .
     ports:
       - "${PORT:-8080}:8080"
-    env_file:
-      - config/.env
+    environment:
+      - DOPPLER_TOKEN
     depends_on:
       - opensearch
     restart: unless-stopped
