Skip to content

feat(api): load API key through systemd credentials with env fallback #2150

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 2 commits into
base: develop
Choose a base branch
from
Open

feat(api): load API key through systemd credentials with env fallback #2150

wants to merge 2 commits into from
+32 −10

Conversation

@blackxored
Copy link

@blackxored blackxored commented Nov 13, 2025

Description

On Linux systems, be a well-behaved daemon and prefer systemd credential api-key if passed to the service. This is done through a file, access is checked by the kernel, and there's no process inheritance, TL;DR is more secure than env vars. See: systemd Credentials.

It would still fallback to the API_KEY env var as there's no need for this to be a breaking change.

To-Dos

  • Disclosed any use of AI (see our policy)
  • Successful build pnpm build
  • Translation keys pnpm i18n:extract
  • Database migration (if required)

@blackxored blackxored requested a review from a team as a code owner November 13, 2025 23:38
@blackxored
feat(api): load API key from systemd credentials with fallback
7b21613 
If provided, API key is read through systemd credential `api-key` passed
to the service and preferred, will fallback to environment var if not
present.

See: https://systemd.io/CREDENTIALS systemd.system-credentials(7)
@M0NsTeRRR
Copy link
Member

M0NsTeRRR commented Nov 22, 2025

Hi @blackxored,

Instead of creating a new apiKeyFromEnvOrCred function, could you move the stringOrReadFileFromEnv function from server/datasource.ts to server/utils/env.ts? This way, we can reuse the same logic where needed.

Additionally, since this feature is similar to Docker secrets, it would be great to support both approaches simultaneously. By default, Docker secrets are mounted at /run/secrets. I think adding ENV CREDENTIALS_DIRECTORY="/run/secrets" to the Dockerfile would be enough to make them work out of the box. What do you think?

Reference: Docker Secrets Documentation

@M0NsTeRRR M0NsTeRRR mentioned this pull request Nov 22, 2025
Draft
5 tasks
@benja1006
Copy link

benja1006 commented Nov 24, 2025

I agree, it would work nicely to place the systemd credentials into /run/secrets, then we can access them using _FILE appended to the DB username, password and name. This would integrate cleanly into the default postgres behavior as well

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@blackxored @M0NsTeRRR @benja1006