feat(compose): docker secrets for postgres env

compose.postgres.yaml

@@ -10,8 +10,11 @@ services:
       DB_HOST: 'postgres' # The host (url) of the database
       DB_PORT: '5432' # The port to connect to
       DB_USER: 'seerr' # Username used to connect to the database
+      DB_USER_FILE: '/run/secrets/postgres_user'
       DB_PASS: 'seerr' # Password of the user used to connect to the database
+      DB_PASS_FILE: '/run/secrets/postgres_password'
       DB_NAME: 'seerr' # The name of the database to connect to
+      DB_NAME_FILE: '/run/secrets/postgres_password'
       DB_LOG_QUERIES: 'false' # Whether to log the DB queries for debugging
       DB_USE_SSL: 'false' # Whether to enable ssl for database connection
     volumes:
@@ -22,15 +25,31 @@ services:
       - postgres
     links:
       - postgres
+    secrets:
+      - postgres_user
+      - postgres_password
   postgres:
     image: postgres:18
     environment:
       POSTGRES_USER: seerr
+      POSTGRES_USER_FILE: '/run/secrets/postgres_user'
       POSTGRES_PASSWORD: seerr
+      POSTGRES_PASSWORD_FILE: '/run/secrets/postgres_password'
       POSTGRES_DB: seerr
+      POSTGRES_DB_FILE: '/run/secrets/postgres_db'
     ports:
       - '5432:5432'
     volumes:
       - postgres:/var/lib/postgresql
+    secrets:
+      - postgres_user
+      - postgres_password
 volumes:
   postgres:
+secrets:
+  postgres_user:
+    file: secret_postgres_user.txt # File containing the username used to connect to the database
+  postgres_password:
+    file: secret_postgres_password.txt # File containing password used to connect to the database
+  postgres_db:
+    file: secret_postgres_db.txt # File containing the database name

server/datasource.ts

@@ -12,13 +12,13 @@ function boolFromEnv(envVar: string, defaultVal = false) {
   return defaultVal;
 }
 
-function stringOrReadFileFromEnv(envVar: string): Buffer | string | undefined {
+function stringOrReadFileFromEnv(envVar: string): string | undefined {
   if (process.env[envVar]) {
     return process.env[envVar];
   }
   const filePath = process.env[`${envVar}_FILE`];
   if (filePath) {
-    return fs.readFileSync(filePath);
+    return fs.readFileSync(filePath, 'utf-8');
   }
   return undefined;
 }
@@ -72,8 +72,8 @@ const postgresDevConfig: DataSourceOptions = {
   port: process.env.DB_SOCKET_PATH
     ? undefined
     : parseInt(process.env.DB_PORT ?? '5432'),
-  username: process.env.DB_USER,
-  password: process.env.DB_PASS,
+  username: stringOrReadFileFromEnv('DB_USER')?.trim(),
+  password: stringOrReadFileFromEnv('DB_PASS')?.trim(),
   database: process.env.DB_NAME ?? 'seerr',
   ssl: buildSslConfig(),
   synchronize: false,
@@ -90,9 +90,9 @@ const postgresProdConfig: DataSourceOptions = {
   port: process.env.DB_SOCKET_PATH
     ? undefined
     : parseInt(process.env.DB_PORT ?? '5432'),
-  username: process.env.DB_USER,
-  password: process.env.DB_PASS,
-  database: process.env.DB_NAME ?? 'seerr',
+  username: stringOrReadFileFromEnv('DB_USER')?.trim(),
+  password: stringOrReadFileFromEnv('DB_PASS')?.trim(),
+  database: stringOrReadFileFromEnv('DB_NAME')?.trim() ?? 'seerr',
   ssl: buildSslConfig(),
   synchronize: false,
   migrationsRun: false,