Merge pull request #729 from J0WI/secrets

Compatibility with docker secrets (Fix #560)

14.0/apache/entrypoint.sh

@@ -19,6 +19,31 @@ run_as() {
     fi
 }
 
+# usage: file_env VAR [DEFAULT]
+#    ie: file_env 'XYZ_DB_PASSWORD' 'example'
+# (will allow for "$XYZ_DB_PASSWORD_FILE" to fill in the value of
+#  "$XYZ_DB_PASSWORD" from a file, especially for Docker's secrets feature)
+file_env() {
+    local var="$1"
+    local fileVar="${var}_FILE"
+    local def="${2:-}"
+    if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then
+        echo >&2 "error: both $var and $fileVar are set (but are exclusive)"
+        exit 1
+    fi
+    local val="$def"
+    if [ "${!var:-}" ]; then
+        val="${!var}"
+    elif [ "${!fileVar:-}" ]; then
+        val="$(< "${!fileVar}")"
+    else
+        # do not define empty vars
+        return
+    fi
+    export "$var"="$val"
+    unset "$fileVar"
+}
+
 if expr "$1" : "apache" 1>/dev/null || [ "$1" = "php-fpm" ] || [ "${NEXTCLOUD_UPDATE:-0}" -eq 1 ]; then
     if [ -n "${REDIS_HOST+x}" ]; then
 
@@ -67,6 +92,8 @@ if expr "$1" : "apache" 1>/dev/null || [ "$1" = "php-fpm" ] || [ "${NEXTCLOUD_UP
         if [ "$installed_version" = "0.0.0.0" ]; then
             echo "New nextcloud instance"
 
+            file_env NEXTCLOUD_ADMIN_PASSWORD
+
             if [ -n "${NEXTCLOUD_ADMIN_USER+x}" ] && [ -n "${NEXTCLOUD_ADMIN_PASSWORD+x}" ]; then
                 # shellcheck disable=SC2016
                 install_options='-n --admin-user "$NEXTCLOUD_ADMIN_USER" --admin-pass "$NEXTCLOUD_ADMIN_PASSWORD"'
@@ -81,6 +108,9 @@ if expr "$1" : "apache" 1>/dev/null || [ "$1" = "php-fpm" ] || [ "${NEXTCLOUD_UP
                     install_options=$install_options' --data-dir "$NEXTCLOUD_DATA_DIR"'
                 fi
 
+                file_env MYSQL_PASSWORD
+                file_env POSTGRES_PASSWORD
+
                 install=false
                 if [  -n "${SQLITE_DATABASE+x}" ]; then
                     echo "Installing with SQLite database"

14.0/fpm-alpine/entrypoint.sh

@@ -19,6 +19,31 @@ run_as() {
     fi
 }
 
+# usage: file_env VAR [DEFAULT]
+#    ie: file_env 'XYZ_DB_PASSWORD' 'example'
+# (will allow for "$XYZ_DB_PASSWORD_FILE" to fill in the value of
+#  "$XYZ_DB_PASSWORD" from a file, especially for Docker's secrets feature)
+file_env() {
+    local var="$1"
+    local fileVar="${var}_FILE"
+    local def="${2:-}"
+    if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then
+        echo >&2 "error: both $var and $fileVar are set (but are exclusive)"
+        exit 1
+    fi
+    local val="$def"
+    if [ "${!var:-}" ]; then
+        val="${!var}"
+    elif [ "${!fileVar:-}" ]; then
+        val="$(< "${!fileVar}")"
+    else
+        # do not define empty vars
+        return
+    fi
+    export "$var"="$val"
+    unset "$fileVar"
+}
+
 if expr "$1" : "apache" 1>/dev/null || [ "$1" = "php-fpm" ] || [ "${NEXTCLOUD_UPDATE:-0}" -eq 1 ]; then
     if [ -n "${REDIS_HOST+x}" ]; then
 
@@ -67,6 +92,8 @@ if expr "$1" : "apache" 1>/dev/null || [ "$1" = "php-fpm" ] || [ "${NEXTCLOUD_UP
         if [ "$installed_version" = "0.0.0.0" ]; then
             echo "New nextcloud instance"
 
+            file_env NEXTCLOUD_ADMIN_PASSWORD
+
             if [ -n "${NEXTCLOUD_ADMIN_USER+x}" ] && [ -n "${NEXTCLOUD_ADMIN_PASSWORD+x}" ]; then
                 # shellcheck disable=SC2016
                 install_options='-n --admin-user "$NEXTCLOUD_ADMIN_USER" --admin-pass "$NEXTCLOUD_ADMIN_PASSWORD"'
@@ -81,6 +108,9 @@ if expr "$1" : "apache" 1>/dev/null || [ "$1" = "php-fpm" ] || [ "${NEXTCLOUD_UP
                     install_options=$install_options' --data-dir "$NEXTCLOUD_DATA_DIR"'
                 fi
 
+                file_env MYSQL_PASSWORD
+                file_env POSTGRES_PASSWORD
+
                 install=false
                 if [  -n "${SQLITE_DATABASE+x}" ]; then
                     echo "Installing with SQLite database"

14.0/fpm/entrypoint.sh

@@ -19,6 +19,31 @@ run_as() {
     fi
 }
 
+# usage: file_env VAR [DEFAULT]
+#    ie: file_env 'XYZ_DB_PASSWORD' 'example'
+# (will allow for "$XYZ_DB_PASSWORD_FILE" to fill in the value of
+#  "$XYZ_DB_PASSWORD" from a file, especially for Docker's secrets feature)
+file_env() {
+    local var="$1"
+    local fileVar="${var}_FILE"
+    local def="${2:-}"
+    if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then
+        echo >&2 "error: both $var and $fileVar are set (but are exclusive)"
+        exit 1
+    fi
+    local val="$def"
+    if [ "${!var:-}" ]; then
+        val="${!var}"
+    elif [ "${!fileVar:-}" ]; then
+        val="$(< "${!fileVar}")"
+    else
+        # do not define empty vars
+        return
+    fi
+    export "$var"="$val"
+    unset "$fileVar"
+}
+
 if expr "$1" : "apache" 1>/dev/null || [ "$1" = "php-fpm" ] || [ "${NEXTCLOUD_UPDATE:-0}" -eq 1 ]; then
     if [ -n "${REDIS_HOST+x}" ]; then
 
@@ -67,6 +92,8 @@ if expr "$1" : "apache" 1>/dev/null || [ "$1" = "php-fpm" ] || [ "${NEXTCLOUD_UP
         if [ "$installed_version" = "0.0.0.0" ]; then
             echo "New nextcloud instance"
 
+            file_env NEXTCLOUD_ADMIN_PASSWORD
+
             if [ -n "${NEXTCLOUD_ADMIN_USER+x}" ] && [ -n "${NEXTCLOUD_ADMIN_PASSWORD+x}" ]; then
                 # shellcheck disable=SC2016
                 install_options='-n --admin-user "$NEXTCLOUD_ADMIN_USER" --admin-pass "$NEXTCLOUD_ADMIN_PASSWORD"'
@@ -81,6 +108,9 @@ if expr "$1" : "apache" 1>/dev/null || [ "$1" = "php-fpm" ] || [ "${NEXTCLOUD_UP
                     install_options=$install_options' --data-dir "$NEXTCLOUD_DATA_DIR"'
                 fi
 
+                file_env MYSQL_PASSWORD
+                file_env POSTGRES_PASSWORD
+
                 install=false
                 if [  -n "${SQLITE_DATABASE+x}" ]; then
                     echo "Installing with SQLite database"

15.0/apache/entrypoint.sh

@@ -19,6 +19,31 @@ run_as() {
     fi
 }
 
+# usage: file_env VAR [DEFAULT]
+#    ie: file_env 'XYZ_DB_PASSWORD' 'example'
+# (will allow for "$XYZ_DB_PASSWORD_FILE" to fill in the value of
+#  "$XYZ_DB_PASSWORD" from a file, especially for Docker's secrets feature)
+file_env() {
+    local var="$1"
+    local fileVar="${var}_FILE"
+    local def="${2:-}"
+    if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then
+        echo >&2 "error: both $var and $fileVar are set (but are exclusive)"
+        exit 1
+    fi
+    local val="$def"
+    if [ "${!var:-}" ]; then
+        val="${!var}"
+    elif [ "${!fileVar:-}" ]; then
+        val="$(< "${!fileVar}")"
+    else
+        # do not define empty vars
+        return
+    fi
+    export "$var"="$val"
+    unset "$fileVar"
+}
+
 if expr "$1" : "apache" 1>/dev/null || [ "$1" = "php-fpm" ] || [ "${NEXTCLOUD_UPDATE:-0}" -eq 1 ]; then
     if [ -n "${REDIS_HOST+x}" ]; then
 
@@ -67,6 +92,8 @@ if expr "$1" : "apache" 1>/dev/null || [ "$1" = "php-fpm" ] || [ "${NEXTCLOUD_UP
         if [ "$installed_version" = "0.0.0.0" ]; then
             echo "New nextcloud instance"
 
+            file_env NEXTCLOUD_ADMIN_PASSWORD
+
             if [ -n "${NEXTCLOUD_ADMIN_USER+x}" ] && [ -n "${NEXTCLOUD_ADMIN_PASSWORD+x}" ]; then
                 # shellcheck disable=SC2016
                 install_options='-n --admin-user "$NEXTCLOUD_ADMIN_USER" --admin-pass "$NEXTCLOUD_ADMIN_PASSWORD"'
@@ -81,6 +108,9 @@ if expr "$1" : "apache" 1>/dev/null || [ "$1" = "php-fpm" ] || [ "${NEXTCLOUD_UP
                     install_options=$install_options' --data-dir "$NEXTCLOUD_DATA_DIR"'
                 fi
 
+                file_env MYSQL_PASSWORD
+                file_env POSTGRES_PASSWORD
+
                 install=false
                 if [  -n "${SQLITE_DATABASE+x}" ]; then
                     echo "Installing with SQLite database"

15.0/fpm-alpine/entrypoint.sh

@@ -19,6 +19,31 @@ run_as() {
     fi
 }
 
+# usage: file_env VAR [DEFAULT]
+#    ie: file_env 'XYZ_DB_PASSWORD' 'example'
+# (will allow for "$XYZ_DB_PASSWORD_FILE" to fill in the value of
+#  "$XYZ_DB_PASSWORD" from a file, especially for Docker's secrets feature)
+file_env() {
+    local var="$1"
+    local fileVar="${var}_FILE"
+    local def="${2:-}"
+    if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then
+        echo >&2 "error: both $var and $fileVar are set (but are exclusive)"
+        exit 1
+    fi
+    local val="$def"
+    if [ "${!var:-}" ]; then
+        val="${!var}"
+    elif [ "${!fileVar:-}" ]; then
+        val="$(< "${!fileVar}")"
+    else
+        # do not define empty vars
+        return
+    fi
+    export "$var"="$val"
+    unset "$fileVar"
+}
+
 if expr "$1" : "apache" 1>/dev/null || [ "$1" = "php-fpm" ] || [ "${NEXTCLOUD_UPDATE:-0}" -eq 1 ]; then
     if [ -n "${REDIS_HOST+x}" ]; then
 
@@ -67,6 +92,8 @@ if expr "$1" : "apache" 1>/dev/null || [ "$1" = "php-fpm" ] || [ "${NEXTCLOUD_UP
         if [ "$installed_version" = "0.0.0.0" ]; then
             echo "New nextcloud instance"
 
+            file_env NEXTCLOUD_ADMIN_PASSWORD
+
             if [ -n "${NEXTCLOUD_ADMIN_USER+x}" ] && [ -n "${NEXTCLOUD_ADMIN_PASSWORD+x}" ]; then
                 # shellcheck disable=SC2016
                 install_options='-n --admin-user "$NEXTCLOUD_ADMIN_USER" --admin-pass "$NEXTCLOUD_ADMIN_PASSWORD"'
@@ -81,6 +108,9 @@ if expr "$1" : "apache" 1>/dev/null || [ "$1" = "php-fpm" ] || [ "${NEXTCLOUD_UP
                     install_options=$install_options' --data-dir "$NEXTCLOUD_DATA_DIR"'
                 fi
 
+                file_env MYSQL_PASSWORD
+                file_env POSTGRES_PASSWORD
+
                 install=false
                 if [  -n "${SQLITE_DATABASE+x}" ]; then
                     echo "Installing with SQLite database"

15.0/fpm/entrypoint.sh

@@ -19,6 +19,31 @@ run_as() {
     fi
 }
 
+# usage: file_env VAR [DEFAULT]
+#    ie: file_env 'XYZ_DB_PASSWORD' 'example'
+# (will allow for "$XYZ_DB_PASSWORD_FILE" to fill in the value of
+#  "$XYZ_DB_PASSWORD" from a file, especially for Docker's secrets feature)
+file_env() {
+    local var="$1"
+    local fileVar="${var}_FILE"
+    local def="${2:-}"
+    if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then
+        echo >&2 "error: both $var and $fileVar are set (but are exclusive)"
+        exit 1
+    fi
+    local val="$def"
+    if [ "${!var:-}" ]; then
+        val="${!var}"
+    elif [ "${!fileVar:-}" ]; then
+        val="$(< "${!fileVar}")"
+    else
+        # do not define empty vars
+        return
+    fi
+    export "$var"="$val"
+    unset "$fileVar"
+}
+
 if expr "$1" : "apache" 1>/dev/null || [ "$1" = "php-fpm" ] || [ "${NEXTCLOUD_UPDATE:-0}" -eq 1 ]; then
     if [ -n "${REDIS_HOST+x}" ]; then
 
@@ -67,6 +92,8 @@ if expr "$1" : "apache" 1>/dev/null || [ "$1" = "php-fpm" ] || [ "${NEXTCLOUD_UP
         if [ "$installed_version" = "0.0.0.0" ]; then
             echo "New nextcloud instance"
 
+            file_env NEXTCLOUD_ADMIN_PASSWORD
+
             if [ -n "${NEXTCLOUD_ADMIN_USER+x}" ] && [ -n "${NEXTCLOUD_ADMIN_PASSWORD+x}" ]; then
                 # shellcheck disable=SC2016
                 install_options='-n --admin-user "$NEXTCLOUD_ADMIN_USER" --admin-pass "$NEXTCLOUD_ADMIN_PASSWORD"'
@@ -81,6 +108,9 @@ if expr "$1" : "apache" 1>/dev/null || [ "$1" = "php-fpm" ] || [ "${NEXTCLOUD_UP
                     install_options=$install_options' --data-dir "$NEXTCLOUD_DATA_DIR"'
                 fi
 
+                file_env MYSQL_PASSWORD
+                file_env POSTGRES_PASSWORD
+
                 install=false
                 if [  -n "${SQLITE_DATABASE+x}" ]; then
                     echo "Installing with SQLite database"

16.0/apache/entrypoint.sh

@@ -19,6 +19,31 @@ run_as() {
     fi
 }
 
+# usage: file_env VAR [DEFAULT]
+#    ie: file_env 'XYZ_DB_PASSWORD' 'example'
+# (will allow for "$XYZ_DB_PASSWORD_FILE" to fill in the value of
+#  "$XYZ_DB_PASSWORD" from a file, especially for Docker's secrets feature)
+file_env() {
+    local var="$1"
+    local fileVar="${var}_FILE"
+    local def="${2:-}"
+    if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then
+        echo >&2 "error: both $var and $fileVar are set (but are exclusive)"
+        exit 1
+    fi
+    local val="$def"
+    if [ "${!var:-}" ]; then
+        val="${!var}"
+    elif [ "${!fileVar:-}" ]; then
+        val="$(< "${!fileVar}")"
+    else
+        # do not define empty vars
+        return
+    fi
+    export "$var"="$val"
+    unset "$fileVar"
+}
+
 if expr "$1" : "apache" 1>/dev/null || [ "$1" = "php-fpm" ] || [ "${NEXTCLOUD_UPDATE:-0}" -eq 1 ]; then
     if [ -n "${REDIS_HOST+x}" ]; then
 
@@ -67,6 +92,8 @@ if expr "$1" : "apache" 1>/dev/null || [ "$1" = "php-fpm" ] || [ "${NEXTCLOUD_UP
         if [ "$installed_version" = "0.0.0.0" ]; then
             echo "New nextcloud instance"
 
+            file_env NEXTCLOUD_ADMIN_PASSWORD
+
             if [ -n "${NEXTCLOUD_ADMIN_USER+x}" ] && [ -n "${NEXTCLOUD_ADMIN_PASSWORD+x}" ]; then
                 # shellcheck disable=SC2016
                 install_options='-n --admin-user "$NEXTCLOUD_ADMIN_USER" --admin-pass "$NEXTCLOUD_ADMIN_PASSWORD"'
@@ -81,6 +108,9 @@ if expr "$1" : "apache" 1>/dev/null || [ "$1" = "php-fpm" ] || [ "${NEXTCLOUD_UP
                     install_options=$install_options' --data-dir "$NEXTCLOUD_DATA_DIR"'
                 fi
 
+                file_env MYSQL_PASSWORD
+                file_env POSTGRES_PASSWORD
+
                 install=false
                 if [  -n "${SQLITE_DATABASE+x}" ]; then
                     echo "Installing with SQLite database"

16.0/fpm-alpine/entrypoint.sh

@@ -19,6 +19,31 @@ run_as() {
     fi
 }
 
+# usage: file_env VAR [DEFAULT]
+#    ie: file_env 'XYZ_DB_PASSWORD' 'example'
+# (will allow for "$XYZ_DB_PASSWORD_FILE" to fill in the value of
+#  "$XYZ_DB_PASSWORD" from a file, especially for Docker's secrets feature)
+file_env() {
+    local var="$1"
+    local fileVar="${var}_FILE"
+    local def="${2:-}"
+    if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then
+        echo >&2 "error: both $var and $fileVar are set (but are exclusive)"
+        exit 1
+    fi
+    local val="$def"
+    if [ "${!var:-}" ]; then
+        val="${!var}"
+    elif [ "${!fileVar:-}" ]; then
+        val="$(< "${!fileVar}")"
+    else
+        # do not define empty vars
+        return
+    fi
+    export "$var"="$val"
+    unset "$fileVar"
+}
+
 if expr "$1" : "apache" 1>/dev/null || [ "$1" = "php-fpm" ] || [ "${NEXTCLOUD_UPDATE:-0}" -eq 1 ]; then
     if [ -n "${REDIS_HOST+x}" ]; then
 
@@ -67,6 +92,8 @@ if expr "$1" : "apache" 1>/dev/null || [ "$1" = "php-fpm" ] || [ "${NEXTCLOUD_UP
         if [ "$installed_version" = "0.0.0.0" ]; then
             echo "New nextcloud instance"
 
+            file_env NEXTCLOUD_ADMIN_PASSWORD
+
             if [ -n "${NEXTCLOUD_ADMIN_USER+x}" ] && [ -n "${NEXTCLOUD_ADMIN_PASSWORD+x}" ]; then
                 # shellcheck disable=SC2016
                 install_options='-n --admin-user "$NEXTCLOUD_ADMIN_USER" --admin-pass "$NEXTCLOUD_ADMIN_PASSWORD"'
@@ -81,6 +108,9 @@ if expr "$1" : "apache" 1>/dev/null || [ "$1" = "php-fpm" ] || [ "${NEXTCLOUD_UP
                     install_options=$install_options' --data-dir "$NEXTCLOUD_DATA_DIR"'
                 fi
 
+                file_env MYSQL_PASSWORD
+                file_env POSTGRES_PASSWORD
+
                 install=false
                 if [  -n "${SQLITE_DATABASE+x}" ]; then
                     echo "Installing with SQLite database"

16.0/fpm/entrypoint.sh

@@ -19,6 +19,31 @@ run_as() {
     fi
 }
 
+# usage: file_env VAR [DEFAULT]
+#    ie: file_env 'XYZ_DB_PASSWORD' 'example'
+# (will allow for "$XYZ_DB_PASSWORD_FILE" to fill in the value of
+#  "$XYZ_DB_PASSWORD" from a file, especially for Docker's secrets feature)
+file_env() {
+    local var="$1"
+    local fileVar="${var}_FILE"
+    local def="${2:-}"
+    if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then
+        echo >&2 "error: both $var and $fileVar are set (but are exclusive)"
+        exit 1
+    fi
+    local val="$def"
+    if [ "${!var:-}" ]; then
+        val="${!var}"
+    elif [ "${!fileVar:-}" ]; then
+        val="$(< "${!fileVar}")"
+    else
+        # do not define empty vars
+        return
+    fi
+    export "$var"="$val"
+    unset "$fileVar"
+}
+
 if expr "$1" : "apache" 1>/dev/null || [ "$1" = "php-fpm" ] || [ "${NEXTCLOUD_UPDATE:-0}" -eq 1 ]; then
     if [ -n "${REDIS_HOST+x}" ]; then
 
@@ -67,6 +92,8 @@ if expr "$1" : "apache" 1>/dev/null || [ "$1" = "php-fpm" ] || [ "${NEXTCLOUD_UP
         if [ "$installed_version" = "0.0.0.0" ]; then
             echo "New nextcloud instance"
 
+            file_env NEXTCLOUD_ADMIN_PASSWORD
+
             if [ -n "${NEXTCLOUD_ADMIN_USER+x}" ] && [ -n "${NEXTCLOUD_ADMIN_PASSWORD+x}" ]; then
                 # shellcheck disable=SC2016
                 install_options='-n --admin-user "$NEXTCLOUD_ADMIN_USER" --admin-pass "$NEXTCLOUD_ADMIN_PASSWORD"'
@@ -81,6 +108,9 @@ if expr "$1" : "apache" 1>/dev/null || [ "$1" = "php-fpm" ] || [ "${NEXTCLOUD_UP
                     install_options=$install_options' --data-dir "$NEXTCLOUD_DATA_DIR"'
                 fi
 
+                file_env MYSQL_PASSWORD
+                file_env POSTGRES_PASSWORD
+
                 install=false
                 if [  -n "${SQLITE_DATABASE+x}" ]; then
                     echo "Installing with SQLite database"

README.md

@@ -245,6 +245,62 @@ services:
 
 Then run `docker-compose up -d`, now you can access Nextcloud at http://localhost:8080/ from your host system.
 
+# Docker Secrets
+As an alternative to passing sensitive information via environment variables, _FILE may be appended to the previously listed environment variables, causing the initialization script to load the values for those variables from files present in the container. In particular, this can be used to load passwords from Docker secrets stored in /run/secrets/<secret_name> files. For example:
+
+```yaml
+version: '3.2'
+services:
+  db:
+    image: postgres
+    restart: always
+    volumes:
+      - db:/var/lib/postgresql/data
+    environment:
+      - POSTGRES_DB=nextcloud
+      - POSTGRES_USER=nextcloud
+      - POSTGRES_PASSWORD_FILE=/run/secrets/postgres_password
+    secrets:
+      - postgres_password
+  app:
+    image: nextcloud
+    restart: always
+    ports:
+      - 8080:80
+    volumes:
+      - nextcloud:/var/www/html
+    environment:
+      - POSTGRES_HOST=db
+      - POSTGRES_DB=nextcloud
+      - POSTGRES_USER=nextcloud
+      - POSTGRES_PASSWORD_FILE=/run/secrets/postgres_password
+      - NEXTCLOUD_ADMIN_USER=superuser
+      - NEXTCLOUD_ADMIN_PASSWORD_FILE=/run/secrets/admin_password
+    depends_on:
+      - db
+    secrets:
+      - postgres_password
+      - admin_password
+  cron:
+    image: nextcloud
+    restart: always
+    volumes:
+      - nextcloud:/var/www/html
+    entrypoint: /cron.sh
+    depends_on:
+      - db
+volumes:
+  db:
+  nextcloud:
+
+secrets:
+  postgres_password:
+    file: ./postgres_password.txt # put postgresql password to this file
+  admin_password:
+    file: ./admin_password.txt # put admin password to this file
+```
+Currently, this is only supported for `NEXTCLOUD_ADMIN_PASSWORD`, `MYSQL_PASSWORD`, `POSTGRES_PASSWORD`.
+
 # Make your Nextcloud available from the internet
 Until here your Nextcloud is just available from you docker host. If you want you Nextcloud available from the internet adding SSL encryption is mandatory.
 

docker-entrypoint.sh

@@ -19,6 +19,31 @@ run_as() {
     fi
 }
 
+# usage: file_env VAR [DEFAULT]
+#    ie: file_env 'XYZ_DB_PASSWORD' 'example'
+# (will allow for "$XYZ_DB_PASSWORD_FILE" to fill in the value of
+#  "$XYZ_DB_PASSWORD" from a file, especially for Docker's secrets feature)
+file_env() {
+    local var="$1"
+    local fileVar="${var}_FILE"
+    local def="${2:-}"
+    if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then
+        echo >&2 "error: both $var and $fileVar are set (but are exclusive)"
+        exit 1
+    fi
+    local val="$def"
+    if [ "${!var:-}" ]; then
+        val="${!var}"
+    elif [ "${!fileVar:-}" ]; then
+        val="$(< "${!fileVar}")"
+    else
+        # do not define empty vars
+        return
+    fi
+    export "$var"="$val"
+    unset "$fileVar"
+}
+
 if expr "$1" : "apache" 1>/dev/null || [ "$1" = "php-fpm" ] || [ "${NEXTCLOUD_UPDATE:-0}" -eq 1 ]; then
     if [ -n "${REDIS_HOST+x}" ]; then
 
@@ -67,6 +92,8 @@ if expr "$1" : "apache" 1>/dev/null || [ "$1" = "php-fpm" ] || [ "${NEXTCLOUD_UP
         if [ "$installed_version" = "0.0.0.0" ]; then
             echo "New nextcloud instance"
 
+            file_env NEXTCLOUD_ADMIN_PASSWORD
+
             if [ -n "${NEXTCLOUD_ADMIN_USER+x}" ] && [ -n "${NEXTCLOUD_ADMIN_PASSWORD+x}" ]; then
                 # shellcheck disable=SC2016
                 install_options='-n --admin-user "$NEXTCLOUD_ADMIN_USER" --admin-pass "$NEXTCLOUD_ADMIN_PASSWORD"'
@@ -81,6 +108,9 @@ if expr "$1" : "apache" 1>/dev/null || [ "$1" = "php-fpm" ] || [ "${NEXTCLOUD_UP
                     install_options=$install_options' --data-dir "$NEXTCLOUD_DATA_DIR"'
                 fi
 
+                file_env MYSQL_PASSWORD
+                file_env POSTGRES_PASSWORD
+
                 install=false
                 if [  -n "${SQLITE_DATABASE+x}" ]; then
                     echo "Installing with SQLite database"