From 470d13444859f9f741720d3cf015c2ce455af3d9 Mon Sep 17 00:00:00 2001
From: "Amine B. Hassouna"
Date: Sun, 29 May 2022 12:01:58 +0100
Subject: [PATCH 1/2] Add support for file-based environment variables in environment-to-ini
---
 .../environment-to-ini/environment-to-ini.go | 29 ++++++++++++++++++++++++++++-
 1 file changed, 28 insertions(+), 1 deletion(-)
diff --git a/contrib/environment-to-ini/environment-to-ini.go b/contrib/environment-to-ini/environment-to-ini.go
index ccda03fa92555..aa36a86cd2015 100644
--- a/contrib/environment-to-ini/environment-to-ini.go
+++ b/contrib/environment-to-ini/environment-to-ini.go
@@ -21,6 +21,9 @@ import (
 // EnvironmentPrefix environment variables prefixed with this represent ini values to write
 const EnvironmentPrefix = "GITEA"
 
+// FileBasedEnvironmentSuffix environment variables suffixed with this represent ini values to load from files
+const FileBasedEnvironmentSuffix = "FILE"
+
 func main() {
 app := cli.NewApp()
 app.Name = "environment-to-ini"
@@ -29,10 +32,14 @@ func main() { through the environment, this command allows environment variables to be mapped to values in the ini. - Environment variables of the form "GITEA__SECTION_NAME__KEY_NAME" + Environment variables of the form "GITEA__section_name__KEY_NAME" will be mapped to the ini section "[section_name]" and the key "KEY_NAME" with the value as provided. + Environment variables of the form "GITEA__section_name__KEY_NAME__FILE" + will be mapped to the ini section "[section_name]" and the key + "KEY_NAME" with the value loaded from the specified file. + Environment variables are usually restricted to a reduced character set "0-9A-Z_" - in order to allow the setting of sections with characters outside of that set, they should be escaped as following: 
@@ -126,6 +133,11 @@ func runEnvironmentToIni(c *cli.Context) error {
 }
 eKey = eKey[len(prefix):]
 sectionName, keyName := DecodeSectionKey(eKey)
+ isFileBased := false
+ if strings.HasSuffix(keyName, "__"+FileBasedEnvironmentSuffix) {
+ isFileBased = true
+ keyName = strings.TrimSuffix(keyName, "__"+FileBasedEnvironmentSuffix)
+ }
 if len(keyName) == 0 {
 continue
 }
@@ -137,6 +149,21 @@ func runEnvironmentToIni(c *cli.Context) error {
 continue
 }
 }
+ if isFileBased {
+ isFile, err := util.IsFile(value)
+ if err != nil {
+ log.Fatal("Unable to check if %s is a file. Error: %v", value, err)
+ }
+ if isFile {
+ if content, err := os.ReadFile(value); err == nil {
+ value = string(content)
+ } else {
+ log.Fatal("Failed to load value from file '%s': %v", value, err)
+ }
+ } else {
+ log.Fatal("File '%s' not found", value)
+ }
+ }
 key := section.Key(keyName)
 if key == nil {
 key, err = section.NewKey(keyName, value)
From 07eb1a78983e028f143ed978c2ae26ecfa321846 Mon Sep 17 00:00:00 2001
From: "Amine B. Hassouna"
Date: Sun, 29 May 2022 12:04:10 +0100
Subject: [PATCH 2/2] Add documentation about file-based environment variables with docker
---
 .../with-docker-rootless.en-us.md | 35 ++++++++++++++++++++++++++++++++++-
 .../doc/installation/with-docker.en-us.md | 35 ++++++++++++++++++++++++++++++++++-
 2 files changed, 68 insertions(+), 2 deletions(-)
diff --git a/docs/content/doc/installation/with-docker-rootless.en-us.md b/docs/content/doc/installation/with-docker-rootless.en-us.md
index a49d3bb15b4c4..b22619b1e7544 100644
--- a/docs/content/doc/installation/with-docker-rootless.en-us.md
+++ b/docs/content/doc/installation/with-docker-rootless.en-us.md
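Review bot: Stripping `__FILE` in hunk `-126,6 +133,11` of environment-to-ini.go makes `GITEA__sec__KEY` and `GITEA__sec__KEY__FILE` resolve to the same section and key, and nothing in the new lines detects that both were supplied. The loop header is outside the hunk, but if it walks the process environment in order, whichever variable is processed later silently wins, so an operator who moves a secret into a file while a stale plain variable is still set may end up with the old value in `app.ini`. Either stop with a fatal error when both are present, or state the precedence in the help text and in a comment above the check, for example `// a __FILE variable and its plain twin target the same key; the last one processed wins`.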
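Review bot: The bytes returned by `os.ReadFile` are assigned to `value` unchanged (hunk `-137,6 +149,21` of environment-to-ini.go), so a secret file that ends with a newline, which is what most editors and `echo` produce, carries that newline into the ini value. Trimming one trailing line ending first would avoid a password or token that silently differs from the intended one: `value = strings.TrimSuffix(strings.TrimSuffix(string(content), "\n"), "\r")`. The three `log.Fatal` calls also print `value`; it is a path when the variable is used as intended, but if the secret itself is put into a `__FILE` variable by mistake it lands in the container log, so logging `sectionName` and `keyName` instead is safer. The enclosing function starts and ends outside the hunk.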
@@ -267,7 +267,7 @@ docker-compose up -d
 
 ## Managing Deployments With Environment Variables
 
-In addition to the environment variables above, any settings in `app.ini` can be set or overridden with an environment variable of the form: `GITEA__SECTION_NAME__KEY_NAME`. These settings are applied each time the docker container starts. Full information [here](https://github.com/go-gitea/gitea/tree/main/contrib/environment-to-ini).
+In addition to the environment variables above, any settings in `app.ini` can be set or overridden with an environment variable of the form: `GITEA__section_name__KEY_NAME`. These settings are applied each time the docker container starts. Full information [here](https://github.com/go-gitea/gitea/tree/main/contrib/environment-to-ini).
 
 These environment variables can be passed to the docker container in `docker-compose.yml`. The following example will enable an smtp mail server if the required env variables `GITEA__mailer__FROM`, `GITEA__mailer__HOST`, `GITEA__mailer__PASSWD` are set on the host or in a `.env` file in the same directory as `docker-compose.yml`:
 
@@ -285,6 +285,39 @@ services:
 - GITEA__mailer__PASSWD="""${GITEA__mailer__PASSWD:?GITEA__mailer__PASSWD not set}"""
 ```
 
+Any settings in `app.ini` can be set or overridden with the content of a file by defining an environment variable of the form: `GITEA__section_name__KEY_NAME__FILE` that points to a file. These settings are applied each time the docker container starts.
+
+These king of environment variables can be useful when using `docker secret` and were the secret is mounted as a file in `/run/secrets/`. The previous example could be refactored to use this technique:
+
+```bash
+...
+services:
+ server:
+ environment:
+ - GITEA__mailer__ENABLED=true
+ - GITEA__mailer__FROM__FILE=/run/secrets/gitea_mailer_from
+ - GITEA__mailer__MAILER_TYPE=smtp
+ - GITEA__mailer__HOST__FILE=/run/secrets/gitea_mailer_host
+ - GITEA__mailer__IS_TLS_ENABLED=true
+ - GITEA__mailer__USER__FILE=/run/secrets/gitea_mailer_user
+ - GITEA__mailer__PASSWD__FILE=/run/secrets/gitea_mailer_password
+ secrets:
+ - gitea_mailer_from
+ - gitea_mailer_host
+ - gitea_mailer_user
+ - gitea_mailer_password
+
+secrets:
+ gitea_mailer_from:
+ external: true
+ gitea_mailer_host:
+ external: true
+ gitea_mailer_user:
+ external: true
+ gitea_mailer_password:
+ external: true
+```
+
 To set required TOKEN and SECRET values, consider using Gitea's built-in [generate utility functions](https://docs.gitea.io/en-us/command-line/#generate).
 
 # SSH Container Passthrough
diff --git a/docs/content/doc/installation/with-docker.en-us.md b/docs/content/doc/installation/with-docker.en-us.md
index de738cc0f8142..b420c6c9735c1 100644
--- a/docs/content/doc/installation/with-docker.en-us.md
+++ b/docs/content/doc/installation/with-docker.en-us.md
@@ -285,7 +285,7 @@ docker-compose up -d
 
 ## Managing Deployments With Environment Variables
 
-In addition to the environment variables above, any settings in `app.ini` can be set or overridden with an environment variable of the form: `GITEA__SECTION_NAME__KEY_NAME`. These settings are applied each time the docker container starts. Full information [here](https://github.com/go-gitea/gitea/tree/master/contrib/environment-to-ini).
+In addition to the environment variables above, any settings in `app.ini` can be set or overridden with an environment variable of the form: `GITEA__section_name__KEY_NAME`. These settings are applied each time the docker container starts. Full information [here](https://github.com/go-gitea/gitea/tree/master/contrib/environment-to-ini).
 
 These environment variables can be passed to the docker container in `docker-compose.yml`. The following example will enable an smtp mail server if the required env variables `GITEA__mailer__FROM`, `GITEA__mailer__HOST`, `GITEA__mailer__PASSWD` are set on the host or in a `.env` file in the same directory as `docker-compose.yml`:
 
@@ -303,6 +303,39 @@ services:
 - GITEA__mailer__PASSWD="""${GITEA__mailer__PASSWD:?GITEA__mailer__PASSWD not set}"""
 ```
 
+Any settings in `app.ini` can be set or overridden with the content of a file by defining an environment variable of the form: `GITEA__section_name__KEY_NAME__FILE` that points to a file. These settings are applied each time the docker container starts.
+
+These king of environment variables can be useful when using `docker secret` and were the secret is mounted as a file in `/run/secrets/`. The previous example could be refactored to use this technique:
+
+```bash
+...
+services:
+ server:
+ environment:
+ - GITEA__mailer__ENABLED=true
+ - GITEA__mailer__FROM__FILE=/run/secrets/gitea_mailer_from
+ - GITEA__mailer__MAILER_TYPE=smtp
+ - GITEA__mailer__HOST__FILE=/run/secrets/gitea_mailer_host
+ - GITEA__mailer__IS_TLS_ENABLED=true
+ - GITEA__mailer__USER__FILE=/run/secrets/gitea_mailer_user
+ - GITEA__mailer__PASSWD__FILE=/run/secrets/gitea_mailer_password
+ secrets:
+ - gitea_mailer_from
+ - gitea_mailer_host
+ - gitea_mailer_user
+ - gitea_mailer_password
+
+secrets:
+ gitea_mailer_from:
+ external: true
+ gitea_mailer_host:
+ external: true
+ gitea_mailer_user:
+ external: true
+ gitea_mailer_password:
+ external: true
+```
+
 To set required TOKEN and SECRET values, consider using Gitea's built-in [generate utility functions](https://docs.gitea.io/en-us/command-line/#generate).
 
 ## SSH Container Passthrough