Deploying listmonk app using secrets or env

Just to follow up for anyone who happens upon this, now that I think I understand things better. If you just want to set up listmonk, skip to the code further down…

App secrets can’t be used at build time, so using them to pass args into deploy is either impossible or not particularly trivial.

It is potentially more secure to pass build secrets than to pass build arguments. But build secrets only seem to be able to be used to create a config.toml (via echo or printf in the Docker container), so their values would be there in plain text if anyone got a copy of the container.

Instead, if I use --build-arg and pass environment variables directly into the listmonk app in the Docker container, it seems like those values get stashed only in the database, and don’t stick around in the Docker file. If anyone reads this, please correct me if I’m wrong about that. (On the other hand, using env variables to build a config.toml—as in the original example—suffers from leaving those values stashed in plain text in the Docker container.)

So here’s how I’m deploying listmonk in Fly.io:

Dockerfile:

FROM listmonk/listmonk:latest
ARG PORT ADMIN_USERNAME ADMIN_PASSWORD POSTGRES_HOST POSTGRES_PORT POSTGRES_USER POSTGRES_PASSWORD POSTGRES_DATABASE
ENV LISTMONK_APP__ADDRESS="0.0.0.0:${PORT}" \
  LISTMONK_APP__ADMIN_USERNAME="${ADMIN_USERNAME}" \
  LISTMONK_APP__ADMIN_PASSWORD="${ADMIN_PASSWORD}" \
  LISTMONK_DB__HOST="${POSTGRES_HOST}" \
  LISTMONK_DB__PORT=${POSTGRES_PORT} \
  LISTMONK_DB__USER="${POSTGRES_USER}" \
  LISTMONK_DB__PASSWORD="${POSTGRES_PASSWORD}" \
  LISTMONK_DB__DATABASE="${POSTGRES_DATABASE}" \
  LISTMONK_DB__SSL_MODE="disable" \
  LISTMONK_DB__MAX_OPEN=3 \
  LISTMONK_DB__MAX_IDLE=1
RUN ./listmonk --config="" --idempotent --yes --upgrade || ./listmonk --config="" --install --yes --upgrade
EXPOSE 9000

deploy command:

flyctl deploy \
  --build-arg PORT="9000" \
  --build-arg ADMIN_USERNAME="<some-username>" \
  --build-arg ADMIN_PASSWORD="<some-password>" \
  --build-arg POSTGRES_HOST="<whatever-connected-postgres-app.internal>" \
  --build-arg POSTGRES_PORT=<port> \
  --build-arg POSTGRES_USER="postgres" \
  --build-arg POSTGRES_PASSWORD="<whatever-postgres-password-is>" \
  --build-arg POSTGRES_DATABASE="postgres_database_name" \
  --build-arg POSTGRES_SSL_MODE="disable" \
  --build-arg POSTGRES_MAX_OPEN=3 \
  --build-arg POSTGRES_MAX_IDLE=1
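
On the question raised above of whether values passed through --build-arg into ENV stay in the image, an added example that is not part of the original post: Docker records ENV instructions in the image config and in the layer history, so this script lists the secret-looking variable names it finds there. The sample inspect output and history lines are constructed with placeholder values, and the name pattern is an assumption.

```python
import json
import re
import sys

# Variable names that usually hold credentials (assumed pattern, extend as needed).
SECRET_NAME = re.compile(r"PASSWORD|PASSWD|SECRET|TOKEN|API_?KEY", re.I)
# NAME=value tokens as they appear in `docker history --no-trunc` lines.
ASSIGNMENT = re.compile(r"\b([A-Za-z_][A-Za-z0-9_]*)=(\S+)")

# Constructed sample: trimmed `docker image inspect` output for an image built
# from a Dockerfile like the one above. All values are placeholders.
SAMPLE_INSPECT = json.dumps([{
    "RepoTags": ["example/listmonk:constructed"],
    "Config": {"Env": [
        "PATH=/usr/local/bin:/usr/bin:/bin",
        "LISTMONK_APP__ADDRESS=0.0.0.0:9000",
        "LISTMONK_APP__ADMIN_PASSWORD=example-admin-password",
        "LISTMONK_DB__HOST=example-db.internal",
        "LISTMONK_DB__PASSWORD=example-db-password",
        "LISTMONK_DB__SSL_MODE=disable",
    ]},
}])
# Constructed sample: two lines in the style of `docker history --no-trunc`.
SAMPLE_HISTORY = [
    "ENV LISTMONK_APP__ADDRESS=0.0.0.0:9000 LISTMONK_DB__PASSWORD=example-db-password",
    "EXPOSE map[9000/tcp:{}]",
]

def secrets_in_config(inspect_json):
    """Names of secret-looking ENV variables that carry a value in the image config."""
    found = set()
    for image in json.loads(inspect_json):
        for entry in (image.get("Config") or {}).get("Env") or []:
            name, _, value = entry.partition("=")
            if value and SECRET_NAME.search(name):
                found.add(name)
    return sorted(found)

def secrets_in_history(lines):
    """Names of secret-looking NAME=value tokens recorded in layer history."""
    return sorted({name for line in lines
                   for name, _value in ASSIGNMENT.findall(line)
                   if SECRET_NAME.search(name)})

if __name__ == "__main__":
    # Real use: docker image inspect IMAGE | python3 this_script.py
    piped = not sys.stdin.isatty()
    names = set(secrets_in_config(sys.stdin.read() if piped else SAMPLE_INSPECT))
    if not piped:
        names |= set(secrets_in_history(SAMPLE_HISTORY))
    for name in sorted(names):
        print(f"baked into image: {name}")  # report the name only, never the value
    sys.exit(1 if names else 0)
```

The script exits non-zero when it finds anything, so it can gate a build pipeline before the image is pushed.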