My app has two .env files (in backend/ and frontend/) and a *.secret file in backend/.
How do I add these files to my Docker image? I can’t include these secret files in my public GitHub repo.
Don’t add them to your Docker image; adding secrets to images isn’t great from a security perspective.
Just use the secrets feature in Fly:
So for every environment variable that you regard as a secret, add that here. For non-secrets, you can put them in your TOML file. (Secrets are basically environment variables that you cannot re-read in the Fly console, so they’re a bit safer than using ordinary environment variables).
If you follow this advice, your app should then not need an .env file, since that just tends to create env vars, which secrets and TOML vars will do for you.
That said, if your app must have on-disk configuration files, then use the above advice, and then additionally run something like this in your deployment CI:
```
flyctl ssh console --command '/project/bin/post-deploy.sh'
```
Here’s my post-deploy.sh, for a Laravel app:
```bash
#!/bin/bash

# This is harmless if the db already exists (this is the Fly volume folder)
touch /data/database-proto.sqlite
chown -R apache /data

# Migrate to latest version, this is a no-op if there's no migrations to do
php artisan migrate

# Install stuff
php artisan vendor:publish --all
php artisan cache:clear
```
Since you have all your env vars and secrets available to you here, you can populate a config template (e.g. using Sed or Awk).
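One way to do the template step mentioned above, as an added example that is not code from this thread. The `{{NAME}}` placeholder syntax, the `render_template` function name and the paths in the usage comment are assumptions; it reads values through awk's `ENVIRON` instead of a sed substitution so that secrets containing `/`, `&` or `\` are copied literally.

```bash
#!/bin/bash
# Added example (not from the thread). The {{NAME}} placeholder syntax and
# every name or path below are assumptions made for illustration.

# render_template TEMPLATE OUTPUT
# Replaces each {{NAME}} in TEMPLATE with the value of environment variable
# NAME and writes the result to OUTPUT, readable by the owner only.
# Fails, leaving no partial output behind, if a referenced variable is unset.
render_template() {
    local template=$1 output=$2 tmp
    # mktemp creates the file with mode 0600, in the same directory as the
    # target so the final mv is an atomic rename.
    tmp=$(mktemp "${output}.XXXXXX") || return 1
    if awk '
        {
            line = $0; out = ""
            while (match(line, /[{][{][A-Za-z_][A-Za-z0-9_]*[}][}]/)) {
                name = substr(line, RSTART + 2, RLENGTH - 4)
                if (!(name in ENVIRON)) {
                    printf "unset variable: %s\n", name > "/dev/stderr"
                    exit 1
                }
                # ENVIRON values are taken verbatim: no escape processing.
                out = out substr(line, 1, RSTART - 1) ENVIRON[name]
                line = substr(line, RSTART + RLENGTH)
            }
            print out line
        }' "$template" > "$tmp"
    then
        mv "$tmp" "$output"
    else
        rm -f "$tmp"
        return 1
    fi
}

# Hypothetical usage from a deploy or start-up script:
#   render_template /project/config.ini.tmpl /data/config.ini
```

Because the rendered file now holds secret values, write it to a volume or the ephemeral disk at deploy time, never into the image or the repository.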
If I want a binary secret file, should I put it on a Docker volume rather than add it to the image?
It’s better to have it on a Fly volume than to add it to the image. But writing it in your continuous integration process is better, in my view, since it will allow you to update the config for each release. Do you use CI?
You can set a binary secret file as a secret in base64, and use a file secret: https://fly.io/docs/machines/flyctl/fly-machine-run/#make-a-secret-available-in-a-file
I don’t yet use CI.
Righto. If your app has a start-up process, then it could take the binary secret recommended by Lillian, and write it to a file on your ephemeral disk. Otherwise a manually created config file on a volume would be fine.
Do look into CI when you can though; it is transformative for the deployment process.
File secrets as described in that docs link already do that!
Ooh, bonus!