Merge pull request #32 from VincentTam/docker-secrets

Use docker secrets to store Discord token

Author: mattfbacon

.gitignore

@@ -3,4 +3,5 @@
 /cache
 # Used for docker containers and might contain secrets.
 /.env
+/discord_token.txt
 *.sqlite

README.md

@@ -26,13 +26,7 @@ To run, CD into this directory, set `DISCORD_TOKEN` to your bot token, set `CACH
 
 There is a `Dockerfile` and `docker-compose.yml` for running the bot inside a Docker container.
 
-To set up the bot with Docker, create a `.env` file like the following:
-
-```
-DISCORD_TOKEN=YourBotTokenHere
-```
-
-and start the container with `docker compose up -d`.
+To set up the bot with Docker, create a `discord_token.txt` file containing your bot token and start the container with `docker compose up -d`.
 
 ### Public Instance
 

crates/bot/src/bot.rs

@@ -754,6 +754,14 @@ async fn handle_error(
 }
 
 pub async fn run() {
+	let token = match (std::env::var_os("DISCORD_TOKEN"), std::env::var_os("DISCORD_TOKEN_FILE")) {
+		(Some(token), None) => token.into_string().expect("`DISCORD_TOKEN` not UTF-8"),
+		(None, Some(path)) => std::fs::read_to_string(path).expect("reading from `DISCORD_TOKEN_FILE`"),
+		(Some(_token), Some(_path)) => panic!("both `DISCORD_TOKEN` and `DISCORD_TOKEN_FILE` provided.\nThis is ambiguous and insecure. Please only use one or the other."),
+		(None, None) => panic!("need `DISCORD_TOKEN` or `DISCORD_TOKEN_FILE` env var"),
+	};
+	let token = token.trim();
+
 	let database = Connection::open_with_flags(
 		std::env::var_os("DB_PATH").expect("need `DB_PATH` env var"),
 		OpenFlags::SQLITE_OPEN_READ_WRITE | OpenFlags::SQLITE_OPEN_CREATE,
@@ -766,7 +774,6 @@ pub async fn run() {
 
 	let edit_tracker_time = std::time::Duration::from_secs(3600);
 
-	let token = std::env::var("DISCORD_TOKEN").expect("need `DISCORD_TOKEN` env var");
 	let intents = GatewayIntents::non_privileged() | GatewayIntents::MESSAGE_CONTENT;
 	let framework = poise::Framework::builder()
 		.options(poise::FrameworkOptions {

docker-compose.yml

@@ -1,7 +1,4 @@
----
-
 name: typst-bot
-version: "3.8"
 services:
     bot:
         # This service is built using the Dockerfile in the current directory.
@@ -12,7 +9,9 @@ services:
         # has when Compose is run. It is not saved in the image. Compose will automatically grab its
         # value from `.env` or the host OS. `?:error` makes it mandatory.
         environment:
-            - DISCORD_TOKEN=${DISCORD_TOKEN?:error}
+            DISCORD_TOKEN_FILE: /run/secrets/discord_token
+        secrets:
+            - discord_token
         # The `/bot/sqlite` and `/bot/cache` directories are mapped to volumes.
         volumes:
             - sqlite:/bot/sqlite
@@ -23,3 +22,7 @@ services:
 volumes:
     sqlite:
     cache:
+
+secrets:
+    discord_token:
+        file: discord_token.txt