Comment on Should I stick with Docker Swarm for self-hosting?
emhl@feddit.org 4 months ago
What are your reasons for using docker swarm instead normal docker if you don’t want to do replication?
Comment on Should I stick with Docker Swarm for self-hosting?
emhl@feddit.org 4 months ago
What are your reasons for using docker swarm instead normal docker if you don’t want to do replication?
UncommonBagOfLoot@lemmy.world 4 months ago
To use Docker secrets so that the secrets are encrypted on the host. Using Docker Swarm was the path of least resistance to set up my system monitoring stack.
Docker Compose can use secrets without Swarm, but my understanding is that the those are in plaintext on the host.
i_am_not_a_robot@discuss.tchncs.de 4 months ago
Docker Swarm encryption doesn’t work for your use case. The documentation says that the secret is stored encrypted but can be decrypted by the swarm manager nodes and nodes running services that use the service, which both apply to your single node. If you’re not having to unlock Docker Compose on startup, that means that the encrypted value and the decryption key live next to each other on the same computer and anyone who has access to the encrypted secrets can also decrypt them.
Lem453@lemmy.ca 4 months ago
When I was starting out I almost went down the same pathway. In the send, docker secrets are mainly useful when the same key needs to be distributed around multiple nodes.
Storing the keys locally in an env file that is only accessible to the docker user is close enough to the same thing for home use and greatly simplifies your setup.
I would suggest using a folder for each stack that contains 1 docker compose file and one env file. The env file contains passwords, the rest of the env variables are defined in the docker compose itself. Exclude the env files from your git repo (if you use this for version control) so you never check in a secret to your git repo
I do this all via portainer. Each stack is a compose file that portainer pulls from my self hosted gitea (on another machine). Portainer creates an env file itself when you add the env variables from the gui.
If someone gets access to your system and is able to access the env file, they already have high level access and your system is compromised regardless of if you have the secrets encrypted via swarm or not.