
[FEATURE] Support loading sensitive values from files using _FILE suffixed environment variables #2310


Open
enpaul opened this issue May 23, 2025 · 2 comments
Labels: enhancement (New feature or request), next minor


enpaul commented May 23, 2025

What's needed and why?

I'd like to add support for loading sensitive values (such as the database URI, crowdsec API key, etc) from a file on disk specified by an environment variable, rather than directly from the environment. This will support Docker secrets as well as provide an alternative for users looking to avoid putting sensitive data directly into the app environment.

This feature would work by replacing some usages of os.getenv() with a function that does the following, for example when trying to load a sensitive value from the environment variable FOO:

  1. Check if an environment variable named FOO_FILE exists
  2. If it does, attempt to open the value of that environment variable as a file path and read the contents
  3. If successful, return the contents of the file as the value of the secret
  4. If unsuccessful or if the environment variable FOO_FILE is not set, return the value of the environment variable FOO.

I've put together a prototype for this change in my fork:

Implementation ideas (optional)

No response

Code of Conduct

  • I agree to follow this project's Code of Conduct
@enpaul enpaul added the enhancement New feature or request label May 23, 2025
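The four-step lookup described in the issue, written out as an added Python example for this page (it is not the prototype from the fork nor BunkerWeb's own code). The names `get_secret`, `_read_secret_file` and `demo_lookup` are assumptions, as is the choice to strip a single trailing newline from the file contents; the `environ` parameter exists only so the lookup can be exercised against a constructed dictionary instead of the real process environment.

```python
import os
import tempfile
from typing import MutableMapping, Optional


def _read_secret_file(path: str) -> Optional[str]:
    """Return the file's contents, or None on any I/O or decoding error.

    One trailing newline is stripped (an assumption of this example): Docker
    secrets and files written with `echo` usually end in "\n", which would
    otherwise become part of the secret value.
    """
    try:
        with open(path, "r", encoding="utf-8") as fh:
            data = fh.read()
    except (OSError, UnicodeDecodeError):
        return None
    return data[:-1] if data.endswith("\n") else data


def get_secret(
    name: str,
    default: Optional[str] = None,
    environ: Optional[MutableMapping[str, str]] = None,
) -> Optional[str]:
    """Resolve NAME using the lookup order from the issue.

    1. If NAME_FILE is set, try to read the path it points to.
    2. On success, return the file contents as the value.
    3. Otherwise (NAME_FILE unset, or the file unreadable) fall back to NAME,
       then to `default`.

    `environ` defaults to os.environ; a plain dict can be passed for testing.
    """
    env = os.environ if environ is None else environ
    file_path = env.get(f"{name}_FILE")
    if file_path:
        value = _read_secret_file(file_path)
        if value is not None:
            return value
    return env.get(name, default)


def demo_lookup() -> dict:
    """Exercise get_secret() against a constructed environment and a temp file."""
    with tempfile.TemporaryDirectory() as tmp:
        secret_path = os.path.join(tmp, "database_uri")
        with open(secret_path, "w", encoding="utf-8") as fh:
            # constructed sample value, trailing newline on purpose
            fh.write("postgresql://app:example-pass@db/app\n")
        return {
            # NAME_FILE takes precedence over the plain variable; newline stripped
            "file_wins": get_secret("DATABASE_URI", environ={
                "DATABASE_URI_FILE": secret_path,
                "DATABASE_URI": "from-env",
            }),
            # unreadable path: fall back to the plain variable
            "fallback": get_secret("DATABASE_URI", environ={
                "DATABASE_URI_FILE": os.path.join(tmp, "missing"),
                "DATABASE_URI": "from-env",
            }),
            # neither set: the default is returned
            "default": get_secret("DATABASE_URI", default="unset", environ={}),
        }


if __name__ == "__main__":
    print(demo_lookup())
```

One operational caveat the issue's step 4 implies but does not spell out: when `FOO_FILE` is set but the file cannot be read, this lookup silently falls back to `FOO`, so a secret that was meant to come from a mounted file can quietly come from the environment instead. In a real implementation it is worth logging that fallback so a broken secret mount is noticed rather than masked.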
TheophileDiot (Member) commented

Hi @enpaul, this is a good idea. We'll have a look and let you know what we can do 😄

TheophileDiot (Member) commented

Hi @enpaul, thanks for bringing this up!

Here's how it'll work:

BunkerWeb’s entrypoint scripts automatically detect and load secrets from /run/secrets, exporting each one directly as an environment variable inside the container. By default, secrets in Linux containers are mounted at /run/secrets/<secret_name>, which is precisely where BunkerWeb expects them—ensuring seamless and secure integration without additional configuration.
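To make the behaviour the maintainer describes concrete, here is an added Python example (written for this page, not BunkerWeb's entrypoint scripts) that reads every regular file under a secrets directory and exports it as an environment variable named after the file. The function name `load_secrets_dir`, the default of not overwriting a variable that is already set, and the newline stripping are all assumptions of this example; the page does not state which of these rules BunkerWeb itself applies.

```python
import os
import stat
import tempfile
from typing import Dict, MutableMapping, Optional


def load_secrets_dir(
    directory: str = "/run/secrets",
    environ: Optional[MutableMapping[str, str]] = None,
    overwrite: bool = False,
) -> Dict[str, str]:
    """Export each regular file in `directory` as an environment variable.

    The variable name is the file name (Docker mounts a secret named
    API_KEY at /run/secrets/API_KEY). Returns the variables that were set.
    Sub-directories, sockets and unreadable entries are skipped, and an
    already-set variable is kept unless `overwrite=True` (assumed policy).
    """
    env = os.environ if environ is None else environ
    loaded: Dict[str, str] = {}
    try:
        entries = sorted(os.listdir(directory))
    except OSError:
        return loaded  # nothing mounted at that path: nothing to do
    for entry in entries:
        path = os.path.join(directory, entry)
        try:
            st = os.stat(path)
        except OSError:
            continue
        if not stat.S_ISREG(st.st_mode):
            continue  # only plain files carry a secret value
        if not overwrite and entry in env:
            continue  # explicit environment keeps precedence
        try:
            with open(path, "r", encoding="utf-8") as fh:
                value = fh.read()
        except (OSError, UnicodeDecodeError):
            continue
        # strip one trailing newline, as secret files commonly end with one
        value = value[:-1] if value.endswith("\n") else value
        env[entry] = value
        loaded[entry] = value
    return loaded


def demo_load() -> dict:
    """Run load_secrets_dir() over a constructed secrets directory."""
    with tempfile.TemporaryDirectory() as tmp:
        # constructed sample secrets; API_KEY carries a trailing newline
        for name, content in {"API_KEY": "abc123\n", "DB_PASS": "from-file"}.items():
            with open(os.path.join(tmp, name), "w", encoding="utf-8") as fh:
                fh.write(content)
        os.mkdir(os.path.join(tmp, "nested"))  # must be ignored
        env: Dict[str, str] = {"DB_PASS": "from-env"}  # pre-set, must be kept
        loaded = load_secrets_dir(tmp, environ=env)
        return {"loaded": loaded, "env": dict(env)}


if __name__ == "__main__":
    print(demo_load())
```

Because this runs inside the container with the container's own environment, the values end up in the process environment exactly as if they had been passed with `-e`; the gain is that the secret never appears in the image, the compose file or `docker inspect` output, only in the mounted file.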
