From 3101458354e1c93a3317f4a3cddad197eb5d451d Mon Sep 17 00:00:00 2001
From: Brooke <brooke@myco.systems>
Date: Fri, 8 May 2026 15:00:16 -0400
Subject: [PATCH 1/3] set secret permissions to be non-world readable

---
 compose.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/compose.yml b/compose.yml
index 51a973f..3d7a3b6 100644
--- a/compose.yml
+++ b/compose.yml
@@ -9,7 +9,8 @@ services:
       - source: garage_conf
         target: /etc/garage.toml
     secrets:
-      - rpc_secret
+      - source: rpc_secret
+        mode: 0600
     networks:
       - proxy
       - internal
-- 
2.49.0


From 49b4a117c25f9b12ef123dab81a61bf5d4a23da5 Mon Sep 17 00:00:00 2001
From: Brooke <brooke@myco.systems>
Date: Fri, 8 May 2026 15:00:33 -0400
Subject: [PATCH 2/3] set rpc secret file and quote wrap

---
 garage.toml.tmpl | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/garage.toml.tmpl b/garage.toml.tmpl
index b6b5d4d..d54cc2f 100644
--- a/garage.toml.tmpl
+++ b/garage.toml.tmpl
@@ -15,7 +15,7 @@ compression_level = 2
 rpc_bind_addr = "[::]:3901"
 rpc_public_addr = "{{ env "DOMAIN" }}:3901"
 rpc_addr = "[::]:3901"
-rpc_secret = "{{ secret "rpc_secret" }}"
+rpc_secret_file = "/run/secrets/rpc_secret"
 
 {{ if ne (env "BOOTSTRAP_ID") "" }}
 bootstrap_peers = [
-- 
2.49.0


From 10be86624fd3ac5ecd34265965a2dfd8559b7455 Mon Sep 17 00:00:00 2001
From: Brooke <brooke@myco.systems>
Date: Fri, 8 May 2026 15:00:42 -0400
Subject: [PATCH 3/3] bump config version

---
 abra.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/abra.sh b/abra.sh
index 2287127..c028708 100644
--- a/abra.sh
+++ b/abra.sh
@@ -1 +1 @@
-export GARAGE_CONF_VERSION=v5
+export GARAGE_CONF_VERSION=v7
\ No newline at end of file
-- 
2.49.0