From 02081b030917f80874639812a759028d4f832330 Mon Sep 17 00:00:00 2001
From: 3wc <3wc@doesthisthing.work>
Date: Thu, 6 Feb 2025 18:11:06 -0500
Subject: [PATCH] Keep default secret-in-config file for backwards compat.
---
 .env.sample | 4 ++++
 compose.peertube-secret.yml | 14 ++++++++++++++
 compose.yml | 5 -----
 release/5.0.0+v5.2.1-bullseye | 10 +++++++++-
 4 files changed, 27 insertions(+), 6 deletions(-)
 create mode 100644 compose.peertube-secret.yml
diff --git a/.env.sample b/.env.sample
index 457c6f1..06247d3 100644
--- a/.env.sample
+++ b/.env.sample
@@ -2,6 +2,7 @@ TYPE=peertube
 DOMAIN=peertube.example.com # <= EDIT THIS
 LETS_ENCRYPT_ENV=production
+COMPOSE_FILE=compose.yml
 PEERTUBE_WEBSERVER_PORT=443
 PEERTUBE_WEBSERVER_HTTPS=true
@@ -11,6 +12,9 @@ PEERTUBE_TRANSCODING_ENABLED=true
 PEERTUBE_CONTACT_FORM_ENABLED=false
 SECRET_DB_PASSWORD_VERSION=v1
+
+# Comment out these lines if you want to store the peertube secret in a config file instead of a docker secret
+COMPOSE_FILE="$COMPOSE_FILE:compose.peertube-secret.yml"
 SECRET_PEERTUBE_SECRET_VERSION=v1
 ## Webseed backend
diff --git a/compose.peertube-secret.yml b/compose.peertube-secret.yml
new file mode 100644
index 0000000..7f2d84f
--- /dev/null
+++ b/compose.peertube-secret.yml
@@ -0,0 +1,14 @@
+---
+version: "3.8"
+
+services:
+ app:
+ environment:
+ - PEERTUBE_SECRET_FILE=/run/secrets/peertube_secret
+ secrets:
+ - peertube_secret
+
+secrets:
+ peertube_secret:
+ external: true
+ name: ${STACK_NAME}_peertube_secret_${SECRET_PEERTUBE_SECRET_VERSION}
diff --git a/compose.yml b/compose.yml
index 71624a5..1b99e98 100644
--- a/compose.yml
+++ b/compose.yml
@@ -58,14 +58,12 @@ services:
 - PEERTUBE_WEBSERVER_HOSTNAME=${DOMAIN}
 - PEERTUBE_WEBSERVER_HTTPS
 - PEERTUBE_WEBSERVER_PORT
- - PEERTUBE_SECRET_FILE=/run/secrets/peertube_secret
 volumes:
 - app-data:/data
 - app-config:/config
 - app-assets:/srv/client/dist
 secrets:
 - db_password
- - peertube_secret
 configs:
 - source: app_entrypoint
 target: /docker-entrypoint.sh
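Review bot: The comment added in the second .env.sample hunk says "these lines" without naming them, and the two lines it covers have to be toggled together: `COMPOSE_FILE="$COMPOSE_FILE:compose.peertube-secret.yml"` and `SECRET_PEERTUBE_SECRET_VERSION=v1`. If an operator comments out only the version line, the overlay is still loaded and the secret name in compose.peertube-secret.yml is interpolated with an empty version suffix, which presumably either fails the deploy or refers to a secret that does not exist. I would reword the comment to `# Store the PeerTube secret as a Docker secret. Comment out BOTH lines below to keep it in the config file instead.` It would also help to state that the secret must already be generated or inserted before the first deploy with the overlay enabled.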
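Review bot: compose.peertube-secret.yml has no header comment, so nothing in the file says that it is an opt-in overlay or what it depends on. The `peertube_secret` entry is `external: true` and its name is built from `${SECRET_PEERTUBE_SECRET_VERSION}`, so the secret has to exist under that exact versioned name before the stack is deployed; a top-of-file comment such as `# Optional overlay, enabled via COMPOSE_FILE in the app .env; requires SECRET_PEERTUBE_SECRET_VERSION and an already-inserted peertube_secret.` would make that visible. Because the same commit removes `PEERTUBE_SECRET_FILE` from compose.yml, it is also worth confirming that the entrypoint (not shown in this patch) handles the variable being unset, since that is now the path existing deployments take.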
@@ -141,6 +139,3 @@ secrets:
 db_password:
 external: true
 name: ${STACK_NAME}_db_password_${SECRET_DB_PASSWORD_VERSION}
- peertube_secret:
- external: true
- name: ${STACK_NAME}_peertube_secret_${SECRET_PEERTUBE_SECRET_VERSION}
diff --git a/release/5.0.0+v5.2.1-bullseye b/release/5.0.0+v5.2.1-bullseye
index 0a3aab6..b70b896 100644
--- a/release/5.0.0+v5.2.1-bullseye
+++ b/release/5.0.0+v5.2.1-bullseye
@@ -1 +1,9 @@
-WARNING! ⚠️ This release includes several major Postgres version updates, please make even more sure to take a database backup than usual
\ No newline at end of file
+WARNING! ⚠️
+
+This release includes several major Postgres version updates, please make even more sure to take a database backup than usual
+
+Also, `PEERTUBE_SECRET `can now be stored in Docker, instead of just in a config file. To enable this behaviour:
+
+1. Extract the secret from the config file using `abra app run $STACK_NAME app grep peertube: /config/production.yaml | cut -d'"' -f2`
+2. Run `abra app secret insert $STACK_NAME peertube_secret v1`
+3. Run `abra app config $STACK_NAME`, and set `COMPOSE_FILE=compose.yml:compose.peertube-secret.yml`