cromefire · cromefire · Oct 25, 2024 · Oct 4, 2024 · Oct 4, 2024 · Oct 4, 2024
diff --git a/README.md b/README.md
@@ -126,6 +126,12 @@ like `::1234:5678:90ab:cdef` to `::1:1234:5678:90ab:cdef`
 |---------------------------|-------------------------------------------------|
 | DEVICE_LOCAL_ADDRESS_IPV6 | required, enter the local part of the device IP |
 
+## Secrets
+
+Each secret can be passed either as an environment variable directly, or via a file.
+In order to pass a secret via a file, append `_FILE` to the respective environment variable name and configure it to point to the file containing the secret.
+For example in order to pass the Cloudflare API token via a file, configure an environment variable with name `CLOUDFLARE_API_TOKEN_FILE` with the absolute path to a file containing the secret.
+
 ## Docker compose setup
 
 Here is an example `docker-compose.yml` with all features activated:
@@ -188,4 +194,4 @@ trigger it by calling `http://127.0.0.1:8888/ip?v4=127.0.0.1&v6=::1` and review
 
 ## History & Credit
 
-Most of the credit goes to [@adrianrudnik](https://github.com/adrianrudnik), who wrote and maintained the software for years. Meanwhile I stepped in at a later point when the repository was transferred to me to continue its basic maintenance should it be required.
+Most of the credit goes to [@adrianrudnik](https://github.com/adrianrudnik), who wrote and maintained the software for years. Meanwhile I stepped in at a later point when the repository was transferred to me to continue its basic maintenance should it be required.
diff --git a/main.go b/main.go
@@ -100,9 +100,9 @@ func newFritzBox() *avm.FritzBox {
 func newUpdater() *cloudflare.Updater {
 	u := cloudflare.NewUpdater(slog.Default())
 
-	token := os.Getenv("CLOUDFLARE_API_TOKEN")
+	token := readSecret("CLOUDFLARE_API_TOKEN")
 	email := os.Getenv("CLOUDFLARE_API_EMAIL")
-	key := os.Getenv("CLOUDFLARE_API_KEY")
+	key := readSecret("CLOUDFLARE_API_KEY")
 
 	if token == "" {
 		if email == "" || key == "" {
@@ -155,7 +155,7 @@ func startPushServer(out chan<- *net.IP, localIp *net.IP, cancel context.CancelC
 
 	server := dyndns.NewServer(out, localIp, slog.Default())
 	server.Username = os.Getenv("DYNDNS_SERVER_USERNAME")
-	server.Password = os.Getenv("DYNDNS_SERVER_PASSWORD")
+	server.Password = readSecret("DYNDNS_SERVER_PASSWORD")
 
 	s := &http.Server{
 		Addr:     bind,
@@ -272,3 +272,22 @@ func startPollServer(out chan<- *net.IP, localIp *net.IP) {
 		}
 	}()
 }
+
+func readSecret(envName string) string {
+	password := os.Getenv(envName)
+
+	if password != "" {
+		return password
+	}
+
+	passwordFilePath := os.Getenv(envName + "_FILE")
+	if passwordFilePath != "" {
+		content, err := os.ReadFile(passwordFilePath)
+		if err != nil {
+			slog.Error("Failed to read DynDns server password from file", logging.ErrorAttr(err))
+		} else {
+			password = string(content)
+		}
+	}
+	return password
+}