
more security for configuration files #106

Open: wants to merge 2 commits into master

Conversation

mdreyer31

more secure settings for configuration due to sensitive data in it

@nickjj
Owner

nickjj commented Apr 14, 2021

Hi,

Sorry for deleting my old comment, you can ignore it.

What type of sensitive info are you storing in these files?

@ghost

ghost commented Apr 14, 2021

We store proxy passwords there:
https://github.com/nickjj/ansible-docker/blob/master/tests/test.py line 28 :)

@nickjj
Owner

nickjj commented Apr 14, 2021

Ah, for sensitive environment variables I wonder if you would be better off using EnvironmentFile=/path/to/secure/env/file, this way the config file never needs to have secrets in it.

@ghost

ghost commented Apr 15, 2021

If I get you right, I then have to manage that file separately, right?

From my side that could be an option, but I don't see the point in not changing the permissions to 640.

@mdreyer31
Author

From my point of view it is possible to pass secrets via variables (i.e. "docker__systemd_override") to these files. So this change is a little bit of hardening for this role.

@nickjj
Owner

nickjj commented Apr 15, 2021

Yep @mdreyer31's suggestion is what you could do in this case, at least for right now.

You could do something like this:

docker__systemd_override: "EnvironmentFile=/path/to/secure/env/file"

That will create a /etc/systemd/system/docker.service.d/custom.conf file on disk with whatever lines of configuration you put in the docker__systemd_override variable. It's an escape hatch to use any systemd config option you want.

And as you discovered, you would be responsible for putting that /path/to/secure/env/file wherever you want. Perhaps handled by a custom resources role or whatever role you might use to manage files and other resources on your system.

What sensitive data are you storing in the daemon.json btw?
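The EnvironmentFile pattern described above, written out as a complete playbook. This is an added example, not code from the ansible-docker project or from either commenter; it assumes the role is consumed as `nickjj.docker`, and the env file path, the host group, the proxy host and the `proxy_user` / `proxy_password` vault variables are placeholders.

```yaml
# Added example (not from the ansible-docker project): keep credentials out of
# the role-managed drop-in by pointing it at a separately managed EnvironmentFile.
# Assumptions: role installed as "nickjj.docker"; proxy_user / proxy_password
# are Ansible Vault variables; the proxy hostname and file path are placeholders.
- hosts: docker_hosts
  become: true

  vars:
    # Placeholder path; anything outside the role-managed drop-in directory works.
    docker_env_file: /etc/docker/docker.env

    # The role writes this line verbatim into
    # /etc/systemd/system/docker.service.d/custom.conf, so the drop-in holds
    # only a reference to the protected file, never the secret itself.
    docker__systemd_override: "EnvironmentFile={{ docker_env_file }}"

  pre_tasks:
    # Runs before the role, so the file exists when systemd reloads the unit.
    - name: Write the Docker daemon environment file (root-only)
      ansible.builtin.copy:
        dest: "{{ docker_env_file }}"
        owner: root
        group: root
        mode: "0600"
        content: |
          HTTP_PROXY=http://{{ proxy_user }}:{{ proxy_password }}@proxy.example.internal:3128
          HTTPS_PROXY=http://{{ proxy_user }}:{{ proxy_password }}@proxy.example.internal:3128
          NO_PROXY=localhost,127.0.0.1
      no_log: true  # keep the rendered credentials out of the Ansible output and logs
      notify: Restart docker

  roles:
    - role: nickjj.docker

  handlers:
    - name: Restart docker
      ansible.builtin.systemd:
        name: docker
        state: restarted
        daemon_reload: true
```

With this split, the drop-in under docker.service.d can stay world-readable while the credentials live in a single 0600 file that the playbook, not the role, owns.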
