1 06-Network-Architecture
faycel edited this page 2026-02-26 20:07:57 +00:00

This page documents the secure generation and management of Docker Swarm secrets used in production.

Snapshot date: 2026-02
Mode: Swarm


1. Why Docker Secrets

Docker secrets provide:

  • Encrypted storage at rest (in the Swarm Raft log on manager nodes)
  • Controlled access per service
  • No exposure in environment variables
  • No inclusion in image layers

Secrets are only accessible to services explicitly granted access, and a secret is delivered only to the nodes where a task of such a service is running.


2. Generate Strong Secrets

All passwords must be randomly generated with a cryptographic RNG (openssl rand below); never choose them by hand or reuse them across services.

PostgreSQL

openssl rand -base64 48 > swarm/secrets/postgres_password.txt

Mattermost Database

openssl rand -base64 48 > swarm/secrets/mm_db_password.txt

Forgejo Database

openssl rand -base64 12 > swarm/secrets/forgejo_db_password.txt

MinIO Root Credentials

echo "minioadmin" > swarm/secrets/minio_root_user.txt
openssl rand -base64 48 > swarm/secrets/minio_root_password.txt

Mattermost MinIO User

echo "mattermost" > swarm/secrets/mm_minio_user.txt
openssl rand -base64 48 > swarm/secrets/mm_minio_password.txt
openssl rand -base64 40 > swarm/secrets/mm_minio_secret_key.txt
openssl rand -base64 12 > swarm/secrets/mm_minio_access_key.txt

TURN Secret

openssl rand -base64 48 > swarm/secrets/turn_secret.txt

3. Remove Existing Secrets (If Recreating)

sudo docker secret rm postgres_password
sudo docker secret rm forgejo_db_password
sudo docker secret rm mm_db_password
sudo docker secret rm minio_root_user
sudo docker secret rm minio_root_password
sudo docker secret rm turn_secret
sudo docker secret rm mm_minio_user
sudo docker secret rm mm_minio_password
sudo docker secret rm mm_minio_access_key
sudo docker secret rm mm_minio_secret_key

Note: A secret cannot be removed if it is in use by a running service.


4. Create Docker Secrets

sudo docker secret create postgres_password swarm/secrets/postgres_password.txt
sudo docker secret create forgejo_db_password swarm/secrets/forgejo_db_password.txt
sudo docker secret create mm_db_password swarm/secrets/mm_db_password.txt
sudo docker secret create minio_root_user swarm/secrets/minio_root_user.txt
sudo docker secret create minio_root_password swarm/secrets/minio_root_password.txt
sudo docker secret create turn_secret swarm/secrets/turn_secret.txt
sudo docker secret create mm_minio_user swarm/secrets/mm_minio_user.txt
sudo docker secret create mm_minio_password swarm/secrets/mm_minio_password.txt
sudo docker secret create mm_minio_access_key swarm/secrets/mm_minio_access_key.txt
sudo docker secret create mm_minio_secret_key swarm/secrets/mm_minio_secret_key.txt
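
As an added example (not part of this wiki page), the following POSIX shell script performs sections 2 and 4 in one step: it generates each value from the kernel RNG, writes it with mode 0600 into a 0700 directory, checks the file before loading it, and refuses to create a secret that already exists, since rotation rather than overwriting is the documented path. The directory path swarm/secrets is the page's; the function names and the use of /dev/urandom in place of openssl are assumptions.

```shell
#!/bin/sh
# Added example (not from the wiki): generate random secrets under a
# locked-down directory and load them into Swarm.
set -eu

SECRET_DIR="${SECRET_DIR:-swarm/secrets}"   # same path the page uses (assumed)

# Generate BYTES random bytes from the kernel RNG, base64-encoded, no newline.
# /dev/urandom is used here instead of openssl so the script also runs where
# openssl is not installed; the entropy source is the same.
gen_secret() {
    bytes="$1"
    head -c "$bytes" /dev/urandom | base64 | tr -d '\n'
}

# Write a secret file with mode 0600 inside a 0700 directory.
# The trailing newline is deliberately omitted: Docker stores the file
# byte-for-byte, so a "\n" at the end of /run/secrets/<name> is seen as part
# of the value by any application that reads the file verbatim.
write_secret_file() {
    name="$1"; bytes="$2"
    umask 077
    mkdir -p "$SECRET_DIR"
    chmod 700 "$SECRET_DIR"
    gen_secret "$bytes" > "$SECRET_DIR/$name.txt"
    chmod 600 "$SECRET_DIR/$name.txt"
}

# Sanity check before loading: the file exists, is non-empty, contains no
# newline, and is not readable by group or other.
secret_file_ok() {
    f="$1"
    [ -s "$f" ] || return 1
    [ "$(wc -l < "$f")" -eq 0 ] || return 1          # wc -l counts newlines
    case "$(ls -l "$f" | cut -c5-10)" in               # group+other permission bits
        ------) ;;
        *) return 1 ;;
    esac
}

# Create a Swarm secret from the file; fail if the name already exists so an
# existing secret is never silently replaced (use the rotation procedure).
create_secret() {
    name="$1"
    f="$SECRET_DIR/$name.txt"
    secret_file_ok "$f" || { echo "refusing to load $f" >&2; return 1; }
    if docker secret inspect "$name" >/dev/null 2>&1; then
        echo "secret $name already exists; rotate it instead of overwriting" >&2
        return 1
    fi
    docker secret create "$name" "$f" >/dev/null
}

# Usage (uncomment to run against a real Swarm manager):
# for s in postgres_password mm_db_password forgejo_db_password turn_secret; do
#     write_secret_file "$s" 48 && create_secret "$s"
# done
```

If you prefer to keep the page's openssl commands, the equivalent is `openssl rand -base64 48 | tr -d '\n' > swarm/secrets/<name>.txt`; the only change is stripping the newline. The check in secret_file_ok is what stops a half-written or group-readable file from ever reaching the Swarm store.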

5. Verify Secrets

sudo docker secret ls

Inspect a specific secret:

sudo docker secret inspect postgres_password

Note: Secret content cannot be read back through the Docker API once created; docker secret inspect shows only metadata (name, ID, timestamps, labels).


6. How Secrets Are Used in Stack Files

Example:

secrets:
  postgres_password:
    external: true    # created with "docker secret create" (section 4), not by the stack

services:
  postgres:
    environment:
      POSTGRES_PASSWORD_FILE: /run/secrets/postgres_password   # the official image reads the password from this file
    secrets:
      - postgres_password

Secrets are mounted inside containers (on an in-memory tmpfs, never written to the node's disk) under:

/run/secrets/

Example inside container:

/run/secrets/postgres_password

7. Secret Rotation Procedure

  1. Generate a new secret file
  2. Create a new Docker secret (with a new, versioned name)
  3. Update the stack file to reference the new secret
  4. Redeploy the stack
  5. Remove the old secret (possible only once no running service references it)

Never overwrite secrets directly. Docker secrets are immutable: there is no command to update a secret's value, which is why a new name is required.
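
As an added example (not part of this wiki page), the following POSIX shell script automates the versioned-name rotation above: it works out the next name (postgres_password_v1, postgres_password_v2, ...), creates it, swaps it into the running service at the same mount target so the application path /run/secrets/<base> does not change, and removes the old version once docker service update has converged. The base names, the service name and the "_vN" suffix convention are assumptions; it uses docker service update rather than a stack redeploy, so step 3 (updating the stack file to the new name) must still be done or the next docker stack deploy will point the service back at the old name.

```shell
#!/bin/sh
# Added example (not from the wiki): rotate a Swarm secret under a new
# versioned name instead of overwriting it.
set -eu

# Given a base name and the output of `docker secret ls --format '{{.Name}}'`,
# print the next versioned name: base_v1 if none exists, else base_v<max+1>.
# Names that do not end in _v<digits> are ignored.
next_secret_name() {
    base="$1"; existing="$2"
    prefix="${base}_v"
    max=0
    for n in $existing; do
        case "$n" in
            "$prefix"*)
                v="${n#$prefix}"
                case "$v" in
                    ''|*[!0-9]*) continue ;;      # not a numeric version suffix
                esac
                if [ "$v" -gt "$max" ]; then max="$v"; fi
                ;;
        esac
    done
    echo "${base}_v$((max + 1))"
}

# Print the newest existing version of base, or nothing if there is none.
current_secret_name() {
    base="$1"; existing="$2"
    next="$(next_secret_name "$base" "$existing")"
    v="${next##*_v}"
    if [ "$v" -gt 1 ]; then echo "${base}_v$((v - 1))"; fi
}

# Rotate: create base_v<N+1> from FILE, attach it to SERVICE at mount target
# base (so /run/secrets/<base> keeps its path), detach the old version and
# remove it. docker service update waits for the rollout to converge before
# returning, so the old secret is no longer in use when it is removed.
rotate_secret() {
    service="$1"; base="$2"; file="$3"
    existing="$(docker secret ls --format '{{.Name}}')"
    new="$(next_secret_name "$base" "$existing")"
    old="$(current_secret_name "$base" "$existing")"
    docker secret create "$new" "$file" >/dev/null
    if [ -n "$old" ]; then
        docker service update --secret-rm "$old" \
            --secret-add "source=$new,target=$base" "$service" >/dev/null
        docker secret rm "$old" >/dev/null
    else
        docker service update --secret-add "source=$new,target=$base" "$service" >/dev/null
    fi
    echo "$new"
}

# Usage (uncomment to run against a real Swarm manager; names are assumed):
# rotate_secret mystack_postgres postgres_password swarm/secrets/postgres_password.txt
```

The stack-file form of the same mapping, for step 3, is the long secret syntax: source is the versioned name and target is the unversioned one, so only the source line changes on each rotation. Rotating the Docker secret does not change the password inside PostgreSQL or MinIO; that is a separate step in each service, done before the old secret is removed.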


8. Security Best Practices

  • Never store secret values in Git
  • Never store secrets in .env files
  • Never expose secrets as environment variables
  • Restrict access to swarm/secrets/ directory
  • Back up secrets securely offline