mirror/zerobyte
0
0
Fork 0
mirror of https://github.com/nicotsx/zerobyte.git synced 2026-04-17 13:33:16 -04:00
Code Issues Packages Projects Releases Wiki Activity
Files
renovate/github-codeql-action-digest
zerobyte/examples/provisioned-resources/README.md
Nico 70c7de1efc feat(config): add support for APP_SECRET as a file (#769) 
* feat(config): add support for APP_SECRET as a file

* fix(tsc): ensure appSecret is set in type system

* fix: pr feedback
2026-04-09 23:13:07 +02:00

3.5 KiB
Raw Permalink Blame History

Provisioned repositories and volumes

This example shows how to keep operator-managed repositories and volumes in a mounted JSON file instead of creating them through the UI.

At startup, Zerobyte reads the provisioning file, resolves any env://... or file://... references, encrypts the resolved secrets into the database, and syncs the resources into the normal repositories and volumes lists as managed entries.

Why this model

  • Secret references stay in deployment-time config instead of the UI.
  • Provisioned repositories and volumes show up in the normal UI and API.
  • Secret rotation is just an env/secret update plus a restart.

What this example includes

  • docker-compose.yml mounts a provisioning file and a Docker secret.
  • .env.example provides the environment variables used by env://... references.
  • provisioning.example.json provisions one S3 repository and one WebDAV volume.
  • secrets/aws_secret_access_key.example shows the file consumed by file://aws_secret_access_key.

Prerequisites

  • Docker + Docker Compose
  • An existing Zerobyte organization ID (found in the UI under Settings > Organization)
  • An S3-compatible repository target and a WebDAV share, or your own equivalent values

If this is a brand-new Zerobyte instance, finish first-run setup first so you have a real organization ID, then enable provisioning and restart the container.

Setup

  1. Copy the example files:
cp .env.example .env
cp provisioning.example.json provisioning.json
cp secrets/aws_secret_access_key.example secrets/aws_secret_access_key
  1. Edit .env:
  • Set APP_SECRET to a real secret, for example openssl rand -hex 32, or set APP_SECRET_FILE to a mounted secret file
  • Set ZEROBYTE_AWS_ACCESS_KEY_ID
  • Set ZEROBYTE_WEBDAV_PASSWORD
  • Adjust BASE_URL and TZ if needed
  1. Edit provisioning.json:
  • Replace organizationId with your existing Zerobyte organization ID
  • Update the S3 endpoint/bucket values
  • Update the WebDAV server, path, and username

  1. Edit secrets/aws_secret_access_key and replace the placeholder value with the real secret access key.

  2. Start the stack:

docker compose up -d

How secret references work

  • env://ZEROBYTE_AWS_ACCESS_KEY_ID reads from a container environment variable.
  • env://ZEROBYTE_WEBDAV_PASSWORD reads from a container environment variable.
  • file://aws_secret_access_key reads /run/secrets/aws_secret_access_key inside the container.
  • The resolved values are encrypted before Zerobyte stores them in the database.

file://... references are always resolved from /run/secrets and must be a single filename, not a nested path.

Access

  • UI/API: http://<host>:4096

What you'll see in Zerobyte

  • AWS Production Backups appears in the repositories list as a managed repository.
  • Team A WebDAV appears in the volumes list as a managed volume.
  • Changes to provisioning.json, .env, or mounted secret files apply on the next container restart.

Rotating or removing provisioned resources

  • Rotate an env-based secret: update .env, then restart Zerobyte.
  • Rotate a file-based secret: update secrets/aws_secret_access_key, then restart Zerobyte.
  • Remove a resource: add delete: true, then restart Zerobyte.

Notes

  • This example keeps SYS_ADMIN and /dev/fuse enabled because the sample volume uses WebDAV.
  • Each provisioned entry must reference an existing organizationId.
  • Each entry includes both a top-level backend and the matching config.backend.
Reference in New Issue View Git Blame Copy Permalink