[Feature] Ability to Read Postgres-Pass from File #785

Closed
opened 2025-12-29 02:23:59 +01:00 by adam · 3 comments
Owner

Originally created by @felixw7k on GitHub (Sep 7, 2024).

Use case

As a system administrator I want to check my headscale config into a git repository. Having secrets in git is considered bad practice, so any headscale configuration with postgres.pass set should not be pushed into a git repo.

Description

If you want to have your configuration versioned, at the moment you are left with the options "using postgres via socket" or "using sqlite", since the password to your database server would also be checked in.

Being able to read the postgres password from a file in the headscale config lets us treat the configuration as "non-secret".

In Docker this file could be bind-mounted by the admin; in a Kubernetes environment it could be set as a secret. Neither would be headscale's concern any more.

Contribution

  • I can write the design doc for this feature
  • I can contribute this feature

How can it be implemented?

In my opinion, treating the postgres password the same as the OIDC client secret would be perfect:
Equivalent to oidc.client_secret_path, I could imagine an option like postgres.pass_path to read the password from a file.

adam added the enhancement, stale labels 2025-12-29 02:23:59 +01:00
adam closed this issue 2025-12-29 02:23:59 +01:00
Author
Owner

@kradalby commented on GitHub (Sep 9, 2024):

All the configuration options are also settable via environment variables, e.g. HEADSCALE_DATABASE_POSTGRES_PASS.

I don't disagree that it can also be read by file, but I think that solves the majority of problems.

Please also note that we do not actively support or improve postgres and strongly recommend the use of SQLite.

Author
Owner

@github-actions[bot] commented on GitHub (Dec 25, 2024):

This issue is stale because it has been open for 90 days with no activity.

Author
Owner

@github-actions[bot] commented on GitHub (Jan 1, 2025):

This issue was closed because it has been inactive for 14 days since being marked as stale.

Reference: starred/headscale#785