fix: resolve review comments

CHANGELOG.md

@@ -17,6 +17,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
   - CopyToClipboard JavaScript hook with fallback for older browsers
   - Button shows count of visible selected members (respects search/filter)
   - German/English translations
+- Docker secrets support via `_FILE` environment variables for all sensitive configuration (SECRET_KEY_BASE, TOKEN_SIGNING_SECRET, OIDC_CLIENT_SECRET, DATABASE_URL, DATABASE_PASSWORD)
 
 ### Fixed
 - Email validation false positive when linking user and member with identical emails (#168 Problem #4)

Justfile

@@ -90,7 +90,7 @@ clean:
 # ================================
 
 # Initialize secrets directory with generated secrets (only if not exists)
-init-secrets:
+init-prod-secrets:
   #!/usr/bin/env bash
   set -euo pipefail
   if [ -d "secrets" ]; then
@@ -106,5 +106,5 @@ init-secrets:
   echo "Secrets generated in ./secrets/"
 
 # Start production environment with Docker Compose
-start-prod: init-secrets
+start-prod: init-prod-secrets
   docker compose -f docker-compose.prod.yml up -d

README.md

@@ -217,6 +217,13 @@ For testing the production Docker build locally:
    # OIDC_BASE_URL=http://localhost:8080/auth/v1
    # OIDC_REDIRECT_URI=http://localhost:4001/auth/user/rauthy/callback
    # OIDC_CLIENT_SECRET=<from-rauthy-client>
+   
+   # Alternative: Use _FILE variables for Docker secrets (takes priority over regular vars):
+   # SECRET_KEY_BASE_FILE=/run/secrets/secret_key_base
+   # TOKEN_SIGNING_SECRET_FILE=/run/secrets/token_signing_secret
+   # OIDC_CLIENT_SECRET_FILE=/run/secrets/oidc_client_secret
+   # DATABASE_URL_FILE=/run/secrets/database_url
+   # DATABASE_PASSWORD_FILE=/run/secrets/database_password
    ```
 
 3. **Start development environment** (for Rauthy):

config/runtime.exs

@@ -21,7 +21,7 @@ get_env_or_file = fn var_name, default ->
     file_path ->
       case File.read(file_path) do
         {:ok, content} ->
-          String.trim(content)
+          String.trim_trailing(content)
 
         {:error, reason} ->
           raise """
@@ -119,10 +119,25 @@ if config_env() == :prod do
 
   # Rauthy OIDC configuration
   # Supports OIDC_CLIENT_SECRET or OIDC_CLIENT_SECRET_FILE for Docker secrets.
+  # OIDC_CLIENT_SECRET is required only if OIDC is being used (indicated by explicit OIDC env vars).
+  oidc_base_url = System.get_env("OIDC_BASE_URL")
+  oidc_client_id = System.get_env("OIDC_CLIENT_ID")
+  oidc_in_use = not is_nil(oidc_base_url) or not is_nil(oidc_client_id)
+
+  client_secret =
+    if oidc_in_use do
+      get_env_or_file!.("OIDC_CLIENT_SECRET", """
+      environment variable OIDC_CLIENT_SECRET (or OIDC_CLIENT_SECRET_FILE) is missing.
+      This is required when OIDC authentication is configured (OIDC_BASE_URL or OIDC_CLIENT_ID is set).
+      """)
+    else
+      get_env_or_file.("OIDC_CLIENT_SECRET", nil)
+    end
+
   config :mv, :rauthy,
-    client_id: System.get_env("OIDC_CLIENT_ID") || "mv",
-    base_url: System.get_env("OIDC_BASE_URL") || "http://localhost:8080/auth/v1",
-    client_secret: get_env_or_file.("OIDC_CLIENT_SECRET", nil),
+    client_id: oidc_client_id || "mv",
+    base_url: oidc_base_url || "http://localhost:8080/auth/v1",
+    client_secret: client_secret,
     redirect_uri:
       System.get_env("OIDC_REDIRECT_URI") || "http://#{host}:#{port}/auth/user/rauthy/callback"
 

docker-compose.prod.yml

@@ -1,6 +1,6 @@
 services:
   app:
-    image: mitgliederverwaltung:latest
+    image: git.local-it.org/local-it/mitgliederverwaltung:latest
     container_name: mv-prod-app
     ports:
       - "4001:4001"