From 90dabdf5bb6e514e2e726a2d78d5f302446bd115 Mon Sep 17 00:00:00 2001
From: thelamer
Date: Wed, 8 Oct 2025 07:55:58 -0400
Subject: [PATCH 1/3] dev deps and pass app version
---
 Dockerfile | 2 ++
 Dockerfile.aarch64 | 2 ++
 2 files changed, 4 insertions(+)
diff --git a/Dockerfile b/Dockerfile
index a8e10e8..3941932 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -34,6 +34,7 @@ RUN \
 ruby \
 ruby-bundler && \
 apk add --no-cache --virtual=build-dependencies \
+ assimp-dev \
 build-base \
 git \
 grep \
@@ -72,6 +73,7 @@ RUN \
 touch db/schema.rb && \
 DATABASE_URL="nulldb://user:pass@localhost/db" \
 SECRET_KEY_BASE="placeholder" \
+ APP_VERSION=${MANYFOLD_VERSION} \
 bundle exec rake assets:precompile && \
 rm db/schema.rb && \
 printf "Linuxserver.io version: ${VERSION}\nBuild-date: ${BUILD_DATE}" > /build_version && \
diff --git a/Dockerfile.aarch64 b/Dockerfile.aarch64
index 2f19192..314719f 100644
--- a/Dockerfile.aarch64
+++ b/Dockerfile.aarch64
@@ -34,6 +34,7 @@ RUN \
 ruby \
 ruby-bundler && \
 apk add --no-cache --virtual=build-dependencies \
+ assimp-dev \
 build-base \
 git \
 grep \
@@ -72,6 +73,7 @@ RUN \
 touch db/schema.rb && \
 DATABASE_URL="nulldb://user:pass@localhost/db" \
 SECRET_KEY_BASE="placeholder" \
+ APP_VERSION=${MANYFOLD_VERSION} \
 bundle exec rake assets:precompile && \
 rm db/schema.rb && \
 printf "Linuxserver.io version: ${VERSION}\nBuild-date: ${BUILD_DATE}" > /build_version && \
From f1f2c631da9a4e4a1fd264279cdb70c84a14970f Mon Sep 17 00:00:00 2001
From: thelamer
Date: Wed, 8 Oct 2025 08:56:09 -0400
Subject: [PATCH 2/3] change key init as it controls the database encryption now and is required for setup, unsure of effect on legacy installations
---
 Dockerfile | 3 +--
 Dockerfile.aarch64 | 3 +--
 README.md | 3 ++-
 readme-vars.yml | 3 ++-
 .../s6-overlay/s6-rc.d/init-manyfold-config/run | 14 ++++++++++++++
 5 files changed, 20 insertions(+), 6 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index 3941932..5a34ce9 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -18,7 +18,7 @@ ENV RAILS_ENV="production" \
 RUN \
 apk add --no-cache \
- assimp \
+ assimp-dev \
 file \
 glfw \
 imagemagick \
@@ -34,7 +34,6 @@ RUN \
 ruby \
 ruby-bundler && \
 apk add --no-cache --virtual=build-dependencies \
- assimp-dev \
 build-base \
 git \
 grep \
diff --git a/Dockerfile.aarch64 b/Dockerfile.aarch64
index 314719f..c8c1d7a 100644
--- a/Dockerfile.aarch64
+++ b/Dockerfile.aarch64
@@ -18,7 +18,7 @@ ENV RAILS_ENV="production" \
 RUN \
 apk add --no-cache \
- assimp \
+ assimp-dev \
 file \
 glfw \
 imagemagick \
@@ -34,7 +34,6 @@ RUN \
 ruby \
 ruby-bundler && \
 apk add --no-cache --virtual=build-dependencies \
- assimp-dev \
 build-base \
 git \
 grep \
diff --git a/README.md b/README.md
index 43e869b..686eed5 100644
--- a/README.md
+++ b/README.md
@@ -124,7 +124,7 @@ Containers are configured using parameters passed at runtime (such as those abov
 | `-e TZ=Etc/UTC` | specify a timezone to use, see this [list](https://en.wikipedia.org/wiki/List_of_tz_database_time_zones#List). |
 | `-e DATABASE_URL=` | Database connection URL. For sqlite use `sqlite3:/config/manyfold.sqlite3`. For postgres or mariadb use `://:@:/` where `` is `postgresql` or `mysql2`. Special characters in username/password must be [URL encoded](https://en.wikipedia.org/wiki/Percent-encoding). |
 | `-e REDIS_URL=` | Redis/Valkey database URL in `redis://:/` format. |
-| `-e SECRET_KEY_BASE=` | Browser session secret. Changing it will terminate all active browser sessions. |
+| `-e SECRET_KEY_BASE=` | Browser session and database encryption key. If unset a random one will be generated on init, the database is locked to this key. |
 | `-v /config` | Persistent storage for application configuration data. |
 | `-v /libraries` | Location of your 3D model libraries. |
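Review bot: The runtime package list in the Dockerfile hunk `@@ -18,7 +18,7 @@` now installs `assimp-dev` in place of `assimp`, so headers and other development files stay in the final image instead of being removed with the `build-dependencies` virtual package, and nothing in the file says why. If the application needs something only the -dev package ships (presumably the unversioned library link, which the hunk does not show), record that in a comment above the `RUN`, for example `# assimp-dev is needed at runtime, not only to build: <reason>`. The same change is made in Dockerfile.aarch64. The `RUN` instruction continues outside the hunk.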
@@ -290,6 +290,7 @@ Once registered you can define the dockerfile to use with `-f Dockerfile.aarch64
 ## Versions
+* **08.10.25:** - Change key init to auto generate and persist.
 * **27.07.25:** - Rebase to Alpine 3.22.
 * **12.01.25:** - Rebase to Alpine 3.21.
 * **23.07.24:** - Initial Release.
diff --git a/readme-vars.yml b/readme-vars.yml
index 06bad87..c76e7ff 100644
--- a/readme-vars.yml
+++ b/readme-vars.yml
@@ -22,7 +22,7 @@ param_usage_include_env: true
 param_env_vars:
 - {env_var: "DATABASE_URL", env_value: "", desc: "Database connection URL. For sqlite use `sqlite3:/config/manyfold.sqlite3`. For postgres or mariadb use `://:@:/` where `` is `postgresql` or `mysql2`. Special characters in username/password must be [URL encoded](https://en.wikipedia.org/wiki/Percent-encoding)."}
 - {env_var: "REDIS_URL", env_value: "", desc: "Redis/Valkey database URL in `redis://:/` format."}
- - {env_var: "SECRET_KEY_BASE", env_value: "", desc: "Browser session secret. Changing it will terminate all active browser sessions."}
+ - {env_var: "SECRET_KEY_BASE", env_value: "", desc: "Browser session and database encryption key. If unset a random one will be generated on init, the database is locked to this key."}
 param_usage_include_ports: true
 param_ports:
 - {external_port: "3214", internal_port: "3214", port_desc: "Port for web frontend"}
@@ -84,6 +84,7 @@ init_diagram: |
 "manyfold:latest" <- Base Images
 # changelog
 changelogs:
+ - {date: "08.10.25:", desc: "Change key init to auto generate and persist."}
 - {date: "27.07.25:", desc: "Rebase to Alpine 3.22."}
 - {date: "12.01.25:", desc: "Rebase to Alpine 3.21."}
 - {date: "23.07.24:", desc: "Initial Release."}
diff --git a/root/etc/s6-overlay/s6-rc.d/init-manyfold-config/run b/root/etc/s6-overlay/s6-rc.d/init-manyfold-config/run
index 8c0c58b..7a233e8 100755
--- a/root/etc/s6-overlay/s6-rc.d/init-manyfold-config/run
+++ b/root/etc/s6-overlay/s6-rc.d/init-manyfold-config/run
@@ -1,6 +1,20 @@
 #!/usr/bin/with-contenv bash
 # shellcheck shell=bash
+# set secret key if unset
+SECRET_FILE="/config/secret_key_base.txt"
+if [ -n "${SECRET_KEY_BASE}" ]; then
+ echo "**** SECRET_KEY_BASE set in environment. ****"
+elif [ -f "${SECRET_FILE}" ] && [ -s "${SECRET_FILE}" ]; then
+ export SECRET_KEY_BASE=$(cat "${SECRET_FILE}" | tr -d '[:space:]')
+else
+ echo "**** SECRET_KEY_BASE not set, generating. ****"
+ KEY=$(ruby -r "securerandom" -e "puts SecureRandom.hex(64)")
+ echo "${KEY}" > "${SECRET_FILE}"
+ export SECRET_KEY_BASE="${KEY}"
+fi
+printf "%s" "${SECRET_KEY_BASE}" > /var/run/s6/container_environment/SECRET_KEY_BASE
+
 mkdir -p \
 /app/www/log \
 /app/www/tmp
From 69a93b6072d716d067db1298362e5f31bfd6d3a4 Mon Sep 17 00:00:00 2001
From: thelamer
Date: Thu, 9 Oct 2025 10:14:24 -0400
Subject: [PATCH 3/3] more deps
---
 Dockerfile | 1 +
 Dockerfile.aarch64 | 1 +
 2 files changed, 2 insertions(+)
diff --git a/Dockerfile b/Dockerfile
index 5a34ce9..19f5bb6 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -20,6 +20,7 @@ RUN \
 apk add --no-cache \
 assimp-dev \
 file \
+ gcompat \
 glfw \
 imagemagick \
 imagemagick-heic \
diff --git a/Dockerfile.aarch64 b/Dockerfile.aarch64
index c8c1d7a..b57eb0d 100644
--- a/Dockerfile.aarch64
+++ b/Dockerfile.aarch64
@@ -20,6 +20,7 @@ RUN \
 apk add --no-cache \
 assimp-dev \
 file \
+ gcompat \
 glfw \
 imagemagick \
 imagemagick-heic \
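Review bot: The `else` branch of the init-manyfold-config/run hunk writes the generated key to `/config/secret_key_base.txt` under the default umask, so the file that now holds the session and database encryption key is typically created readable by every user on the `/config` volume. The same branch persists whatever `ruby` printed without checking it; unless the script aborts on errors (not visible here), a failed generation leaves a file holding only a newline, which passes the `-s` test on every later start and yields an empty `SECRET_KEY_BASE`. Creating the file under `umask 077` and refusing to persist an empty key closes both gaps. A comment above the block should also state that an environment value takes precedence over the file, since the README says the database is locked to the key. The script continues past the hunk.

```bash
# … unchanged: if/elif branches and the "generating" echo …
    KEY=$(ruby -r "securerandom" -e "puts SecureRandom.hex(64)")
    # never persist an empty key: it would be reloaded on every later start
    if [ -z "${KEY}" ]; then
        echo "**** SECRET_KEY_BASE generation failed. ****"
        exit 1
    fi
    # create the key file readable by its owner only
    (umask 077 && printf '%s\n' "${KEY}" > "${SECRET_FILE}")
    export SECRET_KEY_BASE="${KEY}"
fi
# … unchanged: printf into /var/run/s6/container_environment/SECRET_KEY_BASE …
```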