This document provides a high-level introduction to the Simple Secrets Manager system, explaining its purpose, core features, and architectural design. It covers what the system does, how the major components are organized, and the key technologies used. For detailed setup instructions, see Getting Started. For architecture deep-dives, see Architecture. For API usage, see API Reference.
Simple Secrets Manager is a lightweight, self-hosted secrets management system designed for teams that need organized secret storage without enterprise complexity. The system organizes secrets using a three-tier hierarchy: projects contain configs (representing environments like dev, staging, prod), and configs contain secrets (key-value pairs).
The system is delivered as a unified Docker container that includes both a web-based admin console and a REST API for programmatic access. It uses MongoDB for persistent storage and supports both human authentication (username/password) and machine authentication (scoped API tokens).
Primary use cases:
Sources: README.md10-22
| Feature | Description |
|---|---|
| Hierarchical Organization | Three-tier model: projects → configs → secrets |
| Config Inheritance | Base configs can be inherited by environment configs with selective overrides |
| Dual Interface | Web-based admin console and REST API |
| Flexible Authentication | Username/password for humans, scoped tokens for automation |
| Scope-based Authorization | Fine-grained access control using permission scopes (e.g., secrets:read, projects:write) |
| Import/Export | Import .env files, export secrets as JSON or .env format |
| Audit Logging | Track all modifications to secrets and configurations |
| Multi-Architecture | Docker images for amd64 and arm64 (including Raspberry Pi support) |
| Self-Contained Deployment | Single unified container with frontend and backend |
Sources: README.md16-22 README.md43-49
The following diagram shows the major architectural components and their relationships using actual code entity names:
Component Responsibilities:
nginx: Serves frontend static files on port 8080 and reverse proxies /api requests to Flask backendserver.py: Flask application entry point binding to port 5000api_v1 Blueprint: Defines API routes with /api prefix at Api/api.py29-30Tokens, UserPass), authorization (is_auth.py), and system initialization (Onboarding)Connection singleton: Centralized database connection management at connection.py10-31secrets_manager_data for operational data, secrets_manager_auth for credentials and tokensSources: README.md31-33 docs/README_dockerhub.md10-14 connection.py10-31 Api/api.py29-30
The system implements a hierarchical data model with config inheritance:
Key Concepts:
webapp, microservice-a)dev, staging, prod)inherits_from field, reducing duplicationsecrets_manager_data, authentication data in secrets_manager_authSources: README.md18-19 connection.py16-31
| Layer | Technology | Purpose |
|---|---|---|
| Frontend | React + Vite | Admin console UI with hot-reload development |
| Web Server | Nginx | Static file serving and API reverse proxy |
| Backend Framework | Flask + Flask-RESTx | REST API with automatic OpenAPI documentation |
| Process Manager | Supervisor | Manages both Nginx and Flask processes in container |
| Database | MongoDB 4+ | Document storage for projects, configs, secrets, and auth data |
| Authentication | bcrypt + HMAC-SHA256 | Password hashing and token hashing |
| Containerization | Docker + Docker Compose | Unified deployment with multi-architecture support |
| CI/CD | GitHub Actions | Automated builds, quality checks, and image publishing |
| Python Package Manager | uv | Fast dependency resolution and virtual environment management |
Sources: README.md54-59 docs/README_dockerhub.md10-14
Simple Secrets Manager uses a unified container architecture where a single Docker image contains all necessary components:
Deployment Characteristics:
ghcr.io/bearlike/simple-secrets-manager contains frontend, backend, and web serveramd64 and arm64 platforms using Docker BuildxX.Y.Z, X.Y, X, latest) from CI/CD pipelineTypical Deployment:
The recommended deployment method is Docker Compose, which orchestrates the SSM container and MongoDB container together. The configuration is defined in docker-compose.yml1-40 and starts both services with appropriate networking and volume mounts.
Sources: docs/README_dockerhub.md10-28 README.md23-33
Authentication and authorization are separated concerns:
Access Control Concepts:
TOKEN_SALT before storage in secrets_manager_auth.tokens["projects:read", "secrets:write"])flask.g.actor containing username, scopes, and token metadata@require_token ensures authentication, @require_scope("action") enforces permissionsCommon Scopes:
projects:read, projects:writeconfigs:read, configs:writesecrets:read, secrets:writetokens:read, tokens:write, tokens:revokeaudit:readSources: Access/is_auth.py1-100 Access/tokens.py1-200 Access/userpass.py1-150
Refresh this wiki
This wiki was recently refreshed. Please wait 1 day to refresh again.