Sorry for 3 days delay.
That’s the bind mount, yes.
Well, the best would probably be reading the passwords from a database like HashiCorp Vault, but I haven’t done that yet with Docker. Let’s see what I have done when I chose a simple solution on a server only I had access to, so only I had access to the docker command.
I have stored the data somewhere in /srv/volumes/ so it didn’t have to be a home. I set the permissions on this folder so it was not “executable” by anyone but the owner, root:
chmod 0700 /srv/volumes
Note: In case of folders, the “executable” flag means “can list entries in that folder”, so nobody but me could run cd /srv/volumes (well, nobody else was there).
Since Docker ran as root, it didn’t affect the volume mount, so other users couldn’t have used the docker command or cd into that folder.
That is one solution if you want a simple one. It is basically what you are trying to do as the home folders are probably not “executable” by anyone except the owner.
You could use secrets, but that requires Docker Swarm.
You don’t necessarily need to run the containers in Swarm but it has to be enabled. At least I had to when I last used it. Docker Compose can also use secrets, however, I am not sure how it is different from Swarm. If I remember correctly, it is different.
And there is HashiCorp Vault that I mentioned. I have shared this video somewhere on the forum in the past, but it could be a little outdated now.
And you can find other blog posts about it.
HashiCorp Vault is probably way too complicated for your use case, but it is good to know about it.
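The permission-based setup described in the post above, as an added shell example (not code from the post's author): `setup_secret_dir` applies 0700 to the volume directory and 0600 to the password files inside it, and `audit_secret_dir` checks afterwards that nothing under it is accessible to group or others. The directory path is whatever you pass in (the post's was /srv/volumes); it assumes GNU coreutils/findutils (`find -perm /mode`).

```shell
#!/bin/sh
# Added example, not from the original post. Assumes GNU find (-perm /mode).

# Make "$1" a directory only its owner can traverse (0700) and make every
# regular file inside it readable/writable by the owner only (0600).
setup_secret_dir() {
    dir="$1"
    mkdir -p "$dir" || return 1
    chmod 0700 "$dir" || return 1
    find "$dir" -type f -exec chmod 0600 {} +
}

# Return 0 when neither "$1" itself nor anything below it has any
# read/write/execute bit set for group or others (mask 077).
# Otherwise print the offending paths to stderr and return 1.
# Symlinks are reported too: the directory's mode says nothing about
# where they point.
audit_secret_dir() {
    dir="$1"
    [ -d "$dir" ] || { echo "missing directory: $dir" >&2; return 1; }
    bad=$(find "$dir" -perm /077 -print)
    if [ -n "$bad" ]; then
        printf 'group/other access found under %s:\n%s\n' "$dir" "$bad" >&2
        return 1
    fi
    return 0
}
```

Run it as root on the real path, e.g. `setup_secret_dir /srv/volumes && audit_secret_dir /srv/volumes`; a non-zero exit from the audit lists what still needs tightening.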