feat(scripts): generate REDIS_PASSWORD on setup, plumb through compose (#458)

* feat(scripts): generate REDIS_PASSWORD on setup, plumb through compose Per the discussion on #453, this takes the recommended path of extending the setup scripts rather than introducing a parallel compose file. - scripts/setup_remote.sh now generates REDIS_PASSWORD alongside OSS_JWT_SECRET and POSTGRES_PASSWORD and writes it to the rendered .env (with a short comment noting it can be rotated, unlike the postgres password which is baked into the volume on first init). - scripts/start_docker.sh now generates REDIS_PASSWORD on first run if missing, mirroring the existing OSS_JWT_SECRET pattern (reuses generate_secret, which falls back through python3 → openssl → /dev/urandom). - docker-compose.yaml and docker-compose-local.yaml now interpolate ${REDIS_PASSWORD:-redissecret} in the redis --requirepass, the redis healthcheck, and the api REDIS_URL. The :-redissecret fallback preserves backwards compatibility for users with an existing .env that predates this change — they keep the old value until they regenerate. New installs (via either script) get a secure random hex. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com> * Harden local Docker secret setup --------- Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com> Co-authored-by: Abhishek Kumar <abhishek@a6k.me>
2026-06-22 08:38:13 +02:00 · 2026-06-21 04:41:31 -03:00 · 2026-06-21 04:41:31 -03:00 · 17054e3f26
commit 17054e3f26
parent ac91019d38
9 changed files with 99 additions and 12 deletions
--- a/scripts/start_docker.ps1
+++ b/scripts/start_docker.ps1
@ -65,6 +65,8 @@ if (-not (Test-Path 'docker-compose.yaml')) {
    exit 1
 }

+$envFileExisted = Test-Path $EnvFile
+
 $existingSecret = Get-DotEnvValue -Path $EnvFile -Key 'OSS_JWT_SECRET'
 if ([string]::IsNullOrEmpty($existingSecret)) {
    Set-DotEnvValue -Path $EnvFile -Key 'OSS_JWT_SECRET' -Value (New-HexSecret)
@ -73,6 +75,26 @@ if ([string]::IsNullOrEmpty($existingSecret)) {
    Write-Host "OSS_JWT_SECRET is already set in $EnvFile."
 }

+$existingPostgresPassword = Get-DotEnvValue -Path $EnvFile -Key 'POSTGRES_PASSWORD'
+if ([string]::IsNullOrEmpty($existingPostgresPassword)) {
+    if (-not $envFileExisted) {
+        Set-DotEnvValue -Path $EnvFile -Key 'POSTGRES_PASSWORD' -Value (New-HexSecret)
+        Write-Host "Created POSTGRES_PASSWORD in $EnvFile."
+    } else {
+        Write-Host "POSTGRES_PASSWORD is not set in $EnvFile; keeping the docker-compose fallback for existing local data volumes."
+    }
+} else {
+    Write-Host "POSTGRES_PASSWORD is already set in $EnvFile."
+}
+
+$existingRedisPassword = Get-DotEnvValue -Path $EnvFile -Key 'REDIS_PASSWORD'
+if ([string]::IsNullOrEmpty($existingRedisPassword)) {
+    Set-DotEnvValue -Path $EnvFile -Key 'REDIS_PASSWORD' -Value (New-HexSecret)
+    Write-Host "Created REDIS_PASSWORD in $EnvFile."
+} else {
+    Write-Host "REDIS_PASSWORD is already set in $EnvFile."
+}
+
 Write-Host ''
 Write-Host "Docker registry: $Registry"
 Write-Host "Telemetry enabled: $EnableTelemetry"