feat(scripts): generate REDIS_PASSWORD on setup, plumb through compose (#458)

* feat(scripts): generate REDIS_PASSWORD on setup, plumb through compose Per the discussion on #453, this takes the recommended path of extending the setup scripts rather than introducing a parallel compose file. - scripts/setup_remote.sh now generates REDIS_PASSWORD alongside OSS_JWT_SECRET and POSTGRES_PASSWORD and writes it to the rendered .env (with a short comment noting it can be rotated, unlike the postgres password which is baked into the volume on first init). - scripts/start_docker.sh now generates REDIS_PASSWORD on first run if missing, mirroring the existing OSS_JWT_SECRET pattern (reuses generate_secret, which falls back through python3 → openssl → /dev/urandom). - docker-compose.yaml and docker-compose-local.yaml now interpolate ${REDIS_PASSWORD:-redissecret} in the redis --requirepass, the redis healthcheck, and the api REDIS_URL. The :-redissecret fallback preserves backwards compatibility for users with an existing .env that predates this change — they keep the old value until they regenerate. New installs (via either script) get a secure random hex. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com> * Harden local Docker secret setup --------- Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com> Co-authored-by: Abhishek Kumar <abhishek@a6k.me>
2026-06-22 08:38:13 +02:00 · 2026-06-21 04:41:31 -03:00 · 2026-06-21 04:41:31 -03:00 · 17054e3f26
commit 17054e3f26
parent ac91019d38
9 changed files with 99 additions and 12 deletions
--- a/scripts/start_docker.sh
+++ b/scripts/start_docker.sh
@ -23,7 +23,7 @@ generate_secret() {
        return
    fi

-    fail "Could not generate OSS_JWT_SECRET. Install python3 or openssl, or set OSS_JWT_SECRET manually in .env."
+    fail "Could not generate a secret. Install python3 or openssl, or set secrets manually in .env."
 }

 dotenv_value() {
@ -76,6 +76,11 @@ set_dotenv_value() {

 [[ -f docker-compose.yaml ]] || fail "docker-compose.yaml not found. Download it first, then re-run this script."

+env_file_existed=false
+if [[ -f "$ENV_FILE" ]]; then
+    env_file_existed=true
+fi
+
 existing_secret="$(dotenv_value OSS_JWT_SECRET || true)"
 if [[ -z "$existing_secret" ]]; then
    set_dotenv_value OSS_JWT_SECRET "$(generate_secret)"
@ -84,6 +89,26 @@ else
    echo "OSS_JWT_SECRET is already set in $ENV_FILE."
 fi

+existing_postgres_password="$(dotenv_value POSTGRES_PASSWORD || true)"
+if [[ -z "$existing_postgres_password" ]]; then
+    if [[ "$env_file_existed" == "false" ]]; then
+        set_dotenv_value POSTGRES_PASSWORD "$(generate_secret)"
+        echo "Created POSTGRES_PASSWORD in $ENV_FILE."
+    else
+        echo "POSTGRES_PASSWORD is not set in $ENV_FILE; keeping the docker-compose fallback for existing local data volumes."
+    fi
+else
+    echo "POSTGRES_PASSWORD is already set in $ENV_FILE."
+fi
+
+existing_redis_password="$(dotenv_value REDIS_PASSWORD || true)"
+if [[ -z "$existing_redis_password" ]]; then
+    set_dotenv_value REDIS_PASSWORD "$(generate_secret)"
+    echo "Created REDIS_PASSWORD in $ENV_FILE."
+else
+    echo "REDIS_PASSWORD is already set in $ENV_FILE."
+fi
+
 echo ""
 echo "Docker registry: $REGISTRY"
 echo "Telemetry enabled: $ENABLE_TELEMETRY"