fix: harden the postgres default password

2026-06-07 07:55:16 +02:00 · 2026-06-05 14:30:02 +05:30 · 2026-06-05 14:30:02 +05:30 · 49e68b49d5
commit 49e68b49d5
parent 418592178c
4 changed files with 24 additions and 2 deletions
--- a/docker-compose.yaml
+++ b/docker-compose.yaml
@ -3,7 +3,11 @@ services:
    image: pgvector/pgvector:pg17
    environment:
      POSTGRES_USER: postgres
-      POSTGRES_PASSWORD: postgres
+      # Sourced from .env. Defaults to "postgres"
+      # NOTE: changing this on an existing install does NOT
+      # re-key the database — the password is baked into the volume on first init.
+      # You can manually change the password using psql in the container
+      POSTGRES_PASSWORD: "${POSTGRES_PASSWORD:-postgres}"
      POSTGRES_DB: postgres
    logging:
      driver: "json-file"
@ -136,7 +140,7 @@ services:
      BACKEND_API_ENDPOINT: "${BACKEND_API_ENDPOINT:-http://localhost:8000}"

      # Database configuration (using containerized postgres)
-      DATABASE_URL: "postgresql+asyncpg://postgres:postgres@postgres:5432/postgres"
+      DATABASE_URL: "postgresql+asyncpg://postgres:${POSTGRES_PASSWORD:-postgres}@postgres:5432/postgres"

      # Redis configuration (using containerized redis)
      REDIS_URL: "redis://:redissecret@redis:6379"
--- a/scripts/setup_local.ps1
+++ b/scripts/setup_local.ps1
@ -243,6 +243,7 @@ if ($UseCoturn) {

 Write-Info "[2/$TotalSteps] Creating environment file..."
 $ossJwtSecret = New-HexSecret 32
+$postgresPassword = New-HexSecret 32

 $envLines = @(
    '# Container registry for Dograh images'
@ -251,6 +252,11 @@ $envLines = @(
    '# JWT secret for OSS authentication'
    "OSS_JWT_SECRET=$ossJwtSecret"
    ''
+    '# PostgreSQL password. Used by the postgres container on first init and by'
+    "# the API's DATABASE_URL. Do not change after the first start — the password"
+    '# is baked into the postgres data volume when it is first created.'
+    "POSTGRES_PASSWORD=$postgresPassword"
+    ''
    '# Telemetry (set to false to disable)'
    "ENABLE_TELEMETRY=$EnableTelemetry"
    ''
--- a/scripts/setup_local.sh
+++ b/scripts/setup_local.sh
@ -150,6 +150,7 @@ fi
 ENV_STEP=$TOTAL_STEPS
 echo -e "${BLUE}[$ENV_STEP/$TOTAL_STEPS] Creating environment file...${NC}"
 OSS_JWT_SECRET=$(openssl rand -hex 32)
+POSTGRES_PASSWORD=$(openssl rand -hex 32)

 cat > .env << ENV_EOF
 # Container registry for Dograh images
@ -158,6 +159,11 @@ REGISTRY=$REGISTRY
 # JWT secret for OSS authentication
 OSS_JWT_SECRET=$OSS_JWT_SECRET

+# PostgreSQL password. Used by the postgres container on first init and by the
+# API's DATABASE_URL. Do not change after the first start — the password is
+# baked into the postgres data volume when it is first created.
+POSTGRES_PASSWORD=$POSTGRES_PASSWORD
+
 # Telemetry (set to false to disable)
 ENABLE_TELEMETRY=$ENABLE_TELEMETRY

--- a/scripts/setup_remote.sh
+++ b/scripts/setup_remote.sh
@ -251,6 +251,7 @@ echo -e "${GREEN}✓ SSL certificates generated${NC}"

 echo -e "${BLUE}[4/$TOTAL] Creating environment file...${NC}"
 OSS_JWT_SECRET=$(openssl rand -hex 32)
+POSTGRES_PASSWORD=$(openssl rand -hex 32)

 cat > .env << ENV_EOF
 # Remote deployments run with production signaling and HTTPS defaults
@ -276,6 +277,11 @@ FORCE_TURN_RELAY=$FORCE_TURN_RELAY
 # JWT secret for OSS authentication
 OSS_JWT_SECRET=$OSS_JWT_SECRET

+# PostgreSQL password. Used by the postgres container on first init and by the
+# API's DATABASE_URL. Do not change after the first start — the password is
+# baked into the postgres data volume when it is first created.
+POSTGRES_PASSWORD=$POSTGRES_PASSWORD
+
 # Telemetry (set to false to disable)
 ENABLE_TELEMETRY=$ENABLE_TELEMETRY