jack/PocketVeto
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix: DB password — read from secrets file, bypasses Docker Compose interpolation

Browse Source 
- Add secrets/db_password file support to docker-compose.yml (Docker secrets mount)
- config.py reads POSTGRES_PASSWORD_FILE if set, builds DATABASE_URL with proper URL encoding
- Remove inline DATABASE_URL construction from docker-compose.yml (was subject to $VAR interpolation)
- Any password with any characters now works — no escaping needed

Authored by: Jack Levy
This commit is contained in:
Jack Levy
2026-03-15 17:31:09 -04:00
parent 9f4c9c7a56
commit 8911351c99
4 changed files with 55 additions and 18 deletions
Download Patch File Download Diff File Expand all files Collapse all files

26
docker-compose.yml
View File

@@ -3,8 +3,10 @@ services:
image: postgres:16-alpine
environment:
POSTGRES_USER: ${POSTGRES_USER:-congress}
POSTGRES_PASSWORD: ${POSTGRES_PASSWORD:-congress}
POSTGRES_DB: ${POSTGRES_DB:-pocketveto}
POSTGRES_PASSWORD_FILE: /run/secrets/db_password
secrets:
- db_password
volumes:
- ./postgres/data:/var/lib/postgresql/data
healthcheck:
@@ -36,9 +38,11 @@ services:
uvicorn app.main:app --host 0.0.0.0 --port 8000 --reload"
env_file: .env
environment:
- DATABASE_URL=postgresql+asyncpg://${POSTGRES_USER:-congress}:${POSTGRES_PASSWORD:-congress}@postgres:5432/${POSTGRES_DB:-pocketveto}
- SYNC_DATABASE_URL=postgresql://${POSTGRES_USER:-congress}:${POSTGRES_PASSWORD:-congress}@postgres:5432/${POSTGRES_DB:-pocketveto}
- POSTGRES_HOST=postgres
- POSTGRES_PASSWORD_FILE=/run/secrets/db_password
- REDIS_URL=redis://redis:6379/0
secrets:
- db_password
depends_on:
postgres:
condition: service_healthy
@@ -54,9 +58,11 @@ services:
command: celery -A app.workers.celery_app worker --loglevel=info --concurrency=4 -Q polling,documents,llm,news
env_file: .env
environment:
- DATABASE_URL=postgresql+asyncpg://${POSTGRES_USER:-congress}:${POSTGRES_PASSWORD:-congress}@postgres:5432/${POSTGRES_DB:-pocketveto}
- SYNC_DATABASE_URL=postgresql://${POSTGRES_USER:-congress}:${POSTGRES_PASSWORD:-congress}@postgres:5432/${POSTGRES_DB:-pocketveto}
- POSTGRES_HOST=postgres
- POSTGRES_PASSWORD_FILE=/run/secrets/db_password
- REDIS_URL=redis://redis:6379/0
secrets:
- db_password
depends_on:
postgres:
condition: service_healthy
@@ -72,9 +78,11 @@ services:
command: celery -A app.workers.celery_app beat --loglevel=info --scheduler=redbeat.RedBeatScheduler
env_file: .env
environment:
- DATABASE_URL=postgresql+asyncpg://${POSTGRES_USER:-congress}:${POSTGRES_PASSWORD:-congress}@postgres:5432/${POSTGRES_DB:-pocketveto}
- SYNC_DATABASE_URL=postgresql://${POSTGRES_USER:-congress}:${POSTGRES_PASSWORD:-congress}@postgres:5432/${POSTGRES_DB:-pocketveto}
- POSTGRES_HOST=postgres
- POSTGRES_PASSWORD_FILE=/run/secrets/db_password
- REDIS_URL=redis://redis:6379/0
secrets:
- db_password
depends_on:
redis:
condition: service_healthy
@@ -108,3 +116,7 @@ services:
networks:
app_network:
driver: bridge
secrets:
db_password:
file: ./secrets/db_password