feat: use Docker secrets for password

Using environment variables for secret data like passwords is an anti-pattern as they can easily leak. It's much safer to maintain the data as a file. To prevent accidental commits of the password file, we are adding a `.gitignore` file.
2024-11-25 01:34:36 +01:00 · 2024-03-02 16:17:47 +01:00 · 2024-03-02 16:17:47 +01:00 · edf466c7c9
commit edf466c7c9
parent bb84e13b9a
2 changed files with 8 additions and 1 deletions
--- a/docker-compose/postgres/.gitignore
+++ b/docker-compose/postgres/.gitignore
@ -0,0 +1 @@
+secret.*
--- a/docker-compose/postgres/docker-compose.yaml
+++ b/docker-compose/postgres/docker-compose.yaml
@ -6,7 +6,7 @@ services:
    image: docker.io/library/postgres:16.2
    environment:
      - POSTGRES_USER=${POSTGRES_USER}
-      - POSTGRES_PASSWORD=${POSTGRES_PASSWORD}
+      - POSTGRES_PASSWORD_FILE=/run/secrets/postgres_password
      # (Optional) when creating a new database
      # - POSTGRES_DB=${POSTGRES_DB}
    ports:
@ -16,6 +16,8 @@ services:
    #
    # networks:
    #   - yournetwork
+    secrets:
+      - postgres_password
    volumes:
      - postgres_data:/var/lib/postgresql/data
    restart: unless-stopped
@ -27,6 +29,10 @@ services:
 #   yournetwork:
 #     external: true

+secrets:
+  postgres_password:
+    file: secret.postgres_password.txt
+
 volumes:
  postgres_data:
    driver: local