chore: source compose database password from secrets

2026-05-06 15:05:10 -04:00
parent d2d3bee975
commit 0a6d730ca0
4 changed files with 24 additions and 5 deletions
--- a/.gitea/workflows/deploy-socialize.yml
+++ b/.gitea/workflows/deploy-socialize.yml
@@ -46,9 +46,24 @@ jobs:
          DEPLOY_HOST: ${{ secrets.DEPLOY_HOST }}
          DEPLOY_USER: ${{ secrets.DEPLOY_USER }}
          DEPLOY_SSH_PRIVATE_KEY_B64: ${{ secrets.DEPLOY_SSH_PRIVATE_KEY_B64 }}
+          POSTGRES_PASSWORD: ${{ secrets.POSTGRES_PASSWORD }}
        run: |
+          : "${POSTGRES_PASSWORD:?POSTGRES_PASSWORD secret is required}"
+
          mkdir -p ~/.ssh
          printf '%s' "$DEPLOY_SSH_PRIVATE_KEY_B64" | base64 -d > ~/.ssh/deploy_key
          chmod 600 ~/.ssh/deploy_key
+
+          deploy_env="$(mktemp)"
+          {
+            printf 'POSTGRES_USER=sa\n'
+            printf 'POSTGRES_PASSWORD=%s\n' "$POSTGRES_PASSWORD"
+            printf 'POSTGRES_DB=socialize\n'
+            printf 'ASPNETCORE_ENVIRONMENT=Production\n'
+          } > "$deploy_env"
+
+          scp -i ~/.ssh/deploy_key -o StrictHostKeyChecking=accept-new "$deploy_env" "$DEPLOY_USER@$DEPLOY_HOST:/srv/prod/socialize/.env"
+          rm -f "$deploy_env"
+
          ssh -i ~/.ssh/deploy_key -o StrictHostKeyChecking=accept-new "$DEPLOY_USER@$DEPLOY_HOST" \
            'cd /srv/prod/socialize && ./deploy.sh'
--- a/.gitignore
+++ b/.gitignore
@@ -34,6 +34,7 @@ dist/
 .vite/

 # Local environment files
+.env
 *.local
 .env.local
 .env.*.local
--- a/README.md
+++ b/README.md
@@ -76,6 +76,9 @@ http://localhost:8080
 http://<this-machine-lan-ip>:8080
 ```

+For preprod deployment, configure the `POSTGRES_PASSWORD` Gitea secret.
+The deploy workflow writes the remote `.env` file before running the server deploy script.
+
 ## Solution

 ```bash
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -2,9 +2,9 @@ services:
  postgres:
    image: postgres:latest
    environment:
-      POSTGRES_USER: sa
-      POSTGRES_PASSWORD: P@ssword123!
-      POSTGRES_DB: socialize
+      POSTGRES_USER: ${POSTGRES_USER:-sa}
+      POSTGRES_PASSWORD: ${POSTGRES_PASSWORD:?POSTGRES_PASSWORD is required}
+      POSTGRES_DB: ${POSTGRES_DB:-socialize}
    ports:
      - "5433:5432"
    healthcheck:
@@ -18,9 +18,9 @@ services:
      context: .
      dockerfile: backend/src/Socialize.Api/Dockerfile
    environment:
-      ASPNETCORE_ENVIRONMENT: Development
+      ASPNETCORE_ENVIRONMENT: ${ASPNETCORE_ENVIRONMENT:-Development}
      ASPNETCORE_URLS: http://0.0.0.0:8080
-      ConnectionStrings__PostgresConnection: Host=postgres;Port=5432;Database=socialize;Username=sa;Password=P@ssword123!
+      ConnectionStrings__PostgresConnection: Host=postgres;Port=5432;Database=${POSTGRES_DB:-socialize};Username=${POSTGRES_USER:-sa};Password=${POSTGRES_PASSWORD:?POSTGRES_PASSWORD is required}
    depends_on:
      postgres:
        condition: service_healthy