diff --git a/.env.example b/.env.example index efc2542d..fa24c705 100644 --- a/.env.example +++ b/.env.example @@ -12,6 +12,12 @@ SECUSCAN_BIND_PORT=8000 # SECUSCAN_REDIS_URL=redis://127.0.0.1:6379/0 # SECUSCAN_CACHE_TTL_SECONDS=30 +# PostgreSQL — REQUIRED when using docker-compose (not for SQLite dev) +# Generate a strong password with: python -c "import secrets; print(secrets.token_urlsafe(32))" +# SECUSCAN_POSTGRES_USER=secuscan +# SECUSCAN_POSTGRES_DB=secuscan +# SECUSCAN_POSTGRES_PASSWORD= + # Docker Support SECUSCAN_DOCKER_ENABLED=false # Docker sandbox network (auto-created if absent; ICC disabled for isolation) diff --git a/docker-compose.yml b/docker-compose.yml index 307932d9..b1f452b1 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -3,15 +3,15 @@ services: postgres: image: postgres:16-alpine environment: - POSTGRES_DB: secuscan - POSTGRES_USER: secuscan - POSTGRES_PASSWORD: secuscan + POSTGRES_DB: ${SECUSCAN_POSTGRES_DB:-secuscan} + POSTGRES_USER: ${SECUSCAN_POSTGRES_USER:-secuscan} + POSTGRES_PASSWORD: ${SECUSCAN_POSTGRES_PASSWORD:?Set SECUSCAN_POSTGRES_PASSWORD to a strong password} ports: - "127.0.0.1:5432:5432" volumes: - postgres_data:/var/lib/postgresql/data healthcheck: - test: ["CMD-SHELL", "pg_isready -U secuscan -d secuscan"] + test: ["CMD-SHELL", "pg_isready -U ${SECUSCAN_POSTGRES_USER:-secuscan} -d ${SECUSCAN_POSTGRES_DB:-secuscan}"] interval: 10s timeout: 5s retries: 5 @@ -43,7 +43,7 @@ services: environment: - SECUSCAN_BIND_ADDRESS=0.0.0.0 # fix: was 127.0.0.1, unreachable inside Docker - SECUSCAN_BIND_PORT=8081 - - SECUSCAN_POSTGRES_DSN=postgresql://secuscan:secuscan@postgres:5432/secuscan + - SECUSCAN_POSTGRES_DSN=postgresql://${SECUSCAN_POSTGRES_USER:-secuscan}:${SECUSCAN_POSTGRES_PASSWORD:?}@postgres:5432/${SECUSCAN_POSTGRES_DB:-secuscan} - SECUSCAN_REDIS_URL=redis://redis:6379/0 - SECUSCAN_PLUGINS_DIR=/app/plugins depends_on: