Use secret seed for internal database passwords
Getting root-only read permissions into the Postgres image would
be tricky because of the way its init script works. But it isn't
exposed to the outside anyway.
diff --git a/docker-compose.yml b/docker-compose.yml
index 603fdca..c45cf79 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -28,18 +28,22 @@
postgres:
build:
context: ./postgres/docker/
+ secrets:
+ - seed
networks:
- dbnet
volumes:
- ./postgres/postgres.conf:/etc/postgresql/postgresql.conf:ro
- ./postgres/init.sh:/docker-entrypoint-initdb.d/init.sh:ro
- ./postgres/data/:/var/lib/postgresql/data/:rw
- - ./postgres/passwd/:/tmp/passwd/:rw
keycloak:
build:
context: ./keycloak/docker/
args:
- KC_DB=postgres
+ secrets:
+ - source : seed
+ mode: 0400
networks:
- kcnet
- dbnet
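Review bot: The `mode: 0400` on keycloak's `seed` entry may not be enforced: outside Swarm, Docker Compose bind-mounts file-backed secrets and ignores `uid`, `gid` and `mode` for them. The top-level `secrets:` definition is not in this hunk, so confirm how `seed` is sourced and check the resulting permissions on `/run/secrets/seed` in the running container. Both postgres and keycloak now receive the same `seed`; if each service's database password is derived from it, as the commit title suggests, a compromised keycloak container could derive the other services' passwords too, so consider handing keycloak only its own derived password. Minor: write `source: seed` without the space before the colon. Separately, `KEYCLOAK_ADMIN_PASSWORD` in the next hunk's context is still a literal in the compose file and is a natural candidate for the same secrets mechanism.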
@@ -57,8 +61,6 @@
- KC_DB_POOL_MAX_SIZE=16
- KEYCLOAK_ADMIN=deusarcadia
- KEYCLOAK_ADMIN_PASSWORD=arcanumhomini
- volumes:
- - ./postgres/passwd/keycloak/:/tmp/passwd/db/:ro
simpleid:
build:
context: .