Security++

.env.sample

@@ -9,6 +9,7 @@ LETS_ENCRYPT_ENV=production
 
 ADMIN_USERNAME=admin
 SECRET_ADMIN_PASSWORD_VERSION=v1
+SECRET_POSTGRES_PASSWORD_VERSION=v1
 SITE_NAME=LemmyCloud
 
 SLUR_FILTER='(fag(g|got|tard)?\b|cock\s?sucker(s|ing)?|ni((g{2,}|q)+|[gq]{2,})[e3r]+(s|z)?|mudslime?s?|kikes?|\bspi(c|k)s?\b|\bchinks?|gooks?|bitch(es|ing|y)?|whor(es?|ing)|\btr(a|@)nn?(y|ies?)|\b(b|re|r)tard(ed)?s?)'

compose.yml

@@ -15,6 +15,7 @@ services:
       - lemmy_config:/config/
     secrets:
       - admin_password
+      - postgres_password
     entrypoint: ['/docker-entrypoint.sh']
     # entrypoint: ['tail', '-f', '/dev/null']
     configs:
@@ -49,10 +50,12 @@ services:
     image: postgres:12-alpine
     environment:
       - POSTGRES_USER=lemmy
-      - POSTGRES_PASSWORD=password
       - POSTGRES_DB=lemmy
+      - POSTGRES_PASSWORD_FILE=/run/secrets/postgres_password
     networks:
       - backend
+    secrets:
+      - postgres_password
     volumes:
       - postgres_data:/var/lib/postgresql/data
 
@@ -114,6 +117,9 @@ secrets:
   admin_password:
     external: true
     name: ${STACK_NAME}_admin_password_${SECRET_ADMIN_PASSWORD_VERSION}
+  postgres_password:
+    external: true
+    name: ${STACK_NAME}_postgres_password_${SECRET_POSTGRES_PASSWORD_VERSION}
 
 networks:
   backend:

config.hjson.tmpl

@@ -28,7 +28,7 @@
     # username to connect to postgres
     user: "lemmy"
     # password to connect to postgres
-    password: "password"
+    password: "{{ secret "postgres_password" }}"
     # host where postgres is running
     host: "db"
     # port where postgres can be accessed