From 98edb12abbc5eee7cdf9b4d9fe61cfdd146d72dd Mon Sep 17 00:00:00 2001 From: Bryan Van Deusen Date: Fri, 5 Jun 2026 11:28:53 -0400 Subject: [PATCH] =?UTF-8?q?fix(deploy):=20let=20app=20own=20secret=20key?= =?UTF-8?q?=20=E2=80=94=20remove=20STEWARD=5FSECRET=5FKEY=20from=20deploy?= =?UTF-8?q?=20compose?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The app auto-generates a key on first boot and persists it to /data/secret.key, which the app_data volume keeps across image updates. No reason to surface this as a user-facing env var in the deploy compose. Removed from .env.example too. Co-Authored-By: Claude Opus 4.8 (1M context) --- .env.example | 1 - compose.deploy.yml | 7 +++---- 2 files changed, 3 insertions(+), 5 deletions(-) diff --git a/.env.example b/.env.example index 84f9d65..f5201bf 100644 --- a/.env.example +++ b/.env.example @@ -1,7 +1,6 @@ # Copy to .env for Docker / local development secrets # These override values in config.yaml -STEWARD_SECRET_KEY=change-me STEWARD_DATABASE_URL=postgresql+asyncpg://steward:password@localhost/steward STEWARD_SMTP__PASSWORD= diff --git a/compose.deploy.yml b/compose.deploy.yml index 2e19a38..175e94a 100644 --- a/compose.deploy.yml +++ b/compose.deploy.yml @@ -23,10 +23,9 @@ services: - app_data:/data environment: - STEWARD_DATABASE_URL=postgresql+asyncpg://steward:${POSTGRES_PASSWORD:-steward}@db/steward - # Optional: if unset, the app generates a key and persists it to - # /data/secret.key, so sessions survive restarts via the app_data volume. - # Set STEWARD_SECRET_KEY in .env to pin it explicitly across volume resets. - - STEWARD_SECRET_KEY=${STEWARD_SECRET_KEY:-} + # STEWARD_SECRET_KEY is intentionally absent — the app generates a random + # key on first boot and persists it to /data/secret.key, which the app_data + # volume keeps across image updates. depends_on: db: condition: service_healthy