Code-review MAJOR MA1. The previous `scripts/postgres-init/00-roles.sql` hardcoded a `CHANGE_ME` password for `mimic_audit_writer` and was bind-mounted into the dev Postgres container; on prod boxes this risks lingering as the real credential. - The init script was removed in the previous commit alongside the dropped scripts dir. - `docker-compose.yml` no longer mounts a `docker-entrypoint-initdb.d` directory; the audit-writer role provisioning is the Ansible playbook's responsibility (D-010). - `backend/README.md` documents the manual one-shot `CREATE ROLE` command for local dev with a placeholder password. Net effect: no `CHANGE_ME` credential reaches a container image. Note that deleting the script does not scrub it from git history — the placeholder is still present in the earlier commit — so treat `CHANGE_ME` as a disclosed value that must never be used as a real password. The Alembic migration's `audit_log` grant block stays idempotent — it is a no-op when the role is absent.
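services:
  postgres:
    image: postgres:16-alpine
    container_name: mimic-postgres
    restart: unless-stopped
    environment:
      POSTGRES_DB: ${POSTGRES_DB:-mimic}
      POSTGRES_USER: ${POSTGRES_USER:-mimic_app}
      # No baked-in default here: a compose file that ships a well-known
      # password is the same class of problem MA1 removed (a dev credential
      # lingering on a prod box). With `:?` compose refuses to start and prints
      # this message when POSTGRES_PASSWORD is unset; set it in the .env that
      # `make db-up` loads (assumes .env is gitignored — confirm).
      POSTGRES_PASSWORD: ${POSTGRES_PASSWORD:?set POSTGRES_PASSWORD in .env or the deploy environment}
    ports:
      # Loopback-bound on purpose: the dev database is never reachable from
      # other hosts, so a weak local password is not remotely exploitable.
      - "127.0.0.1:5432:5432"
    volumes:
      - mimic_pgdata:/var/lib/postgresql/data
    # The `mimic_audit_writer` role is provisioned by the Ansible playbook
    # in prod (D-010). For dev, create it manually after `make db-up`:
    #   docker exec -it mimic-postgres psql -U mimic_app -d mimic \
    #     -c "CREATE ROLE mimic_audit_writer LOGIN;"
    #   docker exec -it mimic-postgres psql -U mimic_app -d mimic
    #   mimic=# \password mimic_audit_writer
    # Setting the password via psql's `\password` prompt keeps the secret out
    # of shell history and `ps` output and sends it to the server already
    # hashed, unlike an inline `PASSWORD '<literal>'` clause, which can also
    # end up in the server's statement log.
    # Then expose the same secret in MIMIC_DATABASE_AUDIT_URL in your .env.
    healthcheck:
      # Compose interpolates the same defaults used above, so the probe
      # targets the role/database the container was actually created with.
      test: ["CMD-SHELL", "pg_isready -U ${POSTGRES_USER:-mimic_app} -d ${POSTGRES_DB:-mimic}"]
      interval: 5s
      timeout: 3s
      retries: 10

volumes:
  mimic_pgdata:
    name: mimic_pgdata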