Remove hardcoded secrets from public repo

- Replace hardcoded POSTGRES_PASSWORD, ADMIN_TOKEN, and L1 host IP
  with env var references in docker-compose.yml
- Remove default password fallback from database.py and app/config.py
- Update .env.example with required POSTGRES_PASSWORD, ADMIN_TOKEN, L1_HOST
- Update README to mark DATABASE_URL as required

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
gilesb
2026-02-06 18:46:55 +00:00
parent fc9597456f
commit 146db1c60f
5 changed files with 22 additions and 12 deletions


@@ -1,5 +1,15 @@
# L1 Server Configuration
# PostgreSQL password (REQUIRED - no default)
POSTGRES_PASSWORD=changeme-generate-with-openssl-rand-hex-16
# Admin token for purge operations (REQUIRED - no default)
# Generate with: openssl rand -hex 32
ADMIN_TOKEN=changeme-generate-with-openssl-rand-hex-32
# L1 host IP/hostname for GPU worker cross-VPC access
L1_HOST=your-l1-server-ip
# This L1 server's public URL (sent to L2 when publishing)
L1_PUBLIC_URL=https://l1.artdag.rose-ash.com
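Review bot: The placeholders on the `POSTGRES_PASSWORD=` and `ADMIN_TOKEN=` lines are well-formed values, so an operator who copies this file to .env without editing it gets a stack running on known credentials, which undercuts the `(REQUIRED - no default)` comments directly above them. Leaving the values empty, `POSTGRES_PASSWORD=` and `ADMIN_TOKEN=`, keeps the generation hint in the comment while ensuring an unedited copy cannot become a live credential. The hunk header counts 15 new lines against the ten shown here, so the file may have lines not visible in this view.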


@@ -60,7 +60,7 @@ The stack includes:
| `HOST` | `0.0.0.0` | Server bind address |
| `PORT` | `8000` | Server port |
| `REDIS_URL` | `redis://localhost:6379/5` | Redis connection |
| `DATABASE_URL` | `postgresql://artdag:artdag@localhost:5432/artdag` | PostgreSQL connection |
| `DATABASE_URL` | **(required)** | PostgreSQL connection |
| `CACHE_DIR` | `~/.artdag/cache` | Local cache directory |
| `IPFS_API` | `/dns/localhost/tcp/5001` | IPFS API multiaddr |
| `IPFS_GATEWAY_URL` | `https://ipfs.io/ipfs` | Public IPFS gateway |


@@ -33,9 +33,7 @@ class Settings:
# Database
database_url: str = field(
default_factory=lambda: os.environ.get(
"DATABASE_URL", "postgresql://artdag:artdag@localhost:5432/artdag"
)
default_factory=lambda: os.environ.get("DATABASE_URL", "")
)
# IPFS
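Review bot: The new default `os.environ.get("DATABASE_URL", "")` still supplies a value, an empty string, so a missing variable no longer fails when Settings is built but surfaces later, wherever the empty URL is first used; the parallel change in database.py instead raises `RuntimeError("DATABASE_URL environment variable is required")` at import, so the two entry points now disagree on what "required" means. Consider `default_factory=lambda: os.environ["DATABASE_URL"]` so a missing variable raises `KeyError: 'DATABASE_URL'` here as well, or a `__post_init__` check that raises the same RuntimeError message database.py uses. The Settings class starts before this hunk, so whether a later validation already covers this field cannot be seen from here.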


@@ -11,7 +11,9 @@ from typing import List, Optional
import asyncpg
DATABASE_URL = os.getenv("DATABASE_URL", "postgresql://artdag:artdag@localhost:5432/artdag")
DATABASE_URL = os.getenv("DATABASE_URL")
if not DATABASE_URL:
raise RuntimeError("DATABASE_URL environment variable is required")
pool: Optional[asyncpg.Pool] = None


@@ -23,7 +23,7 @@ services:
image: postgres:16-alpine
environment:
- POSTGRES_USER=artdag
- POSTGRES_PASSWORD=artdag
- POSTGRES_PASSWORD=${POSTGRES_PASSWORD}
- POSTGRES_DB=artdag
ports:
- target: 5432
@@ -69,8 +69,8 @@ services:
- .env
environment:
- REDIS_URL=redis://redis:6379/5
- DATABASE_URL=postgresql://artdag:artdag@postgres:5432/artdag
- ADMIN_TOKEN=artdag-admin-purge-token-2026
- DATABASE_URL=postgresql://artdag:${POSTGRES_PASSWORD}@postgres:5432/artdag
- ADMIN_TOKEN=${ADMIN_TOKEN}
# IPFS_API multiaddr - used for all IPFS operations (add, cat, pin)
- IPFS_API=/dns/ipfs/tcp/5001
- CACHE_DIR=/data/cache
@@ -102,7 +102,7 @@ services:
command: sh -c "find /app -type d -name __pycache__ -exec rm -rf {} + 2>/dev/null; celery -A celery_app worker --loglevel=info -E"
environment:
- REDIS_URL=redis://redis:6379/5
- DATABASE_URL=postgresql://artdag:artdag@postgres:5432/artdag
- DATABASE_URL=postgresql://artdag:${POSTGRES_PASSWORD}@postgres:5432/artdag
# IPFS_API multiaddr - used for all IPFS operations (add, cat, pin)
- IPFS_API=/dns/ipfs/tcp/5001
- CACHE_DIR=/data/cache
@@ -156,10 +156,10 @@ services:
command: sh -c "cd /app && celery -A celery_app worker --loglevel=info -E -Q gpu,celery"
environment:
# GPU node is on different VPC - use public IPs for cross-node communication
- REDIS_URL=redis://138.68.142.139:16379/5
- DATABASE_URL=postgresql://artdag:artdag@138.68.142.139:15432/artdag
- REDIS_URL=redis://${L1_HOST}:16379/5
- DATABASE_URL=postgresql://artdag:${POSTGRES_PASSWORD}@${L1_HOST}:15432/artdag
# Connect to shared IPFS node on CPU (via public IP)
- IPFS_API=/ip4/138.68.142.139/tcp/15001
- IPFS_API=/ip4/${L1_HOST}/tcp/15001
# Gateway fallback for resilience
- IPFS_GATEWAYS=https://ipfs.io,https://cloudflare-ipfs.com,https://dweb.link
# Local cache is ephemeral (tmpfs or local volume)
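Review bot: The `${POSTGRES_PASSWORD}`, `${ADMIN_TOKEN}` and `${L1_HOST}` references added across the three environment hunks expand to an empty string when the variable is unset, so a missing or incomplete .env yields `DATABASE_URL=postgresql://artdag:@postgres:5432/artdag` and an empty `ADMIN_TOKEN` instead of a startup failure, and that non-empty URL still passes the `if not DATABASE_URL` check in database.py. Compose's required-variable form fails `docker compose up` with a message instead, e.g. `- POSTGRES_PASSWORD=${POSTGRES_PASSWORD:?POSTGRES_PASSWORD must be set in .env}`, and the same `:?` form applies to `ADMIN_TOKEN` and `L1_HOST`. The password is also interpolated unescaped into the URL userinfo on each `DATABASE_URL` line, so a value containing `@`, `/`, `:`, `#` or `%` would mis-parse; the `openssl rand -hex` hint in .env.example sidesteps this, and a comment on the first such line, `# POSTGRES_PASSWORD must be URL-safe (hex); it is not percent-encoded here`, would keep that constraint visible. Separately, the literal password, token and host removed here remain in the repository history under the parent commit, so this change does not retire them; the database password and ADMIN_TOKEN should be rotated, which the description does not mention.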