From 8f2a0f80296b29061673d55eba1bbca132bb309a Mon Sep 17 00:00:00 2001
From: Mauricio Siu
Date: Wed, 21 Jan 2026 13:29:32 +0100
Subject: [PATCH] feat(db): enhance database configuration with environment variable support
- Introduced a function to read database credentials from a file for improved security.
- Added support for environment variables to configure database connection, replacing hardcoded values.
- Implemented a warning for users relying on deprecated hardcoded credentials, encouraging migration to Docker Secrets.
---
 apps/dokploy/server/db/index.ts | 43 ++++++++++++++++++++++++++++++---
 1 file changed, 40 insertions(+), 3 deletions(-)
diff --git a/apps/dokploy/server/db/index.ts b/apps/dokploy/server/db/index.ts
index 55d6d3a46..644bda54c 100644
--- a/apps/dokploy/server/db/index.ts
+++ b/apps/dokploy/server/db/index.ts
@@ -1,3 +1,4 @@
+import fs from "node:fs";
 import { drizzle, type PostgresJsDatabase } from "drizzle-orm/postgres-js";
 import postgres from "postgres";
 import * as schema from "./schema";
@@ -6,9 +7,45 @@ declare global {
 var db: PostgresJsDatabase | undefined;
 }
-const dbUrl =
- process.env.DATABASE_URL ||
- "postgres://dokploy:amukds4wi9001583845717ad2@dokploy-postgres:5432/dokploy";
+function readSecret(path: string): string {
+ try {
+ return fs.readFileSync(path, "utf8").trim();
+ } catch {
+ throw new Error(`Cannot read secret at ${path}`);
+ }
+}
+
+const {
+ DATABASE_URL,
+ POSTGRES_PASSWORD_FILE,
+ POSTGRES_USER = "dokploy",
+ POSTGRES_DB = "dokploy",
+ POSTGRES_HOST = "dokploy-postgres",
+ POSTGRES_PORT = "5432",
+} = process.env;
+
+let dbUrl: string;
+
+if (DATABASE_URL) {
+ // Compatibilidad legacy / overrides
+ dbUrl = DATABASE_URL;
+} else if (POSTGRES_PASSWORD_FILE) {
+ const password = readSecret(POSTGRES_PASSWORD_FILE);
+ dbUrl = `postgres://${POSTGRES_USER}:${encodeURIComponent(
+ password,
+ )}@${POSTGRES_HOST}:${POSTGRES_PORT}/${POSTGRES_DB}`;
+} else {
+ console.warn(`
+ ⚠️ [DEPRECATED DATABASE CONFIG]
+ You are using the legacy hardcoded database credentials.
+ This mode WILL BE REMOVED in a future release.
+
+ Please migrate to Docker Secrets using POSTGRES_PASSWORD_FILE.
+ Please execute this guide: https://dokploy.com/SECURITY_MIGRATION.md
+ `);
+ dbUrl =
+ "postgres://dokploy:amukds4wi9001583845717ad2@dokploy-postgres:5432/dokploy";
+}
 export let db: PostgresJsDatabase;
 if (process.env.NODE_ENV === "production") {
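Review bot: `readSecret` returns an empty string when the secret file is empty or whitespace-only, so the `POSTGRES_PASSWORD_FILE` branch would build a URL with no password instead of failing at startup; an explicit empty check after the `trim()` closes that. In the same branch only the password goes through `encodeURIComponent`, while `POSTGRES_USER` and `POSTGRES_DB` are interpolated raw, so a value containing `@`, `:` or `/` would change how the URL is parsed. The final `else` still connects with the credential embedded in this file and signals it only through `console.warn`, which is easy to miss in container logs; consider refusing that fallback when `NODE_ENV` is `production` once the migration guide is live. The `if (process.env.NODE_ENV === "production")` block that consumes `dbUrl` continues past the end of the hunk.

```typescript
function readSecret(path: string): string {
	let value: string;
	try {
		value = fs.readFileSync(path, "utf8").trim();
	} catch {
		throw new Error(`Cannot read secret at ${path}`);
	}
	// A mounted-but-empty secret should stop startup, not produce a passwordless URL.
	if (value === "") {
		throw new Error(`Secret at ${path} is empty`);
	}
	return value;
}

// … unchanged: process.env destructuring, DATABASE_URL branch …

} else if (POSTGRES_PASSWORD_FILE) {
	const password = readSecret(POSTGRES_PASSWORD_FILE);
	// Encode every userinfo/path component, not only the password.
	dbUrl = `postgres://${encodeURIComponent(POSTGRES_USER)}:${encodeURIComponent(
		password,
	)}@${POSTGRES_HOST}:${POSTGRES_PORT}/${encodeURIComponent(POSTGRES_DB)}`;

// … unchanged: deprecated fallback branch …
```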