From 01f532d02c84aba84ac81022a6d7c37639261afd Mon Sep 17 00:00:00 2001 From: Daniel Esteves Date: Fri, 19 Jun 2026 19:17:19 -0400 Subject: [PATCH] fix(engram): use static internal Postgres password in DSN The template helper's ${password:N} can emit URL-reserved characters (!@#$%^&*), which corrupt ENGRAM_DATABASE_URL while Postgres receives the raw password, causing intermittent connection failures on first deploy. Postgres is not exposed (internal network only), so a static internal password is safe and matches the convention used by the umami and documenso templates. Real secrets (JWT, cloud token, admin token) remain randomly generated. --- blueprints/engram/docker-compose.yml | 4 ++-- blueprints/engram/template.toml | 3 --- 2 files changed, 2 insertions(+), 5 deletions(-) diff --git a/blueprints/engram/docker-compose.yml b/blueprints/engram/docker-compose.yml index 6e72b17a..21c2fcfb 100644 --- a/blueprints/engram/docker-compose.yml +++ b/blueprints/engram/docker-compose.yml @@ -5,7 +5,7 @@ services: restart: unless-stopped environment: POSTGRES_USER: engram - POSTGRES_PASSWORD: ${POSTGRES_PASSWORD} + POSTGRES_PASSWORD: engram POSTGRES_DB: engram_cloud volumes: - engram-postgres:/var/lib/postgresql/data @@ -22,7 +22,7 @@ services: postgres: condition: service_healthy environment: - ENGRAM_DATABASE_URL: ${ENGRAM_DATABASE_URL} + ENGRAM_DATABASE_URL: postgres://engram:engram@postgres:5432/engram_cloud?sslmode=disable ENGRAM_JWT_SECRET: ${ENGRAM_JWT_SECRET} ENGRAM_CLOUD_TOKEN: ${ENGRAM_CLOUD_TOKEN} ENGRAM_CLOUD_ADMIN: ${ENGRAM_CLOUD_ADMIN} diff --git a/blueprints/engram/template.toml b/blueprints/engram/template.toml index 2b09a921..e12b5157 100644 --- a/blueprints/engram/template.toml +++ b/blueprints/engram/template.toml @@ -1,14 +1,11 @@ [variables] main_domain = "${domain}" -pg_password = "${password:32}" jwt_secret = "${password:64}" cloud_token = "${password:48}" admin_token = "${password:48}" [config] env = [ - "POSTGRES_PASSWORD=${pg_password}", - "ENGRAM_DATABASE_URL=postgres://engram:${pg_password}@postgres:5432/engram_cloud?sslmode=disable", "ENGRAM_JWT_SECRET=${jwt_secret}", "ENGRAM_CLOUD_TOKEN=${cloud_token}", "ENGRAM_CLOUD_ADMIN=${admin_token}",