Production Secrets
Use Docker secrets (file-based mounts) for production deployments so sensitive values are never committed to the repository and the services do not fall back to default values taken from the environment or the Compose file.
Required Secrets
- POSTGRES_PASSWORD
- DATABASE_URL
- JWT_SECRET_KEY
The backend supports secret-file configuration via the following variables; when one is set, the backend reads the value from the file at that path instead of from the plain variable:
- DATABASE_URL_FILE
- JWT_SECRET_KEY_FILE
Prepare Secret Files
Store secret files outside the repository, for example in an infrastructure-managed directory.
```sh
mkdir -p /secure/nexus
openssl rand -base64 24 > /secure/nexus/postgres_password
openssl rand -base64 48 > /secure/nexus/jwt_secret_key
```
Create the database URL secret from the same Postgres password. Note that base64 output can contain `/`, `+` and `=`, which are not safe inside the user:password part of a URL: percent-encode the password when building the URL, or regenerate it with `openssl rand -hex 24` so it only contains hex digits. The password Postgres is initialised with and the one embedded in the URL must match.
```sh
POSTGRES_PASSWORD=$(cat /secure/nexus/postgres_password)
printf 'postgresql://nexus:%s@postgres:5432/nexus\n' "$POSTGRES_PASSWORD" > /secure/nexus/database_url
```
Deploy With Production Overlay
Run Compose with the production overlay and secret file paths:
```sh
POSTGRES_PASSWORD_SECRET_FILE=/secure/nexus/postgres_password \
DATABASE_URL_SECRET_FILE=/secure/nexus/database_url \
JWT_SECRET_KEY_SECRET_FILE=/secure/nexus/jwt_secret_key \
docker compose -f compose.yaml -f compose.prod.yaml up -d --build
```
Notes
- Keep secret files out of source control; storing them under a directory such as /secure/nexus, outside the checkout, is what prevents an accidental commit.
- Restrict file permissions to the deployment user only: the directory should be 0700 and each secret file 0600 (or 0400), owned by the user that runs docker compose. Anything readable by group or other is readable by every process of every such user on the host.
- Rotate secret files periodically and redeploy. If the postgres service uses the official image, POSTGRES_PASSWORD is only applied when the data directory is first initialised, so rotating it also means changing the role's password inside the running database and regenerating database_url so the two stay in sync. Rotating JWT_SECRET_KEY invalidates every token signed with the old key, so all users must sign in again after the redeploy.
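The whole procedure above (generate the files, build a URL-safe DATABASE_URL, enforce permissions, deploy with the overlay) as one script. This is an added example, not a script shipped with the project. It assumes the values used on this page: the secret directory /secure/nexus (overridable via SECRET_DIR), the database user and name `nexus`, the Compose service `postgres`, and the overlay file `compose.prod.yaml`. The function names (`urlencode`, `write_secret`, `check_secret_perms`, `prepare_and_deploy`) are this example's own.

```sh
#!/bin/sh
# Added example, not part of the project: prepare the three secret files and
# deploy with the production overlay. Assumptions follow the page: secrets live
# in /secure/nexus, the database user/name are "nexus", the Compose service is
# "postgres" and the overlay is compose.prod.yaml.
# Usage:  sh prepare_secrets.sh prepare
set -eu

SECRET_DIR=${SECRET_DIR:-/secure/nexus}

# Percent-encode every character outside the RFC 3986 "unreserved" set.
# openssl's base64 output can contain '/', '+' and '=', which would otherwise
# corrupt the user:password section of the postgresql:// URL.
urlencode() {
  s=$1
  out=''
  while [ -n "$s" ]; do
    c=${s%"${s#?}"}      # first character of the remaining string
    s=${s#?}             # drop it
    case $c in
      [A-Za-z0-9._~-]) out="$out$c" ;;
      *) out="$out$(printf '%%%02X' "'$c")" ;;
    esac
  done
  printf '%s' "$out"
}

# Build the DATABASE_URL value from the raw Postgres password.
build_database_url() {
  printf 'postgresql://nexus:%s@postgres:5432/nexus\n' "$(urlencode "$1")"
}

# Write stdin to a new file created with mode 0600. Refuses to overwrite, so a
# rotation cannot silently clobber a secret a running deployment still uses.
write_secret() {
  if [ -e "$1" ]; then
    echo "refusing to overwrite existing secret: $1" >&2
    return 1
  fi
  (umask 077 && cat > "$1")
}

# Check that a secret file exists, is non-empty and is readable only by its owner.
check_secret_perms() {
  [ -s "$1" ] || { echo "missing or empty secret: $1" >&2; return 1; }
  mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")   # GNU, then BSD stat
  case $mode in
    600|400) ;;
    *) echo "$1 has mode $mode, expected 600 or 400" >&2; return 1 ;;
  esac
}

prepare_and_deploy() {
  mkdir -p "$SECRET_DIR"
  chmod 700 "$SECRET_DIR"
  openssl rand -base64 24 | write_secret "$SECRET_DIR/postgres_password"
  openssl rand -base64 48 | write_secret "$SECRET_DIR/jwt_secret_key"
  build_database_url "$(cat "$SECRET_DIR/postgres_password")" \
    | write_secret "$SECRET_DIR/database_url"
  for f in postgres_password jwt_secret_key database_url; do
    check_secret_perms "$SECRET_DIR/$f"
  done
  POSTGRES_PASSWORD_SECRET_FILE="$SECRET_DIR/postgres_password" \
  DATABASE_URL_SECRET_FILE="$SECRET_DIR/database_url" \
  JWT_SECRET_KEY_SECRET_FILE="$SECRET_DIR/jwt_secret_key" \
  docker compose -f compose.yaml -f compose.prod.yaml up -d --build
}

# Only act when invoked with "prepare"; sourcing the file just defines the functions.
if [ "${1:-}" = "prepare" ]; then
  prepare_and_deploy
fi
```

Because `write_secret` refuses to overwrite, rotating means moving the old files aside first, which also leaves you a copy to roll back to if the redeploy fails. The permission check runs before `docker compose` so a world-readable secret stops the deploy rather than being discovered later.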