
Production Secrets

Use Docker secrets (file-based mounts) for production deployments so that sensitive values are never committed to the repository and the backend never falls back to the default values it uses in development.

Required Secrets

  • POSTGRES_PASSWORD
  • DATABASE_URL
  • JWT_SECRET_KEY

The backend supports secret-file configuration via the following variables; each holds the path to a file whose contents are the value (inside the container this is typically a path under /run/secrets):

  • DATABASE_URL_FILE
  • JWT_SECRET_KEY_FILE

Prepare Secret Files

Store secret files outside the repository, for example in an infrastructure-managed directory.

sh
umask 077                      # new files are created readable only by the deployment user
mkdir -p /secure/nexus
chmod 700 /secure/nexus
# Hex output is safe to embed in the postgresql:// URL below; base64 output can contain
# '/', '+' and '=' characters that break or are mis-parsed in a connection URL.
openssl rand -hex 24 > /secure/nexus/postgres_password
openssl rand -base64 48 > /secure/nexus/jwt_secret_key

Create the database URL secret using the same Postgres password (the two files must stay in sync, including after rotation):

sh
POSTGRES_PASSWORD=$(cat /secure/nexus/postgres_password)
printf 'postgresql://nexus:%s@postgres:5432/nexus\n' "$POSTGRES_PASSWORD" > /secure/nexus/database_url

Deploy With Production Overlay

Run Compose with the production overlay, passing the host paths of the secret files (the overlay maps them to Docker secrets and the `_FILE` variables above):

sh
POSTGRES_PASSWORD_SECRET_FILE=/secure/nexus/postgres_password \
DATABASE_URL_SECRET_FILE=/secure/nexus/database_url \
JWT_SECRET_KEY_SECRET_FILE=/secure/nexus/jwt_secret_key \
docker compose -f compose.yaml -f compose.prod.yaml up -d --build

Notes

  • Keep secret files out of source control (add the secrets directory to .gitignore or keep it outside the checkout entirely).
  • Restrict file permissions to the deployment user only, for example chmod 700 on the directory and chmod 600 on each file, and verify them before every deploy.
  • Rotate secret files periodically and redeploy. Note that the official postgres image only applies POSTGRES_PASSWORD when it initialises an empty data directory; to rotate the password of an existing database, change it in Postgres first (ALTER ROLE nexus PASSWORD '...'), then update both postgres_password and database_url together before redeploying.
  • Rotating JWT_SECRET_KEY invalidates every token signed with the old key, so schedule that rotation for a time when forcing users to sign in again is acceptable.

Nexus by McGuire Technology