windmill: secret protection, socket-only postgres, volume rename/backup

Agent-Logs-Url: https://github.com/nextcloud/all-in-one/sessions/8bfb1fa8-7878-434e-ab4d-1034067e5ad0 Co-authored-by: szaimen <42591237+szaimen@users.noreply.github.com>
2026-05-21 10:50:10 +00:00 · 2026-04-28 11:30:53 +00:00
parent b205e46976
commit 56afde115d
4 changed files with 24 additions and 16 deletions
--- a/Containers/windmill/Dockerfile
+++ b/Containers/windmill/Dockerfile
@@ -47,11 +47,13 @@ RUN set -ex; \
    # pre-installed runtimes would create a huge and unnecessary image layer.
    mkdir -p \
        /var/lib/postgresql/data \
+        /var/lib/windmill-dump \
        /var/run/postgresql \
        /var/log/supervisord \
        /var/run/supervisord; \
    chown -R windmill:windmill \
        /var/lib/postgresql \
+        /var/lib/windmill-dump \
        /var/run/postgresql \
        /var/log/supervisord \
        /var/run/supervisord; \
@@ -94,7 +96,7 @@ ENV UV_TOOL_BIN_DIR=/tmp/windmill/cache/uv/bin \
    REQUESTS_CA_BUNDLE=/etc/ssl/ca-bundle.crt \
    NODE_EXTRA_CA_CERTS=/etc/ssl/ca-bundle.crt

-VOLUME ["/var/lib/postgresql/data", "/tmp/windmill/cache"]
+VOLUME ["/var/lib/postgresql/data", "/var/lib/windmill-dump", "/tmp/windmill/cache"]

 # Use the pre-existing windmill user (uid=1000) from the base image
 USER 1000
--- a/Containers/windmill/start.sh
+++ b/Containers/windmill/start.sh
@@ -60,10 +60,9 @@ configure_pg() {
    cat > "$datadir/pg_hba.conf" << 'HBAEOF'
 # TYPE  DATABASE        USER            ADDRESS                 METHOD
 local   all             all                                     trust
-host    all             all             127.0.0.1/32            trust
-host    all             all             ::1/128                 trust
 HBAEOF
-    echo "listen_addresses = 'localhost'" >> "$datadir/postgresql.conf"
+    # Disable TCP entirely; all communication uses the Unix socket.
+    echo "listen_addresses = ''" >> "$datadir/postgresql.conf"
 }

 # ── PostgreSQL major-version upgrade via dump/restore ────────────────────────
@@ -110,24 +109,24 @@ if [ -f "$PGDATA/PG_VERSION" ]; then

        configure_pg "$PGDATA"

-        # Start postgres temporarily on an alternate TCP port so we can import.
-        # Use explicit flags; do NOT export PGPORT to avoid side-effects.
-        postgres -D "$PGDATA" -h 127.0.0.1 -p 11000 &
+        # Start postgres temporarily on a socket in /tmp so we can import.
+        # No TCP port is needed since we connect via the socket.
+        postgres -D "$PGDATA" -k /tmp -h "" &
        TEMP_PG_PID=$!

        # Wait until postgres accepts connections
-        while ! psql -h 127.0.0.1 -p 11000 -U windmill -d postgres -c "select now()" > /dev/null 2>&1; do
+        while ! psql -h /tmp -U windmill -d postgres -c "select now()" > /dev/null 2>&1; do
            echo "Waiting for the temporary database to start..."
            sleep 5
        done

        # Create the windmill database
-        psql -h 127.0.0.1 -p 11000 -U windmill -d postgres \
+        psql -h /tmp -U windmill -d postgres \
            -c "CREATE DATABASE windmill OWNER windmill;"

        # Restore from dump
        echo "Restoring the database from dump..."
-        psql -h 127.0.0.1 -p 11000 -U windmill -d windmill < "$DUMP_FILE"
+        psql -h /tmp -U windmill -d windmill < "$DUMP_FILE"

        # Stop the temporary postgres cleanly
        pg_ctl -D "$PGDATA" stop -m smart -t 1800
--- a/Containers/windmill/windmill-start.sh
+++ b/Containers/windmill/windmill-start.sh
@@ -1,7 +1,7 @@
 #!/bin/bash

 # Wait for PostgreSQL to accept connections
-until pg_isready -h localhost -q 2>/dev/null; do
+until pg_isready -h /var/run/postgresql -q 2>/dev/null; do
    echo "Waiting for PostgreSQL to be ready..."
    sleep 2
 done
--- a/php/containers.json
+++ b/php/containers.json
@@ -178,7 +178,8 @@
        "FULLTEXTSEARCH_PASSWORD",
        "IMAGINARY_SECRET",
        "WHITEBOARD_SECRET",
-        "HP_SHARED_KEY"
+        "HP_SHARED_KEY",
+        "WINDMILL_SECRET"
      ],
      "volumes": [
        {
@@ -268,7 +269,8 @@
        "HARP_ENABLED=%HARP_ENABLED%",
        "HP_SHARED_KEY=%HP_SHARED_KEY%",
        "WINDMILL_ENABLED=%WINDMILL_ENABLED%",
-        "WINDMILL_HOST=nextcloud-aio-windmill"
+        "WINDMILL_HOST=nextcloud-aio-windmill",
+        "WINDMILL_SECRET=%WINDMILL_SECRET%"
      ],
      "stop_grace_period": 600,
      "restart": "unless-stopped",
@@ -980,7 +982,11 @@
        "NUM_WORKERS=1",
        "MODE=standalone",
        "DISABLE_NSJAIL=true",
-        "DATABASE_URL=postgresql://windmill@localhost/windmill?host=/var/run/postgresql"
+        "DATABASE_URL=postgresql://windmill@localhost/windmill?host=/var/run/postgresql",
+        "SUPERADMIN_SECRET=%WINDMILL_SECRET%"
+      ],
+      "secrets": [
+        "WINDMILL_SECRET"
      ],
      "volumes": [
        {
@@ -994,13 +1000,14 @@
          "writeable": true
        },
        {
-          "source": "nextcloud_aio_windmill",
+          "source": "nextcloud_aio_windmill_cache",
          "destination": "/tmp/windmill/cache",
          "writeable": true
        }
      ],
      "backup_volumes": [
-        "nextcloud_aio_windmill_db"
+        "nextcloud_aio_windmill_db",
+        "nextcloud_aio_windmill_dump"
      ],
      "restart": "unless-stopped",
      "stop_grace_period": 1800,