windmill: secret protection, socket-only postgres, volume rename/backup

Agent-Logs-Url: https://github.com/nextcloud/all-in-one/sessions/8bfb1fa8-7878-434e-ab4d-1034067e5ad0

Co-authored-by: szaimen <42591237+szaimen@users.noreply.github.com>

Containers/windmill/Dockerfile

@@ -47,11 +47,13 @@ RUN set -ex; \
     # pre-installed runtimes would create a huge and unnecessary image layer.
     mkdir -p \
         /var/lib/postgresql/data \
+        /var/lib/windmill-dump \
         /var/run/postgresql \
         /var/log/supervisord \
         /var/run/supervisord; \
     chown -R windmill:windmill \
         /var/lib/postgresql \
+        /var/lib/windmill-dump \
         /var/run/postgresql \
         /var/log/supervisord \
         /var/run/supervisord; \
@@ -94,7 +96,7 @@ ENV UV_TOOL_BIN_DIR=/tmp/windmill/cache/uv/bin \
     REQUESTS_CA_BUNDLE=/etc/ssl/ca-bundle.crt \
     NODE_EXTRA_CA_CERTS=/etc/ssl/ca-bundle.crt
 
-VOLUME ["/var/lib/postgresql/data", "/tmp/windmill/cache"]
+VOLUME ["/var/lib/postgresql/data", "/var/lib/windmill-dump", "/tmp/windmill/cache"]
 
 # Use the pre-existing windmill user (uid=1000) from the base image
 USER 1000

Containers/windmill/start.sh

@@ -60,10 +60,9 @@ configure_pg() {
     cat > "$datadir/pg_hba.conf" << 'HBAEOF'
 # TYPE  DATABASE        USER            ADDRESS                 METHOD
 local   all             all                                     trust
-host    all             all             127.0.0.1/32            trust
-host    all             all             ::1/128                 trust
 HBAEOF
-    echo "listen_addresses = 'localhost'" >> "$datadir/postgresql.conf"
+    # Disable TCP entirely; all communication uses the Unix socket.
+    echo "listen_addresses = ''" >> "$datadir/postgresql.conf"
 }
 
 # ── PostgreSQL major-version upgrade via dump/restore ────────────────────────
@@ -110,24 +109,24 @@ if [ -f "$PGDATA/PG_VERSION" ]; then
 
         configure_pg "$PGDATA"
 
-        # Start postgres temporarily on an alternate TCP port so we can import.
-        # Use explicit flags; do NOT export PGPORT to avoid side-effects.
-        postgres -D "$PGDATA" -h 127.0.0.1 -p 11000 &
+        # Start postgres temporarily on a socket in /tmp so we can import.
+        # No TCP port is needed since we connect via the socket.
+        postgres -D "$PGDATA" -k /tmp -h "" &
         TEMP_PG_PID=$!
 
         # Wait until postgres accepts connections
-        while ! psql -h 127.0.0.1 -p 11000 -U windmill -d postgres -c "select now()" > /dev/null 2>&1; do
+        while ! psql -h /tmp -U windmill -d postgres -c "select now()" > /dev/null 2>&1; do
             echo "Waiting for the temporary database to start..."
             sleep 5
         done
 
         # Create the windmill database
-        psql -h 127.0.0.1 -p 11000 -U windmill -d postgres \
+        psql -h /tmp -U windmill -d postgres \
             -c "CREATE DATABASE windmill OWNER windmill;"
 
         # Restore from dump
         echo "Restoring the database from dump..."
-        psql -h 127.0.0.1 -p 11000 -U windmill -d windmill < "$DUMP_FILE"
+        psql -h /tmp -U windmill -d windmill < "$DUMP_FILE"
 
         # Stop the temporary postgres cleanly
         pg_ctl -D "$PGDATA" stop -m smart -t 1800

Containers/windmill/windmill-start.sh

@@ -1,7 +1,7 @@
 #!/bin/bash
 
 # Wait for PostgreSQL to accept connections
-until pg_isready -h localhost -q 2>/dev/null; do
+until pg_isready -h /var/run/postgresql -q 2>/dev/null; do
     echo "Waiting for PostgreSQL to be ready..."
     sleep 2
 done