From 611c414b2d5cd9fb6772b8d40eb405a01713b5f8 Mon Sep 17 00:00:00 2001
From: Chen Gu <guchen@MBKPro.lan>
Date: Sun, 10 May 2026 16:21:54 +0800
Subject: [PATCH] fix: remove hardcoded secrets from docker-compose.yml

---
 .env.example       | 3 +++
 docker-compose.yml | 8 ++++----
 2 files changed, 7 insertions(+), 4 deletions(-)

diff --git a/.env.example b/.env.example
index 46b1afd..bb5a4d4 100644
--- a/.env.example
+++ b/.env.example
@@ -1,6 +1,9 @@
 # 数据库连接
 DATABASE_URL="postgresql://postgres:password@localhost:5432/maqt?schema=public"
 
+# PostgreSQL 密码（docker-compose 使用，请修改）
+POSTGRES_PASSWORD="your-postgres-password"
+
 # JWT 密钥（请修改为随机字符串）
 JWT_SECRET="your-super-secret-jwt-key-change-this-in-production"
 
diff --git a/docker-compose.yml b/docker-compose.yml
index 0496725..52b8beb 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -6,7 +6,7 @@ services:
     container_name: maqt-postgres
     environment:
       POSTGRES_USER: maqt
-      POSTGRES_PASSWORD: maqt123456
+      POSTGRES_PASSWORD: ${POSTGRES_PASSWORD:-maqt123456}
       POSTGRES_DB: maqt
     volumes:
       - pgdata:/var/lib/postgresql/data
@@ -25,9 +25,9 @@ services:
     ports:
       - "127.0.0.1:3002:3001"
     environment:
-      - DATABASE_URL=postgresql://maqt:maqt123456@postgres:5432/maqt
-      - JWT_SECRET=maqt-jwt-secret-key-2026-change-in-production
-      - ENCRYPTION_KEY=maqt-encryption-key-32bytes!
+      - DATABASE_URL=postgresql://maqt:${POSTGRES_PASSWORD:-maqt123456}@postgres:5432/maqt
+      - JWT_SECRET=${JWT_SECRET}
+      - ENCRYPTION_KEY=${ENCRYPTION_KEY}
       - PORT=3001
     restart: unless-stopped
     depends_on: