Any existing self-hosted tenants created before v11.0 (June 13 2022) would use a single randomized default password for PostgreSQL. From v11.0
onwards we ensure that each self-hosted tenant gets a unique and randomized set of credentials. You can rotate your PostgreSQL password by running the following commands:
DATABASE_NAME=$(cat .env | grep DATABASE_NAME= | cut -d'=' -f2)
DATABASE_USERNAME=$(cat .env | grep DATABASE_USERNAME= | cut -d'=' -f2)
OLD_PASSWORD=$(cat .env | grep DATABASE_PASSWORD= | cut -d'=' -f2)
NEW_PASSWORD=$(openssl rand -hex 12)
docker exec postgres psql -U "$DATABASE_USERNAME" -d "$DATABASE_NAME" -tAc "ALTER USER $DATABASE_USERNAME PASSWORD '$NEW_PASSWORD';"
sed -i.backup -e "s/$OLD_PASSWORD/$NEW_PASSWORD/" .env
if [ -f ".env.backup" ]; then
rm ".env.backup"
fi
sed -i.backup -e "s/$OLD_PASSWORD/$NEW_PASSWORD/" docker-compose.yml
if [ -f "docker-compose.yml.backup" ]; then
rm "docker-compose.yml.backup"
fi
Please note that you may also need to update the new password in any other parts of your deployment system(s), accordingly.
Security
The PostgreSQL database isn't accessible from outside of the Docker network by default.
Reset a lost password
If your password is lost, it can be reset from the host machine running the installation as long as you haven't manually disabled trust
authentication on your database:
DATABASE_NAME=$(cat .env | grep DATABASE_NAME= | cut -d'=' -f2)
DATABASE_USERNAME=$(cat .env | grep DATABASE_USERNAME= | cut -d'=' -f2)
NEW_PASSWORD=$(openssl rand -hex 12)
docker exec postgres psql -U "$DATABASE_USERNAME" -d "$DATABASE_NAME" -tAc "ALTER USER $DATABASE_USERNAME PASSWORD '$NEW_PASSWORD';"
echo $NEW_PASSWORD > new_password.txt
echo "Your new database password can be found in the 'new_password.txt' file."
echo "Copy it into the POSTGRES_PASSWORD field in your docker-compose.yml file and into the DATABASE_PASSWORD field in your .env file"