From 7618c5a7347b65d52ac9a2afcf4a001616a9e39a Mon Sep 17 00:00:00 2001
From: shankar0123
Date: Fri, 20 Mar 2026 01:20:27 -0400
Subject: [PATCH] fix: externalize credentials and add agent key volume persistence

- POSTGRES_PASSWORD and CERTCTL_API_KEY read from .env file
- Added deploy/.env.example with documentation
- Agent key volume (agent_keys) for key persistence across restarts
- Agent healthcheck via pgrep
- Resource limits: server 1CPU/512M, agent 0.5CPU/256M

Co-Authored-By: Claude Opus 4.6
---
deploy/.env.example | 8 ++++++++
deploy/docker-compose.yml | 25 ++++++++++++++++++++++---
2 files changed, 30 insertions(+), 3 deletions(-)
create mode 100644 deploy/.env.example

diff --git a/deploy/.env.example b/deploy/.env.example
new file mode 100644
index 0000000..e2fd597
--- /dev/null
+++ b/deploy/.env.example
@@ -0,0 +1,8 @@
+# certctl Docker Compose environment variables
+# Copy this file to .env and customize for your deployment
+
+# PostgreSQL password (change in production!)
+POSTGRES_PASSWORD=certctl
+
+# Agent API key (change in production! Generate with: openssl rand -hex 32)
+CERTCTL_API_KEY=change-me-in-production
diff --git a/deploy/docker-compose.yml b/deploy/docker-compose.yml
index 6c6d432..3c4668d 100644
--- a/deploy/docker-compose.yml
+++ b/deploy/docker-compose.yml
@@ -6,7 +6,7 @@ services:
 environment:
 POSTGRES_DB: certctl
 POSTGRES_USER: certctl
- POSTGRES_PASSWORD: certctl
+ POSTGRES_PASSWORD: ${POSTGRES_PASSWORD:-certctl}
 ports:
 - "5432:5432"
 volumes:
@@ -33,7 +33,7 @@ services:
 postgres:
 condition: service_healthy
 environment:
- CERTCTL_DATABASE_URL: postgres://certctl:certctl@postgres:5432/certctl?sslmode=disable
+ CERTCTL_DATABASE_URL: postgres://certctl:${POSTGRES_PASSWORD:-certctl}@postgres:5432/certctl?sslmode=disable
 CERTCTL_SERVER_HOST: 0.0.0.0
 CERTCTL_SERVER_PORT: 8443
 CERTCTL_LOG_LEVEL: info
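Review bot: `POSTGRES_PASSWORD=certctl` and `CERTCTL_API_KEY=change-me-in-production` are working values, so a `cp .env.example .env` that skips the edit step yields a deployment running on well-known credentials, and the "change in production!" comment is the only thing standing in the way. Leave both values empty (`POSTGRES_PASSWORD=` and `CERTCTL_API_KEY=`) and have the compose file treat an empty value as an error rather than falling back to a default, keeping the `openssl rand -hex 32` hint as the documented way to fill them. Whether `deploy/.env` is excluded from version control is not visible in this patch; if it is not already listed in `.gitignore`, add it so the real values are not committed alongside the example.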
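Review bot: `${POSTGRES_PASSWORD:-certctl}` keeps the well-known password as the fallback, so when `deploy/.env` is absent or the variable is empty the stack still starts with the hard-coded credential this commit sets out to remove, only less visibly. The `:?` form makes Compose refuse to start instead: `POSTGRES_PASSWORD: ${POSTGRES_PASSWORD:?set POSTGRES_PASSWORD in deploy/.env}`. The same silent fallback appears in the `CERTCTL_DATABASE_URL` hunk at `@@ -33,7` and the `CERTCTL_API_KEY` hunk at `@@ -66,17`. The unchanged `"5432:5432"` port publish just below binds PostgreSQL on every host interface, which makes a defaulted password reachable from outside the compose network; if host access is not needed, drop the `ports` entry, otherwise bind it as `"127.0.0.1:5432:5432"`.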
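Review bot: Interpolating `${POSTGRES_PASSWORD:-certctl}` into `CERTCTL_DATABASE_URL` means the password is now parsed as part of a URL, so a value containing `@`, `:`, `/`, `?`, `#` or `%` — which a randomly generated secret may well contain — gets split at the wrong place or rejected by the URL parser, and the failure will look like a wrong password rather than a quoting problem. Either document the constraint next to this line (`# password is embedded in a URL: percent-encode it, or avoid @ : / ? # %`) or, if the server accepts separate host/user/password settings, pass the password on its own instead of embedding it in the connection string; I cannot tell from this patch which options the server supports. Note also that the full connection string, secret included, is visible through `docker inspect` on the running container, so the move to `.env` reduces exposure in the repository but not at runtime.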
@@ -54,6 +54,11 @@ services:
 options:
 max-size: "10m"
 max-file: "3"
+ deploy:
+ resources:
+ limits:
+ cpus: '1.0'
+ memory: 512M
 
 # Certctl Agent
 certctl-agent:
@@ -66,17 +71,29 @@ services:
 condition: service_healthy
 environment:
 CERTCTL_SERVER_URL: http://certctl-server:8443
- CERTCTL_API_KEY: change-me-in-production
+ CERTCTL_API_KEY: ${CERTCTL_API_KEY:-change-me-in-production}
 CERTCTL_AGENT_NAME: docker-agent
 CERTCTL_LOG_LEVEL: info
+ volumes:
+ - agent_keys:/var/lib/certctl/keys
 networks:
 - certctl-network
+ healthcheck:
+ test: ["CMD-SHELL", "pgrep -f certctl-agent || exit 1"]
+ interval: 30s
+ timeout: 5s
+ retries: 3
 restart: unless-stopped
 logging:
 driver: "json-file"
 options:
 max-size: "10m"
 max-file: "3"
+ deploy:
+ resources:
+ limits:
+ cpus: '0.5'
+ memory: 256M
 
 networks:
 certctl-network:
@@ -85,3 +102,5 @@ networks:
 volumes:
 postgres_data:
 driver: local
+ agent_keys:
+ driver: local
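Review bot: `deploy.resources.limits` is honored by Compose v2 (`docker compose`), but the legacy `docker-compose` v1 tool ignores the whole `deploy:` block unless it is run with `--compatibility`, so the 1 CPU / 512M limit the commit message promises may not exist depending on which tool operators use. If the project's documentation still shows `docker-compose` commands, either note this next to the block (`# requires Compose v2 or docker-compose --compatibility`) or update the documented command; I cannot see the docs in this patch. A small style point: `cpus: '1.0'` is quoted while `memory: 512M` is not, and the agent block in the `@@ -66,17` hunk repeats the mix — quoting both consistently reads better.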
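Review bot: The healthcheck `pgrep -f certctl-agent || exit 1` reports healthy even when the agent has died: `CMD-SHELL` runs the test via `/bin/sh -c`, that shell's own command line contains the string `certctl-agent`, and `pgrep -f` matches full command lines, so it always finds the shell itself. Match the process name instead and skip the shell, e.g. `test: ["CMD", "pgrep", "-x", "certctl-agent"]`, on the assumption that the agent binary's process name is `certctl-agent` and the image ships `pgrep` — neither the Dockerfile nor the binary name is in this patch, so both need confirming. A process-exists check also says nothing about whether the agent can reach `certctl-server`; if the agent exposes a status endpoint or a subcommand that verifies its connection, that is the better probe. The new `agent_keys` volume persists private key material under `/var/lib/certctl/keys`; the directory's ownership and mode are set by the image and the agent's umask, which this patch does not show, so it is worth confirming the keys are not created world-readable.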