From 60cd20cb305a9ff4c6826cf25b6fe1283f4ad67c Mon Sep 17 00:00:00 2001 From: Idir Chikhoune Date: Thu, 5 Mar 2026 12:54:37 +0100 Subject: [PATCH 01/10] feature Ok, .env modification needed --- packaging/container/Containerfile | 8 +++++++- src/settings/base.py | 7 +++++-- 2 files changed, 12 insertions(+), 3 deletions(-) diff --git a/packaging/container/Containerfile b/packaging/container/Containerfile index 9e1ca00bb..490d4bd92 100644 --- a/packaging/container/Containerfile +++ b/packaging/container/Containerfile @@ -17,4 +17,10 @@ RUN uv sync --all-extras --frozen WORKDIR /app -ENTRYPOINT ["/bin/bash", "-c"] +ENTRYPOINT ["/bin/bash", "-c", "\ +if [ -z \"$DJANGO_SECRET_KEY\" ]; then \ +export DJANGO_SECRET_KEY=$(python -c 'from django.core.management.utils import get_random_secret_key; print(get_random_secret_key())'); \ +echo \"Generated DJANGO_SECRET_KEY=$DJANGO_SECRET_KEY\"; \ +fi; \ +exec \"$@\" \ +", "--"] diff --git a/src/settings/base.py b/src/settings/base.py index 127b17eb8..d1d1389d6 100644 --- a/src/settings/base.py +++ b/src/settings/base.py @@ -5,7 +5,7 @@ from celery import signals import dj_database_url from .logs_loguru import configure_logging - +from django.core.management.utils import get_random_secret_key BASE_DIR = os.path.dirname(os.path.dirname(os.path.abspath(__file__))) # Also add ../../apps to python path @@ -125,7 +125,10 @@ USE_I18N = True USE_L10N = True USE_TZ = True -SECRET_KEY = os.environ.get("SECRET_KEY", '(*0&74%ihg0ui+400+@%2pe92_c)x@w2m%6s(jhs^)dc$&&g93') + +### SECRET KEY ### +SECRET_KEY = os.environ.get("DJANGO_SECRET_KEY", get_random_secret_key()) + LOGIN_REDIRECT_URL = '/' LOGOUT_REDIRECT_URL = '/' From 275c0705296c871f58661d8915d7d12f9db4be03 Mon Sep 17 00:00:00 2001 
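Review bot: The `echo \"Generated DJANGO_SECRET_KEY=$DJANGO_SECRET_KEY\"; \` line in the new ENTRYPOINT script writes the signing key to stdout, so it ends up in the container log and in anything that collects those logs. Log the event without the value, for example `echo \"Generated a DJANGO_SECRET_KEY for this container\"; \`. Because the key is created inside the entrypoint process, every container start also gets a new key, which invalidates sessions and other signed values issued before the restart.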
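Review bot: The fallback in `os.environ.get("DJANGO_SECRET_KEY", get_random_secret_key())` gives each Python process its own key when the variable is unset, so a value signed by one worker process would presumably fail verification in another, and every restart drops existing sessions. Failing closed is safer: `SECRET_KEY = os.environ["DJANGO_SECRET_KEY"]`. The literal default removed here stays readable in the repository history, so any deployment that ran without `SECRET_KEY` set should be treated as having used a known key and be rotated. The lookup name also changes from `SECRET_KEY` to `DJANGO_SECRET_KEY`, so a key that an existing `.env` defines under the old name is silently ignored.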
From: Idir Chikhoune Date: Thu, 5 Mar 2026 14:13:54 +0100 Subject: [PATCH 02/10] debug infinite key regenration --- .env_sample | 2 -- docker-compose.yml | 11 +++++++++-- packaging/container/Containerfile | 12 ++++-------- 3 files changed, 13 insertions(+), 12 deletions(-) diff --git a/.env_sample b/.env_sample index 6bd01cfbd..d02097600 100644 --- a/.env_sample +++ b/.env_sample @@ -1,5 +1,3 @@ -SECRET_KEY=change-this-secret - # For local setup and debug DEBUG=True diff --git a/docker-compose.yml b/docker-compose.yml index de8bfe42e..34eaccdcb 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -28,9 +28,16 @@ services: dockerfile: packaging/container/Containerfile image: django_site-worker # NOTE: We use watchmedo to reload gunicorn nicely, Uvicorn + Gunicorn reloads don't work well - command: ["python manage.py migrate --no-input && python manage.py collectstatic --no-input && cd /app/src && watchmedo auto-restart -p '*.py' --recursive -- python3 ./gunicorn_run.py"] + command: > + bash -c "python manage.py migrate --no-input && + python manage.py collectstatic --no-input && + cd /app/src && + uv run watchmedo auto-restart -p '*.py' --recursive -- python3 ./gunicorn_run.py" + environment: - DATABASE_URL=postgres://${DB_USERNAME}:${DB_PASSWORD}@${DB_HOST}:${DB_PORT}/${DB_NAME} + # NOTE: Do not modify "DJANGO_SECRET_KEY", it is created automatically. + - DJANGO_SECRET_KEY= env_file: .env volumes: - .:/app:delegated @@ -248,4 +255,4 @@ services: logging: options: max-size: "20m" - max-file: "5" + max-file: "5" \ No newline at end of file diff --git a/packaging/container/Containerfile b/packaging/container/Containerfile index 490d4bd92..cdb958128 100644 --- a/packaging/container/Containerfile +++ b/packaging/container/Containerfile 
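Review bot: The added `- DJANGO_SECRET_KEY=` entry under `environment` sets the variable to an empty string, and Compose gives `environment` precedence over `env_file`, so a key an operator puts in `.env` never reaches this container. An entrypoint that tests for an empty value, as the one in this series does, then generates a fresh key on every start, which matches the regeneration named in the commit subject. Removing the entry and letting `env_file: .env` supply the value avoids that; the NOTE comment above it would go with it.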
@@ -15,12 +15,8 @@ COPY pyproject.toml uv.lock ./ # Install dependencies RUN uv sync --all-extras --frozen - WORKDIR /app -ENTRYPOINT ["/bin/bash", "-c", "\ -if [ -z \"$DJANGO_SECRET_KEY\" ]; then \ -export DJANGO_SECRET_KEY=$(python -c 'from django.core.management.utils import get_random_secret_key; print(get_random_secret_key())'); \ -echo \"Generated DJANGO_SECRET_KEY=$DJANGO_SECRET_KEY\"; \ -fi; \ -exec \"$@\" \ -", "--"] +# Copier l'entrypoint +COPY packaging/container/entrypoint.sh /entrypoint.sh +RUN chmod +x /entrypoint.sh +ENTRYPOINT ["/entrypoint.sh"] From 6d58e2b69076f05997bbc4748849fb8621369f0e Mon Sep 17 00:00:00 2001 From: Idir Chikhoune Date: Thu, 5 Mar 2026 14:18:37 +0100 Subject: [PATCH 03/10] remove echo secret key --- packaging/container/entrypoint.sh | 10 ++++++++++ 1 file changed, 10 insertions(+) create mode 100644 packaging/container/entrypoint.sh diff --git a/packaging/container/entrypoint.sh b/packaging/container/entrypoint.sh new file mode 100644 index 000000000..5765dcf27 --- /dev/null +++ b/packaging/container/entrypoint.sh @@ -0,0 +1,10 @@ +#!/bin/bash +set -e + +# Générer la clé Django si elle n'existe pas +if [ -z "$DJANGO_SECRET_KEY" ]; then + export DJANGO_SECRET_KEY=$(python -c "from django.core.management.utils import get_random_secret_key; print(get_random_secret_key())") +fi + +# Exécuter la commande passée au conteneur (migrate, collectstatic, watchmedo…) +exec "$@" From 7a36f1f71b4e0e1a9c33d68405fefd4e95a6d770 Mon Sep 17 00:00:00 2001 From: Idir Chikhoune Date: Thu, 5 Mar 2026 15:55:43 +0100 Subject: [PATCH 04/10] secret key in .env/ production ready --- docker-compose.yml | 12 +++++------- packaging/container/entrypoint.sh | 29 ++++++++++++++++++++++++----- 2 files changed, 29 insertions(+), 12 deletions(-) diff --git a/docker-compose.yml b/docker-compose.yml index 34eaccdcb..3c17b42ef 100644 --- a/docker-compose.yml +++ b/docker-compose.yml 
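Review bot: `export DJANGO_SECRET_KEY=$(python -c "...")` hides a failure of the Python command from `set -e`, because the status of the line is that of `export`; if Django cannot be imported by the `python` on PATH, the script continues with an empty key and still reaches `exec "$@"`. Split the assignment from the export so the failure stops the container: `DJANGO_SECRET_KEY=$(python -c "...")` followed by `export DJANGO_SECRET_KEY`. The same one-line form is kept in PATCH 04/10, where the empty value would additionally be written to `.env`.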
@@ -28,16 +28,14 @@ services: dockerfile: packaging/container/Containerfile image: django_site-worker # NOTE: We use watchmedo to reload gunicorn nicely, Uvicorn + Gunicorn reloads don't work well - command: > - bash -c "python manage.py migrate --no-input && - python manage.py collectstatic --no-input && - cd /app/src && - uv run watchmedo auto-restart -p '*.py' --recursive -- python3 ./gunicorn_run.py" - + command: + - bash + - -c + - "cd /app/src && watchmedo auto-restart -p '*.py' --recursive -- python3 ./gunicorn_run.py" + environment: - DATABASE_URL=postgres://${DB_USERNAME}:${DB_PASSWORD}@${DB_HOST}:${DB_PORT}/${DB_NAME} # NOTE: Do not modify "DJANGO_SECRET_KEY", it is created automatically. - - DJANGO_SECRET_KEY= env_file: .env volumes: - .:/app:delegated diff --git a/packaging/container/entrypoint.sh b/packaging/container/entrypoint.sh index 5765dcf27..6d27ffb1c 100644 --- a/packaging/container/entrypoint.sh +++ b/packaging/container/entrypoint.sh @@ -1,10 +1,29 @@ -#!/bin/bash -set -e +#!/usr/bin/env bash +set -euo pipefail -# Générer la clé Django si elle n'existe pas -if [ -z "$DJANGO_SECRET_KEY" ]; then +ENV_FILE=/app/.env +TMP_FILE=${ENV_FILE}.tmp + +if [ -z "${DJANGO_SECRET_KEY:-}" ]; then + if [ -f "$ENV_FILE" ]; then + existing=$(grep -E '^DJANGO_SECRET_KEY=' "$ENV_FILE" | tail -n1 | sed 's/^DJANGO_SECRET_KEY=//') + else + existing="" + fi + + if [ -n "${existing:-}" ]; then + export DJANGO_SECRET_KEY="$existing" + else export DJANGO_SECRET_KEY=$(python -c "from django.core.management.utils import get_random_secret_key; print(get_random_secret_key())") + # persist: remove old DJANGO_SECRET_KEY lines and append the new one + if [ -f "$ENV_FILE" ]; then + grep -v -E '^DJANGO_SECRET_KEY=' "$ENV_FILE" > "$TMP_FILE" || true + else + : > "$TMP_FILE" + fi + printf "%s\n" "DJANGO_SECRET_KEY=$DJANGO_SECRET_KEY" >> "$TMP_FILE" + mv "$TMP_FILE" "$ENV_FILE" + fi fi -# Exécuter la commande passée au conteneur (migrate, collectstatic, watchmedo…) exec "$@" 
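Review bot: The new `command` no longer runs `python manage.py migrate --no-input` or `python manage.py collectstatic --no-input` before starting gunicorn, and nothing visible in the patch takes over those steps, so a fresh database would presumably stay unmigrated. If that is intended, say so in the commit message; otherwise keep both commands at the front of the `bash -c` string. The same reduced command comes back in PATCH 06/10. The `# NOTE: Do not modify "DJANGO_SECRET_KEY"` comment is also left behind after the entry it described is removed.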
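Review bot: Under `set -euo pipefail`, the `existing=$(grep -E '^DJANGO_SECRET_KEY=' "$ENV_FILE" | tail -n1 | sed ...)` line makes the script exit when `.env` exists but has no `DJANGO_SECRET_KEY=` line: grep returns 1 on no match, pipefail makes that the pipeline status, and the failed assignment trips `set -e`. That is the first-run case the generation branch is meant to handle, so the container stops before any key is created. A form that returns 0 without a match avoids it: `existing=$(sed -n 's/^DJANGO_SECRET_KEY=//p' "$ENV_FILE" | tail -n1)`. The same pipeline is carried into PATCH 07/10 and PATCH 08/10 (there matching `SECRET_KEY=`).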
From 6dca3d594f4826294ac78a9b14a00a356e8b46ba Mon Sep 17 00:00:00 2001 From: Idir Chikhoune Date: Thu, 5 Mar 2026 16:02:29 +0100 Subject: [PATCH 05/10] remove comment --- docker-compose.yml | 7 +------ 1 file changed, 1 insertion(+), 6 deletions(-) diff --git a/docker-compose.yml b/docker-compose.yml index 3c17b42ef..c6c4322fc 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -28,14 +28,9 @@ services: dockerfile: packaging/container/Containerfile image: django_site-worker # NOTE: We use watchmedo to reload gunicorn nicely, Uvicorn + Gunicorn reloads don't work well - command: - - bash - - -c - - "cd /app/src && watchmedo auto-restart -p '*.py' --recursive -- python3 ./gunicorn_run.py" - + command: ["python manage.py migrate --no-input && python manage.py collectstatic --no-input && cd /app/src && watchmedo auto-restart -p '*.py' --recursive -- python3 ./gunicorn_run.py"] environment: - DATABASE_URL=postgres://${DB_USERNAME}:${DB_PASSWORD}@${DB_HOST}:${DB_PORT}/${DB_NAME} - # NOTE: Do not modify "DJANGO_SECRET_KEY", it is created automatically. env_file: .env volumes: - .:/app:delegated From a0d31ca795ee6576483cf49a13fdf67931ae0872 Mon Sep 17 00:00:00 2001 From: Idir Chikhoune Date: Thu, 5 Mar 2026 16:05:57 +0100 Subject: [PATCH 06/10] remove comment --- docker-compose.yml | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/docker-compose.yml b/docker-compose.yml index c6c4322fc..867cfb8e3 100644 --- a/docker-compose.yml +++ b/docker-compose.yml 
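Review bot: The restored single-string `command: ["python manage.py migrate --no-input && ..."]` is one argv element, which worked while the image ENTRYPOINT was `["/bin/bash", "-c"]` but not with the `/entrypoint.sh` from PATCH 02/10 and 03/10, whose last line is `exec "$@"`: bash would try to execute the whole string as a program name. Keep the `bash`, `-c`, script list form that this hunk removes. The commit subject says only "remove comment", so the command change looks unintended.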
@@ -28,7 +28,11 @@ services: dockerfile: packaging/container/Containerfile image: django_site-worker # NOTE: We use watchmedo to reload gunicorn nicely, Uvicorn + Gunicorn reloads don't work well - command: ["python manage.py migrate --no-input && python manage.py collectstatic --no-input && cd /app/src && watchmedo auto-restart -p '*.py' --recursive -- python3 ./gunicorn_run.py"] + command: + - bash + - -c + - "cd /app/src && watchmedo auto-restart -p '*.py' --recursive -- python3 ./gunicorn_run.py" + environment: - DATABASE_URL=postgres://${DB_USERNAME}:${DB_PASSWORD}@${DB_HOST}:${DB_PORT}/${DB_NAME} env_file: .env From 1438e1ecd2fbb6705f517d518fcc898082ea7270 Mon Sep 17 00:00:00 2001 From: Idir Chikhoune Date: Thu, 5 Mar 2026 16:22:02 +0100 Subject: [PATCH 07/10] debug secret key, written inside of simple quote --- packaging/container/entrypoint.sh | 42 ++++++++++++++++++++++--------- 1 file changed, 30 insertions(+), 12 deletions(-) diff --git a/packaging/container/entrypoint.sh b/packaging/container/entrypoint.sh index 6d27ffb1c..a1ad98c9f 100644 --- a/packaging/container/entrypoint.sh +++ b/packaging/container/entrypoint.sh 
@@ -2,27 +2,45 @@ set -euo pipefail ENV_FILE=/app/.env -TMP_FILE=${ENV_FILE}.tmp +TMP_FILE="${ENV_FILE}.tmp" -if [ -z "${DJANGO_SECRET_KEY:-}" ]; then - if [ -f "$ENV_FILE" ]; then - existing=$(grep -E '^DJANGO_SECRET_KEY=' "$ENV_FILE" | tail -n1 | sed 's/^DJANGO_SECRET_KEY=//') - else - existing="" - fi +# read existing DJANGO_SECRET_KEY from .env (raw value after =) +existing="" +if [ -f "$ENV_FILE" ]; then + existing=$(grep -E '^DJANGO_SECRET_KEY=' "$ENV_FILE" | tail -n1 | sed -E 's/^DJANGO_SECRET_KEY=//') +fi - if [ -n "${existing:-}" ]; then - export DJANGO_SECRET_KEY="$existing" +# if variable is already provided by environment, persist it if absent from .env +if [ -n "${DJANGO_SECRET_KEY:-}" ]; then + KEY="$DJANGO_SECRET_KEY" + if [ -z "$existing" ]; then + esc=$(printf '%s' "$KEY" | sed "s/'/'\\\\''/g") + if [ -f "$ENV_FILE" ]; then + grep -v -E '^DJANGO_SECRET_KEY=' "$ENV_FILE" > "$TMP_FILE" || true + else + : > "$TMP_FILE" + fi + printf "DJANGO_SECRET_KEY='%s'\n" "$esc" >> "$TMP_FILE" + mv "$TMP_FILE" "$ENV_FILE" + fi + export DJANGO_SECRET_KEY="$KEY" +else + if [ -n "$existing" ]; then + # remove surrounding quotes if present + KEY=$(printf '%s' "$existing" | sed -E "s/^'(.*)'$/\1/; s/^\"(.*)\"$/\1/") + export DJANGO_SECRET_KEY="$KEY" else - export DJANGO_SECRET_KEY=$(python -c "from django.core.management.utils import get_random_secret_key; print(get_random_secret_key())") - # persist: remove old DJANGO_SECRET_KEY lines and append the new one + # generate, persist and export + KEY=$(python -c "from django.core.management.utils import get_random_secret_key; print(get_random_secret_key())") + esc=$(printf '%s' "$KEY" | sed "s/'/'\\\\''/g") if [ -f "$ENV_FILE" ]; then grep -v -E '^DJANGO_SECRET_KEY=' "$ENV_FILE" > "$TMP_FILE" || true else : > "$TMP_FILE" fi - printf "%s\n" "DJANGO_SECRET_KEY=$DJANGO_SECRET_KEY" >> "$TMP_FILE" + printf "DJANGO_SECRET_KEY='%s'\n" "$esc" >> "$TMP_FILE" mv "$TMP_FILE" "$ENV_FILE" + export DJANGO_SECRET_KEY="$KEY" fi fi 
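Review bot: The first branch copies a `DJANGO_SECRET_KEY` that was supplied through the environment into `/app/.env`, turning a secret that existed only in the process environment into a file; `/app` is the bind-mounted checkout in this series' compose file (`.:/app:delegated`), so the file lands in the working tree on the host. I would not persist in that branch and only keep `export DJANGO_SECRET_KEY="$KEY"`; for the generated-key branch, add `umask 077` before the writes so the temp file and the resulting `.env` are not readable by other users. The write side escapes `'` as `'\''` while the read side only strips the outer quotes, so a supplied key containing a single quote would not round-trip. The persist block is duplicated verbatim in both branches and would read better as one function.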
From 61f8714b021d541081d3698c050fb6f6e4992495 Mon Sep 17 00:00:00 2001 From: Idir Chikhoune Date: Tue, 17 Mar 2026 13:36:52 +0100 Subject: [PATCH 08/10] container crash when starting fix --- packaging/container/entrypoint.sh | 39 +++++++++++++++---------------- 1 file changed, 19 insertions(+), 20 deletions(-) diff --git a/packaging/container/entrypoint.sh b/packaging/container/entrypoint.sh index a1ad98c9f..389a04412 100644 --- a/packaging/container/entrypoint.sh +++ b/packaging/container/entrypoint.sh 
@@ -1,46 +1,45 @@ #!/usr/bin/env bash set -euo pipefail -ENV_FILE=/app/.env -TMP_FILE="${ENV_FILE}.tmp" +ENV_FILE=/.env -# read existing DJANGO_SECRET_KEY from .env (raw value after =) existing="" if [ -f "$ENV_FILE" ]; then - existing=$(grep -E '^DJANGO_SECRET_KEY=' "$ENV_FILE" | tail -n1 | sed -E 's/^DJANGO_SECRET_KEY=//') + existing=$(grep -E '^SECRET_KEY=' "$ENV_FILE" | tail -n1 | sed -E 's/^SECRET_KEY=//') fi -# if variable is already provided by environment, persist it if absent from .env -if [ -n "${DJANGO_SECRET_KEY:-}" ]; then - KEY="$DJANGO_SECRET_KEY" +if [ -n "${SECRET_KEY:-}" ]; then + KEY="$SECRET_KEY" if [ -z "$existing" ]; then esc=$(printf '%s' "$KEY" | sed "s/'/'\\\\''/g") if [ -f "$ENV_FILE" ]; then - grep -v -E '^DJANGO_SECRET_KEY=' "$ENV_FILE" > "$TMP_FILE" || true + TMP=$(mktemp) + grep -v -E '^SECRET_KEY=' "$ENV_FILE" > "$TMP" || true else - : > "$TMP_FILE" + TMP=$(mktemp) + : > "$TMP" fi - printf "DJANGO_SECRET_KEY='%s'\n" "$esc" >> "$TMP_FILE" - mv "$TMP_FILE" "$ENV_FILE" + printf "SECRET_KEY='%s'\n" "$esc" >> "$TMP" + mv "$TMP" "$ENV_FILE" fi - export DJANGO_SECRET_KEY="$KEY" + export SECRET_KEY="$KEY" else if [ -n "$existing" ]; then - # remove surrounding quotes if present KEY=$(printf '%s' "$existing" | sed -E "s/^'(.*)'$/\1/; s/^\"(.*)\"$/\1/") - export DJANGO_SECRET_KEY="$KEY" + export SECRET_KEY="$KEY" else - # generate, persist and export KEY=$(python -c "from django.core.management.utils import get_random_secret_key; print(get_random_secret_key())") esc=$(printf '%s' "$KEY" | sed "s/'/'\\\\''/g") if [ -f "$ENV_FILE" ]; then - grep -v -E '^DJANGO_SECRET_KEY=' "$ENV_FILE" > "$TMP_FILE" || true + TMP=$(mktemp) + grep -v -E '^SECRET_KEY=' "$ENV_FILE" > "$TMP" || true else - : > "$TMP_FILE" + TMP=$(mktemp) + : > "$TMP" fi - printf "DJANGO_SECRET_KEY='%s'\n" "$esc" >> "$TMP_FILE" - mv "$TMP_FILE" "$ENV_FILE" - export DJANGO_SECRET_KEY="$KEY" + printf "SECRET_KEY='%s'\n" "$esc" >> "$TMP" + mv "$TMP" "$ENV_FILE" + export SECRET_KEY="$KEY" 
fi fi From 233c9a34de9339125f7d0147609ba0897c0dd0d2 Mon Sep 17 00:00:00 2001 From: Idir Chikhoune Date: Tue, 17 Mar 2026 13:44:38 +0100 Subject: [PATCH 09/10] cicle ci test fix --- src/settings/base.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/settings/base.py b/src/settings/base.py index d1d1389d6..3690675f7 100644 --- a/src/settings/base.py +++ b/src/settings/base.py @@ -126,8 +126,8 @@ USE_L10N = True USE_TZ = True -### SECRET KEY ### -SECRET_KEY = os.environ.get("DJANGO_SECRET_KEY", get_random_secret_key()) +# SECRET KEY +SECRET_KEY = os.environ["SECRET_KEY"] LOGIN_REDIRECT_URL = '/' LOGOUT_REDIRECT_URL = '/' From 42496a16e20e8a096f65dd9caf4e4c2884de8e64 Mon Sep 17 00:00:00 2001 From: Idir Chikhoune Date: Tue, 17 Mar 2026 13:49:33 +0100 Subject: [PATCH 10/10] cicle ci test fix --- src/settings/base.py | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/src/settings/base.py b/src/settings/base.py index 3690675f7..b44e8d73e 100644 --- a/src/settings/base.py +++ b/src/settings/base.py @@ -5,7 +5,6 @@ from celery import signals import dj_database_url from .logs_loguru import configure_logging -from django.core.management.utils import get_random_secret_key BASE_DIR = os.path.dirname(os.path.dirname(os.path.abspath(__file__))) # Also add ../../apps to python path @@ -126,7 +125,7 @@ USE_L10N = True USE_TZ = True -# SECRET KEY +# SECRET KEY SECRET_KEY = os.environ["SECRET_KEY"] LOGIN_REDIRECT_URL = '/'
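Review bot: `ENV_FILE=/.env` puts the key file at the root of the container filesystem, outside the `/app` volume seen in docker-compose.yml, so the generated key presumably lives only in that container's writable layer: it is lost when the container is recreated and is not shared with other services started from the same image. Compose's `env_file: .env` reads the host file, not `/.env`, so the two can diverge. If the key has to survive recreation, point `ENV_FILE` at a mounted path or require the operator to set `SECRET_KEY`. This patch also renames the variable to `SECRET_KEY` while `src/settings/base.py` still reads `DJANGO_SECRET_KEY` until PATCH 09/10, so at this commit settings fall back to a random per-process key.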
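Review bot: `os.environ["SECRET_KEY"]` fails with a bare `KeyError` at import time whenever settings are loaded outside the container entrypoint (tests, a `manage.py` run on the host), and `.env_sample` has not mentioned the variable since PATCH 02/10. The `# SECRET KEY` comment could carry the contract instead: `# Required, no default on purpose: the container entrypoint generates one; set SECRET_KEY yourself everywhere else.` A documented entry in `.env_sample`, without a usable placeholder value, would cover the host case.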