diff --git a/apps/backups/services.py b/apps/backups/services.py index 72b7b3f2..c70160e1 100644 --- a/apps/backups/services.py +++ b/apps/backups/services.py @@ -51,7 +51,9 @@ def _get_pg_env() -> dict: "sslcert": "PGSSLCERT", "sslkey": "PGSSLKEY", } + # Always strip inherited PGSSL* vars first, then set only what is explicitly configured for opt_key, env_key in _ssl_env_map.items(): + env.pop(env_key, None) value = options.get(opt_key) if value: env[env_key] = value diff --git a/core/management/commands/dropdb.py b/core/management/commands/dropdb.py index 3c390bef..d61b9891 100644 --- a/core/management/commands/dropdb.py +++ b/core/management/commands/dropdb.py @@ -1,5 +1,6 @@ import sys import psycopg2 +from psycopg2 import sql from django.core.management.base import BaseCommand from django.conf import settings from django.db import connection @@ -41,9 +42,9 @@ class Command(BaseCommand): conn.autocommit = True cur = conn.cursor() self.stdout.write(f"Dropping database '{db_name}'...") - cur.execute(f"DROP DATABASE IF EXISTS {db_name};") + cur.execute(sql.SQL("DROP DATABASE IF EXISTS {}").format(sql.Identifier(db_name))) self.stdout.write(f"Creating database '{db_name}'...") - cur.execute(f"CREATE DATABASE {db_name};") + cur.execute(sql.SQL("CREATE DATABASE {}").format(sql.Identifier(db_name))) cur.close() conn.close() self.stdout.write(self.style.SUCCESS(f"Database '{db_name}' has been dropped and recreated.")) diff --git a/docker/entrypoint.sh b/docker/entrypoint.sh index 4bf170c8..ea8a95b9 100755 --- a/docker/entrypoint.sh +++ b/docker/entrypoint.sh @@ -31,8 +31,9 @@ echo_with_timestamp() { export POSTGRES_DB=${POSTGRES_DB:-dispatcharr} export POSTGRES_USER=${POSTGRES_USER:-dispatch} # AIO mode: default to 'secret' for internal DB. -# Modular mode: no default — cert-only auth (mTLS) uses no password. -if [[ "${DISPATCHARR_ENV:-}" == "modular" ]]; then +# Modular mode + TLS: no default — cert-only auth (mTLS) uses no password. +# Modular mode + no TLS: preserve 'secret' default for backward compatibility. +if [[ "${DISPATCHARR_ENV:-}" == "modular" && "${POSTGRES_SSL:-}" == "true" ]]; then export POSTGRES_PASSWORD="${POSTGRES_PASSWORD:-}" else export POSTGRES_PASSWORD="${POSTGRES_PASSWORD:-secret}" diff --git a/docker/init/00-fix-pg-ssl-key.sh b/docker/init/00-fix-pg-ssl-key.sh index 122815f7..d7065815 100644 --- a/docker/init/00-fix-pg-ssl-key.sh +++ b/docker/init/00-fix-pg-ssl-key.sh @@ -11,7 +11,7 @@ # # Usage: source this script with FIXED_KEY_PATH set to the destination. # FIXED_KEY_PATH="/data/.pg-client.key" -# . /app/docker/init/fix-pg-ssl-key.sh +# . /app/docker/init/00-fix-pg-ssl-key.sh # # After sourcing, POSTGRES_SSL_KEY is updated to the fixed path if a copy # was needed. The caller is responsible for propagating the new value to diff --git a/docker/tests/test-tls-postgres.sh b/docker/tests/test-tls-postgres.sh index 81230178..8a7630dc 100644 --- a/docker/tests/test-tls-postgres.sh +++ b/docker/tests/test-tls-postgres.sh @@ -97,7 +97,7 @@ fresh_volume() { } cleanup_scenario() { - if [ "$KEEP_ON_FAIL" = true ] && [ ${#ERRORS[@]} -gt 0 ]; then + if [ "$KEEP_ON_FAIL" = true ] && [ "$FAIL" -gt "${SCENARIO_FAIL_BEFORE:-0}" ]; then log_info "Keeping resources for debugging (--keep-on-fail)" CLEANUP_ITEMS=() return @@ -114,7 +114,7 @@ cleanup_scenario() { CLEANUP_ITEMS=() } -trap 'cleanup_scenario' EXIT +trap 'cleanup_scenario; [ -n "$CERT_DIR" ] && rm -rf "$CERT_DIR"' EXIT wait_for_ready() { local name="$1"