From a3c17750cdac43feb42aeb5320c4d3e8d1ca4a0e Mon Sep 17 00:00:00 2001
From: Marcel
Date: Wed, 6 May 2026 07:11:57 +0200
Subject: [PATCH] fix(docs): correct DEPLOYMENT.md env var name and prod overlay note
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- Security checklist: OCR_TRAINING_TOKEN → APP_OCR_TRAINING_TOKEN (backend) plus TRAINING_TOKEN (OCR service); both must share the same value
- Bootstrap: clarify docker-compose.prod.yml is not committed — must be created from docs/infrastructure/production-compose.md

Co-Authored-By: Claude Sonnet 4.6
---
 docs/DEPLOYMENT.md | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/docs/DEPLOYMENT.md b/docs/DEPLOYMENT.md
index b9895e33..6e697c55 100644
--- a/docs/DEPLOYMENT.md
+++ b/docs/DEPLOYMENT.md
@@ -139,7 +139,7 @@ All vars are set in `.env` at the repo root (copy from `.env.example`). The back - [ ] Set `APP_ADMIN_USERNAME` if you want a non-default admin login name (add to `.env` — not in `.env.example`) - [ ] Rotate `POSTGRES_PASSWORD` from `change-me` - [ ] Rotate `MINIO_ROOT_PASSWORD` from `change-me` -- [ ] Set a strong `OCR_TRAINING_TOKEN` (`python3 -c "import secrets; print(secrets.token_hex(32))"`) +- [ ] Set a strong `APP_OCR_TRAINING_TOKEN` (backend) and the matching `TRAINING_TOKEN` (OCR service) — both must be the same value (`python3 -c "import secrets; print(secrets.token_hex(32))"`) - [ ] Confirm `ALLOWED_PDF_HOSTS` is locked to your MinIO/S3 hostname — widening to `*` opens SSRF - [ ] Set `SPRING_PROFILES_ACTIVE=prod` in the prod overlay (not `dev,e2e` — that exposes Swagger UI and `/v3/api-docs`) - [ ] Use a dedicated MinIO service account for `S3_ACCESS_KEY` / `S3_SECRET_KEY`, not the root credentials 
@@ -156,6 +156,7 @@ cp .env.example .env # Create the bucket named $MINIO_DEFAULT_BUCKETS with private access. # 3. Start the stack (prod overlay — see docs/infrastructure/production-compose.md) +# docker-compose.prod.yml is NOT committed — create it from the guide above docker compose -f docker-compose.yml -f docker-compose.prod.yml up -d # 4. Flyway migrations run automatically on backend start.
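Review bot: in the `@@ -139,7` hunk, the rewritten checklist item drops `OCR_TRAINING_TOKEN` without saying it was renamed, so an operator whose existing `.env` still sets the old name gets no hint from this list that the backend now reads `APP_OCR_TRAINING_TOKEN`. Suggest appending "(previously `OCR_TRAINING_TOKEN`; update existing `.env` files)" to the item, and, since the hunk's context line says all vars are copied from `.env.example`, either confirm both `APP_OCR_TRAINING_TOKEN` and `TRAINING_TOKEN` are present there or mark the item "add to `.env` — not in `.env.example`" the way the `APP_ADMIN_USERNAME` item does. The generator command in parentheses also reads as if it were run once per variable; state plainly that it is run once and the same output pasted into both, for example `TOKEN=$(python3 -c "import secrets; print(secrets.token_hex(32))")` followed by setting both variables from `$TOKEN`, so the "both must be the same value" requirement cannot be missed.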
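Review bot: in the `@@ -156,6` hunk, the added comment says `docker-compose.prod.yml` is not committed but not what is lost if the overlay is skipped; since the checklist earlier in this file puts `SPRING_PROFILES_ACTIVE=prod` in that overlay (and names `dev,e2e` as the profile that exposes Swagger UI and `/v3/api-docs`), an operator who works around the missing file by dropping the second `-f` would bring the stack up without the prod profile. Suggest extending the line to something like "# docker-compose.prod.yml is NOT committed — create it from docs/infrastructure/production-compose.md; do not start the stack without it, the prod profile is set there", naming the guide by path instead of "the guide above" so the comment stays correct if the step-3 line is edited.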