From 5b08922f08a1608d994ccdc15760a81ffe14cc25 Mon Sep 17 00:00:00 2001
From: Erik
Date: Sat, 7 Mar 2026 18:36:27 -0300
Subject: [PATCH] security: move sensitive data to environment variables

---
 .env.example | 13 +++++--------
 docker-compose.yml | 11 +++++------
 env.migration.txt | 18 ++++++++++++++++++
 3 files changed, 28 insertions(+), 14 deletions(-)
 create mode 100644 env.migration.txt

diff --git a/.env.example b/.env.example
index 1e96159..abddf60 100644
--- a/.env.example
+++ b/.env.example
@@ -1,12 +1,7 @@
 # Database Configuration
-POSTGRES_USER=admin
-POSTGRES_PASSWORD=adminpassword
-POSTGRES_DB=occto_db
-DATABASE_URL=postgresql://admin:adminpassword@postgres:5432/occto_db?schema=public
+DATABASE_URL=postgresql://USER:PASSWORD@HOST:PORT/DATABASE?schema=occto
 
-# MinIO Configuration
-MINIO_ROOT_USER=admin
-MINIO_ROOT_PASSWORD=adminpassword
+# MinIO / S3 Configuration
 MINIO_ENDPOINT=minio
 MINIO_PORT=9000
 MINIO_USE_SSL=false
@@ -16,4 +11,6 @@ MINIO_BUCKET_NAME=occto-images
 
 # Application
 NODE_ENV=production
-JWT_SECRET=b33500bb3dc5504535c34cc5f79f4ca0f60994b093bded14d48f76c0c090f032234693219e60398cab053a9c55c1d426ef7b1768104db9040254ba7db452f708
+DOMAIN=localhost
+JWT_SECRET=generate_a_random_string_here
+LIBRETRANSLATE_URL=https://libretranslate.stackbyte.cloud
diff --git a/docker-compose.yml b/docker-compose.yml
index f9da1a6..cb07dec 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
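Review bot: In the second `.env.example` hunk (`@@ -16,4 +11,6 @@`), `JWT_SECRET=generate_a_random_string_here` is itself a usable secret, so a deployment that copies the example unchanged would sign tokens with a key anyone can read in the repository. I would leave the value empty and say how to produce one, with the comment `# generate with: openssl rand -hex 64` placed above a bare `JWT_SECRET=`. An empty value is easier for a required-variable check to reject than a plausible-looking string; whether the application performs such a check is not visible on this page.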
@@ -12,16 +12,16 @@ services:
 environment:
 - NODE_ENV=${NODE_ENV:-production}
 # Conexão com o banco centralizado (Postgres unificado)
- - DATABASE_URL=postgresql://bd-user:O1vLMhy9yZ7ZdSsX9ZqK@banco-de-dados-postgress-slcggn:5432/bd-geral?schema=occto
+ - DATABASE_URL=${DATABASE_URL}
 # Configurações de Mídias (S3)
- - MINIO_ENDPOINT=${MINIO_ENDPOINT:-minio}
+ - MINIO_ENDPOINT=${MINIO_ENDPOINT}
 - MINIO_PORT=${MINIO_PORT:-9000}
 - MINIO_USE_SSL=${MINIO_USE_SSL:-false}
- - MINIO_ACCESS_KEY=${MINIO_ACCESS_KEY:-admin}
- - MINIO_SECRET_KEY=${MINIO_SECRET_KEY:-adminpassword}
+ - MINIO_ACCESS_KEY=${MINIO_ACCESS_KEY}
+ - MINIO_SECRET_KEY=${MINIO_SECRET_KEY}
 - MINIO_BUCKET_NAME=${MINIO_BUCKET_NAME:-occto-images}
 # Segurança e Outros
- - JWT_SECRET=${JWT_SECRET:-b33500bb3dc5504535c34cc5f79f4ca0f60994b093bded14d48f76c0c090f032234693219e60398cab053a9c55c1d426ef7b1768104db9040254ba7db452f708}
+ - JWT_SECRET=${JWT_SECRET}
 - LIBRETRANSLATE_URL=${LIBRETRANSLATE_URL:-https://libretranslate.stackbyte.cloud}
 labels:
 - "traefik.enable=true"
@@ -42,6 +42,5 @@ networks:
 dokploy-network:
 external: true
 
-# Volumes do Postgres local foram removidos já que o banco agora é externo.
 volumes:
 minio_data:
diff --git a/env.migration.txt b/env.migration.txt
new file mode 100644
index 0000000..fd55341
--- /dev/null
+++ b/env.migration.txt
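Review bot: With the defaults dropped in the `@@ -12,16 +12,16 @@` hunk, `${DATABASE_URL}`, `${MINIO_ACCESS_KEY}`, `${MINIO_SECRET_KEY}` and `${JWT_SECRET}` expand to an empty string when the variable is unset, and Compose only prints a warning. The container can therefore start with an empty JWT secret; whether the application rejects that is not visible here. Compose's required-variable form makes the deployment fail instead: `- JWT_SECRET=${JWT_SECRET:?JWT_SECRET must be set}`, and likewise for the other three. `MINIO_ENDPOINT` also lost its default, which is not a secret, so `${MINIO_ENDPOINT:-minio}` could stay. The `environment:` list belongs to a service definition that starts above the hunk.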
@@ -0,0 +1,18 @@
+# Database Configuration (Novo Servidor Unificado)
+# Use o schema=occto para manter o isolamento
+DATABASE_URL=postgresql://bd-user:O1vLMhy9yZ7ZdSsX9ZqK@banco-de-dados-postgress-slcggn:5432/bd-geral?schema=occto
+
+# MinIO / S3 Configuration
+# Mantenha os valores originais ou atualize para o novo S3 unificado
+MINIO_ENDPOINT=minio
+MINIO_PORT=9000
+MINIO_USE_SSL=false
+MINIO_ACCESS_KEY=admin
+MINIO_SECRET_KEY=adminpassword
+MINIO_BUCKET_NAME=occto-images
+
+# Application
+NODE_ENV=production
+DOMAIN=seu-dominio.com.br
+JWT_SECRET=b33500bb3dc5504535c34cc5f79f4ca0f60994b093bded14d48f76c0c090f032234693219e60398cab053a9c55c1d426ef7b1768104db9040254ba7db452f708
+LIBRETRANSLATE_URL=https://libretranslate.stackbyte.cloud
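Review bot: The credentials this commit removes elsewhere are committed again in `env.migration.txt`. Its `DATABASE_URL` line holds the same user, password and host that the docker-compose.yml hunk deletes, and `JWT_SECRET` holds the same key removed from `.env.example` and from the compose default. The secrets therefore stay in the current tree, not only in history. I would keep the file out of version control (an `env.migration.txt` entry in `.gitignore`) or replace the values with placeholders such as `DATABASE_URL=postgresql://USER:PASSWORD@HOST:PORT/DATABASE?schema=occto`, passing the real values through the deployment platform's secret settings. The removed lines show the database password, the JWT key and the MinIO key pair were already tracked before this commit, so they should be rotated regardless of this cleanup.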