Auto Generation of django secret key

.env_sample

@@ -1,5 +1,3 @@
-SECRET_KEY=change-this-secret
-
 # For local setup and debug
 DEBUG=True
 

docker-compose.yml

@@ -26,7 +26,11 @@ services:
       context: .
       dockerfile: packaging/container/Containerfile
     # NOTE: We use watchmedo to reload gunicorn nicely, Uvicorn + Gunicorn reloads don't work well
-    command: ["python manage.py migrate --no-input && python manage.py collectstatic --no-input && cd /app/src && watchmedo auto-restart -p '*.py' --recursive -- python3 ./gunicorn_run.py"]
+    command:
+        - bash
+        - -c
+        - "cd /app/src && watchmedo auto-restart -p '*.py' --recursive -- python3 ./gunicorn_run.py"
+
     environment:
       - DATABASE_URL=postgres://${DB_USERNAME}:${DB_PASSWORD}@${DB_HOST}:${DB_PORT}/${DB_NAME}
     env_file: .env
@@ -241,4 +245,4 @@ services:
     logging:
       options:
         max-size: "20m"
-        max-file: "5"
+        max-file: "5"

packaging/container/Containerfile

@@ -15,6 +15,8 @@ COPY uv.lock ./
 # Install dependencies
 RUN uv sync --all-extras --frozen
 
-
 WORKDIR /app
-ENTRYPOINT ["/bin/bash", "-c"]
+# Copier l'entrypoint
+COPY packaging/container/entrypoint.sh /entrypoint.sh
+RUN chmod +x /entrypoint.sh
+ENTRYPOINT ["/entrypoint.sh"]

packaging/container/entrypoint.sh

@@ -0,0 +1,47 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+ENV_FILE=/app/.env
+TMP_FILE="${ENV_FILE}.tmp"
+
+# read existing DJANGO_SECRET_KEY from .env (raw value after =)
+existing=""
+if [ -f "$ENV_FILE" ]; then
+  existing=$(grep -E '^DJANGO_SECRET_KEY=' "$ENV_FILE" | tail -n1 | sed -E 's/^DJANGO_SECRET_KEY=//')
+fi
+
+# if variable is already provided by environment, persist it if absent from .env
+if [ -n "${DJANGO_SECRET_KEY:-}" ]; then
+  KEY="$DJANGO_SECRET_KEY"
+  if [ -z "$existing" ]; then
+    esc=$(printf '%s' "$KEY" | sed "s/'/'\\\\''/g")
+    if [ -f "$ENV_FILE" ]; then
+      grep -v -E '^DJANGO_SECRET_KEY=' "$ENV_FILE" > "$TMP_FILE" || true
+    else
+      : > "$TMP_FILE"
+    fi
+    printf "DJANGO_SECRET_KEY='%s'\n" "$esc" >> "$TMP_FILE"
+    mv "$TMP_FILE" "$ENV_FILE"
+  fi
+  export DJANGO_SECRET_KEY="$KEY"
+else
+  if [ -n "$existing" ]; then
+    # remove surrounding quotes if present
+    KEY=$(printf '%s' "$existing" | sed -E "s/^'(.*)'$/\1/; s/^\"(.*)\"$/\1/")
+    export DJANGO_SECRET_KEY="$KEY"
+  else
+    # generate, persist and export
+    KEY=$(python -c "from django.core.management.utils import get_random_secret_key; print(get_random_secret_key())")
+    esc=$(printf '%s' "$KEY" | sed "s/'/'\\\\''/g")
+    if [ -f "$ENV_FILE" ]; then
+      grep -v -E '^DJANGO_SECRET_KEY=' "$ENV_FILE" > "$TMP_FILE" || true
+    else
+      : > "$TMP_FILE"
+    fi
+    printf "DJANGO_SECRET_KEY='%s'\n" "$esc" >> "$TMP_FILE"
+    mv "$TMP_FILE" "$ENV_FILE"
+    export DJANGO_SECRET_KEY="$KEY"
+  fi
+fi
+
+exec "$@"

src/settings/base.py

@@ -5,7 +5,7 @@
 from celery import signals
 import dj_database_url
 from .logs_loguru import configure_logging
-
+from django.core.management.utils import get_random_secret_key
 
 BASE_DIR = os.path.dirname(os.path.dirname(os.path.abspath(__file__)))
 # Also add ../../apps to python path
@@ -119,7 +119,10 @@
 USE_I18N = True
 USE_L10N = True
 USE_TZ = True
-SECRET_KEY = os.environ.get("SECRET_KEY", '(*0&74%ihg0ui+400+@%2pe92_c)x@w2m%6s(jhs^)dc$&&g93')
+
+### SECRET KEY ###
+SECRET_KEY = os.environ.get("DJANGO_SECRET_KEY", get_random_secret_key())
+
 LOGIN_REDIRECT_URL = '/'
 LOGOUT_REDIRECT_URL = '/'