Implement support for custom passwords in Docker builds by introducing .piscal-build.env file. Update build scripts to load environment variables from this file, enhancing security and flexibility. Revise README documentation to reflect new password handling options.

.gitignore

@@ -48,6 +48,7 @@ piscal
 # Credential files (SECURITY - never commit these)
 credentials.txt
 passwords.txt
+.piscal-build.env
 *.secrets
 *.key
 *.pem

.piscal-build.env.example

@@ -0,0 +1,4 @@
+# Copy to .piscal-build.env and set your production password.
+# .piscal-build.env is gitignored - never commit it.
+#
+# PISCAL_SSH_PASSWORD=your_secure_password

README-Docker.md

@@ -94,16 +94,31 @@ The image uses the v1 layout expected by the LeafWeb client:
 
 ## Advanced Usage
 
-### Custom Credentials at Build Time
+### Baking In a Production Password
 
-If you need different credentials, use Docker build arguments:
+To use a custom password without passing it on the command line:
+
+**Option 1: `.piscal-build.env` (recommended)**
 
 ```bash
-docker build \
+cp .piscal-build.env.example .piscal-build.env
-  --build-arg SSH_USERNAME=customuser \
+# Edit .piscal-build.env and set: PISCAL_SSH_PASSWORD=your_secure_password
-  --build-arg SSH_PASSWORD=custompass \
+./build-docker.sh   # or .\build-docker.ps1
-  -t piscal:custom \
+```
-  .
+
+The build scripts automatically load `.piscal-build.env` (gitignored) and pass the password to the Docker build.
+
+**Option 2: Environment variable**
+
+```bash
+export PISCAL_SSH_PASSWORD="your_secure_password"
+./build-docker.sh
+```
+
+**Option 3: Direct build-arg**
+
+```bash
+docker build --build-arg SSH_PASSWORD=custompass -t piscal:custom .
 ```
 
 ### Custom Storage Path

README.md

@@ -27,6 +27,8 @@ ssh -p 2222 piscaladmin@localhost
 # Password: piscaladmin
 ```
 
+For production builds with a custom password, copy `.piscal-build.env.example` to `.piscal-build.env` and set `PISCAL_SSH_PASSWORD`. See [README-Docker.md](README-Docker.md).
+
 ### Full Docker Documentation
 
 See [README-Docker.md](README-Docker.md) for complete Docker build and deployment documentation, including:

TODO.md

@@ -0,0 +1,3 @@
+# TODO
+
+- [ ] **LeafWeb_storage sunset** – Migrate away from the LeafWeb_storage directory (input/output files) to SQL-backed storage. Data can be reconstituted from SQL as needed.

build-docker.ps1

@@ -3,6 +3,15 @@
 
 $ErrorActionPreference = "Stop"
 
+# Load password from .piscal-build.env if it exists (gitignored)
+if (Test-Path .piscal-build.env) {
+    Get-Content .piscal-build.env | ForEach-Object {
+        if ($_ -match '^\s*([^#][^=]+)=(.*)$') {
+            [Environment]::SetEnvironmentVariable($matches[1].Trim(), $matches[2].Trim(), 'Process')
+        }
+    }
+}
+
 # Generate version tag: YYYYMMDD-gitsha
 $DateTag = Get-Date -Format "yyyyMMdd"
 $GitSha = (git rev-parse --short HEAD).Trim()
@@ -12,12 +21,12 @@ Write-Host "Building PISCAL Docker image..." -ForegroundColor Cyan
 Write-Host "Version: $Version" -ForegroundColor Cyan
 Write-Host ""
 
-# Build with version tag and latest tag (using default ARGs for dev)
+# Build args: use PISCAL_SSH_PASSWORD if set (from env or .piscal-build.env)
-docker build `
+$BuildArgs = @("-t", "piscal:$Version", "-t", "piscal:latest", "-t", "piscal:dev")
-  -t "piscal:$Version" `
+if ($env:PISCAL_SSH_PASSWORD) {
-  -t piscal:latest `
+    $BuildArgs += "--build-arg", "SSH_PASSWORD=$($env:PISCAL_SSH_PASSWORD)"
-  -t piscal:dev `
+}
-  .
+docker build @BuildArgs .
 
 if ($LASTEXITCODE -eq 0) {
     Write-Host ""
@@ -26,15 +35,21 @@ if ($LASTEXITCODE -eq 0) {
     Write-Host "  - piscal:latest" -ForegroundColor Green
     Write-Host "  - piscal:dev" -ForegroundColor Green
     Write-Host ""
-    Write-Host "Default credentials (v1 layout):" -ForegroundColor Cyan
+    if ($env:PISCAL_SSH_PASSWORD) {
-    Write-Host "  Username: piscaladmin" -ForegroundColor Cyan
+        Write-Host "Credentials (from PISCAL_SSH_PASSWORD / .piscal-build.env):" -ForegroundColor Cyan
-    Write-Host "  Password: piscaladmin" -ForegroundColor Cyan
+        Write-Host "  Username: piscaladmin" -ForegroundColor Cyan
+        Write-Host "  Password: (custom)" -ForegroundColor Cyan
+    } else {
+        Write-Host "Default credentials (v1 layout):" -ForegroundColor Cyan
+        Write-Host "  Username: piscaladmin" -ForegroundColor Cyan
+        Write-Host "  Password: piscaladmin" -ForegroundColor Cyan
+    }
     Write-Host "  LeafWeb:  /home/piscaladmin/LeafWeb (scripts + project dirs)" -ForegroundColor Cyan
     Write-Host "  Storage:  /home/piscaladmin/LeafWeb_storage" -ForegroundColor Cyan
     Write-Host "  Executable: /home/piscaladmin/piscal_executable/piscal" -ForegroundColor Cyan
     Write-Host ""
     Write-Host "To run: docker run -d -p 2222:22 --name piscal-server piscal:latest" -ForegroundColor Yellow
-    Write-Host "To SSH: ssh -p 2222 piscaladmin@localhost (password: piscaladmin)" -ForegroundColor Yellow
+    Write-Host "To SSH: ssh -p 2222 piscaladmin@localhost" -ForegroundColor Yellow
 } else {
     Write-Host "Build failed!" -ForegroundColor Red
     exit $LASTEXITCODE

build-docker.sh

@@ -3,6 +3,13 @@
 
 set -e
 
+# Load password from .piscal-build.env if it exists (gitignored)
+if [ -f .piscal-build.env ]; then
+  set -a
+  source .piscal-build.env
+  set +a
+fi
+
 # Generate version tag: YYYYMMDD-gitsha
 DATE_TAG=$(date +%Y%m%d)
 GIT_SHA=$(git rev-parse --short HEAD)
@@ -12,12 +19,13 @@ echo "Building PISCAL Docker image..."
 echo "Version: ${VERSION}"
 echo ""
 
-# Build with version tag and latest tag (using default ARGs for dev)
+# Build args: use PISCAL_SSH_PASSWORD if set (from env or .piscal-build.env)
-docker build \
+BUILD_ARGS=(-t "piscal:${VERSION}" -t piscal:latest -t piscal:dev)
-  -t piscal:${VERSION} \
+if [ -n "${PISCAL_SSH_PASSWORD:-}" ]; then
-  -t piscal:latest \
+  BUILD_ARGS+=(--build-arg "SSH_PASSWORD=${PISCAL_SSH_PASSWORD}")
-  -t piscal:dev \
+fi
-  .
+
+docker build "${BUILD_ARGS[@]}" .
 
 echo ""
 echo "Successfully built:"
@@ -25,12 +33,18 @@ echo "  - piscal:${VERSION}"
 echo "  - piscal:latest"
 echo "  - piscal:dev"
 echo ""
-echo "Default credentials (v1 layout):"
+if [ -n "${PISCAL_SSH_PASSWORD:-}" ]; then
-echo "  Username: piscaladmin"
+  echo "Credentials (from PISCAL_SSH_PASSWORD / .piscal-build.env):"
-echo "  Password: piscaladmin"
+  echo "  Username: piscaladmin"
+  echo "  Password: (custom)"
+else
+  echo "Default credentials (v1 layout):"
+  echo "  Username: piscaladmin"
+  echo "  Password: piscaladmin"
+fi
 echo "  LeafWeb:  /home/piscaladmin/LeafWeb (scripts + project dirs)"
 echo "  Storage:  /home/piscaladmin/LeafWeb_storage"
 echo "  Executable: /home/piscaladmin/piscal_executable/piscal"
 echo ""
 echo "To run: docker run -d -p 2222:22 --name piscal-server piscal:latest"
-echo "To SSH: ssh -p 2222 piscaladmin@localhost (password: piscaladmin)"
+echo "To SSH: ssh -p 2222 piscaladmin@localhost"