All passwords are auto-generated during installation (32+ character random strings) and stored in .env.
- File permissions are set to
600(owner-only) byinstall.sh .envis excluded from version control (.gitignore)- Back up
.envsecurely — it contains all service credentials
Services are exposed on individual ports without TLS encryption. Only use in trusted networks (home lab, VPN).
Restrict access to necessary ports:
sudo ufw allow 8080/tcp # Open WebUI
sudo ufw allow 11434/tcp # Ollama API
sudo ufw enableOpen WebUI: The first account created gets admin privileges. Create your account immediately after installation to prevent unauthorized access.
docker compose stop
docker compose start postgres
docker exec postgres psql -U ancroo -c "ALTER USER ancroo PASSWORD 'new-password';"
# Update POSTGRES_PASSWORD and all DATABASE_URL entries in .env
docker compose up -dReport security issues privately via GitHub Security Advisory.
Response time: within 48 hours.