From 909f636cb0a5553d014233b52b5e6add86c62a4d Mon Sep 17 00:00:00 2001
From: Khwezi Mngoma <khwezi@litecharms.co.za>
Date: Sat, 20 Jun 2026 17:02:40 +0200
Subject: [PATCH] Refactored penpot to use its own database

---
 docker-stacks/app-server/penpot.yml | 38 +++++++++++++++++++++++------
 1 file changed, 31 insertions(+), 7 deletions(-)

diff --git a/docker-stacks/app-server/penpot.yml b/docker-stacks/app-server/penpot.yml
index cbb32e5..527d5ca 100644
--- a/docker-stacks/app-server/penpot.yml
+++ b/docker-stacks/app-server/penpot.yml
@@ -1,6 +1,6 @@
 x-flags: &penpot-flags
   # Merged disable-sandbox into the flags array to protect the headless engine
-  PENPOT_FLAGS: disable-email-verification enable-smtp enable-prepl-server disable-secure-session-cookies enable-mcp disable-sandbox
+  PENPOT_FLAGS: disable-email-verification enable-smtp enable-prepl-server disable-secure-session-cookies enable-mcp disable-sandbox enable-login-with-password
 
 x-uri: &penpot-public-uri
   PENPOT_PUBLIC_URI: ${PENPOT_PUBLIC_URI}
@@ -18,6 +18,7 @@ networks:
 
 volumes:
   penpot_assets:
+  penpot_postgres_v15: # Added to persist your local database tables across container restarts
 
 services:
   penpot-frontend:
@@ -45,16 +46,19 @@ services:
       - penpot-net
     ports:
       - "6060:6060"
+    depends_on:
+      penpot-postgres:
+        condition: service_healthy # Binds initialization order to a healthy local database
     environment:
       << : [*penpot-flags, *penpot-public-uri, *penpot-http-body-size, *penpot-secret-key]
       
       # Security Handshake Key for internal Exporter validation routines
       PENPOT_EXPORTER_SECRET_KEY: ${PENPOT_EXPORTER_SECRET_KEY}
 
-      ## Database connection parameters pointing directly to your external LXC
-      # Note: Ensure the raw string value assigned to this variable inside your .env 
-      # has special characters URL-encoded (e.g. postgresql://penpot:ddlO%26%40jdw72%23zA@...)
-      PENPOT_DATABASE_URI: ${PENPOT_DATABASE_URI}
+      ## Local Internal Database connection parameters
+      PENPOT_DATABASE_URI: postgresql://penpot-postgres/penpot
+      PENPOT_DATABASE_USERNAME: penpot
+      PENPOT_DATABASE_PASSWORD: penpot
 
       ## Valkey/Redis parameters routed directly to your active k3s node
       PENPOT_REDIS_URI: ${PENPOT_REDIS_URI}
@@ -65,7 +69,6 @@ services:
 
       ## Telemetry & Optional settings
       PENPOT_TELEMETRY_ENABLED: "false"
-      PENPOT_FLAGS: enable-login-with-password
 
   penpot-mcp:
     image: "penpotapp/mcp:${PENPOT_VERSION:-latest}"
@@ -87,4 +90,25 @@ services:
       ## Valkey/Redis variables duplicated to satisfy background exporter sub-engines
       PENPOT_REDIS_URI: ${PENPOT_REDIS_URI}
       PENPOT_REDIS_URL: ${PENPOT_REDIS_URI}
-      PENPOT_FLAGS: disable-sandbox
\ No newline at end of file
+      PENPOT_FLAGS: disable-sandbox
+
+  # Integrated isolated Database Service
+  penpot-postgres:
+    image: "postgres:15"
+    restart: always
+    stop_signal: SIGINT
+    networks:
+      - penpot-net
+    volumes:
+      - penpot_postgres_v15:/var/lib/postgresql/data
+    environment:
+      - POSTGRES_INITDB_ARGS=--data-checksums
+      - POSTGRES_DB=penpot
+      - POSTGRES_USER=penpot
+      - POSTGRES_PASSWORD=penpot
+    healthcheck:
+      test: ["CMD-SHELL", "pg_isready -U penpot"]
+      interval: 2s
+      timeout: 10s
+      retries: 5
+      start_period: 2s
\ No newline at end of file