Security hardening: delete default users and use custom API key

Replace base image startup with custom start.sh that deletes default
Argilla users (owner, admin, argilla) and sets ARGILLA_API_KEY on
the custom admin user. Fixes backup 401 and makes Space safe to go public.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

Dockerfile

@@ -3,8 +3,10 @@ FROM argilla/argilla-quickstart:latest
 # Install dependencies for backup script (uses REST API, no argilla client needed)
 RUN pip install --no-cache-dir huggingface_hub
 
-# Copy backup script to a location honcho can find
+# Copy backup script and custom startup
 COPY backup_to_hub.py /home/argilla/backup_to_hub.py
+COPY start.sh /home/argilla/start.sh
+RUN chmod +x /home/argilla/start.sh
 
 # Copy custom Procfile that adds backup process
 COPY Procfile /home/argilla/Procfile

Procfile

@@ -1,3 +1,3 @@
 elastic: /usr/share/elasticsearch/bin/elasticsearch
-argilla: sleep 30; /bin/bash start_argilla_server.sh
+argilla: sleep 30; /bin/bash /home/argilla/start.sh
 backup: sleep 60; python /home/argilla/backup_to_hub.py

start.sh

@@ -1,24 +1,77 @@
 #!/bin/bash
 
-# Initialize database (run migrations)
+# Initialize database (run migrations - this also creates default users)
 echo "Running database migrations..."
 python -m argilla_server database migrate
 
-# Create default user if USERNAME and PASSWORD are set
+# Create custom admin user from env vars
 if [ -n "$USERNAME" ] && [ -n "$PASSWORD" ]; then
-    echo "Creating admin user..."
+    echo "Creating admin user: $USERNAME"
     python -m argilla_server database users create \
         --username "$USERNAME" \
         --password "$PASSWORD" \
         --role owner || echo "User may already exist, continuing..."
 fi
 
-# Start backup script in background (only if HF_TOKEN is set)
-if [ -n "$HF_TOKEN" ]; then
-    python /app/backup_to_hub.py &
-else
-    echo "WARNING: HF_TOKEN not set, backup disabled"
-fi
+# Security hardening: delete default users and set custom API key
+echo "Securing default user accounts..."
+python3 << 'PYEOF'
+import sqlite3
+import os
+import glob
+
+# Find the Argilla SQLite database
+search_paths = [
+    os.path.expanduser("~/.argilla/argilla.db"),
+    "/home/argilla/.argilla/argilla.db",
+]
+# Also search recursively
+search_paths += glob.glob("/home/argilla/.argilla/**/*.db", recursive=True)
+search_paths += glob.glob("/home/argilla/**/*.db", recursive=True)
+
+db_path = None
+for candidate in search_paths:
+    if os.path.exists(candidate):
+        db_path = candidate
+        break
+
+if not db_path:
+    print("WARNING: Could not find Argilla database, skipping security hardening")
+else:
+    print(f"Found database at: {db_path}")
+    conn = sqlite3.connect(db_path)
+    cursor = conn.cursor()
+
+    # Show current users
+    cursor.execute("SELECT username, role FROM users")
+    print(f"Users before hardening: {cursor.fetchall()}")
+
+    username = os.environ.get("USERNAME", "")
+    api_key = os.environ.get("ARGILLA_API_KEY", "")
+
+    # Delete default users (owner, admin, argilla) but keep our custom user
+    default_users = ["owner", "admin", "argilla"]
+    for default_user in default_users:
+        if default_user != username:
+            cursor.execute("DELETE FROM users WHERE username = ?", (default_user,))
+            if cursor.rowcount > 0:
+                print(f"Deleted default user: {default_user}")
+
+    # Set custom API key on our admin user so backup script can authenticate
+    if api_key and username:
+        cursor.execute("UPDATE users SET api_key = ? WHERE username = ?", (api_key, username))
+        if cursor.rowcount > 0:
+            print(f"Updated API key for user: {username}")
+
+    conn.commit()
+
+    # Verify
+    cursor.execute("SELECT username, role FROM users")
+    print(f"Users after hardening: {cursor.fetchall()}")
+    conn.close()
+PYEOF
+
+echo "Security hardening complete."
 
 # Start Argilla server
 exec python -m argilla_server start --host 0.0.0.0 --port 6900