Add configurable admin password via environment variable

backend/app/auth.py

@@ -360,21 +360,36 @@ def create_default_admin(db: Session) -> Optional[User]:
     """Create the default admin user if no users exist.
 
     Returns the created user, or None if users already exist.
+
+    The admin password can be set via ORCHARD_ADMIN_PASSWORD environment variable.
+    If not set, defaults to 'changeme123' and requires password change on first login.
     """
     # Check if any users exist
     user_count = db.query(User).count()
     if user_count > 0:
         return None
 
+    settings = get_settings()
+
+    # Use configured password or default
+    password = settings.admin_password if settings.admin_password else "changeme123"
+    # Only require password change if using the default password
+    must_change = not settings.admin_password
+
     # Create default admin
     auth_service = AuthService(db)
     admin = auth_service.create_user(
         username="admin",
-        password="changeme123",
+        password=password,
         is_admin=True,
-        must_change_password=True,
+        must_change_password=must_change,
     )
 
+    if settings.admin_password:
+        logger.info("Created default admin user with configured password")
+    else:
+        logger.info("Created default admin user with default password (changeme123)")
+
     return admin
 
 

backend/app/config.py

@@ -53,6 +53,9 @@ class Settings(BaseSettings):
     log_level: str = "INFO"  # DEBUG, INFO, WARNING, ERROR, CRITICAL
     log_format: str = "auto"  # "json", "standard", or "auto" (json in production)
 
+    # Initial admin user settings
+    admin_password: str = ""  # Initial admin password (if empty, uses 'changeme123')
+
     # JWT Authentication settings (optional, for external identity providers)
     jwt_enabled: bool = False  # Enable JWT token validation
     jwt_secret: str = ""  # Secret key for HS256, or leave empty for RS256 with JWKS