One can also add the password (and many more parameters ) to the connection string named "datasource" in the config file. This string is passed to the PostgreSQL driver, that interprets it. The potential options were extended by PostgreSQL over the last years... One more option is to use the standard environment variables as used by PostgreSQL , that might work also without touching the OpenACS config file
i am not sure, whether passing the password via environment variables is the best way, since these can be easily read without any kind of permission checking (when one is able to run a bash/tcl command). I have not done anything with docker, but probably "docker secrets" or other secrets managers provides more security.