Merge pull request #52 from fsr/db-passwords

remove postgresql passwords where they are not needed
2023-07-20 12:48:05 +02:00 · 2023-07-20 12:48:05 +02:00 · 7839693bad
commit 7839693bad
parent 10101a9e18 8ef5af5305
5 changed files with 6 additions and 51 deletions
--- a/modules/hedgedoc.nix
+++ b/modules/hedgedoc.nix
@ -23,7 +23,7 @@ in
        port = 3002;
        domain = "${domain}";
        protocolUseSSL = true;
-        dbURL = "postgres://hedgedoc:\${DB_PASSWORD}@localhost:5432/hedgedoc";
+        dbURL = "postgres://hedgedoc@%2Frun%2Fpostgresql/hedgedoc";
        sessionSecret = "\${SESSION_SECRET}";
        csp = {
          enable = true;
@ -76,7 +76,6 @@ in
      user = config.systemd.services.hedgedoc.serviceConfig.User;
    in
    {
-      postgres_hedgedoc.owner = user;
      hedgedoc_session_secret.owner = user;
      hedgedoc_ldap_search = {
        key = "portunus/search-password";
@ -85,21 +84,7 @@ in
    };

  systemd.services.hedgedoc.preStart = lib.mkBefore ''
-    export DB_PASSWORD="$(cat ${config.sops.secrets.postgres_hedgedoc.path})"
    export SESSION_SECRET="$(cat ${config.sops.secrets.hedgedoc_session_secret.path})"
    export LDAP_CREDENTIALS="$(cat ${config.sops.secrets.hedgedoc_ldap_search.path})"
  '';
-  systemd.services.hedgedoc.after = [ "hedgedoc-pgsetup.service" ];
-
-  systemd.services.hedgedoc-pgsetup = {
-    description = "Prepare HedgeDoc postgres database";
-    wantedBy = [ "multi-user.target" ];
-    after = [ "networking.target" "postgresql.service" ];
-    serviceConfig.Type = "oneshot";
-
-    path = [ pkgs.sudo config.services.postgresql.package ];
-    script = ''
-      sudo -u ${config.services.postgresql.superUser} psql -c "ALTER ROLE hedgedoc WITH PASSWORD '$(cat ${config.sops.secrets.postgres_hedgedoc.path})'"
-    '';
-  };
 }
--- a/modules/nextcloud.nix
+++ b/modules/nextcloud.nix
@ -4,10 +4,6 @@ let
 in
 {
  sops.secrets = {
-    postgres_nextcloud = {
-      owner = "nextcloud";
-      group = "nextcloud";
-    };
    nextcloud_adminpass = {
      owner = "nextcloud";
      group = "nextcloud";
@ -42,7 +38,6 @@ in
        dbuser = "nextcloud";
        dbhost = "/run/postgresql";
        dbname = "nextcloud";
-        dbpassFile = config.sops.secrets.postgres_nextcloud.path;
        adminpassFile = config.sops.secrets.nextcloud_adminpass.path;
        adminuser = "root";
      };
--- a/modules/sogo.nix
+++ b/modules/sogo.nix
@ -2,13 +2,9 @@
 let
  sogo-hostname = "mail.${config.fsr.domain}";
  domain = config.fsr.domain;
-  pg-port = toString config.services.postgresql.port;
 in
 {
  sops.secrets = {
-    postgres_sogo = {
-      owner = config.systemd.services.sogo.serviceConfig.User;
-    };
    sogo_ldap_search = {
      key = "portunus/search-password";
      owner = config.systemd.services.sogo.serviceConfig.User;
@ -36,16 +32,15 @@ in
          id = directory;
      
        });
-        SOGoProfileURL = "postgresql://sogo:POSTGRES_PASSWORD@localhost:${pg-port}/sogo/sogo_user_profile";    
-        OCSSessionsFolderURL = "postgresql://sogo:POSTGRES_PASSWORD@localhost:${pg-port}/sogo/sogo_sessions_folder";
-        OCSFolderInfoURL = "postgresql://sogo:POSTGRES_PASSWORD@localhost:${pg-port}/sogo/sogo_folder_info";
+        SOGoProfileURL = "postgresql://sogo@%2frun%2Fpostgresql/sogo/sogo_user_profile";    
+        OCSSessionsFolderURL = "postgresql://sogo@%2frun%2Fpostgresql/sogo/sogo_sessions_folder";
+        OCSFolderInfoURL = "postgresql://sogo:POSTGRES_PASSWORD@%2frun%2Fpostgresql/sogo/sogo_folder_info";
        SOGoSieveServer = sieve://127.0.0.1:4190;
        SOGoSieveScriptsEnabled = YES;
        SOGoVacationEnabled = YES;
      '';
      configReplaces = {
        "LDAP_SEARCH" = config.sops.secrets.sogo_ldap_search.path;
-        "POSTGRES_PASSWORD" = config.sops.secrets.postgres_sogo.path;
      };
      vhostName = "${sogo-hostname}";
      timezone = "Europe/Berlin";
@ -106,8 +101,6 @@ in
    };
  };

-  systemd.services.sogo.after = [ "sogo-pgsetup.service" ];
-
  # one of these prevents access to sendmail, don't know which one
  systemd.services.sogo.serviceConfig = {
    LockPersonality = lib.mkForce false;
@ -129,17 +122,4 @@ in
    ReadWriteDirectories = "/var/lib/postfix/queue/maildrop";

  };
-
-  systemd.services.sogo-pgsetup = {
-    description = "Prepare Sogo postgres database";
-    wantedBy = [ "multi-user.target" ];
-    after = [ "networking.target" "postgresql.service" ];
-    serviceConfig.Type = "oneshot";
-
-    path = [ pkgs.sudo config.services.postgresql.package ];
-    script = ''
-      sudo -u ${config.services.postgresql.superUser} psql -c "ALTER ROLE sogo WITH PASSWORD '$(cat ${config.sops.secrets.postgres_sogo.path})'"
-    '';
-  };
-
 }
--- a/modules/vaultwarden.nix
+++ b/modules/vaultwarden.nix
@ -11,7 +11,6 @@ in
    config = {
      domain = "https://${domain}";
      signupsAllowed = false;
-      # somehow this works
      databaseUrl = "postgresql://vaultwarden@%2Frun%2Fpostgresql/vaultwarden";
      rocketPort = 8000;
      smtpHost = "127.0.0.1";