forked from wurzel/fruitbasket
remove postgresql passwords where they are unneeded
This commit is contained in:
parent
6d28293c86
commit
defc2f2324
GPG key ID:
B95E8FE6B11C4D09
5 changed files with 6 additions and 50 deletions
|
|
@ -23,7 +23,7 @@ in
|
|||
port = 3002;
|
||||
domain = "${domain}";
|
||||
protocolUseSSL = true;
|
||||
dbURL = "postgres://hedgedoc:\${DB_PASSWORD}@localhost:5432/hedgedoc";
|
||||
dbURL = "postgres://hedgedoc@%2Frun%2Fpostgresql/hedgedoc";
|
||||
sessionSecret = "\${SESSION_SECRET}";
|
||||
csp = {
|
||||
enable = true;
|
||||
|
|
@ -76,7 +76,6 @@ in
|
|||
user = config.systemd.services.hedgedoc.serviceConfig.User;
|
||||
in
|
||||
{
|
||||
postgres_hedgedoc.owner = user;
|
||||
hedgedoc_session_secret.owner = user;
|
||||
hedgedoc_ldap_search = {
|
||||
key = "portunus/search-password";
|
||||
|
|
@ -85,21 +84,7 @@ in
|
|||
};
|
||||
|
||||
systemd.services.hedgedoc.preStart = lib.mkBefore ''
|
||||
export DB_PASSWORD="$(cat ${config.sops.secrets.postgres_hedgedoc.path})"
|
||||
export SESSION_SECRET="$(cat ${config.sops.secrets.hedgedoc_session_secret.path})"
|
||||
export LDAP_CREDENTIALS="$(cat ${config.sops.secrets.hedgedoc_ldap_search.path})"
|
||||
'';
|
||||
systemd.services.hedgedoc.after = [ "hedgedoc-pgsetup.service" ];
|
||||
|
||||
systemd.services.hedgedoc-pgsetup = {
|
||||
description = "Prepare HedgeDoc postgres database";
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
after = [ "networking.target" "postgresql.service" ];
|
||||
serviceConfig.Type = "oneshot";
|
||||
|
||||
path = [ pkgs.sudo config.services.postgresql.package ];
|
||||
script = ''
|
||||
sudo -u ${config.services.postgresql.superUser} psql -c "ALTER ROLE hedgedoc WITH PASSWORD '$(cat ${config.sops.secrets.postgres_hedgedoc.path})'"
|
||||
'';
|
||||
};
|
||||
}
|
||||
|
|
|
|||
|
|
@ -4,10 +4,6 @@ let
|
|||
in
|
||||
{
|
||||
sops.secrets = {
|
||||
postgres_nextcloud = {
|
||||
owner = "nextcloud";
|
||||
group = "nextcloud";
|
||||
};
|
||||
nextcloud_adminpass = {
|
||||
owner = "nextcloud";
|
||||
group = "nextcloud";
|
||||
|
|
@ -42,7 +38,6 @@ in
|
|||
dbuser = "nextcloud";
|
||||
dbhost = "/run/postgresql";
|
||||
dbname = "nextcloud";
|
||||
dbpassFile = config.sops.secrets.postgres_nextcloud.path;
|
||||
adminpassFile = config.sops.secrets.nextcloud_adminpass.path;
|
||||
adminuser = "root";
|
||||
};
|
||||
|
|
|
|||
|
|
@ -2,13 +2,9 @@
|
|||
let
|
||||
sogo-hostname = "mail.${config.fsr.domain}";
|
||||
domain = config.fsr.domain;
|
||||
pg-port = toString config.services.postgresql.port;
|
||||
in
|
||||
{
|
||||
sops.secrets = {
|
||||
postgres_sogo = {
|
||||
owner = config.systemd.services.sogo.serviceConfig.User;
|
||||
};
|
||||
sogo_ldap_search = {
|
||||
key = "portunus/search-password";
|
||||
owner = config.systemd.services.sogo.serviceConfig.User;
|
||||
|
|
@ -36,9 +32,9 @@ in
|
|||
id = directory;
|
||||
|
||||
});
|
||||
SOGoProfileURL = "postgresql://sogo:POSTGRES_PASSWORD@localhost:${pg-port}/sogo/sogo_user_profile";
|
||||
OCSSessionsFolderURL = "postgresql://sogo:POSTGRES_PASSWORD@localhost:${pg-port}/sogo/sogo_sessions_folder";
|
||||
OCSFolderInfoURL = "postgresql://sogo:POSTGRES_PASSWORD@localhost:${pg-port}/sogo/sogo_folder_info";
|
||||
SOGoProfileURL = "postgresql://sogo@%2frun%2Fpostgresql/sogo/sogo_user_profile";
|
||||
OCSSessionsFolderURL = "postgresql://sogo@%2frun%2Fpostgresql/sogo/sogo_sessions_folder";
|
||||
OCSFolderInfoURL = "postgresql://sogo:POSTGRES_PASSWORD@%2frun%2Fpostgresql/sogo/sogo_folder_info";
|
||||
SOGoSieveServer = sieve://127.0.0.1:4190;
|
||||
SOGoSieveScriptsEnabled = YES;
|
||||
SOGoVacationEnabled = YES;
|
||||
|
|
@ -106,8 +102,6 @@ in
|
|||
};
|
||||
};
|
||||
|
||||
systemd.services.sogo.after = [ "sogo-pgsetup.service" ];
|
||||
|
||||
# one of these prevents access to sendmail, don't know which one
|
||||
systemd.services.sogo.serviceConfig = {
|
||||
LockPersonality = lib.mkForce false;
|
||||
|
|
@ -129,17 +123,4 @@ in
|
|||
ReadWriteDirectories = "/var/lib/postfix/queue/maildrop";
|
||||
|
||||
};
|
||||
|
||||
systemd.services.sogo-pgsetup = {
|
||||
description = "Prepare Sogo postgres database";
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
after = [ "networking.target" "postgresql.service" ];
|
||||
serviceConfig.Type = "oneshot";
|
||||
|
||||
path = [ pkgs.sudo config.services.postgresql.package ];
|
||||
script = ''
|
||||
sudo -u ${config.services.postgresql.superUser} psql -c "ALTER ROLE sogo WITH PASSWORD '$(cat ${config.sops.secrets.postgres_sogo.path})'"
|
||||
'';
|
||||
};
|
||||
|
||||
}
|
||||
|
|
|
|||
|
|
@ -11,7 +11,6 @@ in
|
|||
config = {
|
||||
domain = "https://${domain}";
|
||||
signupsAllowed = false;
|
||||
# somehow this works
|
||||
databaseUrl = "postgresql://vaultwarden@%2Frun%2Fpostgresql/vaultwarden";
|
||||
rocketPort = 8000;
|
||||
smtpHost = "127.0.0.1";
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue