From defc2f2324a636074d0ebd163771616d7d55e0b5 Mon Sep 17 00:00:00 2001
From: Rouven Seifert
Date: Wed, 19 Jul 2023 17:44:49 +0200
Subject: [PATCH 1/2] remove postgresql passwords where they are unneeded

---
 modules/hedgedoc.nix | 17 +----------------
 modules/nextcloud.nix | 5 -----
 modules/sogo.nix | 25 +++----------------------
 modules/vaultwarden.nix | 1 -
 secrets/quitte.yaml | 8 ++------
 5 files changed, 6 insertions(+), 50 deletions(-)

diff --git a/modules/hedgedoc.nix b/modules/hedgedoc.nix
index c29b36b..5e087c4 100644
--- a/modules/hedgedoc.nix
+++ b/modules/hedgedoc.nix
@@ -23,7 +23,7 @@ in
 port = 3002;
 domain = "${domain}";
 protocolUseSSL = true;
- dbURL = "postgres://hedgedoc:\${DB_PASSWORD}@localhost:5432/hedgedoc";
+ dbURL = "postgres://hedgedoc@%2Frun%2Fpostgresql/hedgedoc";
 sessionSecret = "\${SESSION_SECRET}";
 csp = {
 enable = true;
@@ -76,7 +76,6 @@ in
 user = config.systemd.services.hedgedoc.serviceConfig.User;
 in
 {
- postgres_hedgedoc.owner = user;
 hedgedoc_session_secret.owner = user;
 hedgedoc_ldap_search = {
 key = "portunus/search-password";
@@ -85,21 +84,7 @@ in
 };
 systemd.services.hedgedoc.preStart = lib.mkBefore ''
- export DB_PASSWORD="$(cat ${config.sops.secrets.postgres_hedgedoc.path})"
 export SESSION_SECRET="$(cat ${config.sops.secrets.hedgedoc_session_secret.path})"
 export LDAP_CREDENTIALS="$(cat ${config.sops.secrets.hedgedoc_ldap_search.path})"
 '';
- systemd.services.hedgedoc.after = [ "hedgedoc-pgsetup.service" ];
-
- systemd.services.hedgedoc-pgsetup = {
- description = "Prepare HedgeDoc postgres database";
- wantedBy = [ "multi-user.target" ];
- after = [ "networking.target" "postgresql.service" ];
- serviceConfig.Type = "oneshot";
-
- path = [ pkgs.sudo config.services.postgresql.package ];
- script = ''
- sudo -u ${config.services.postgresql.superUser} psql -c "ALTER ROLE hedgedoc WITH PASSWORD '$(cat ${config.sops.secrets.postgres_hedgedoc.path})'"
- '';
- };
 }
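Review bot: The new `dbURL` in the first hunk moves HedgeDoc to passwordless authentication over the `/run/postgresql` socket, but nothing in this series clears the password that the deleted `hedgedoc-pgsetup` oneshot previously set on the role, so the credential removed from `secrets/quitte.yaml` stays valid in the database wherever `pg_hba.conf` still permits password logins (not visible here). Clear it once, e.g. `psql -c "ALTER ROLE hedgedoc WITH PASSWORD NULL"`, or rotate it, and confirm the socket entry in `pg_hba` is `peer`, which also requires `serviceConfig.User` to be exactly `hedgedoc`. Dropping `after = [ "hedgedoc-pgsetup.service" ]` in the last hunk also drops the only visible ordering after `postgresql.service`; unless the upstream hedgedoc module orders it, add `systemd.services.hedgedoc = { after = [ "postgresql.service" ]; requires = [ "postgresql.service" ]; };` so the service does not race the database at boot. The module attribute set closed by the final `}` starts before these hunks.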
diff --git a/modules/nextcloud.nix b/modules/nextcloud.nix
index 031c4f1..8cf37ee 100644
--- a/modules/nextcloud.nix
+++ b/modules/nextcloud.nix
@@ -4,10 +4,6 @@ let
 in
 {
 sops.secrets = {
- postgres_nextcloud = {
- owner = "nextcloud";
- group = "nextcloud";
- };
 nextcloud_adminpass = {
 owner = "nextcloud";
 group = "nextcloud";
@@ -42,7 +38,6 @@ in
 dbuser = "nextcloud";
 dbhost = "/run/postgresql";
 dbname = "nextcloud";
- dbpassFile = config.sops.secrets.postgres_nextcloud.path;
 adminpassFile = config.sops.secrets.nextcloud_adminpass.path;
 adminuser = "root";
 };
diff --git a/modules/sogo.nix b/modules/sogo.nix
index 4747628..75b5fc6 100644
--- a/modules/sogo.nix
+++ b/modules/sogo.nix
@@ -2,13 +2,9 @@ let
 sogo-hostname = "mail.${config.fsr.domain}";
 domain = config.fsr.domain;
- pg-port = toString config.services.postgresql.port;
 in
 {
 sops.secrets = {
- postgres_sogo = {
- owner = config.systemd.services.sogo.serviceConfig.User;
- };
 sogo_ldap_search = {
 key = "portunus/search-password";
 owner = config.systemd.services.sogo.serviceConfig.User;
@@ -36,9 +32,9 @@ in
 id = directory;
 });
- SOGoProfileURL = "postgresql://sogo:POSTGRES_PASSWORD@localhost:${pg-port}/sogo/sogo_user_profile";
- OCSSessionsFolderURL = "postgresql://sogo:POSTGRES_PASSWORD@localhost:${pg-port}/sogo/sogo_sessions_folder";
- OCSFolderInfoURL = "postgresql://sogo:POSTGRES_PASSWORD@localhost:${pg-port}/sogo/sogo_folder_info";
+ SOGoProfileURL = "postgresql://sogo@%2frun%2Fpostgresql/sogo/sogo_user_profile";
+ OCSSessionsFolderURL = "postgresql://sogo@%2frun%2Fpostgresql/sogo/sogo_sessions_folder";
+ OCSFolderInfoURL = "postgresql://sogo:POSTGRES_PASSWORD@%2frun%2Fpostgresql/sogo/sogo_folder_info";
 SOGoSieveServer = sieve://127.0.0.1:4190;
 SOGoSieveScriptsEnabled = YES;
 SOGoVacationEnabled = YES;
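Review bot: `OCSFolderInfoURL` in the last sogo.nix hunk still embeds `sogo:POSTGRES_PASSWORD@` while its two sibling URLs had the credential removed, and the follow-up patch deletes the `POSTGRES_PASSWORD` entry from `configReplaces`, so the literal string `POSTGRES_PASSWORD` is now shipped as the password in that one URL. If the socket is peer-authenticated the value is ignored and this stays silent, but it would equally silently mask a wrong `pg_hba` setup, so make it match the others: `OCSFolderInfoURL = "postgresql://sogo@%2frun%2Fpostgresql/sogo/sogo_folder_info";`. As for the other services, the password set on the `sogo` role by the removed `sogo-pgsetup` oneshot remains in PostgreSQL until explicitly cleared or rotated. Whether SOGo's PostgreSQL adaptor accepts a percent-encoded socket path as host is not established by anything visible here, so verify the connection actually succeeds after deploy. The `sogo` configuration block begins before this hunk.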
@@ -106,8 +102,6 @@ in
 };
 };
- systemd.services.sogo.after = [ "sogo-pgsetup.service" ];
-
 # one of these prevents access to sendmail, don't know which one
 systemd.services.sogo.serviceConfig = {
 LockPersonality = lib.mkForce false;
@@ -129,17 +123,4 @@ in
 ReadWriteDirectories = "/var/lib/postfix/queue/maildrop";
 };
-
- systemd.services.sogo-pgsetup = {
- description = "Prepare Sogo postgres database";
- wantedBy = [ "multi-user.target" ];
- after = [ "networking.target" "postgresql.service" ];
- serviceConfig.Type = "oneshot";
-
- path = [ pkgs.sudo config.services.postgresql.package ];
- script = ''
- sudo -u ${config.services.postgresql.superUser} psql -c "ALTER ROLE sogo WITH PASSWORD '$(cat ${config.sops.secrets.postgres_sogo.path})'"
- '';
- };
-
 }
diff --git a/modules/vaultwarden.nix b/modules/vaultwarden.nix
index 4ea4116..ad62910 100644
--- a/modules/vaultwarden.nix
+++ b/modules/vaultwarden.nix
@@ -11,7 +11,6 @@ in
 config = {
 domain = "https://${domain}";
 signupsAllowed = false;
- # somehow this works
 databaseUrl = "postgresql://vaultwarden@%2Frun%2Fpostgresql/vaultwarden";
 rocketPort = 8000;
 smtpHost = "127.0.0.1";
diff --git a/secrets/quitte.yaml b/secrets/quitte.yaml
index 7df8a20..9d8bb88 100644
--- a/secrets/quitte.yaml
+++ b/secrets/quitte.yaml
@@ -1,7 +1,3 @@
-postgres_keycloak: ENC[AES256_GCM,data:Vi0NLjpYDvFGIYYL/VPdgOqAS51KXQynBFlBjK64elU=,iv:JY65V7b8zWSX4aNEK5pD7iyxnqIr8jexcG3pIBNbmvg=,tag:auDyPClH1VbWbFoWWK5E9w==,type:str]
-postgres_hedgedoc: ENC[AES256_GCM,data:PLsPSfAb/b4UyXVW5w/zKkIBySIuPceRx8TvoA1DNok=,iv:v2FtaaJME9Nf/nQNPtpGFwTOXVk5hx7JUc20WI6CpkI=,tag:7obCT3uIPkrYecsraxwWag==,type:str]
-postgres_nextcloud: ENC[AES256_GCM,data:Lv0Ld3sf+hoUE2qrsf9qGSYf5aVLqm5GIbK2hEoR5Uc=,iv:/4hqMV42J37byJgZZGhMqsHNtutikcXhun2uk2HhsHY=,tag:+L4scIHq2nopBlr64KJgjA==,type:str]
-postgres_sogo: ENC[AES256_GCM,data:CkHaLVcDuznmjXWNBDKzXdjMY8EkCg6ARHtVkZxNNgI=,iv:CpzmvN/caV+xozQnxEtR99ZJtMAdH5rSt3SHAKiHAIE=,tag:IeNR2z9FG+XepYwsYEHaoA==,type:str]
 nextcloud_adminpass: ENC[AES256_GCM,data:EMvcFOGJz45P4nvJ5Yy4SziWa2pUWBqt4ZZdde6wegk=,iv:tG9bhB7HPprZMnfV/uC/v7fqmjQd5d4Oj5avOtK2/0A=,tag:8jBDpnahwQsXsD2Ivf6jDw==,type:str]
 hedgedoc_session_secret: ENC[AES256_GCM,data:uz7KggZqeZ2eqiCnOcnYh2I1p5BBXTQbC8PUhB2kM2U=,iv:aJDHKCPkccCT/OF6AGZMfRESNmoV9muGHbuCUfLQhH8=,tag:uEVXylpE8MSebqRr+4mQOw==,type:str]
 wg-fsr: ENC[AES256_GCM,data:0WViJp9fNKVxq8LsK5R0Ihn3r+S7CLBk5voKn55dABidlFSLpsA0q+KTxoY=,iv:rc4B8N2otqolSRLfpeRkIn7iNlED7XUjY//OCI2oQ5c=,tag:eWO6LniGnTd8KZ4pSyrR5A==,type:str]
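Review bot: `postgres_keycloak` is removed from the secrets file although no keycloak module is touched anywhere in this series; if another module still references `config.sops.secrets.postgres_keycloak` the configuration will fail to evaluate, and if keycloak still authenticates with that password it loses database access on the next deploy, so please confirm before merging. Deleting the four entries also does not retire the passwords themselves: they remain recoverable from git history by the age/PGP recipients and, more importantly, stay set on the PostgreSQL roles, so clear each with `ALTER ROLE <name> WITH PASSWORD NULL` (or rotate) and check that `pg_hba.conf` does not allow password logins for these roles over TCP.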
@@ -42,8 +38,8 @@ sops:
 NEJBTHE2end1RDlHRTNFYlZjTjhib2cKmQRHpBKZ2DbQ5CfOwcSPfZAm9fnnpxUk
 +LcR8haK//O3N2uNf9etDW3VsT5ipPucCdFU1m/v9L5tcN6ZP8WP+w==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2023-07-19T13:37:39Z"
- mac: ENC[AES256_GCM,data:88GxfgjyJM0LzlaAW1u8CMbKuFXxffY4OAPwxl+nBbzDKwz1M5Vv6EFJnngwYARiE/5F/2lxZIE/uIJtafr+0hmzvaOHg0ISFfg72BmB64P7i8Y1i/ICCsZ28ZDAA5to5J9TzZx+0e1bGziBKvHveEtaAWUbGIBfHCxV9jw0zWw=,iv:Nk61fI0h2QDUunR9xdYpFhIaNtdF0RLyRTliiNTKGHo=,tag:wjQfe2n3c2GeHeRgstARBQ==,type:str]
+ lastmodified: "2023-07-19T15:44:00Z"
+ mac: ENC[AES256_GCM,data:pGEkzd78KemWLOsrht9DCHd1Es/zii60nOplfTNTEQjLx/tvnTKUB5756zkAr0vSzeha5M6kfhCRAFhh+Dr680AkUbH5W93PXhIc8zh7rGEo7vpoKg8V91lIvFh+LPQdERLC/Hz4DlJfVv1OA4kn8pkqIa/+1NDvzVgAQmTTLn4=,iv:nTg81OrDWoj27XHbyjMBlGZEYDiwPLok3cmUceLSKxQ=,tag:Y/DchvUgCRZMamTzEV99gA==,type:str]
 pgp:
 - created_at: "2023-04-23T17:48:54Z"
 enc: |
From 8ef5af530579214a8654343a4a400f3361bfd2ca Mon Sep 17 00:00:00 2001
From: Rouven Seifert
Date: Wed, 19 Jul 2023 17:49:32 +0200
Subject: [PATCH 2/2] fix sogo replacements

---
 modules/sogo.nix | 1 -
 1 file changed, 1 deletion(-)

diff --git a/modules/sogo.nix b/modules/sogo.nix
index 75b5fc6..d7e5189 100644
--- a/modules/sogo.nix
+++ b/modules/sogo.nix
@@ -41,7 +41,6 @@ in
 '';
 configReplaces = {
 "LDAP_SEARCH" = config.sops.secrets.sogo_ldap_search.path;
- "POSTGRES_PASSWORD" = config.sops.secrets.postgres_sogo.path;
 };
 vhostName = "${sogo-hostname}";
 timezone = "Europe/Berlin";