Merge pull request #52 from fsr/db-passwords
remove postgresql passwords where they are not needed
This commit is contained in:
commit
7839693bad
|
@ -23,7 +23,7 @@ in
|
||||||
port = 3002;
|
port = 3002;
|
||||||
domain = "${domain}";
|
domain = "${domain}";
|
||||||
protocolUseSSL = true;
|
protocolUseSSL = true;
|
||||||
dbURL = "postgres://hedgedoc:\${DB_PASSWORD}@localhost:5432/hedgedoc";
|
dbURL = "postgres://hedgedoc@%2Frun%2Fpostgresql/hedgedoc";
|
||||||
sessionSecret = "\${SESSION_SECRET}";
|
sessionSecret = "\${SESSION_SECRET}";
|
||||||
csp = {
|
csp = {
|
||||||
enable = true;
|
enable = true;
|
||||||
|
@ -76,7 +76,6 @@ in
|
||||||
user = config.systemd.services.hedgedoc.serviceConfig.User;
|
user = config.systemd.services.hedgedoc.serviceConfig.User;
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
postgres_hedgedoc.owner = user;
|
|
||||||
hedgedoc_session_secret.owner = user;
|
hedgedoc_session_secret.owner = user;
|
||||||
hedgedoc_ldap_search = {
|
hedgedoc_ldap_search = {
|
||||||
key = "portunus/search-password";
|
key = "portunus/search-password";
|
||||||
|
@ -85,21 +84,7 @@ in
|
||||||
};
|
};
|
||||||
|
|
||||||
systemd.services.hedgedoc.preStart = lib.mkBefore ''
|
systemd.services.hedgedoc.preStart = lib.mkBefore ''
|
||||||
export DB_PASSWORD="$(cat ${config.sops.secrets.postgres_hedgedoc.path})"
|
|
||||||
export SESSION_SECRET="$(cat ${config.sops.secrets.hedgedoc_session_secret.path})"
|
export SESSION_SECRET="$(cat ${config.sops.secrets.hedgedoc_session_secret.path})"
|
||||||
export LDAP_CREDENTIALS="$(cat ${config.sops.secrets.hedgedoc_ldap_search.path})"
|
export LDAP_CREDENTIALS="$(cat ${config.sops.secrets.hedgedoc_ldap_search.path})"
|
||||||
'';
|
'';
|
||||||
systemd.services.hedgedoc.after = [ "hedgedoc-pgsetup.service" ];
|
|
||||||
|
|
||||||
systemd.services.hedgedoc-pgsetup = {
|
|
||||||
description = "Prepare HedgeDoc postgres database";
|
|
||||||
wantedBy = [ "multi-user.target" ];
|
|
||||||
after = [ "networking.target" "postgresql.service" ];
|
|
||||||
serviceConfig.Type = "oneshot";
|
|
||||||
|
|
||||||
path = [ pkgs.sudo config.services.postgresql.package ];
|
|
||||||
script = ''
|
|
||||||
sudo -u ${config.services.postgresql.superUser} psql -c "ALTER ROLE hedgedoc WITH PASSWORD '$(cat ${config.sops.secrets.postgres_hedgedoc.path})'"
|
|
||||||
'';
|
|
||||||
};
|
|
||||||
}
|
}
|
||||||
|
|
|
@ -4,10 +4,6 @@ let
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
sops.secrets = {
|
sops.secrets = {
|
||||||
postgres_nextcloud = {
|
|
||||||
owner = "nextcloud";
|
|
||||||
group = "nextcloud";
|
|
||||||
};
|
|
||||||
nextcloud_adminpass = {
|
nextcloud_adminpass = {
|
||||||
owner = "nextcloud";
|
owner = "nextcloud";
|
||||||
group = "nextcloud";
|
group = "nextcloud";
|
||||||
|
@ -42,7 +38,6 @@ in
|
||||||
dbuser = "nextcloud";
|
dbuser = "nextcloud";
|
||||||
dbhost = "/run/postgresql";
|
dbhost = "/run/postgresql";
|
||||||
dbname = "nextcloud";
|
dbname = "nextcloud";
|
||||||
dbpassFile = config.sops.secrets.postgres_nextcloud.path;
|
|
||||||
adminpassFile = config.sops.secrets.nextcloud_adminpass.path;
|
adminpassFile = config.sops.secrets.nextcloud_adminpass.path;
|
||||||
adminuser = "root";
|
adminuser = "root";
|
||||||
};
|
};
|
||||||
|
|
|
@ -2,13 +2,9 @@
|
||||||
let
|
let
|
||||||
sogo-hostname = "mail.${config.fsr.domain}";
|
sogo-hostname = "mail.${config.fsr.domain}";
|
||||||
domain = config.fsr.domain;
|
domain = config.fsr.domain;
|
||||||
pg-port = toString config.services.postgresql.port;
|
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
sops.secrets = {
|
sops.secrets = {
|
||||||
postgres_sogo = {
|
|
||||||
owner = config.systemd.services.sogo.serviceConfig.User;
|
|
||||||
};
|
|
||||||
sogo_ldap_search = {
|
sogo_ldap_search = {
|
||||||
key = "portunus/search-password";
|
key = "portunus/search-password";
|
||||||
owner = config.systemd.services.sogo.serviceConfig.User;
|
owner = config.systemd.services.sogo.serviceConfig.User;
|
||||||
|
@ -36,16 +32,15 @@ in
|
||||||
id = directory;
|
id = directory;
|
||||||
|
|
||||||
});
|
});
|
||||||
SOGoProfileURL = "postgresql://sogo:POSTGRES_PASSWORD@localhost:${pg-port}/sogo/sogo_user_profile";
|
SOGoProfileURL = "postgresql://sogo@%2frun%2Fpostgresql/sogo/sogo_user_profile";
|
||||||
OCSSessionsFolderURL = "postgresql://sogo:POSTGRES_PASSWORD@localhost:${pg-port}/sogo/sogo_sessions_folder";
|
OCSSessionsFolderURL = "postgresql://sogo@%2frun%2Fpostgresql/sogo/sogo_sessions_folder";
|
||||||
OCSFolderInfoURL = "postgresql://sogo:POSTGRES_PASSWORD@localhost:${pg-port}/sogo/sogo_folder_info";
|
OCSFolderInfoURL = "postgresql://sogo:POSTGRES_PASSWORD@%2frun%2Fpostgresql/sogo/sogo_folder_info";
|
||||||
SOGoSieveServer = sieve://127.0.0.1:4190;
|
SOGoSieveServer = sieve://127.0.0.1:4190;
|
||||||
SOGoSieveScriptsEnabled = YES;
|
SOGoSieveScriptsEnabled = YES;
|
||||||
SOGoVacationEnabled = YES;
|
SOGoVacationEnabled = YES;
|
||||||
'';
|
'';
|
||||||
configReplaces = {
|
configReplaces = {
|
||||||
"LDAP_SEARCH" = config.sops.secrets.sogo_ldap_search.path;
|
"LDAP_SEARCH" = config.sops.secrets.sogo_ldap_search.path;
|
||||||
"POSTGRES_PASSWORD" = config.sops.secrets.postgres_sogo.path;
|
|
||||||
};
|
};
|
||||||
vhostName = "${sogo-hostname}";
|
vhostName = "${sogo-hostname}";
|
||||||
timezone = "Europe/Berlin";
|
timezone = "Europe/Berlin";
|
||||||
|
@ -106,8 +101,6 @@ in
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
systemd.services.sogo.after = [ "sogo-pgsetup.service" ];
|
|
||||||
|
|
||||||
# one of these prevents access to sendmail, don't know which one
|
# one of these prevents access to sendmail, don't know which one
|
||||||
systemd.services.sogo.serviceConfig = {
|
systemd.services.sogo.serviceConfig = {
|
||||||
LockPersonality = lib.mkForce false;
|
LockPersonality = lib.mkForce false;
|
||||||
|
@ -129,17 +122,4 @@ in
|
||||||
ReadWriteDirectories = "/var/lib/postfix/queue/maildrop";
|
ReadWriteDirectories = "/var/lib/postfix/queue/maildrop";
|
||||||
|
|
||||||
};
|
};
|
||||||
|
|
||||||
systemd.services.sogo-pgsetup = {
|
|
||||||
description = "Prepare Sogo postgres database";
|
|
||||||
wantedBy = [ "multi-user.target" ];
|
|
||||||
after = [ "networking.target" "postgresql.service" ];
|
|
||||||
serviceConfig.Type = "oneshot";
|
|
||||||
|
|
||||||
path = [ pkgs.sudo config.services.postgresql.package ];
|
|
||||||
script = ''
|
|
||||||
sudo -u ${config.services.postgresql.superUser} psql -c "ALTER ROLE sogo WITH PASSWORD '$(cat ${config.sops.secrets.postgres_sogo.path})'"
|
|
||||||
'';
|
|
||||||
};
|
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
|
@ -11,7 +11,6 @@ in
|
||||||
config = {
|
config = {
|
||||||
domain = "https://${domain}";
|
domain = "https://${domain}";
|
||||||
signupsAllowed = false;
|
signupsAllowed = false;
|
||||||
# somehow this works
|
|
||||||
databaseUrl = "postgresql://vaultwarden@%2Frun%2Fpostgresql/vaultwarden";
|
databaseUrl = "postgresql://vaultwarden@%2Frun%2Fpostgresql/vaultwarden";
|
||||||
rocketPort = 8000;
|
rocketPort = 8000;
|
||||||
smtpHost = "127.0.0.1";
|
smtpHost = "127.0.0.1";
|
||||||
|
|
|
@ -1,7 +1,3 @@
|
||||||
postgres_keycloak: ENC[AES256_GCM,data:Vi0NLjpYDvFGIYYL/VPdgOqAS51KXQynBFlBjK64elU=,iv:JY65V7b8zWSX4aNEK5pD7iyxnqIr8jexcG3pIBNbmvg=,tag:auDyPClH1VbWbFoWWK5E9w==,type:str]
|
|
||||||
postgres_hedgedoc: ENC[AES256_GCM,data:PLsPSfAb/b4UyXVW5w/zKkIBySIuPceRx8TvoA1DNok=,iv:v2FtaaJME9Nf/nQNPtpGFwTOXVk5hx7JUc20WI6CpkI=,tag:7obCT3uIPkrYecsraxwWag==,type:str]
|
|
||||||
postgres_nextcloud: ENC[AES256_GCM,data:Lv0Ld3sf+hoUE2qrsf9qGSYf5aVLqm5GIbK2hEoR5Uc=,iv:/4hqMV42J37byJgZZGhMqsHNtutikcXhun2uk2HhsHY=,tag:+L4scIHq2nopBlr64KJgjA==,type:str]
|
|
||||||
postgres_sogo: ENC[AES256_GCM,data:CkHaLVcDuznmjXWNBDKzXdjMY8EkCg6ARHtVkZxNNgI=,iv:CpzmvN/caV+xozQnxEtR99ZJtMAdH5rSt3SHAKiHAIE=,tag:IeNR2z9FG+XepYwsYEHaoA==,type:str]
|
|
||||||
nextcloud_adminpass: ENC[AES256_GCM,data:EMvcFOGJz45P4nvJ5Yy4SziWa2pUWBqt4ZZdde6wegk=,iv:tG9bhB7HPprZMnfV/uC/v7fqmjQd5d4Oj5avOtK2/0A=,tag:8jBDpnahwQsXsD2Ivf6jDw==,type:str]
|
nextcloud_adminpass: ENC[AES256_GCM,data:EMvcFOGJz45P4nvJ5Yy4SziWa2pUWBqt4ZZdde6wegk=,iv:tG9bhB7HPprZMnfV/uC/v7fqmjQd5d4Oj5avOtK2/0A=,tag:8jBDpnahwQsXsD2Ivf6jDw==,type:str]
|
||||||
hedgedoc_session_secret: ENC[AES256_GCM,data:uz7KggZqeZ2eqiCnOcnYh2I1p5BBXTQbC8PUhB2kM2U=,iv:aJDHKCPkccCT/OF6AGZMfRESNmoV9muGHbuCUfLQhH8=,tag:uEVXylpE8MSebqRr+4mQOw==,type:str]
|
hedgedoc_session_secret: ENC[AES256_GCM,data:uz7KggZqeZ2eqiCnOcnYh2I1p5BBXTQbC8PUhB2kM2U=,iv:aJDHKCPkccCT/OF6AGZMfRESNmoV9muGHbuCUfLQhH8=,tag:uEVXylpE8MSebqRr+4mQOw==,type:str]
|
||||||
wg-fsr: ENC[AES256_GCM,data:0WViJp9fNKVxq8LsK5R0Ihn3r+S7CLBk5voKn55dABidlFSLpsA0q+KTxoY=,iv:rc4B8N2otqolSRLfpeRkIn7iNlED7XUjY//OCI2oQ5c=,tag:eWO6LniGnTd8KZ4pSyrR5A==,type:str]
|
wg-fsr: ENC[AES256_GCM,data:0WViJp9fNKVxq8LsK5R0Ihn3r+S7CLBk5voKn55dABidlFSLpsA0q+KTxoY=,iv:rc4B8N2otqolSRLfpeRkIn7iNlED7XUjY//OCI2oQ5c=,tag:eWO6LniGnTd8KZ4pSyrR5A==,type:str]
|
||||||
|
@ -42,8 +38,8 @@ sops:
|
||||||
NEJBTHE2end1RDlHRTNFYlZjTjhib2cKmQRHpBKZ2DbQ5CfOwcSPfZAm9fnnpxUk
|
NEJBTHE2end1RDlHRTNFYlZjTjhib2cKmQRHpBKZ2DbQ5CfOwcSPfZAm9fnnpxUk
|
||||||
+LcR8haK//O3N2uNf9etDW3VsT5ipPucCdFU1m/v9L5tcN6ZP8WP+w==
|
+LcR8haK//O3N2uNf9etDW3VsT5ipPucCdFU1m/v9L5tcN6ZP8WP+w==
|
||||||
-----END AGE ENCRYPTED FILE-----
|
-----END AGE ENCRYPTED FILE-----
|
||||||
lastmodified: "2023-07-19T13:37:39Z"
|
lastmodified: "2023-07-19T15:44:00Z"
|
||||||
mac: ENC[AES256_GCM,data:88GxfgjyJM0LzlaAW1u8CMbKuFXxffY4OAPwxl+nBbzDKwz1M5Vv6EFJnngwYARiE/5F/2lxZIE/uIJtafr+0hmzvaOHg0ISFfg72BmB64P7i8Y1i/ICCsZ28ZDAA5to5J9TzZx+0e1bGziBKvHveEtaAWUbGIBfHCxV9jw0zWw=,iv:Nk61fI0h2QDUunR9xdYpFhIaNtdF0RLyRTliiNTKGHo=,tag:wjQfe2n3c2GeHeRgstARBQ==,type:str]
|
mac: ENC[AES256_GCM,data:pGEkzd78KemWLOsrht9DCHd1Es/zii60nOplfTNTEQjLx/tvnTKUB5756zkAr0vSzeha5M6kfhCRAFhh+Dr680AkUbH5W93PXhIc8zh7rGEo7vpoKg8V91lIvFh+LPQdERLC/Hz4DlJfVv1OA4kn8pkqIa/+1NDvzVgAQmTTLn4=,iv:nTg81OrDWoj27XHbyjMBlGZEYDiwPLok3cmUceLSKxQ=,tag:Y/DchvUgCRZMamTzEV99gA==,type:str]
|
||||||
pgp:
|
pgp:
|
||||||
- created_at: "2023-04-23T17:48:54Z"
|
- created_at: "2023-04-23T17:48:54Z"
|
||||||
enc: |
|
enc: |
|
||||||
|
|
Loading…
Reference in a new issue