about summary refs log tree commit diff
path: root/ops/nixos/whitby
diff options
context:
space:
mode:
authorGriffin Smith <grfn@gws.fyi>2020-07-28T01·30-0400
committerglittershark <grfn@gws.fyi>2020-07-28T01·35+0000
commitd9262bd6c68ddf39cc22c147ecf40867f4ec3fb9 (patch)
treedc1e32ce587fd511a3c111a18898f493299e450c /ops/nixos/whitby
parentb2c34c4ba3ec7e8bf3110c05b31dc909c395e916 (diff)
feat(ops/nixos): Use database password for Panettone r/1502
It appears this didn't even *work* without a password, so we've been
forced into being more secure.

Change-Id: I4ff9d04961a703a85299dafb79e8447b0a933fc1
Reviewed-on: https://cl.tvl.fyi/c/depot/+/1491
Tested-by: BuildkiteCI
Reviewed-by: tazjin <mail@tazj.in>
Diffstat (limited to 'ops/nixos/whitby')
-rw-r--r--ops/nixos/whitby/default.nix9
1 files changed, 6 insertions, 3 deletions
diff --git a/ops/nixos/whitby/default.nix b/ops/nixos/whitby/default.nix
index ad631e7959b3..f28e8789f821 100644
--- a/ops/nixos/whitby/default.nix
+++ b/ops/nixos/whitby/default.nix
@@ -221,6 +221,7 @@ in lib.fix(self: {
       enable = true;
       dbUser = "panettone";
       dbName = "panettone";
+      secretsFile = "/etc/secrets/panettone";
     };
   };
 
@@ -228,10 +229,12 @@ in lib.fix(self: {
     enable = true;
     enableTCPIP = true;
 
-    authentication = lib.mkOverride 10 ''
+    authentication = lib.mkForce ''
       local all all trust
-      host all all ::1/128 trust
-      hostnossl all all ::1/128 trust
+      host all all 127.0.0.1/32 password
+      host all all ::1/128 password
+      hostnossl all all 127.0.0.1/32 password
+      hostnossl all all ::1/128  password
     '';
 
     ensureDatabases = [