authorGriffin Smith <grfn@gws.fyi>2020-07-28T01·30-0400
committerglittershark <grfn@gws.fyi>2020-07-28T01·35+0000
commitd9262bd6c68ddf39cc22c147ecf40867f4ec3fb9 (patch)
treedc1e32ce587fd511a3c111a18898f493299e450c /ops
parentb2c34c4ba3ec7e8bf3110c05b31dc909c395e916 (diff)
feat(ops/nixos): Use database password for Panettone r/1502
It appears this didn't even *work* without a password, so we've been
forced into being more secure.

Change-Id: I4ff9d04961a703a85299dafb79e8447b0a933fc1
Reviewed-on: https://cl.tvl.fyi/c/depot/+/1491
Tested-by: BuildkiteCI
Reviewed-by: tazjin <mail@tazj.in>
Diffstat (limited to 'ops')
-rw-r--r--ops/nixos/panettone.nix15
-rw-r--r--ops/nixos/whitby/default.nix9
2 files changed, 18 insertions, 6 deletions
diff --git a/ops/nixos/panettone.nix b/ops/nixos/panettone.nix
index 3d31d79caf..c95fb7ffde 100644
--- a/ops/nixos/panettone.nix
+++ b/ops/nixos/panettone.nix
@@ -15,21 +15,29 @@ in {
 
     dbHost = mkOption {
       description = "Postgresql host to connect to for Panettone";
-      type = types.string;
+      type = types.str;
       default = "localhost";
     };
 
     dbName = mkOption {
       description = "Name of the database for Panettone";
-      type = types.string;
+      type = types.str;
       default = "panettone";
     };
 
     dbUser = mkOption {
       description = "Name of the database user for Panettone";
-      type = types.string;
+      type = types.str;
       default = "panettone";
     };
+
+    secretsFile = mkOption {
+      description = ''
+        Path to a file containing secrets, in the format accepted
+        by systemd's EnvironmentFile
+      '';
+      type = types.str;
+    };
   };
 
   config = lib.mkIf cfg.enable {
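Review bot: The new `secretsFile` option is typed `types.str` rather than `types.path`, and that choice is load-bearing for a secrets path: a `types.path` pointing at a real file would be copied into the world-readable Nix store at evaluation time, whereas a plain string is only passed through to systemd. The description does not record this, so a later cleanup could "fix" the type and leak the file. Suggest extending the description with `Kept as a string (not types.path) so the file is never copied into the Nix store; it must exist on the target host at activation time.` The description also gives no hint of which variable names the service expects in the file, which a deployer has to know to write it. The enclosing options set starts before the hunk.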
@@ -63,6 +71,7 @@ in {
         DynamicUser = true;
         Restart = "always";
         StateDirectory = "panettone";
+        EnvironmentFile = cfg.secretsFile;
       };
 
       environment = {
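Review bot: `EnvironmentFile = cfg.secretsFile;` is read by systemd before the `DynamicUser` identity is applied, so the file can and should stay root-owned with mode 0600; nothing in the module documents that, and a deployer might instead make it readable to the service user, which with `DynamicUser` has no stable identity anyway. Suggest a comment above the new line: `# Read by systemd before the DynamicUser switch, so the file should be root:root 0600.` The `serviceConfig` attrset starts before the hunk.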
diff --git a/ops/nixos/whitby/default.nix b/ops/nixos/whitby/default.nix
index ad631e7959..f28e8789f8 100644
--- a/ops/nixos/whitby/default.nix
+++ b/ops/nixos/whitby/default.nix
@@ -221,6 +221,7 @@ in lib.fix(self: {
       enable = true;
       dbUser = "panettone";
       dbName = "panettone";
+      secretsFile = "/etc/secrets/panettone";
     };
   };
 
@@ -228,10 +229,12 @@ in lib.fix(self: {
     enable = true;
     enableTCPIP = true;
 
-    authentication = lib.mkOverride 10 ''
+    authentication = lib.mkForce ''
       local all all trust
-      host all all ::1/128 trust
-      hostnossl all all ::1/128 trust
+      host all all 127.0.0.1/32 password
+      host all all ::1/128 password
+      hostnossl all all 127.0.0.1/32 password
+      hostnossl all all ::1/128  password
     '';
 
     ensureDatabases = [
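Review bot: The first rule, `local all all trust`, is kept, so any local OS account can still open a Unix-socket connection as any database role without a password; the new `password` requirement only applies to the TCP rules that follow. If no local client relies on passwordless socket access, `local all all peer` closes that path while still admitting the NixOS module's own setup, which should run as the postgres OS user. Separately, the `password` method sends the password in cleartext on the wire; on loopback that is contained, but `scram-sha-256` (or `md5` on older servers) is preferable if the PostgreSQL version deployed here supports it, which is not visible in this hunk. The `hostnossl all all ::1/128  password` line has a doubled space that pg_hba tolerates but is worth tidying.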