From d9262bd6c68ddf39cc22c147ecf40867f4ec3fb9 Mon Sep 17 00:00:00 2001
From: Griffin Smith
Date: Mon, 27 Jul 2020 21:30:47 -0400
Subject: feat(ops/nixos): Use database password for Panettone

It appears this didn't even *work* without a password, so we've been forced into being more secure.

Change-Id: I4ff9d04961a703a85299dafb79e8447b0a933fc1
Reviewed-on: https://cl.tvl.fyi/c/depot/+/1491
Tested-by: BuildkiteCI
Reviewed-by: tazjin
---
 ops/nixos/panettone.nix | 15 ++++++++++++---
 ops/nixos/whitby/default.nix | 9 ++++++---
 2 files changed, 18 insertions(+), 6 deletions(-)
(limited to 'ops')

diff --git a/ops/nixos/panettone.nix b/ops/nixos/panettone.nix
index 3d31d79caf..c95fb7ffde 100644
--- a/ops/nixos/panettone.nix
+++ b/ops/nixos/panettone.nix
@@ -15,21 +15,29 @@ in {
 dbHost = mkOption {
 description = "Postgresql host to connect to for Panettone";
- type = types.string;
+ type = types.str;
 default = "localhost";
 };
 dbName = mkOption {
 description = "Name of the database for Panettone";
- type = types.string;
+ type = types.str;
 default = "panettone";
 };
 dbUser = mkOption {
 description = "Name of the database user for Panettone";
- type = types.string;
+ type = types.str;
 default = "panettone";
 };
+
+ secretsFile = mkOption {
+ description = ''
+ Path to a file containing secrets, in the format accepted
+ by systemd's EnvironmentFile
+ '';
+ type = types.str;
+ };
 };
 config = lib.mkIf cfg.enable {
@@ -63,6 +71,7 @@ in {
 DynamicUser = true;
 Restart = "always";
 StateDirectory = "panettone";
+ EnvironmentFile = cfg.secretsFile;
 };
 environment = {
diff --git a/ops/nixos/whitby/default.nix b/ops/nixos/whitby/default.nix
index ad631e7959..f28e8789f8 100644
--- a/ops/nixos/whitby/default.nix
+++ b/ops/nixos/whitby/default.nix
@@ -221,6 +221,7 @@ in lib.fix(self: {
 enable = true;
 dbUser = "panettone";
 dbName = "panettone";
+ secretsFile = "/etc/secrets/panettone";
 };
 };
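Review bot: The new `secretsFile` option is typed `types.str` without saying why, and for a secrets path that choice is load-bearing: a `types.path` (or a caller passing an unquoted path literal) would copy the file into the world-readable Nix store at evaluation time. I'd record that in the description, e.g. `Path to a file containing secrets, in the format accepted by systemd's EnvironmentFile. Must be given as a string, not a path literal, so the file is never copied into the Nix store.`, and the description should also name the variable(s) Panettone reads from that file, which nothing in this change shows. The whitby hunk below passes a quoted string (`"/etc/secrets/panettone"`), which is the correct form for the same reason. The option set edited here begins before the hunk, and the `config = lib.mkIf cfg.enable {` line it ends on continues past it.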
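Review bot: The added `EnvironmentFile = cfg.secretsFile;` sits next to `DynamicUser = true;` with no note on how the two interact: systemd reads EnvironmentFile with the manager's privileges before the dynamic user is set up, so the secrets file can stay root-owned with mode 0600 and does not need to be readable by the service user. A comment would stop someone from loosening the permissions later, e.g. `# Read by systemd before DynamicUser takes effect; keep the file root-only (0600).`. Without a `-` prefix a missing file fails the start, and with `Restart = "always"` that becomes a restart loop, which is acceptable for a required secret but worth stating. The serviceConfig set this hunk edits begins before the hunk.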
@@ -228,10 +229,12 @@ in lib.fix(self: {
 enable = true;
 enableTCPIP = true;
- authentication = lib.mkOverride 10 ''
+ authentication = lib.mkForce ''
 local all all trust
- host all all ::1/128 trust
- hostnossl all all ::1/128 trust
+ host all all 127.0.0.1/32 password
+ host all all ::1/128 password
+ hostnossl all all 127.0.0.1/32 password
+ hostnossl all all ::1/128 password
 '';
 ensureDatabases = [
-- 
cgit 1.4.1
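Review bot: `local all all trust` survives the change, so any OS user on the host can still open a Unix-socket connection as any role, including the superuser, without a password; the commit tightens only the TCP loopback paths. If the other local consumers connect over TCP or run as an OS user matching their role, `local all all peer` would close that gap, and the TCP lines would be stronger with `scram-sha-256` (or `md5` where roles already hold md5 hashes) instead of `password`, which sends the cleartext password on the wire (low exposure on loopback, but no reason to keep it): `local all all peer`, `host all all 127.0.0.1/32 scram-sha-256`, `host all all ::1/128 scram-sha-256`. The two `hostnossl` lines are unreachable as written, because pg_hba.conf takes the first matching entry and the preceding `host` lines already match both SSL and non-SSL connections from those addresses, so they can be dropped. The enclosing attribute set (presumably the postgresql service, given `enableTCPIP` and `ensureDatabases`) starts and ends outside the hunk.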