From 1bbd7d6bc50d5841e75d57d7b845b94c97a00169 Mon Sep 17 00:00:00 2001
From: padreug
Date: Tue, 23 Dec 2025 13:20:01 +0100
Subject: [PATCH] lamassu: switch to peer authentication for PostgreSQL
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Replace password-based TCP auth with Unix socket peer authentication:
- Remove lamassu-db-password secret (no password needed)
- Remove lamassu-postgres-setup service entirely
- Use DATABASE_URL with Unix socket: postgresql://user@/db?host=/run/postgresql
- Remove POSTGRES_HOST, POSTGRES_PORT, POSTGRES_PASSWORD env vars

This follows the same pattern as btcpayserver and simplifies the module significantly. Peer auth uses OS-level user authentication via Unix socket.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5
---
 modules/lamassu-lnbits.nix | 79 ++++++--------------------------------
 1 file changed, 12 insertions(+), 67 deletions(-)

diff --git a/modules/lamassu-lnbits.nix b/modules/lamassu-lnbits.nix
index 7bb6b4e..ec25f2b 100644
--- a/modules/lamassu-lnbits.nix
+++ b/modules/lamassu-lnbits.nix
@@ -101,11 +101,8 @@ in
 user = mkOption {
 type = types.str;
 default = cfg.user;
- description = "PostgreSQL username";
+ description = "PostgreSQL username (uses peer authentication via Unix socket)";
 };
-
- # Password is managed by nix-bitcoin secrets system.
- # See: ${secretsDir}/lamassu-db-password
 };
 
 hostname = mkOption {
@@ -184,15 +181,10 @@ in
 user = cfg.user;
 permissions = "444"; # World readable (it's a public cert)
 };
- lamassu-db-password = {
- user = cfg.user;
- group = "postgres"; # PostgreSQL needs to read this too
- };
 };
 
 nix-bitcoin.generateSecretsCmds.lamassu = ''
 makeCert lamassu '${nbLib.mkCertExtraAltNames cfg.certificate}'
- makePasswordSecret lamassu-db-password
 '';
 
 # ═══════════════════════════════════════════════════════════════════════════
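Review bot: The new `description` on the `user` option says peer authentication is used, but the option still accepts any string, and peer authentication over the socket only succeeds when the PostgreSQL role name equals the Unix user that opens the connection (the default here is `cfg.user`) or a pg_ident mapping exists; a differing value now fails at connect time instead of at evaluation. Suggest stating the coupling in the description, e.g. `description = "PostgreSQL role name. Peer authentication is used over the Unix socket, so this must equal the Unix user the service runs as (default: cfg.user) unless a pg_ident map is configured.";`, and optionally adding an assertion that `cfg.database.user == cfg.user` in the config section outside this hunk. The same coupling applies to the DATABASE_URL lines in the hunks at -327, -410 and -445. The enclosing `database` option set starts before this hunk.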
@@ -200,7 +192,7 @@ in
 # NOTE: Nginx reverse proxy is disabled. See docs/lamassu-future-nginx.md
 # for future implementation when --ui-port is added to upstream.
 
- # Enable PostgreSQL
+ # Enable PostgreSQL with peer authentication (no password needed)
 services.postgresql = {
 enable = true;
 package = pkgs.postgresql_15;
@@ -211,13 +203,6 @@ in
 ensureDBOwnership = true;
 }
 ];
- # Enable password authentication for localhost connections
- authentication = pkgs.lib.mkOverride 10 ''
- # TYPE DATABASE USER ADDRESS METHOD
- local all all peer
- host all all 127.0.0.1/32 md5
- host all all ::1/128 md5
- '';
 };
 
 # Create system users and groups
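Review bot: With the `authentication` override deleted in the -211 hunk, the `local all all peer` rule that the socket connection depends on is no longer declared by this module; it now comes from the NixOS postgresql module's default `pg_hba.conf`, so any host config or other module that overrides `services.postgresql.authentication` without that rule breaks lamassu only at runtime. Suggest making the dependency explicit in the comment added in the -200 hunk, e.g. `# Enable PostgreSQL with peer authentication (no password needed). Relies on the NixOS default pg_hba.conf rule "local all all peer"; do not override services.postgresql.authentication in a way that drops it.`. The removed rules appear to mirror the NixOS defaults (peer on the socket, md5 on loopback), so the deletion itself looks behaviour-neutral, and since the role no longer has a password the loopback md5 rules cannot be used for it.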
@@ -247,47 +232,17 @@ in "Z '${cfg.package}' 0755 ${cfg.user} ${cfg.group} - -" ]; - # Service to set PostgreSQL password from nix-bitcoin secrets - systemd.services.lamassu-postgres-setup = { - description = "Setup PostgreSQL password for lamassu-server"; - wantedBy = [ "multi-user.target" ]; - after = [ "postgresql.service" "nix-bitcoin-secrets.target" ]; - wants = [ "postgresql.service" ]; - serviceConfig = { - Type = "oneshot"; - RemainAfterExit = true; - User = "postgres"; - }; - script = '' - # Wait for user to exist, then set password from secrets - for i in {1..30}; do - if ${pkgs.postgresql}/bin/psql -tAc "SELECT 1 FROM pg_roles WHERE rolname='${cfg.database.user}'" | grep -q 1; then - echo "Setting password for ${cfg.database.user}..." - password=$(cat ${secretsDir}/lamassu-db-password) - ${pkgs.postgresql}/bin/psql -c "ALTER USER \"${cfg.database.user}\" WITH PASSWORD '$password';" - exit 0 - fi - echo "Waiting for user ${cfg.database.user} to be created (attempt $i/30)..." - sleep 1 - done - echo "ERROR: User ${cfg.database.user} was not created after 30 seconds" - exit 1 - ''; - }; - # Main lamassu server service systemd.services.lamassu-server = { description = "Lamassu Bitcoin ATM Server"; wantedBy = [ "multi-user.target" ]; - after = [ "network.target" "postgresql.service" "lamassu-postgres-setup.service" "nix-bitcoin-secrets.target" ]; - wants = [ "postgresql.service" "lamassu-postgres-setup.service" ]; + after = [ "network.target" "postgresql.service" "nix-bitcoin-secrets.target" ]; + wants = [ "postgresql.service" ]; environment = { NODE_ENV = "production"; - # Database configuration (password read at runtime from secrets) - POSTGRES_HOST = "127.0.0.1"; - POSTGRES_PORT = "5432"; + # Database configuration (peer auth via Unix socket) POSTGRES_DB = cfg.database.name; POSTGRES_USER = cfg.database.user; 
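Review bot: Deleting `lamassu-postgres-setup.service` also deletes the only readiness gate for the database role (the removed loop polling `pg_roles`), and the new `after = [ "network.target" "postgresql.service" "nix-bitcoin-secrets.target" ]` on lamassu-server is enough only if the role exists by the time `postgresql.service` is reported active; that holds when `ensureUsers` runs in that unit's postStart, but I cannot tell from the hunk whether the targeted NixOS release provisions ensure* from a separate unit, in which case that unit belongs in both `after` and `wants`. Worth a comment on the `after` line recording the assumption, e.g. `# Role is created by services.postgresql.ensureUsers before postgresql.service is active; no separate setup unit is needed.`. The lamassu-server definition continues past the end of the hunk, so `serviceConfig` (including the `User` that the peer identity is derived from) is not visible here.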
@@ -327,10 +282,8 @@ in
 #!/bin/bash
 set -euo pipefail
 export PATH=${pkgs.nodejs_22}/bin:$PATH
- # Read database password from nix-bitcoin secrets
- DB_PASSWORD=$(cat ${secretsDir}/lamassu-db-password)
- export DATABASE_URL="postgresql://${cfg.database.user}:$DB_PASSWORD@127.0.0.1:5432/${cfg.database.name}"
- export POSTGRES_PASSWORD="$DB_PASSWORD"
+ # Use Unix socket for peer authentication (no password needed)
+ export DATABASE_URL="postgresql://${cfg.database.user}@/${cfg.database.name}?host=/run/postgresql"
 export NODE_PATH=${cfg.package}/node_modules:${cfg.package}/packages/server/node_modules
 cd ${cfg.package}
 exec "$@"
@@ -391,9 +344,7 @@ in
 CA_PATH = cfg.certPath;
 CERT_PATH = cfg.certPath;
 KEY_PATH = cfg.keyPath;
- # Database configuration (password read at runtime from secrets)
- POSTGRES_HOST = "127.0.0.1";
- POSTGRES_PORT = "5432";
+ # Database configuration (peer auth via Unix socket)
 POSTGRES_DB = cfg.database.name;
 POSTGRES_USER = cfg.database.user;
 MNEMONIC_PATH = "${cfg.dataDir}/lamassu-mnemonic";
@@ -410,10 +361,8 @@ in
 #!/bin/bash
 set -euo pipefail
 export PATH=${pkgs.nodejs_22}/bin:$PATH
- # Read database password from nix-bitcoin secrets
- DB_PASSWORD=$(cat ${secretsDir}/lamassu-db-password)
- export DATABASE_URL="postgresql://${cfg.database.user}:$DB_PASSWORD@127.0.0.1:5432/${cfg.database.name}"
- export POSTGRES_PASSWORD="$DB_PASSWORD"
+ # Use Unix socket for peer authentication (no password needed)
+ export DATABASE_URL="postgresql://${cfg.database.user}@/${cfg.database.name}?host=/run/postgresql"
 export NODE_PATH=${cfg.package}/node_modules:${cfg.package}/packages/admin-server/node_modules
 cd ${cfg.package}
 exec "$@"
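Review bot: The same `DATABASE_URL` literal is now written out three times (the -327 and -410 hunks here and the -445 hunk), each hard-coding the `/run/postgresql` socket directory, so a later change to one copy or to `unix_socket_directories` in `services.postgresql.settings` silently desynchronises the others. Suggest one binding in the module's `let` block (outside these hunks), `dbUrl = "postgresql://${cfg.database.user}@/${cfg.database.name}?host=/run/postgresql";`, and `export DATABASE_URL="${dbUrl}"` at each of the three sites, with a comment on the binding noting that the path is the NixOS default socket directory. Both wrapper scripts here are complete within their hunks, but the `let` block is not visible.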
@@ -445,16 +394,12 @@ in
 nodePackages.pnpm
 postgresql
 (writeShellScriptBin "lamassu-register-user" ''
- # Read database password from nix-bitcoin secrets
- DB_PASSWORD=$(cat ${secretsDir}/lamassu-db-password)
+ # Use Unix socket for peer authentication (no password needed)
 export NODE_PATH="${cfg.package}/node_modules:${cfg.package}/packages/server/node_modules"
- export DATABASE_URL="postgresql://${cfg.database.user}:$DB_PASSWORD@127.0.0.1:5432/${cfg.database.name}"
+ export DATABASE_URL="postgresql://${cfg.database.user}@/${cfg.database.name}?host=/run/postgresql"
 export HOSTNAME="${cfg.hostname}"
- export POSTGRES_HOST="127.0.0.1"
- export POSTGRES_PORT="5432"
 export POSTGRES_DB="${cfg.database.name}"
 export POSTGRES_USER="${cfg.database.user}"
- export POSTGRES_PASSWORD="$DB_PASSWORD"
 export SKIP_2FA="${if cfg.skip2FA then "true" else "false"}"
 sudo -E -u ${cfg.user} bash -c "cd ${cfg.package}/packages/server && ${pkgs.nodejs_22}/bin/node bin/lamassu-register \"\$@\"" -- "$@"
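Review bot: The new comment `# Use Unix socket for peer authentication (no password needed)` was dropped into the slot of the deleted password-reading lines, above `export NODE_PATH=...`, two lines away from the `export DATABASE_URL=...` line it describes; in the -327 and -410 hunks the same comment sits directly above the URL, so move it there for consistency. Secondary point: now that no secret is read before the `sudo` call, the only values this script needs to hand to `${cfg.user}` are the variables exported above, so `-E` (which forwards the invoking operator's entire environment, including any libpq `PG*` settings) could be replaced by passing those variables explicitly via `env` in the `sudo -u ${cfg.user} ...` command; I cannot tell from the hunk whether `lamassu-register` depends on anything else from the caller's environment, so treat that as something to confirm before changing it. The shell script is complete within the hunk, but the surrounding package list is not.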