lamassu: use nix-bitcoin secrets for database password
Replace hardcoded database password with nix-bitcoin secrets pattern:
- Add lamassu-db-password secret (readable by lamassu user and postgres)
- Generate random 20-char password using makePasswordSecret
- Read password at runtime in service wrapper scripts
- Update lamassu-postgres-setup to read password from secrets
- Update helper scripts to read password at runtime
The password is now automatically generated on first deploy and stored
in ${secretsDir}/lamassu-db-password.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
This commit is contained in:
parent
8ee71833b9
commit
27f133efd8
1 changed files with 26 additions and 23 deletions
|
|
@ -104,11 +104,8 @@ in
|
|||
description = "PostgreSQL username";
|
||||
};
|
||||
|
||||
password = mkOption {
|
||||
type = types.str;
|
||||
default = "lamassu123";
|
||||
description = "PostgreSQL password for lamassu-server user";
|
||||
};
|
||||
# Password is managed by nix-bitcoin secrets system.
|
||||
# See: ${secretsDir}/lamassu-db-password
|
||||
};
|
||||
|
||||
hostname = mkOption {
|
||||
|
|
@ -187,10 +184,15 @@ in
|
|||
user = cfg.user;
|
||||
permissions = "444"; # World readable (it's a public cert)
|
||||
};
|
||||
lamassu-db-password = {
|
||||
user = cfg.user;
|
||||
group = "postgres"; # PostgreSQL needs to read this too
|
||||
};
|
||||
};
|
||||
|
||||
nix-bitcoin.generateSecretsCmds.lamassu = ''
|
||||
makeCert lamassu '${nbLib.mkCertExtraAltNames cfg.certificate}'
|
||||
makePasswordSecret lamassu-db-password
|
||||
'';
|
||||
|
||||
# ═══════════════════════════════════════════════════════════════════════════
|
||||
|
|
@ -216,10 +218,6 @@ in
|
|||
host all all 127.0.0.1/32 md5
|
||||
host all all ::1/128 md5
|
||||
'';
|
||||
# Set initial password for lamassu-server user
|
||||
initialScript = pkgs.writeText "postgres-init.sql" ''
|
||||
ALTER USER "${cfg.database.user}" WITH PASSWORD '${cfg.database.password}';
|
||||
'';
|
||||
};
|
||||
|
||||
# Create system users and groups
|
||||
|
|
@ -249,11 +247,11 @@ in
|
|||
"Z '${cfg.package}' 0755 ${cfg.user} ${cfg.group} - -"
|
||||
];
|
||||
|
||||
# Service to set PostgreSQL password
|
||||
# Service to set PostgreSQL password from nix-bitcoin secrets
|
||||
systemd.services.lamassu-postgres-setup = {
|
||||
description = "Setup PostgreSQL password for lamassu-server";
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
after = [ "postgresql.service" ];
|
||||
after = [ "postgresql.service" "nix-bitcoin-secrets.target" ];
|
||||
wants = [ "postgresql.service" ];
|
||||
serviceConfig = {
|
||||
Type = "oneshot";
|
||||
|
|
@ -261,11 +259,12 @@ in
|
|||
User = "postgres";
|
||||
};
|
||||
script = ''
|
||||
# Wait for user to exist, then set password
|
||||
# Wait for user to exist, then set password from secrets
|
||||
for i in {1..30}; do
|
||||
if ${pkgs.postgresql}/bin/psql -tAc "SELECT 1 FROM pg_roles WHERE rolname='${cfg.database.user}'" | grep -q 1; then
|
||||
echo "Setting password for ${cfg.database.user}..."
|
||||
${pkgs.postgresql}/bin/psql -c "ALTER USER \"${cfg.database.user}\" WITH PASSWORD '${cfg.database.password}';"
|
||||
password=$(cat ${secretsDir}/lamassu-db-password)
|
||||
${pkgs.postgresql}/bin/psql -c "ALTER USER \"${cfg.database.user}\" WITH PASSWORD '$password';"
|
||||
exit 0
|
||||
fi
|
||||
echo "Waiting for user ${cfg.database.user} to be created (attempt $i/30)..."
|
||||
|
|
@ -286,12 +285,11 @@ in
|
|||
environment = {
|
||||
NODE_ENV = "production";
|
||||
|
||||
# Database configuration (using TCP with password auth)
|
||||
# Database configuration (password read at runtime from secrets)
|
||||
POSTGRES_HOST = "127.0.0.1";
|
||||
POSTGRES_PORT = "5432";
|
||||
POSTGRES_DB = cfg.database.name;
|
||||
POSTGRES_USER = cfg.database.user;
|
||||
POSTGRES_PASSWORD = cfg.database.password;
|
||||
|
||||
# Server configuration
|
||||
SERVER_PORT = toString cfg.serverPort;
|
||||
|
|
@ -329,8 +327,10 @@ in
|
|||
#!/bin/bash
|
||||
set -euo pipefail
|
||||
export PATH=${pkgs.nodejs_22}/bin:$PATH
|
||||
# Use TCP connection to localhost with password
|
||||
export DATABASE_URL="postgresql://${cfg.database.user}:${cfg.database.password}@127.0.0.1:5432/${cfg.database.name}"
|
||||
# Read database password from nix-bitcoin secrets
|
||||
DB_PASSWORD=$(cat ${secretsDir}/lamassu-db-password)
|
||||
export DATABASE_URL="postgresql://${cfg.database.user}:$DB_PASSWORD@127.0.0.1:5432/${cfg.database.name}"
|
||||
export POSTGRES_PASSWORD="$DB_PASSWORD"
|
||||
export NODE_PATH=${cfg.package}/node_modules:${cfg.package}/packages/server/node_modules
|
||||
cd ${cfg.package}
|
||||
exec "$@"
|
||||
|
|
@ -391,12 +391,11 @@ in
|
|||
CA_PATH = cfg.certPath;
|
||||
CERT_PATH = cfg.certPath;
|
||||
KEY_PATH = cfg.keyPath;
|
||||
# Database configuration (using TCP with password auth)
|
||||
# Database configuration (password read at runtime from secrets)
|
||||
POSTGRES_HOST = "127.0.0.1";
|
||||
POSTGRES_PORT = "5432";
|
||||
POSTGRES_DB = cfg.database.name;
|
||||
POSTGRES_USER = cfg.database.user;
|
||||
POSTGRES_PASSWORD = cfg.database.password;
|
||||
MNEMONIC_PATH = "${cfg.dataDir}/lamassu-mnemonic";
|
||||
SKIP_2FA = if cfg.skip2FA then "true" else "false";
|
||||
# Data directories
|
||||
|
|
@ -411,8 +410,10 @@ in
|
|||
#!/bin/bash
|
||||
set -euo pipefail
|
||||
export PATH=${pkgs.nodejs_22}/bin:$PATH
|
||||
# Use TCP connection to localhost with password
|
||||
export DATABASE_URL="postgresql://${cfg.database.user}:${cfg.database.password}@127.0.0.1:5432/${cfg.database.name}"
|
||||
# Read database password from nix-bitcoin secrets
|
||||
DB_PASSWORD=$(cat ${secretsDir}/lamassu-db-password)
|
||||
export DATABASE_URL="postgresql://${cfg.database.user}:$DB_PASSWORD@127.0.0.1:5432/${cfg.database.name}"
|
||||
export POSTGRES_PASSWORD="$DB_PASSWORD"
|
||||
export NODE_PATH=${cfg.package}/node_modules:${cfg.package}/packages/admin-server/node_modules
|
||||
cd ${cfg.package}
|
||||
exec "$@"
|
||||
|
|
@ -444,14 +445,16 @@ in
|
|||
nodePackages.pnpm
|
||||
postgresql
|
||||
(writeShellScriptBin "lamassu-register-user" ''
|
||||
# Read database password from nix-bitcoin secrets
|
||||
DB_PASSWORD=$(cat ${secretsDir}/lamassu-db-password)
|
||||
export NODE_PATH="${cfg.package}/node_modules:${cfg.package}/packages/server/node_modules"
|
||||
export DATABASE_URL="postgresql://${cfg.database.user}:${cfg.database.password}@127.0.0.1:5432/${cfg.database.name}"
|
||||
export DATABASE_URL="postgresql://${cfg.database.user}:$DB_PASSWORD@127.0.0.1:5432/${cfg.database.name}"
|
||||
export HOSTNAME="${cfg.hostname}"
|
||||
export POSTGRES_HOST="127.0.0.1"
|
||||
export POSTGRES_PORT="5432"
|
||||
export POSTGRES_DB="${cfg.database.name}"
|
||||
export POSTGRES_USER="${cfg.database.user}"
|
||||
export POSTGRES_PASSWORD="${cfg.database.password}"
|
||||
export POSTGRES_PASSWORD="$DB_PASSWORD"
|
||||
export SKIP_2FA="${if cfg.skip2FA then "true" else "false"}"
|
||||
|
||||
sudo -E -u ${cfg.user} bash -c "cd ${cfg.package}/packages/server && ${pkgs.nodejs_22}/bin/node bin/lamassu-register \"\$@\"" -- "$@"
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue