aiolabs/nix-bitcoin
1
0
Fork 0
Code Issues Pull requests Projects Releases 1 Packages Wiki Activity Actions

lamassu: use nix-bitcoin secrets for database password

Browse source 
Replace hardcoded database password with nix-bitcoin secrets pattern:
- Add lamassu-db-password secret (readable by lamassu user and postgres)
- Generate random 20-char password using makePasswordSecret
- Read password at runtime in service wrapper scripts
- Update lamassu-postgres-setup to read password from secrets
- Update helper scripts to read password at runtime

The password is now automatically generated on first deploy and stored
in ${secretsDir}/lamassu-db-password.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
This commit is contained in:
padreug 2025-12-23 13:14:14 +01:00
parent 8ee71833b9
commit 27f133efd8
1 changed files with 26 additions and 23 deletions
Download patch file Download diff file Expand all files Collapse all files

49
modules/lamassu-lnbits.nix
View file

@ -104,11 +104,8 @@ in
description = "PostgreSQL username"; description = "PostgreSQL username";
}; };
password = mkOption { # Password is managed by nix-bitcoin secrets system.
type = types.str; # See: ${secretsDir}/lamassu-db-password
default = "lamassu123";
description = "PostgreSQL password for lamassu-server user";
};
}; };
hostname = mkOption { hostname = mkOption {
@ -187,10 +184,15 @@ in
user = cfg.user; user = cfg.user;
permissions = "444"; # World readable (it's a public cert) permissions = "444"; # World readable (it's a public cert)
}; };
lamassu-db-password = {
user = cfg.user;
group = "postgres"; # PostgreSQL needs to read this too
};
}; };
nix-bitcoin.generateSecretsCmds.lamassu = '' nix-bitcoin.generateSecretsCmds.lamassu = ''
makeCert lamassu '${nbLib.mkCertExtraAltNames cfg.certificate}' makeCert lamassu '${nbLib.mkCertExtraAltNames cfg.certificate}'
makePasswordSecret lamassu-db-password
''; '';
# ═══════════════════════════════════════════════════════════════════════════ # ═══════════════════════════════════════════════════════════════════════════
@ -216,10 +218,6 @@ in
host all all 127.0.0.1/32 md5 host all all 127.0.0.1/32 md5
host all all ::1/128 md5 host all all ::1/128 md5
''; '';
# Set initial password for lamassu-server user
initialScript = pkgs.writeText "postgres-init.sql" ''
ALTER USER "${cfg.database.user}" WITH PASSWORD '${cfg.database.password}';
'';
}; };
# Create system users and groups # Create system users and groups
@ -249,11 +247,11 @@ in
"Z '${cfg.package}' 0755 ${cfg.user} ${cfg.group} - -" "Z '${cfg.package}' 0755 ${cfg.user} ${cfg.group} - -"
]; ];
# Service to set PostgreSQL password # Service to set PostgreSQL password from nix-bitcoin secrets
systemd.services.lamassu-postgres-setup = { systemd.services.lamassu-postgres-setup = {
description = "Setup PostgreSQL password for lamassu-server"; description = "Setup PostgreSQL password for lamassu-server";
wantedBy = [ "multi-user.target" ]; wantedBy = [ "multi-user.target" ];
after = [ "postgresql.service" ]; after = [ "postgresql.service" "nix-bitcoin-secrets.target" ];
wants = [ "postgresql.service" ]; wants = [ "postgresql.service" ];
serviceConfig = { serviceConfig = {
Type = "oneshot"; Type = "oneshot";
@ -261,11 +259,12 @@ in
User = "postgres"; User = "postgres";
}; };
script = '' script = ''
# Wait for user to exist, then set password # Wait for user to exist, then set password from secrets
for i in {1..30}; do for i in {1..30}; do
if ${pkgs.postgresql}/bin/psql -tAc "SELECT 1 FROM pg_roles WHERE rolname='${cfg.database.user}'" | grep -q 1; then if ${pkgs.postgresql}/bin/psql -tAc "SELECT 1 FROM pg_roles WHERE rolname='${cfg.database.user}'" | grep -q 1; then
echo "Setting password for ${cfg.database.user}..." echo "Setting password for ${cfg.database.user}..."
${pkgs.postgresql}/bin/psql -c "ALTER USER \"${cfg.database.user}\" WITH PASSWORD '${cfg.database.password}';" password=$(cat ${secretsDir}/lamassu-db-password)
${pkgs.postgresql}/bin/psql -c "ALTER USER \"${cfg.database.user}\" WITH PASSWORD '$password';"
exit 0 exit 0
fi fi
echo "Waiting for user ${cfg.database.user} to be created (attempt $i/30)..." echo "Waiting for user ${cfg.database.user} to be created (attempt $i/30)..."
@ -286,12 +285,11 @@ in
environment = { environment = {
NODE_ENV = "production"; NODE_ENV = "production";
# Database configuration (using TCP with password auth) # Database configuration (password read at runtime from secrets)
POSTGRES_HOST = "127.0.0.1"; POSTGRES_HOST = "127.0.0.1";
POSTGRES_PORT = "5432"; POSTGRES_PORT = "5432";
POSTGRES_DB = cfg.database.name; POSTGRES_DB = cfg.database.name;
POSTGRES_USER = cfg.database.user; POSTGRES_USER = cfg.database.user;
POSTGRES_PASSWORD = cfg.database.password;
# Server configuration # Server configuration
SERVER_PORT = toString cfg.serverPort; SERVER_PORT = toString cfg.serverPort;
@ -329,8 +327,10 @@ in
#!/bin/bash #!/bin/bash
set -euo pipefail set -euo pipefail
export PATH=${pkgs.nodejs_22}/bin:$PATH export PATH=${pkgs.nodejs_22}/bin:$PATH
# Use TCP connection to localhost with password # Read database password from nix-bitcoin secrets
export DATABASE_URL="postgresql://${cfg.database.user}:${cfg.database.password}@127.0.0.1:5432/${cfg.database.name}" DB_PASSWORD=$(cat ${secretsDir}/lamassu-db-password)
export DATABASE_URL="postgresql://${cfg.database.user}:$DB_PASSWORD@127.0.0.1:5432/${cfg.database.name}"
export POSTGRES_PASSWORD="$DB_PASSWORD"
export NODE_PATH=${cfg.package}/node_modules:${cfg.package}/packages/server/node_modules export NODE_PATH=${cfg.package}/node_modules:${cfg.package}/packages/server/node_modules
cd ${cfg.package} cd ${cfg.package}
exec "$@" exec "$@"
@ -391,12 +391,11 @@ in
CA_PATH = cfg.certPath; CA_PATH = cfg.certPath;
CERT_PATH = cfg.certPath; CERT_PATH = cfg.certPath;
KEY_PATH = cfg.keyPath; KEY_PATH = cfg.keyPath;
# Database configuration (using TCP with password auth) # Database configuration (password read at runtime from secrets)
POSTGRES_HOST = "127.0.0.1"; POSTGRES_HOST = "127.0.0.1";
POSTGRES_PORT = "5432"; POSTGRES_PORT = "5432";
POSTGRES_DB = cfg.database.name; POSTGRES_DB = cfg.database.name;
POSTGRES_USER = cfg.database.user; POSTGRES_USER = cfg.database.user;
POSTGRES_PASSWORD = cfg.database.password;
MNEMONIC_PATH = "${cfg.dataDir}/lamassu-mnemonic"; MNEMONIC_PATH = "${cfg.dataDir}/lamassu-mnemonic";
SKIP_2FA = if cfg.skip2FA then "true" else "false"; SKIP_2FA = if cfg.skip2FA then "true" else "false";
# Data directories # Data directories
@ -411,8 +410,10 @@ in
#!/bin/bash #!/bin/bash
set -euo pipefail set -euo pipefail
export PATH=${pkgs.nodejs_22}/bin:$PATH export PATH=${pkgs.nodejs_22}/bin:$PATH
# Use TCP connection to localhost with password # Read database password from nix-bitcoin secrets
export DATABASE_URL="postgresql://${cfg.database.user}:${cfg.database.password}@127.0.0.1:5432/${cfg.database.name}" DB_PASSWORD=$(cat ${secretsDir}/lamassu-db-password)
export DATABASE_URL="postgresql://${cfg.database.user}:$DB_PASSWORD@127.0.0.1:5432/${cfg.database.name}"
export POSTGRES_PASSWORD="$DB_PASSWORD"
export NODE_PATH=${cfg.package}/node_modules:${cfg.package}/packages/admin-server/node_modules export NODE_PATH=${cfg.package}/node_modules:${cfg.package}/packages/admin-server/node_modules
cd ${cfg.package} cd ${cfg.package}
exec "$@" exec "$@"
@ -444,14 +445,16 @@ in
nodePackages.pnpm nodePackages.pnpm
postgresql postgresql
(writeShellScriptBin "lamassu-register-user" '' (writeShellScriptBin "lamassu-register-user" ''
# Read database password from nix-bitcoin secrets
DB_PASSWORD=$(cat ${secretsDir}/lamassu-db-password)
export NODE_PATH="${cfg.package}/node_modules:${cfg.package}/packages/server/node_modules" export NODE_PATH="${cfg.package}/node_modules:${cfg.package}/packages/server/node_modules"
export DATABASE_URL="postgresql://${cfg.database.user}:${cfg.database.password}@127.0.0.1:5432/${cfg.database.name}" export DATABASE_URL="postgresql://${cfg.database.user}:$DB_PASSWORD@127.0.0.1:5432/${cfg.database.name}"
export HOSTNAME="${cfg.hostname}" export HOSTNAME="${cfg.hostname}"
export POSTGRES_HOST="127.0.0.1" export POSTGRES_HOST="127.0.0.1"
export POSTGRES_PORT="5432" export POSTGRES_PORT="5432"
export POSTGRES_DB="${cfg.database.name}" export POSTGRES_DB="${cfg.database.name}"
export POSTGRES_USER="${cfg.database.user}" export POSTGRES_USER="${cfg.database.user}"
export POSTGRES_PASSWORD="${cfg.database.password}" export POSTGRES_PASSWORD="$DB_PASSWORD"
export SKIP_2FA="${if cfg.skip2FA then "true" else "false"}" export SKIP_2FA="${if cfg.skip2FA then "true" else "false"}"
sudo -E -u ${cfg.user} bash -c "cd ${cfg.package}/packages/server && ${pkgs.nodejs_22}/bin/node bin/lamassu-register \"\$@\"" -- "$@" sudo -E -u ${cfg.user} bash -c "cd ${cfg.package}/packages/server && ${pkgs.nodejs_22}/bin/node bin/lamassu-register \"\$@\"" -- "$@"