Revert "lamassu: switch to peer authentication for PostgreSQL"
This reverts commit a819ec5ad2fef050fd878afde8243576ebaa7f88.
This commit is contained in:
parent
1bbd7d6bc5
commit
2b46736e69
1 changed files with 67 additions and 12 deletions
|
|
@ -101,8 +101,11 @@ in
|
||||||
user = mkOption {
|
user = mkOption {
|
||||||
type = types.str;
|
type = types.str;
|
||||||
default = cfg.user;
|
default = cfg.user;
|
||||||
description = "PostgreSQL username (uses peer authentication via Unix socket)";
|
description = "PostgreSQL username";
|
||||||
};
|
};
|
||||||
|
|
||||||
|
# Password is managed by nix-bitcoin secrets system.
|
||||||
|
# See: ${secretsDir}/lamassu-db-password
|
||||||
};
|
};
|
||||||
|
|
||||||
hostname = mkOption {
|
hostname = mkOption {
|
||||||
|
|
@ -181,10 +184,15 @@ in
|
||||||
user = cfg.user;
|
user = cfg.user;
|
||||||
permissions = "444"; # World readable (it's a public cert)
|
permissions = "444"; # World readable (it's a public cert)
|
||||||
};
|
};
|
||||||
|
lamassu-db-password = {
|
||||||
|
user = cfg.user;
|
||||||
|
group = "postgres"; # PostgreSQL needs to read this too
|
||||||
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
nix-bitcoin.generateSecretsCmds.lamassu = ''
|
nix-bitcoin.generateSecretsCmds.lamassu = ''
|
||||||
makeCert lamassu '${nbLib.mkCertExtraAltNames cfg.certificate}'
|
makeCert lamassu '${nbLib.mkCertExtraAltNames cfg.certificate}'
|
||||||
|
makePasswordSecret lamassu-db-password
|
||||||
'';
|
'';
|
||||||
|
|
||||||
# ═══════════════════════════════════════════════════════════════════════════
|
# ═══════════════════════════════════════════════════════════════════════════
|
||||||
|
|
@ -192,7 +200,7 @@ in
|
||||||
# NOTE: Nginx reverse proxy is disabled. See docs/lamassu-future-nginx.md
|
# NOTE: Nginx reverse proxy is disabled. See docs/lamassu-future-nginx.md
|
||||||
# for future implementation when --ui-port is added to upstream.
|
# for future implementation when --ui-port is added to upstream.
|
||||||
|
|
||||||
# Enable PostgreSQL with peer authentication (no password needed)
|
# Enable PostgreSQL
|
||||||
services.postgresql = {
|
services.postgresql = {
|
||||||
enable = true;
|
enable = true;
|
||||||
package = pkgs.postgresql_15;
|
package = pkgs.postgresql_15;
|
||||||
|
|
@ -203,6 +211,13 @@ in
|
||||||
ensureDBOwnership = true;
|
ensureDBOwnership = true;
|
||||||
}
|
}
|
||||||
];
|
];
|
||||||
|
# Enable password authentication for localhost connections
|
||||||
|
authentication = pkgs.lib.mkOverride 10 ''
|
||||||
|
# TYPE DATABASE USER ADDRESS METHOD
|
||||||
|
local all all peer
|
||||||
|
host all all 127.0.0.1/32 md5
|
||||||
|
host all all ::1/128 md5
|
||||||
|
'';
|
||||||
};
|
};
|
||||||
|
|
||||||
# Create system users and groups
|
# Create system users and groups
|
||||||
|
|
@ -232,17 +247,47 @@ in
|
||||||
"Z '${cfg.package}' 0755 ${cfg.user} ${cfg.group} - -"
|
"Z '${cfg.package}' 0755 ${cfg.user} ${cfg.group} - -"
|
||||||
];
|
];
|
||||||
|
|
||||||
|
# Service to set PostgreSQL password from nix-bitcoin secrets
|
||||||
|
systemd.services.lamassu-postgres-setup = {
|
||||||
|
description = "Setup PostgreSQL password for lamassu-server";
|
||||||
|
wantedBy = [ "multi-user.target" ];
|
||||||
|
after = [ "postgresql.service" "nix-bitcoin-secrets.target" ];
|
||||||
|
wants = [ "postgresql.service" ];
|
||||||
|
serviceConfig = {
|
||||||
|
Type = "oneshot";
|
||||||
|
RemainAfterExit = true;
|
||||||
|
User = "postgres";
|
||||||
|
};
|
||||||
|
script = ''
|
||||||
|
# Wait for user to exist, then set password from secrets
|
||||||
|
for i in {1..30}; do
|
||||||
|
if ${pkgs.postgresql}/bin/psql -tAc "SELECT 1 FROM pg_roles WHERE rolname='${cfg.database.user}'" | grep -q 1; then
|
||||||
|
echo "Setting password for ${cfg.database.user}..."
|
||||||
|
password=$(cat ${secretsDir}/lamassu-db-password)
|
||||||
|
${pkgs.postgresql}/bin/psql -c "ALTER USER \"${cfg.database.user}\" WITH PASSWORD '$password';"
|
||||||
|
exit 0
|
||||||
|
fi
|
||||||
|
echo "Waiting for user ${cfg.database.user} to be created (attempt $i/30)..."
|
||||||
|
sleep 1
|
||||||
|
done
|
||||||
|
echo "ERROR: User ${cfg.database.user} was not created after 30 seconds"
|
||||||
|
exit 1
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
|
||||||
# Main lamassu server service
|
# Main lamassu server service
|
||||||
systemd.services.lamassu-server = {
|
systemd.services.lamassu-server = {
|
||||||
description = "Lamassu Bitcoin ATM Server";
|
description = "Lamassu Bitcoin ATM Server";
|
||||||
wantedBy = [ "multi-user.target" ];
|
wantedBy = [ "multi-user.target" ];
|
||||||
after = [ "network.target" "postgresql.service" "nix-bitcoin-secrets.target" ];
|
after = [ "network.target" "postgresql.service" "lamassu-postgres-setup.service" "nix-bitcoin-secrets.target" ];
|
||||||
wants = [ "postgresql.service" ];
|
wants = [ "postgresql.service" "lamassu-postgres-setup.service" ];
|
||||||
|
|
||||||
environment = {
|
environment = {
|
||||||
NODE_ENV = "production";
|
NODE_ENV = "production";
|
||||||
|
|
||||||
# Database configuration (peer auth via Unix socket)
|
# Database configuration (password read at runtime from secrets)
|
||||||
|
POSTGRES_HOST = "127.0.0.1";
|
||||||
|
POSTGRES_PORT = "5432";
|
||||||
POSTGRES_DB = cfg.database.name;
|
POSTGRES_DB = cfg.database.name;
|
||||||
POSTGRES_USER = cfg.database.user;
|
POSTGRES_USER = cfg.database.user;
|
||||||
|
|
||||||
|
|
@ -282,8 +327,10 @@ in
|
||||||
#!/bin/bash
|
#!/bin/bash
|
||||||
set -euo pipefail
|
set -euo pipefail
|
||||||
export PATH=${pkgs.nodejs_22}/bin:$PATH
|
export PATH=${pkgs.nodejs_22}/bin:$PATH
|
||||||
# Use Unix socket for peer authentication (no password needed)
|
# Read database password from nix-bitcoin secrets
|
||||||
export DATABASE_URL="postgresql://${cfg.database.user}@/${cfg.database.name}?host=/run/postgresql"
|
DB_PASSWORD=$(cat ${secretsDir}/lamassu-db-password)
|
||||||
|
export DATABASE_URL="postgresql://${cfg.database.user}:$DB_PASSWORD@127.0.0.1:5432/${cfg.database.name}"
|
||||||
|
export POSTGRES_PASSWORD="$DB_PASSWORD"
|
||||||
export NODE_PATH=${cfg.package}/node_modules:${cfg.package}/packages/server/node_modules
|
export NODE_PATH=${cfg.package}/node_modules:${cfg.package}/packages/server/node_modules
|
||||||
cd ${cfg.package}
|
cd ${cfg.package}
|
||||||
exec "$@"
|
exec "$@"
|
||||||
|
|
@ -344,7 +391,9 @@ in
|
||||||
CA_PATH = cfg.certPath;
|
CA_PATH = cfg.certPath;
|
||||||
CERT_PATH = cfg.certPath;
|
CERT_PATH = cfg.certPath;
|
||||||
KEY_PATH = cfg.keyPath;
|
KEY_PATH = cfg.keyPath;
|
||||||
# Database configuration (peer auth via Unix socket)
|
# Database configuration (password read at runtime from secrets)
|
||||||
|
POSTGRES_HOST = "127.0.0.1";
|
||||||
|
POSTGRES_PORT = "5432";
|
||||||
POSTGRES_DB = cfg.database.name;
|
POSTGRES_DB = cfg.database.name;
|
||||||
POSTGRES_USER = cfg.database.user;
|
POSTGRES_USER = cfg.database.user;
|
||||||
MNEMONIC_PATH = "${cfg.dataDir}/lamassu-mnemonic";
|
MNEMONIC_PATH = "${cfg.dataDir}/lamassu-mnemonic";
|
||||||
|
|
@ -361,8 +410,10 @@ in
|
||||||
#!/bin/bash
|
#!/bin/bash
|
||||||
set -euo pipefail
|
set -euo pipefail
|
||||||
export PATH=${pkgs.nodejs_22}/bin:$PATH
|
export PATH=${pkgs.nodejs_22}/bin:$PATH
|
||||||
# Use Unix socket for peer authentication (no password needed)
|
# Read database password from nix-bitcoin secrets
|
||||||
export DATABASE_URL="postgresql://${cfg.database.user}@/${cfg.database.name}?host=/run/postgresql"
|
DB_PASSWORD=$(cat ${secretsDir}/lamassu-db-password)
|
||||||
|
export DATABASE_URL="postgresql://${cfg.database.user}:$DB_PASSWORD@127.0.0.1:5432/${cfg.database.name}"
|
||||||
|
export POSTGRES_PASSWORD="$DB_PASSWORD"
|
||||||
export NODE_PATH=${cfg.package}/node_modules:${cfg.package}/packages/admin-server/node_modules
|
export NODE_PATH=${cfg.package}/node_modules:${cfg.package}/packages/admin-server/node_modules
|
||||||
cd ${cfg.package}
|
cd ${cfg.package}
|
||||||
exec "$@"
|
exec "$@"
|
||||||
|
|
@ -394,12 +445,16 @@ in
|
||||||
nodePackages.pnpm
|
nodePackages.pnpm
|
||||||
postgresql
|
postgresql
|
||||||
(writeShellScriptBin "lamassu-register-user" ''
|
(writeShellScriptBin "lamassu-register-user" ''
|
||||||
# Use Unix socket for peer authentication (no password needed)
|
# Read database password from nix-bitcoin secrets
|
||||||
|
DB_PASSWORD=$(cat ${secretsDir}/lamassu-db-password)
|
||||||
export NODE_PATH="${cfg.package}/node_modules:${cfg.package}/packages/server/node_modules"
|
export NODE_PATH="${cfg.package}/node_modules:${cfg.package}/packages/server/node_modules"
|
||||||
export DATABASE_URL="postgresql://${cfg.database.user}@/${cfg.database.name}?host=/run/postgresql"
|
export DATABASE_URL="postgresql://${cfg.database.user}:$DB_PASSWORD@127.0.0.1:5432/${cfg.database.name}"
|
||||||
export HOSTNAME="${cfg.hostname}"
|
export HOSTNAME="${cfg.hostname}"
|
||||||
|
export POSTGRES_HOST="127.0.0.1"
|
||||||
|
export POSTGRES_PORT="5432"
|
||||||
export POSTGRES_DB="${cfg.database.name}"
|
export POSTGRES_DB="${cfg.database.name}"
|
||||||
export POSTGRES_USER="${cfg.database.user}"
|
export POSTGRES_USER="${cfg.database.user}"
|
||||||
|
export POSTGRES_PASSWORD="$DB_PASSWORD"
|
||||||
export SKIP_2FA="${if cfg.skip2FA then "true" else "false"}"
|
export SKIP_2FA="${if cfg.skip2FA then "true" else "false"}"
|
||||||
|
|
||||||
sudo -E -u ${cfg.user} bash -c "cd ${cfg.package}/packages/server && ${pkgs.nodejs_22}/bin/node bin/lamassu-register \"\$@\"" -- "$@"
|
sudo -E -u ${cfg.user} bash -c "cd ${cfg.package}/packages/server && ${pkgs.nodejs_22}/bin/node bin/lamassu-register \"\$@\"" -- "$@"
|
||||||
|
|
|
||||||
Loading…
Add table
Add a link
Reference in a new issue