From 93e19c74e9bcc453d38d11dc014a1baae9a09016 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?S=C3=A9bastien=20Bourdeauducq?=
Date: Sun, 11 Aug 2024 12:09:30 +0800
Subject: [PATCH] nixbld/rt: use psql peer authentication
---
 nixbld-etc-nixos/configuration.nix | 11 +++++++++--
 nixbld-etc-nixos/rt.nix | 18 ++----------------
 2 files changed, 11 insertions(+), 18 deletions(-)
diff --git a/nixbld-etc-nixos/configuration.nix b/nixbld-etc-nixos/configuration.nix
index fae992ed..b89b2627 100644
--- a/nixbld-etc-nixos/configuration.nix
+++ b/nixbld-etc-nixos/configuration.nix
@@ -816,12 +816,19 @@ in
 siteUrl = "https://chat.m-labs.hk/";
 mutableConfig = true;
 };
- services.postgresql.package = pkgs.postgresql_12;
 services.matterbridge = {
 enable = true;
 configPath = "/etc/nixos/secret/matterbridge.toml";
 };
-
+
+ services.postgresql = {
+ package = pkgs.postgresql_12;
+ identMap =
+ ''
+ rt rt rt_user
+ '';
+ };
+
 nixpkgs.config.packageOverrides = super: let self = super.pkgs; in {
 nix = super.nix.overrideAttrs(oa: {
 patches = oa.patches or [] ++ [ ./nix-networked-derivations.patch ];
diff --git a/nixbld-etc-nixos/rt.nix b/nixbld-etc-nixos/rt.nix
index 554406c8..30b8e5a0 100644
--- a/nixbld-etc-nixos/rt.nix
+++ b/nixbld-etc-nixos/rt.nix
@@ -19,14 +19,9 @@ let
 Set($Timezone, '${cfg.timeZone}');
 Set($DatabaseType, 'Pg');
- Set($DatabaseHost, 'localhost');
- Set($DatabaseUser, 'rt_user');
+ Set($DatabaseHost, '/run/postgresql');
+ Set($DatabaseUser, 'rt');
 Set($DatabaseName, 'rt5');
- # Read database password from file
- open my $fh, '<', '${cfg.dbPasswordFile}' or die 'Can\'t open file $!';
- my $dbpw = do { local $/; <$fh> };
- $dbpw =~ s/^\s+|\s+$//g;
- Set($DatabasePassword, $dbpw);
 # System (Logging)
 Set($LogToSTDERR, undef); # Don't log twice
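Review bot: The new `identMap` entry `rt rt rt_user` declares a pg_ident map named `rt` from OS user `rt` to role `rt_user`, but PostgreSQL only consults such a map when a pg_hba line names it with `map=rt`; nothing in this hunk touches `services.postgresql.authentication`, and if the NixOS default `local all all peer` line is what is in effect here it carries no map, so as far as this commit shows the map is never applied. The rt.nix hunk of the same commit additionally sets `$DatabaseUser` to `rt` rather than `rt_user`, so even with the map active the RT connection would not pass through it: either role `rt` must own `rt5` and the map is dead configuration, or RT should stay on `rt_user` with the map referenced from the peer line. If the latter is intended, the missing piece is one line next to the map, `authentication = "local rt5 rt_user peer map=rt";`, plus a comment on the map such as `# pg_ident: OS user rt may connect as role rt_user (peer auth over the socket)`. Which of the two was intended cannot be determined from the hunk.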
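Review bot: With `$DatabaseHost` now a socket directory and `$DatabasePassword` no longer set, this connection only succeeds if the OS account the RT service runs under is accepted by peer authentication for role `rt`; the service's `User` is not part of this hunk, so the coupling is invisible at the point where it matters. A comment above the two new `Set(...)` lines would make it explicit, e.g. `# Peer auth over the Unix socket: the OS user running RT must be accepted for $DatabaseUser by pg_hba/pg_ident; no password is configured.` The RT_SiteConfig string this Perl sits in opens and closes outside the hunk.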
@@ -154,13 +149,6 @@ in {
 type = str;
 };
- dbPasswordFile = mkOption {
- description = "File containing the database password";
- type = str;
- default = "/etc/nixos/secret/rtpasswd";
- internal = true;
- };
-
 domain = mkOption {
 description = "Which domain RT is running on";
 type = str;
@@ -245,8 +233,6 @@ in {
 PrivateNetwork = false;
 MemoryDenyWriteExecute = false;
-
- ReadOnlyPaths = [ cfg.dbPasswordFile ];
 };
 environment = {