hosts/plover: update config

2025-02-07 12:19:07 +00:00 · 2022-12-04 08:55:55 +08:00 · 2022-12-04 08:55:55 +08:00 · cb11ceb3a9
commit cb11ceb3a9
parent ac32593fda
2 changed files with 39 additions and 16 deletions
--- a/hosts/plover/default.nix
+++ b/hosts/plover/default.nix
@ -40,12 +40,13 @@ in
          secrets;
    in
    getSecrets (let
-      giteaUserGroup = config.users.users."${config.services.gitea.user}".group;
+      giteaUserGroup = config.users.users."${config.services.gitea.user}".name;

      # It is hardcoded but as long as the module is stable that way.
      vaultwardenUserGroup = config.users.groups.vaultwarden.name;
    in {
      "ssh-key" = {};
+      "lego/env" = {};
      "gitea/db/password".owner = giteaUserGroup;
      "gitea/smtp/password".owner = giteaUserGroup;
      "vaultwarden/env".owner = vaultwardenUserGroup;
@ -77,11 +78,6 @@ in
    type = "ed25519";
  }];

-  # Some additional dependencies for this system.
-  environment.systemPackages = with pkgs; [
-    asciidoctor # This is needed for additional markup for Gitea.
-  ];
-
  # The main server where it will tie all of the services in one neat little
  # place.
  services.nginx = {
@ -140,6 +136,30 @@ in
    package = pkgs.postgresql_15;
    enableTCPIP = true;

+    # Create per-user schema as documented from Usage Patterns. This is to make
+    # use of the secure schema usage pattern they encouraged to do.
+    #
+    # Now, you just have to keep in mind about applications making use of them.
+    # Most of them should have the setting to set the schema to be used. If
+    # not, then screw them (or just file an issue and politely ask for the
+    # feature).
+    initialScript = let
+      perUserSchemas = lib.lists.map
+        (user: "CREATE SCHEMA ${user.name};")
+        config.services.postgresql.ensureUsers;
+      script = pkgs.writeText "plover-initial-postgresql-script" ''
+        ${lib.concatStringsSep "\n" perUserSchemas}
+      '';
+    in script;
+
+    settings = {
+      log_connections = true;
+      log_disconnections = true;
+
+      # Still doing the secure schema usage pattern.
+      search_path = "\"$user\"";
+    };
+
    # There's no database and user checks for Vaultwarden service.
    ensureDatabases = [ vaultwardenDbName ];
    ensureUsers = [
@ -147,7 +167,7 @@ in
        name = vaultwardenUser;
        ensurePermissions = {
          "DATABASE ${vaultwardenDbName}" = "ALL PRIVILEGES";
-          "ALL TABLES IN SCHEMA public" = "ALL PRIVILEGES";
+          "SCHEMA ${vaultwardenDbName}" = "ALL PRIVILEGES";
        };
      }
    ];
@ -177,10 +197,7 @@ in

      "ui.meta" = {
        AUTHOR = "foodogsquared's code forge";
-        DESCRIPTION = ''
-          foodogsquared's personal Git forge.
-          Mainly personal projects and some archived and mirrored codebases.
-        '';
+        DESCRIPTION = "foodogsquared's personal projects and some archived and mirrored codebases.";
        KEYWORDS = "foodogsquared,gitea,self-hosted";
      };

@ -197,7 +214,7 @@ in
        ENABLED = true;
        NEED_POSTPROCESS = true;
        FILE_EXTENSIONS = ".adoc,.asciidoc";
-        RENDER_COMMANDS = "asciidoc --out-file=- -";
+        RENDER_COMMAND = "${pkgs.asciidoctor}/bin/asciidoctor --out-file=- -";
        IS_INPUT_FILE = false;
      };

@ -219,6 +236,12 @@ in
      # Enable mirroring feature...
      mirror.ENABLED = true;

+      # Session configuration.
+      session.COOKIE_SECURE = true;
+
+      # Some more database configuration.
+      database.SCHEMA = config.services.gitea.user;
+
      other = {
        SHOW_FOOTER_VERSION = true;
        ENABLE_SITEMAP = true;
@ -262,7 +285,7 @@ in

      # Configuring the database. Take note it is required to create a password
      # for the user.
-      DATABASE_URL = "postgresql://${vaultwardenUser}@/${vaultwardenDbName}";
+      DATABASE_URL = "postgresql://${vaultwardenUser}@/${vaultwardenDbName}?application_name=vaultwarden&options=-c%20search_path%3D${vaultwardenUser}";
    };
  };

--- a/hosts/plover/secrets/secrets.yaml
+++ b/hosts/plover/secrets/secrets.yaml
@ -6,7 +6,7 @@ sourcehut:
    service-key: ENC[AES256_GCM,data:glZuT+e9c2UOXieP313ny6Dl15HRXpeHtGr4XPWjhNSAvFgcwp/1AgFYrHDWZBf771MkN0pgVE/d/fx0oBOgSg==,iv:S4BzMYPZtVFhXV0g5qBxjItqCyEQ25Ct6swBut7FefQ=,tag:w3t59DqroYuAmgHlu/BhEQ==,type:str]
    webhook-key: ENC[AES256_GCM,data:DDCHLYgYLnecG48XJJXqnsFP/Kl1W+R6eTGC4Ria0Rf5Z0dw8p0r+XaY4TY=,iv:nUCkIgw5lNzEha6HVjBHtGD8ZzBwOlP8yMRQ/usD/64=,tag:LenhvQyDDVulA9PCa2RWDQ==,type:str]
    smtp:
-        user: ENC[AES256_GCM,data:9edqw3E=,iv:kF7GXxsJupbGZlvvgfL6gKGZl1+W2rsr++XsVykVYOI=,tag:0jNo1SDorCRJ8uNLERU8MA==,type:str]
+        user: ENC[AES256_GCM,data:AEiA29Tn,iv:TSEsNvMk0r0zpu/NuzRv90Oa2Z3GXJwtu39vF7d8SQI=,tag:fv3dZ9V1+SgViEEfNhhq/Q==,type:str]
        password: ENC[AES256_GCM,data:1VvHDAkAI7cBEziZNN8uZNmeojiHxtsR08MpFEEuOLdwWeKj+OFtKGK6TTu/V6sUQKWsTV5cvBAvk0siE/G+mB/rmY63,iv:O180YVKBJXRA/PvEotdBua6U6O6OQqncQsOepCNDGlM=,tag:h0XPBWnJIj3JTR6M4GVLtQ==,type:str]
 gitea:
    db:
@ -34,8 +34,8 @@ sops:
            ZCtNbnFqdzNkVlBtNjVCdE4yNHMrRjQKfFV4GaReO0UO81xsTB0EuN5ibVsafXJY
            miBgZAZWbJjSBcM4X+Fym/DlxHRoB1a6iFEFN9yg+Z9WI8PfjKnbsA==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2022-12-03T04:34:10Z"
-    mac: ENC[AES256_GCM,data:AfTha4YswSgi7Z/RlIZdTY0KnG7SyeVp1/eLXm8Gbg34j1UAyezfQI4C26Ily1/O+l4YX9T1RSIO2jdwiRmgLy7LVMTtlmHt12fLb720UJ6L2P4yWBWdxnMAuarC7eFQSX+q8XT0IS9rWZEntVQkGjRw+bJJquJvMTZs5+UrR+I=,iv:uzR3Cr7+s8DjKw3OrmDTPt9RLYtZ7EixPoZMHwGOJzg=,tag:+AhzAFQGWt5GvjPeZoIDCA==,type:str]
+    lastmodified: "2022-12-03T14:59:16Z"
+    mac: ENC[AES256_GCM,data:3fTcf7rb7XpWGQvwJhf40XUwqT/pHQB1RyU4dh9XE0XHdJ2ASa3CAqVLVNj07JS2uuzcvAnSjRGTNge4xtqDcuRFZ5UT5lzzl/YJBfXhKdfZISuUqsqSqggpkhO64R+A65oMyA+98COJ/FtVtNpV7P21pn1EjOdJEMkXobOfnls=,iv:/ULWDXcvFpR/Rlqd3uqhvflM4dN0vl9C8X+JXvH+yUo=,tag:QYWpV+QFGWMcGgSTGF5teA==,type:str]
    pgp: []
    unencrypted_suffix: _unencrypted
    version: 3.7.3