diff --git a/hosts/plover/default.nix b/hosts/plover/default.nix
index d97a10d1..5fce5ff0 100644
--- a/hosts/plover/default.nix
+++ b/hosts/plover/default.nix
@@ -40,12 +40,13 @@ in secrets; in getSecrets (let
- giteaUserGroup = config.users.users."${config.services.gitea.user}".group;
+ giteaUserGroup = config.users.users."${config.services.gitea.user}".name; # It is hardcoded but as long as the module is stable that way. vaultwardenUserGroup = config.users.groups.vaultwarden.name; in { "ssh-key" = {};
+ "lego/env" = {}; "gitea/db/password".owner = giteaUserGroup; "gitea/smtp/password".owner = giteaUserGroup; "vaultwarden/env".owner = vaultwardenUserGroup;
@@ -77,11 +78,6 @@ in type = "ed25519"; }];
- # Some additional dependencies for this system.
- environment.systemPackages = with pkgs; [
- asciidoctor # This is needed for additional markup for Gitea.
- ];
- # The main server where it will tie all of the services in one neat little # place. services.nginx = {
@@ -140,6 +136,30 @@ in package = pkgs.postgresql_15; enableTCPIP = true;
+ # Create per-user schema as documented from Usage Patterns. This is to make
+ # use of the secure schema usage pattern they encouraged to do.
+ #
+ # Now, you just have to keep in mind about applications making use of them.
+ # Most of them should have the setting to set the schema to be used. If
+ # not, then screw them (or just file an issue and politely ask for the
+ # feature). initialScript = let perUserSchemas = lib.lists.map (user: "CREATE SCHEMA ${user.name};") config.services.postgresql.ensureUsers; script = pkgs.writeText "plover-initial-postgresql-script" '' ${lib.concatStringsSep "\n" perUserSchemas} ''; in script;
+ settings = { log_connections = true; log_disconnections = true;
+ # Still doing the secure schema usage pattern. search_path = "\"$user\""; };
+ # There's no database and user checks for Vaultwarden service. ensureDatabases = [ vaultwardenDbName ]; ensureUsers = [
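Review bot: `giteaUserGroup` now evaluates to the Gitea user's name (`.name` on `users.users`), not a group, yet the binding keeps its `Group` suffix while being assigned to `.owner`, which takes a user; rename it so the next reader does not assume group ownership, e.g. `giteaUser = config.users.users."${config.services.gitea.user}".name;` and `"gitea/db/password".owner = giteaUser;`. The new `"lego/env" = {}` entry sets neither owner nor group, so it presumably falls back to the secrets module's root-only default; that is fine if it is consumed by a root-run unit or loaded by systemd as an `EnvironmentFile`, but worth confirming against whatever ACME/lego consumer reads it, which is not in this hunk. The `let`/attribute set opened by `in getSecrets (let` closes outside the hunk.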
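Review bot: `CREATE SCHEMA ${user.name};` in `initialScript` runs once at cluster initialisation as the superuser and, as far as I recall the NixOS module, against the default `postgres` database before `ensureDatabases`/`ensureUsers` have run, so the schemas are created in the wrong database, owned by `postgres` rather than the role they are named after, and a user added to `ensureUsers` later never gets one. For the secure-schema pattern each schema has to live in the application's own database and be owned by (or granted to) its role, so create it after the users exist, connected to that database, with `CREATE SCHEMA IF NOT EXISTS "<user>" AUTHORIZATION "<user>";` (a `postStart` step or a small oneshot unit ordered after `postgresql.service`), and quote the identifier rather than interpolating it bare. `log_connections`/`log_disconnections` are a good addition for auditing. The `services.postgresql` block starts before this hunk and `ensureUsers = [` continues past it.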
@@ -147,7 +167,7 @@ in name = vaultwardenUser; ensurePermissions = { "DATABASE ${vaultwardenDbName}" = "ALL PRIVILEGES";
- "ALL TABLES IN SCHEMA public" = "ALL PRIVILEGES";
+ "SCHEMA ${vaultwardenDbName}" = "ALL PRIVILEGES"; }; } ];
@@ -177,10 +197,7 @@ in "ui.meta" = { AUTHOR = "foodogsquared's code forge";
- DESCRIPTION = '' foodogsquared's personal Git forge. Mainly personal projects and some archived and mirrored codebases. '';
+ DESCRIPTION = "foodogsquared's personal projects and some archived and mirrored codebases."; KEYWORDS = "foodogsquared,gitea,self-hosted"; };
@@ -197,7 +214,7 @@ in ENABLED = true; NEED_POSTPROCESS = true; FILE_EXTENSIONS = ".adoc,.asciidoc";
- RENDER_COMMANDS = "asciidoc --out-file=- -";
+ RENDER_COMMAND = "${pkgs.asciidoctor}/bin/asciidoctor --out-file=- -"; IS_INPUT_FILE = false; };
@@ -219,6 +236,12 @@ in # Enable mirroring feature... mirror.ENABLED = true;
+ # Session configuration. session.COOKIE_SECURE = true;
+ # Some more database configuration. database.SCHEMA = config.services.gitea.user;
+ other = { SHOW_FOOTER_VERSION = true; ENABLE_SITEMAP = true;
@@ -262,7 +285,7 @@ in # Configuring the database. Take note it is required to create a password # for the user.
- DATABASE_URL = "postgresql://${vaultwardenUser}@/${vaultwardenDbName}";
+ DATABASE_URL = "postgresql://${vaultwardenUser}@/${vaultwardenDbName}?application_name=vaultwarden&options=-c%20search_path%3D${vaultwardenUser}"; }; };
diff --git a/hosts/plover/secrets/secrets.yaml b/hosts/plover/secrets/secrets.yaml
index 29433be2..5073dfe0 100644
--- a/hosts/plover/secrets/secrets.yaml
+++ b/hosts/plover/secrets/secrets.yaml
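Review bot: The new grant `"SCHEMA ${vaultwardenDbName}" = "ALL PRIVILEGES"` names the schema after the database, while the schema creation elsewhere in this commit is keyed on `user.name` and the `DATABASE_URL` search_path on `${vaultwardenUser}`; unless `vaultwardenUser` and `vaultwardenDbName` happen to hold the same string, this grants on a schema that was never created. Use one variable consistently, `"SCHEMA ${vaultwardenUser}" = "ALL PRIVILEGES";`, or better make the role the schema's owner so no grant is needed at all. As far as I can tell the `ensurePermissions` statements are issued while connected to the default database rather than `${vaultwardenDbName}`, so a schema-level grant here only hits a schema that exists there — worth verifying with `\dn` in both databases. The enclosing `ensureUsers` list and `services.postgresql` block start before this hunk.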
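Review bot: The external renderer invokes `asciidoctor` with no `--safe-mode`, and the asciidoctor CLI defaults to `unsafe`, which honours `include::` directives in the document being rendered; since the input is repository content pushed by users, anyone with push access can pull server-local files readable by the Gitea user (the `app.ini` holding the database and SMTP passwords being the obvious target) into the rendered page. Set the safe mode explicitly, and `-s`/`--no-header-footer` if you want an embeddable fragment: `RENDER_COMMAND = "${pkgs.asciidoctor}/bin/asciidoctor --safe-mode=secure -s --out-file=- -";`. `NEED_POSTPROCESS = true` sanitises the produced HTML but does nothing about the file read. The enclosing renderer section starts before this hunk.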
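Review bot: `database.SCHEMA = config.services.gitea.user` makes Gitea address a schema named after its database user, so that schema must exist in Gitea's database and the user needs `USAGE` and `CREATE` on it before the migrations run; nothing in this commit grants the Gitea role anything on that schema, and the schema creation it adds runs as the superuser, which leaves the schema owned by `postgres`, so the first migration is likely to fail with a permission error. Create the schema with `AUTHORIZATION` for the Gitea role, or add an explicit schema grant next to the database one. `session.COOKIE_SECURE = true` is a good change; while touching the session settings consider `session.SAME_SITE = "strict";` as well. The `services.gitea.settings` set starts before this hunk.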
@@ -6,7 +6,7 @@ sourcehut: service-key: ENC[AES256_GCM,data:glZuT+e9c2UOXieP313ny6Dl15HRXpeHtGr4XPWjhNSAvFgcwp/1AgFYrHDWZBf771MkN0pgVE/d/fx0oBOgSg==,iv:S4BzMYPZtVFhXV0g5qBxjItqCyEQ25Ct6swBut7FefQ=,tag:w3t59DqroYuAmgHlu/BhEQ==,type:str] webhook-key: ENC[AES256_GCM,data:DDCHLYgYLnecG48XJJXqnsFP/Kl1W+R6eTGC4Ria0Rf5Z0dw8p0r+XaY4TY=,iv:nUCkIgw5lNzEha6HVjBHtGD8ZzBwOlP8yMRQ/usD/64=,tag:LenhvQyDDVulA9PCa2RWDQ==,type:str] smtp:
- user: ENC[AES256_GCM,data:9edqw3E=,iv:kF7GXxsJupbGZlvvgfL6gKGZl1+W2rsr++XsVykVYOI=,tag:0jNo1SDorCRJ8uNLERU8MA==,type:str]
+ user: ENC[AES256_GCM,data:AEiA29Tn,iv:TSEsNvMk0r0zpu/NuzRv90Oa2Z3GXJwtu39vF7d8SQI=,tag:fv3dZ9V1+SgViEEfNhhq/Q==,type:str] password: ENC[AES256_GCM,data:1VvHDAkAI7cBEziZNN8uZNmeojiHxtsR08MpFEEuOLdwWeKj+OFtKGK6TTu/V6sUQKWsTV5cvBAvk0siE/G+mB/rmY63,iv:O180YVKBJXRA/PvEotdBua6U6O6OQqncQsOepCNDGlM=,tag:h0XPBWnJIj3JTR6M4GVLtQ==,type:str] gitea: db:
@@ -34,8 +34,8 @@ sops: ZCtNbnFqdzNkVlBtNjVCdE4yNHMrRjQKfFV4GaReO0UO81xsTB0EuN5ibVsafXJY miBgZAZWbJjSBcM4X+Fym/DlxHRoB1a6iFEFN9yg+Z9WI8PfjKnbsA== -----END AGE ENCRYPTED FILE-----
- lastmodified: "2022-12-03T04:34:10Z"
- mac: ENC[AES256_GCM,data:AfTha4YswSgi7Z/RlIZdTY0KnG7SyeVp1/eLXm8Gbg34j1UAyezfQI4C26Ily1/O+l4YX9T1RSIO2jdwiRmgLy7LVMTtlmHt12fLb720UJ6L2P4yWBWdxnMAuarC7eFQSX+q8XT0IS9rWZEntVQkGjRw+bJJquJvMTZs5+UrR+I=,iv:uzR3Cr7+s8DjKw3OrmDTPt9RLYtZ7EixPoZMHwGOJzg=,tag:+AhzAFQGWt5GvjPeZoIDCA==,type:str]
+ lastmodified: "2022-12-03T14:59:16Z"
+ mac: ENC[AES256_GCM,data:3fTcf7rb7XpWGQvwJhf40XUwqT/pHQB1RyU4dh9XE0XHdJ2ASa3CAqVLVNj07JS2uuzcvAnSjRGTNge4xtqDcuRFZ5UT5lzzl/YJBfXhKdfZISuUqsqSqggpkhO64R+A65oMyA+98COJ/FtVtNpV7P21pn1EjOdJEMkXobOfnls=,iv:/ULWDXcvFpR/Rlqd3uqhvflM4dN0vl9C8X+JXvH+yUo=,tag:QYWpV+QFGWMcGgSTGF5teA==,type:str] pgp: [] unencrypted_suffix: _unencrypted version: 3.7.3