From 24b26bf4a3de1cc96654974e319c00647988f16e Mon Sep 17 00:00:00 2001
From: Grimmauld
Date: Tue, 30 Jan 2024 22:00:49 +0100
Subject: [PATCH] secure database
---
 configuration.nix | 1 +
 modules/ptero.nix | 12 ++++++++----
 secrets/ptero_env.age | Bin 0 -> 960 bytes
 secrets/secrets.nix | 1 +
 4 files changed, 10 insertions(+), 4 deletions(-)
 create mode 100644 secrets/ptero_env.age
diff --git a/configuration.nix b/configuration.nix
index eb0e65a..edfb26c 100644
--- a/configuration.nix
+++ b/configuration.nix
@@ -56,6 +56,7 @@ in {
 (writeShellScriptBin "pufferpanel-nix" "pufferpanel --workDir /var/lib/pufferpanel $@")
 (writeShellScriptBin "nix-referrers" "nix-store --query --referrers $@")
 (writeShellScriptBin "silent-add" "git add --intent-to-add $@ ; git update-index --assume-unchanged $@")
+ (writeShellScriptBin "systemd-owner" "systemctl show -pUser,UID $@")
 ];
 environment.sessionVariables = {
diff --git a/modules/ptero.nix b/modules/ptero.nix
index c8486b5..b8026cc 100644
--- a/modules/ptero.nix
+++ b/modules/ptero.nix
@@ -15,6 +15,9 @@ in {
 };
 users.groups.${panel_user} = {};
+ age.secrets.ptero_env = {
+ file = ../secrets/ptero_env.age;
+ };
 systemd.services.init-ptero-data-dir = {
 description = "Create the pterodactyl panel data dir";
@@ -24,7 +27,9 @@ in {
 script =''
 mkdir -p ${DATA_DIR}/database
 mkdir -p ${DATA_DIR}/cache
-mkdir -p ${DATA_DIR}/panel
+mkdir -p ${DATA_DIR}/panel/var
+mkdir -p ${DATA_DIR}/panel/logs
+mkdir -p ${DATA_DIR}/panel/nginx
 chown ${panel_user}:${panel_user} -R ${DATA_DIR}
 chmod +777 -R ${DATA_DIR}
 '';
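Review bot: The new `systemd-owner` wrapper forwards its arguments as a bare `$@`, so a unit name containing whitespace or glob characters is word-split or expanded by the wrapper's shell before `systemctl show` ever sees it; the added line should read `(writeShellScriptBin "systemd-owner" "systemctl show -pUser,UID \"$@\"")`. The three existing wrappers above it use the same unquoted form, but only this line is new in the commit. The list this entry belongs to starts and ends outside the hunk.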
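Review bot: `age.secrets.ptero_env` declares the encrypted file, but nothing in the repository documents what the decrypted file has to contain, and an encrypted blob cannot be read to find out. Since the file is consumed through `environmentFiles` by both the database and the panel containers, and the commit drops `MYSQL_ROOT_PASSWORD`, `MYSQL_PASSWORD` and `DB_PASSWORD` from their `environment` blocks, it must provide at least those three keys in `KEY=VALUE` env-file form; a comment above the declaration, `# env-file for the database and panel containers; must define MYSQL_ROOT_PASSWORD, MYSQL_PASSWORD and DB_PASSWORD`, would spare the next editor from decrypting it. No `owner`/`group`/`mode` is given, so the agenix defaults (presumably root-only) apply; that matches container units run by root, but if it is intentional it is worth one word in the same comment.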
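Review bot: The three new `mkdir -p ${DATA_DIR}/panel/...` directories, and with them the whole tree including `${DATA_DIR}/database`, are made world-writable by the unchanged `chmod +777 -R ${DATA_DIR}` two lines further down, so the MySQL data files stay readable by every local user no matter how well the password is protected by the age secret this commit introduces. That leaves the "secure database" goal only half met; the recursive `777` should be narrowed to the owner from the preceding `chown` plus whichever UIDs the database and panel images actually run as (verify those before picking a mode, since the bind mounts are written from inside the containers). The script belongs to `systemd.services.init-ptero-data-dir`, whose definition starts outside the hunk.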
@@ -55,11 +60,10 @@ chmod +777 -R ${DATA_DIR}
 workdir = "${DATA_DIR}/database";
 extraOptions = [ "--pod=ptero" ];
 environment = {
- "MYSQL_ROOT_PASSWORD" = "JMK1VmZDwoVAUhvClQ7DncOEw5B1XcKXwqERw45Cw4/CoMKKwqHCocKXwqZrwr9b";
 "MYSQL_USER" = "pterodactyl";
- "MYSQL_PASSWORD" = "JMK1VmZDwoVAUhvClQ7DncOEw5B1XcKXwqERw45Cw4/CoMKKwqHCocKXwqZrwr9b";
 "MYSQL_DATABASE" = "panel";
 };
+ environmentFiles = [ config.age.secrets.ptero_env.path ];
 volumes = ["${DATA_DIR}/database:/var/lib/mysql" "${DATA_DIR}/database:${DATA_DIR}/database"];
 cmd=["--default-authentication-plugin=mysql_native_password"];
 };
@@ -92,7 +96,6 @@ chmod +777 -R ${DATA_DIR}
 "MAIL_PASSWORD" = "";
 "MAIL_ENCRYPTION" = "true";
- "DB_PASSWORD" = "JMK1VmZDwoVAUhvClQ7DncOEw5B1XcKXwqERw45Cw4/CoMKKwqHCocKXwqZrwr9b";
 "APP_ENV"= "production";
 "APP_ENVIRONMENT_ONLY"= "false";
 "CACHE_DRIVER" = "redis";
@@ -105,6 +108,7 @@ chmod +777 -R ${DATA_DIR}
 labels = {
 "traefik.http.routers.pterodactyl_panel.entrypoints"="web";
 };
+ environmentFiles = [ config.age.secrets.ptero_env.path ];
 };
 security.acme.certs."${root_host}".extraDomainNames = [ ptero_host ];
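Review bot: The new `environmentFiles = [ config.age.secrets.ptero_env.path ];` only protects the database if the values inside `ptero_env.age` are fresh ones: the literal removed from `MYSQL_ROOT_PASSWORD` and `MYSQL_PASSWORD` in this hunk (and from `DB_PASSWORD` in the `@@ -92` hunk) remains readable in git history, so an encrypted file that merely carries the same string over leaves the credential as exposed as before. Rotate it before relying on the change, and take the opportunity to give `MYSQL_ROOT_PASSWORD` and `MYSQL_PASSWORD` distinct values, since the removed lines used one value for both; `DB_PASSWORD` in the file has to match the new `MYSQL_PASSWORD`. The container definition continues past the hunk.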
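Review bot: The panel container receives the same `environmentFiles` entry as the database container, so the web-facing panel process is handed `MYSQL_ROOT_PASSWORD` although the only variable it lost in this commit is `DB_PASSWORD` (see the `@@ -92` hunk). Splitting the secret into two age files, one with the root and user passwords mounted only into the database container and one holding just `DB_PASSWORD` for the panel, keeps the root credential out of the container most likely to be compromised; the panel then needs only its own `environmentFiles = [ config.age.secrets.ptero_panel_env.path ];` (name constructed for illustration). The surrounding container attribute set starts outside the hunk.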
diff --git a/secrets/ptero_env.age b/secrets/ptero_env.age
new file mode 100644
index 0000000000000000000000000000000000000000..caa6e46a02a54537b8516313fddef6bdff79da40
GIT binary patch
literal 960 zcmWO3TdUgy003b3Bm^8XhBpQto#;k6rb&8L(B;}Rm!@r+D~D}Kn|qVy)-;KzsE>+F zVWOa@h=}5Y55jP|sfY?=;^4dqqI*1e28wu@OmTnV`wYk0wxW4j#kseN9$uvmSU|w` zV_R9~Zl{^CU4j!p2O0*>|uCPd+2#A6fvu2Z6 z4a0d2h8oKOc4L8sRK#JRsx4h7qt;fC$60CE8_ezNB@;;oDJ5e+X<@A4twv%CmSHDz ziwfPCa~(i&PirriM4cgtE5sH|Gc6q?vLHdSn<+*C=Rq*{Ii}TE$mvXGNmVEFO+w5) z6D%ekpxuO88WB<}qf%+d3Kf?{VkMZ3>YTxa{*;5p{eeA`U8@-kOw}PajJTw%9AS%9 zln#J^NS7kvb#S`})euoHIw+kLovAEzO395#UU%e95uv2CX|+<tyr z3SdgkotS8Gh|Ov4#72e$E;iWKs7s4gNr91M&FX}dd(5C|QB=!s3cgAN0%+=x6=P)w zP%#8So8;0_1;s)#%$00rBqz4AXqaWqNxWDgrht#Si3DtKZ*Qqspj0W%r^%Wb;n)DD zgJBaMi=`7nT+Z-%f4xfZu94t9;K%du?iVNCzwqecU-mD3y}q*ldjHT5S5HeHA+P$! z?|bRe#cR*~e(>buhhF^Vg3vqpz+cMFTbFO^T~Hlzw*LQf1;nCIPlH~KVRJ0Vb6c|=DkVzhO literal 0 HcmV?d00001
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index 4c2cbef..f9a0752 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -14,4 +14,5 @@ in
 "matrix_mjolnir_pass.age".publicKeys = [ contabo_nix_pub ];
 "matrix_mjolnir_tle_pass.age".publicKeys = [ contabo_nix_pub ];
 "matrix_discord_bridge_token.age".publicKeys = [ contabo_nix_pub ];
+ "ptero_env.age".publicKeys = [ contabo_nix_pub ];
 }