secure database

2024-01-30 22:00:49 +01:00 · 2024-01-30 22:00:49 +01:00 · 24b26bf4a3
commit 24b26bf4a3
parent 30bdaa6e9f
4 changed files with 10 additions and 4 deletions
--- a/configuration.nix
+++ b/configuration.nix
@ -56,6 +56,7 @@ in {
    (writeShellScriptBin "pufferpanel-nix" "pufferpanel --workDir /var/lib/pufferpanel $@")
    (writeShellScriptBin "nix-referrers" "nix-store --query --referrers $@")
    (writeShellScriptBin "silent-add" "git add --intent-to-add $@ ; git update-index --assume-unchanged $@")
    (writeShellScriptBin "systemd-owner" "systemctl show -pUser,UID $@")
  ];
  environment.sessionVariables = {
--- a/modules/ptero.nix
+++ b/modules/ptero.nix
@ -15,6 +15,9 @@ in {
  };
  users.groups.${panel_user} = {};
  age.secrets.ptero_env = {
    file = ../secrets/ptero_env.age;
  };
  systemd.services.init-ptero-data-dir = {
    description = "Create the pterodactyl panel data dir";
@ -24,7 +27,9 @@ in {
    script =''
 mkdir -p ${DATA_DIR}/database
 mkdir -p ${DATA_DIR}/cache
-mkdir -p ${DATA_DIR}/panel
+mkdir -p ${DATA_DIR}/panel/var
 mkdir -p ${DATA_DIR}/panel/logs
 mkdir -p ${DATA_DIR}/panel/nginx
 chown ${panel_user}:${panel_user} -R ${DATA_DIR}
 chmod +777 -R ${DATA_DIR}
 '';
@ -55,11 +60,10 @@ chmod +777 -R ${DATA_DIR}
    workdir = "${DATA_DIR}/database";
    extraOptions = [ "--pod=ptero" ];
    environment = {
      "MYSQL_ROOT_PASSWORD" = "JMK1VmZDwoVAUhvClQ7DncOEw5B1XcKXwqERw45Cw4/CoMKKwqHCocKXwqZrwr9b";
      "MYSQL_USER" = "pterodactyl";
      "MYSQL_PASSWORD" = "JMK1VmZDwoVAUhvClQ7DncOEw5B1XcKXwqERw45Cw4/CoMKKwqHCocKXwqZrwr9b";
      "MYSQL_DATABASE" = "panel";
    };
    environmentFiles = [ config.age.secrets.ptero_env.path ];
    volumes = ["${DATA_DIR}/database:/var/lib/mysql" "${DATA_DIR}/database:${DATA_DIR}/database"];
    cmd=["--default-authentication-plugin=mysql_native_password"];
  };
@ -92,7 +96,6 @@ chmod +777 -R ${DATA_DIR}
      "MAIL_PASSWORD" = "";
      "MAIL_ENCRYPTION" = "true";
      "DB_PASSWORD" = "JMK1VmZDwoVAUhvClQ7DncOEw5B1XcKXwqERw45Cw4/CoMKKwqHCocKXwqZrwr9b";
      "APP_ENV"= "production";
      "APP_ENVIRONMENT_ONLY"= "false";
      "CACHE_DRIVER" = "redis";
@ -105,6 +108,7 @@ chmod +777 -R ${DATA_DIR}
    labels = {
      "traefik.http.routers.pterodactyl_panel.entrypoints"="web";
    };
    environmentFiles = [ config.age.secrets.ptero_env.path ];
  };
  security.acme.certs."${root_host}".extraDomainNames = [ ptero_host ];
--- a/secrets/ptero_env.age
+++ b/secrets/ptero_env.age
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@ -14,4 +14,5 @@ in
  "matrix_mjolnir_pass.age".publicKeys = [ contabo_nix_pub ];
  "matrix_mjolnir_tle_pass.age".publicKeys = [ contabo_nix_pub ];
  "matrix_discord_bridge_token.age".publicKeys = [ contabo_nix_pub ];
  "ptero_env.age".publicKeys = [ contabo_nix_pub ];
 }