WeAreWizards / passopolis-server

Server component of Passopolis (formerly Mitro)
GNU General Public License v3.0
79 stars 16 forks

postgresql configuration #12

Open disassembler opened 7 years ago

disassembler commented 7 years ago

I'm working on making passopolis easier to use for nixos folks by adding a package to nixpkgs. Currently, I have it building fine, but I'm not sure how to go about making postgresql configuration changes. The way I've done it manually is to alter build.xml and rebuild, but I'm wondering if there's a better way.

Here's a link to my nixpkgs expression: https://github.com/disassembler/nixpkgs/blob/passopolis-server/pkgs/servers/passopolis/default.nix

teh commented 7 years ago

Nice!

We don't have a better config system - happy to accept PRs though :)

disassembler commented 7 years ago

Made some progress looking at build.xml and the resulting process started using the ant server command. The database_url is passed as a parameter to the java process. I don't see any easy way to add authentication, but using trust 127.0.0.1 in the postgresql config, it works. Here's my PR for nixpkgs to get this service added:

https://github.com/NixOS/nixpkgs/pull/25907

disassembler commented 7 years ago

The PR we have works using host based ident authorization with postgresql, but that's inherently insecure and not recommended. The other option we have is passing user/pass in the database_url parameter, but then anyone on the system can run a ps and get the database credentials. Are there any secure ways to get the database_url into the application? I know you said you don't have a config system in place, but is your team just using ident postgresql authentication? Or are you doing something different? Thanks for your help!
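Added example, not part of the thread or of the Passopolis code: a defender-side audit for the exposure described in the comment above, where a PostgreSQL URL carrying a password on a process command line is readable by any local user. The `-Ddatabase_url=` flag spelling, database name and passwords in the sample are constructed assumptions; only redacted URLs are reported.

```python
import os
import re
from urllib.parse import parse_qs, urlsplit

# PostgreSQL connection URLs, with or without the JDBC prefix.
PG_URL = re.compile(r"(?:jdbc:)?postgres(?:ql)?://[^\s'\"]+")

def exposed_credentials(argv):
    """Return redacted PostgreSQL URLs in argv that embed a password."""
    findings = []
    for arg in argv:
        for match in PG_URL.finditer(arg):
            url = match.group(0)
            bare = url[5:] if url.startswith("jdbc:") else url
            parts = urlsplit(bare)
            in_query = "password" in parse_qs(parts.query, keep_blank_values=True)
            in_userinfo = parts.password is not None
            if in_query or in_userinfo:
                # Never echo the secret itself into the audit report.
                red = re.sub(r"(password=)[^&]*", r"\1<redacted>", url)
                red = re.sub(r"(://[^:/@]+:)[^@/]*@", r"\1<redacted>@", red)
                findings.append(red)
    return findings

def scan_proc(proc="/proc"):
    """Map pid -> redacted findings for every readable process (Linux only)."""
    report = {}
    for pid in filter(str.isdigit, os.listdir(proc)):
        try:
            with open(os.path.join(proc, pid, "cmdline"), "rb") as fh:
                argv = fh.read().decode(errors="replace").split("\0")
        except OSError:
            continue  # process exited, or its cmdline is hidden from us
        found = exposed_credentials(argv)
        if found:
            report[int(pid)] = found
    return report

# Constructed sample: a java launch line with the password in the URL.
SAMPLE_ARGV = ["java", "-Ddatabase_url=jdbc:postgresql://127.0.0.1:5432/"
               "mitro?user=mitro&password=s3cret", "-jar", "server.jar"]

if __name__ == "__main__":
    print(exposed_credentials(SAMPLE_ARGV))
    for pid, urls in scan_proc().items():
        print(pid, urls)
```

Run as an unprivileged user, `scan_proc()` shows what any local account can see; an empty result for the service's process means its credentials are not on its command line.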

teh commented 7 years ago

We're using nixops which supports deploy keys [1], but we're also a single-purpose machine so using ident auth would be OK as well in our case.

[1] https://nixos.org/nixops/manual/#idm140737318306400

disassembler commented 7 years ago

That actually would work perfectly (we could do something similar with a passwordFile). How do you get the deploy key into the java app? That's where we're kinda getting stuck.

Thanks,

Sam

On Wed, May 31, 2017 at 2:48 PM teh notifications@github.com wrote:

> We're using nixops which supports deploy keys [1], but we're also a single-purpose machine so using ident auth would be OK as well in our case.
>
> [1] https://nixos.org/nixops/manual/#idm140737318306400