db user restrict access to container

2024-08-06 09:01:04 -07:00 · 2024-08-06 09:01:04 -07:00 · bd5b04eeae
commit bd5b04eeae
parent 2ba3fe0a7e
5 changed files with 43 additions and 6 deletions
--- a/compose.yaml
+++ b/compose.yaml
@ -1,6 +1,7 @@
 services:
  db:
    image: mariadb:lts
    command: "--skip-name-resolve=OFF"
    restart: always
    healthcheck:
      test: ['CMD', 'healthcheck.sh', '--connect', '--innodb_initialized']
@ -30,6 +31,7 @@ services:
    restart: always
    # Comment following line to use flask (1worker, dev), uncomment to use uwsgi (wsgi)
    #command: ["uwsgi", "--http", "0.0.0.0:8000", "--master", "-p", "4", "-w", "microblog:app"]
    container_name: backend
    environment:
      - MYSQL_USER=flasku
      #- MYSQL_PASSWORD=flaskp
@ -127,4 +129,6 @@ volumes:
 networks:
  backnet:
    name: backnet
  frontnet:
    name: frontnet
--- a/db/init/01-databases.sql
+++ b/db/init/01-databases.sql
@ -3,10 +3,10 @@ CREATE DATABASE IF NOT EXISTS `gitea`;
 CREATE DATABASE IF NOT EXISTS `flask`;
 -- create root user and grant rights
-CREATE USER 'gitea' IDENTIFIED BY 'giteap';
+CREATE USER 'gitea'@'gitea.backnet' IDENTIFIED BY 'giteap';
-CREATE USER 'flasku' IDENTIFIED BY 'flaskp';
+CREATE USER 'flasku'@'backend.backnet' IDENTIFIED BY 'flaskp';
 --CREATE USER 'gitea'@'localhost' IDENTIFIED BY 'gitea';
 --GRANT ALL ON `gitea` TO 'gitea'@'localhost';
-GRANT ALL ON gitea.* TO 'gitea';
+GRANT ALL ON gitea.* TO 'gitea'@'gitea.backnet';
-GRANT ALL ON flask.* TO 'flasku';
+GRANT ALL ON flask.* TO 'flasku'@'backend.backnet';
--- a/other/dbbu.sh
+++ b/other/dbbu.sh
@ -0,0 +1,16 @@
 #!/bin/bash
 # copy do db mount, use as helper
 if [[ -z $1 ]] ; then
        echo "dbbu.sh <gitea|flask> <rootpass>"
        exit 0
 fi
 if [[ $1 == "gitea" ]] ; then
        mariadb-dump -uroot -p$2 gitea > gitea_bu_$(date +%s).sql
 fi
 if [[ $1 == "flask" ]] ; then
        mariadb-dump -uroot -p$2 flask > flask_bu_$(date +%s).sql
 fi
--- a/other/sqlpass.sh
+++ b/other/sqlpass.sh
@ -19,10 +19,10 @@ echo "Changing app db passwords in 5 seconds..."
 sleep 6
 # Flask
-docker-compose exec db mariadb --database=mysql -uroot -p$DOTENV_MYSQL_ROOT_PASSWORD_OLD -e "ALTER USER 'flasku' IDENTIFIED BY '"$DOTENV_MYSQL_FLASK_PASSWORD"';"
+docker-compose exec db mariadb --database=mysql -uroot -p$DOTENV_MYSQL_ROOT_PASSWORD_OLD -e "ALTER USER 'flasku'@'backend.backnet' IDENTIFIED BY '"$DOTENV_MYSQL_FLASK_PASSWORD"';"
 # Gitea
-docker-compose exec db mariadb --database=mysql -uroot -p$DOTENV_MYSQL_ROOT_PASSWORD_OLD -e "ALTER USER 'gitea' IDENTIFIED BY '"$DOTENV_MYSQL_GITEA_PASSWORD"';"
+docker-compose exec db mariadb --database=mysql -uroot -p$DOTENV_MYSQL_ROOT_PASSWORD_OLD -e "ALTER USER 'gitea'@'gitea.backnet' IDENTIFIED BY '"$DOTENV_MYSQL_GITEA_PASSWORD"';"
 docker-compose exec db mariadb --database=mysql -uroot -p$DOTENV_MYSQL_ROOT_PASSWORD_OLD -e "FLUSH PRIVILEGES;"
--- a/proxy/giteaconf
+++ b/proxy/giteaconf
@ -0,0 +1,17 @@
 server {
    listen       80;
    server_name  localhost;
    location / {
        client_max_body_size 512M;
        #proxy_pass http://localhost:3000;
        proxy_pass http://gitea:3000;
        proxy_set_header Connection $http_connection;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
 }