oily.mom/site
1
0
Fork 0
forked from finn/site
Code Pull Requests Activity

db user restrict access to container

Browse Source
This commit is contained in:
finn
2024-08-06 09:01:04 -07:00
parent 2ba3fe0a7e
commit bd5b04eeae
5 changed files with 43 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
compose.yaml
View File

@@ -1,6 +1,7 @@
services:
db:
image: mariadb:lts
command: "--skip-name-resolve=OFF"
restart: always
healthcheck:
test: ['CMD', 'healthcheck.sh', '--connect', '--innodb_initialized']
@@ -30,6 +31,7 @@ services:
restart: always
# Comment following line to use flask (1worker, dev), uncomment to use uwsgi (wsgi)
#command: ["uwsgi", "--http", "0.0.0.0:8000", "--master", "-p", "4", "-w", "microblog:app"]
container_name: backend
environment:
- MYSQL_USER=flasku
#- MYSQL_PASSWORD=flaskp
@@ -127,4 +129,6 @@ volumes:
networks:
backnet:
name: backnet
frontnet:
name: frontnet

8
db/init/01-databases.sql
View File

@@ -3,10 +3,10 @@ CREATE DATABASE IF NOT EXISTS `gitea`;
CREATE DATABASE IF NOT EXISTS `flask`;
-- create root user and grant rights
CREATE USER 'gitea' IDENTIFIED BY 'giteap';
CREATE USER 'flasku' IDENTIFIED BY 'flaskp';
CREATE USER 'gitea'@'gitea.backnet' IDENTIFIED BY 'giteap';
CREATE USER 'flasku'@'backend.backnet' IDENTIFIED BY 'flaskp';
--CREATE USER 'gitea'@'localhost' IDENTIFIED BY 'gitea';
--GRANT ALL ON `gitea` TO 'gitea'@'localhost';
GRANT ALL ON gitea.* TO 'gitea';
GRANT ALL ON flask.* TO 'flasku';
GRANT ALL ON gitea.* TO 'gitea'@'gitea.backnet';
GRANT ALL ON flask.* TO 'flasku'@'backend.backnet';

16
other/dbbu.sh Executable file
View File

@@ -0,0 +1,16 @@
#!/bin/bash
# copy do db mount, use as helper
if [[ -z $1 ]] ; then
echo "dbbu.sh <gitea|flask> <rootpass>"
exit 0
fi
if [[ $1 == "gitea" ]] ; then
mariadb-dump -uroot -p$2 gitea > gitea_bu_$(date +%s).sql
fi
if [[ $1 == "flask" ]] ; then
mariadb-dump -uroot -p$2 flask > flask_bu_$(date +%s).sql
fi

4
other/sqlpass.sh
View File

@@ -19,10 +19,10 @@ echo "Changing app db passwords in 5 seconds..."
sleep 6
# Flask
docker-compose exec db mariadb --database=mysql -uroot -p$DOTENV_MYSQL_ROOT_PASSWORD_OLD -e "ALTER USER 'flasku' IDENTIFIED BY '"$DOTENV_MYSQL_FLASK_PASSWORD"';"
docker-compose exec db mariadb --database=mysql -uroot -p$DOTENV_MYSQL_ROOT_PASSWORD_OLD -e "ALTER USER 'flasku'@'backend.backnet' IDENTIFIED BY '"$DOTENV_MYSQL_FLASK_PASSWORD"';"
# Gitea
docker-compose exec db mariadb --database=mysql -uroot -p$DOTENV_MYSQL_ROOT_PASSWORD_OLD -e "ALTER USER 'gitea' IDENTIFIED BY '"$DOTENV_MYSQL_GITEA_PASSWORD"';"
docker-compose exec db mariadb --database=mysql -uroot -p$DOTENV_MYSQL_ROOT_PASSWORD_OLD -e "ALTER USER 'gitea'@'gitea.backnet' IDENTIFIED BY '"$DOTENV_MYSQL_GITEA_PASSWORD"';"
docker-compose exec db mariadb --database=mysql -uroot -p$DOTENV_MYSQL_ROOT_PASSWORD_OLD -e "FLUSH PRIVILEGES;"

17
proxy/giteaconf Normal file
View File

@@ -0,0 +1,17 @@
server {
listen 80;
server_name localhost;
location / {
client_max_body_size 512M;
#proxy_pass http://localhost:3000;
proxy_pass http://gitea:3000;
proxy_set_header Connection $http_connection;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
}