Services are ready

2026-02-23 23:05:54 +01:00
parent 944ffcea85
commit 4bbd62a93e
11 changed files with 276 additions and 133 deletions
@@ -3,8 +3,10 @@
 with lib;

 let
+  # Version tagging
  passboltVersion = "5.9.0-1-ce-non-root";
  databaseVersion = "12.2";
+  # Helper
  helper = import ./lib.nix { inherit config pkgs lib; };
  cfg = config.numbus.services.passbolt;
 in
@@ -15,8 +17,18 @@ helper.mkPodmanService {
  pod = "passbolt";
  defaultPort = "4433";
  scheme = "https";
-  configDir = false;
-  dataDir = false;
+  dataDirEnabled = false;
+  generatedSecrets = {
+    DB_NAME = "xkcdpass -n 2 -d -";
+    DB_USERNAME = "xkcdpass -n 2 -d -";
+    DB_PASSWORD = "xkcdpass -n 10 -d -";
+    SMTP_PASSWORD = "cat ${config.numbus.mail.smtpPasswordPath}";
+  };
+  dirPermissions = [
+    "100032:users ${cfg.configDir}/gpg"
+    "100032:users ${cfg.configDir}/jwt"
+    "100999:users ${cfg.configDir}/database"
+  ];

 # Compose file good
  composeText = ''
@@ -25,24 +37,25 @@ helper.mkPodmanService {
        image: docker.io/passbolt/passbolt:${passboltVersion}
        container_name: passbolt-server
        hostname: passbolt-server
+        user: '33:33'
        networks:
          passbolt:
        ports:
          - "${cfg.port}:4433/tcp"
        volumes:
-          - passbolt-gpg:/etc/passbolt/gpg
-          - passbolt-jwt:/etc/passbolt/jwt
+          - ${cfg.configDir}/gpg:/etc/passbolt/gpg
+          - ${cfg.configDir}/jwt:/etc/passbolt/jwt
        environment:
-          APP_DEFAULT_TIMEZONE: $TZ
+          APP_DEFAULT_TIMEZONE: ${time.timeZone}
          APP_FULL_BASE_URL: https://${cfg.subdomain}.${config.numbus.services.domain}
          DATASOURCES_DEFAULT_HOST: "passbolt-database"
-          DATASOURCES_DEFAULT_USERNAME: $PASSBOLT_MYSQL_USER
-          DATASOURCES_DEFAULT_PASSWORD: $PASSBOLT_MYSQL_PASSWORD
-          DATASOURCES_DEFAULT_DATABASE: $PASSBOLT_MYSQL_DATABASE
+          DATASOURCES_DEFAULT_USERNAME: $DB_USERNAME
+          DATASOURCES_DEFAULT_PASSWORD: $DB_PASSWORD
+          DATASOURCES_DEFAULT_DATABASE: $DB_NAME
          EMAIL_DEFAULT_FROM_NAME: "Passbolt"
-          EMAIL_TRANSPORT_DEFAULT_HOST: $EMAIL_TRANSPORT_DEFAULT_HOST
-          EMAIL_TRANSPORT_DEFAULT_PORT: $EMAIL_TRANSPORT_DEFAULT_PORT
-          EMAIL_TRANSPORT_DEFAULT_USERNAME: $EMAIL_TRANSPORT_DEFAULT_USERNAME
+          EMAIL_TRANSPORT_DEFAULT_HOST: ${config.numbus.mail.smtpServer}
+          EMAIL_TRANSPORT_DEFAULT_PORT: ${config.numbus.mail.smtpPort}
+          EMAIL_TRANSPORT_DEFAULT_USERNAME: ${config.numbus.mail.smtpUsername}
          EMAIL_TRANSPORT_DEFAULT_PASSWORD: $EMAIL_TRANSPORT_DEFAULT_PASSWORD
          EMAIL_TRANSPORT_DEFAULT_TLS: true
          EMAIL_DEFAULT_FROM: passbolt-noreply@${config.numbus.services.domain}
@@ -67,27 +80,21 @@ helper.mkPodmanService {
        image: docker.io/library/mariadb:${databaseVersion}
        container_name: passbolt-database
        hostname: passbolt-database
+        user: '1000:1000'
        networks:
          passbolt:
        volumes:
-          - passbolt-database:/var/lib/mysql
+          - ${cfg.configDir}/database:/var/lib/mysql
        environment:
          MYSQL_RANDOM_ROOT_PASSWORD: "true"
-          MYSQL_DATABASE: $PASSBOLT_MYSQL_DATABASE
-          MYSQL_USER: $PASSBOLT_MYSQL_USER
-          MYSQL_PASSWORD: $PASSBOLT_MYSQL_PASSWORD
+          MYSQL_DATABASE: $DB_NAME
+          MYSQL_USER: $DB_USERNAME
+          MYSQL_PASSWORD: $DB_PASSWORD
        security_opt:
          - no-new-privileges:true
        cap_drop:
          - NET_RAW
        restart: unless-stopped
-    volumes:
-      passbolt-database:
-        name: passbolt-database
-      passbolt-gpg:
-        name: passbolt-gpg
-      passbolt-jwt:
-        name: passbolt-jwt
    networks:
      passbolt:
        name: passbolt