fix: scram-sha for shlink user

2026-04-08 00:13:52 +01:00 · 2026-04-08 00:13:52 +01:00 · 131f3b593d
commit 131f3b593d
parent d61e01f8fd
1 changed files with 6 additions and 8 deletions
--- a/hosts/lab/shlink.nix
+++ b/hosts/lab/shlink.nix
@ -2,7 +2,6 @@
 {
  sops.secrets.shlink-db-password = {
    sopsFile = ../../secrets/shlink.yaml;
-    owner = "postgres";
  };

  sops.secrets.shlink-api-key = {
@ -23,18 +22,17 @@
    ensureUsers = [{
      name = "shlink";
      ensureDBOwnership = true;
+      ensureClauses = {
+        login = true;
+        password = "SCRAM-SHA-256$4096:nhQwTFK7rhy8FOrhlgDnvg==$3eB9AlBwUxK1UOiwXAlP5wzxnmKUsBpB1UTsF0cRDIo=:GmxUtrGP6haTPnhPSOL42qsuPwEHV7tME1WfBNucGrU=";
+      };
    }];
    authentication = ''
-      host shlink shlink 127.0.0.1/32 md5
-      host shlink shlink ::1/128 md5
+      host shlink shlink 127.0.0.1/32 scram-sha-256
+      host shlink shlink ::1/128 scram-sha-256
    '';
  };

-  systemd.services.postgresql-setup.postStart = ''
-    ${config.services.postgresql.package}/bin/psql -p $PGPORT -tAc \
-      "ALTER ROLE shlink PASSWORD '$(tr -d '\n' < ${config.sops.secrets.shlink-db-password.path})';"
-  '';
-
  services.caddy.virtualHosts."ily.rs" = {
    extraConfig = ''
      redir / https://wynne.rs permanent