feat: add secure PostgreSQL user password generation and loading

- Generate secure random passwords for all PostgreSQL database users
- Store passwords in /etc/aitbc/credentials/postgres_*_password files
- Update load-keystore-secrets.sh to load PostgreSQL passwords into runtime .env
- Set passwords for both new and existing users with ALTER USER
- Fixes PostgreSQL authentication failures in services
- Ensures secure password management for database access
This commit is contained in:
aitbc
2026-05-26 10:34:16 +02:00
parent ad04f2b785
commit 652fe5e9fb
2 changed files with 20 additions and 3 deletions


@@ -245,11 +245,20 @@ setup_postgresql_databases() {
db_name=$(echo "$db_user" | cut -d':' -f1)
db_user=$(echo "$db_user" | cut -d':' -f2)
# Create user if not exists
# Generate secure password for this user
db_password=$(python3 -c "import secrets; print(secrets.token_urlsafe(32))" 2>/dev/null || openssl rand -base64 32 2>/dev/null || echo "$(date +%s)-$(head -c 16 /dev/urandom | xxd -p)")
# Store password in credentials directory
echo "$db_password" > /etc/aitbc/credentials/postgres_${db_user}_password
chmod 600 /etc/aitbc/credentials/postgres_${db_user}_password
# Create user if not exists with secure password
sudo -u postgres psql -c "DO \$\$
BEGIN
IF NOT EXISTS (SELECT FROM pg_catalog.pg_roles WHERE rolname = '${db_user}') THEN
CREATE USER ${db_user} WITH PASSWORD 'password';
CREATE USER ${db_user} WITH PASSWORD '${db_password}';
ELSE
ALTER USER ${db_user} WITH PASSWORD '${db_password}';
END IF;
END
\$\$;" 2>/dev/null || true
@@ -260,7 +269,7 @@ setup_postgresql_databases() {
# Grant privileges
sudo -u postgres psql -c "GRANT ALL PRIVILEGES ON DATABASE ${db_name} TO ${db_user};" 2>/dev/null || true
log "Database ${db_name} setup complete"
log "Database ${db_name} setup complete with secure password"
done
fi
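Review bot: The generated password is handed to psql as a command-line argument (the `-c "DO \$\$ …"` block), so for the lifetime of that process it is readable by any local user through `ps` or `/proc/*/cmdline`, and the trailing `2>/dev/null || true` means a failed CREATE/ALTER is still logged as "setup complete with secure password" while the file under /etc/aitbc/credentials holds a password the server never accepted. Feeding the SQL on stdin keeps it out of argv, and letting the exit status through makes the mismatch visible. The credential file is also created with the default umask before the `chmod 600` on the following line runs; `(umask 077; printf '%s\n' "$db_password" > "$cred_file")` closes that window. setup_postgresql_databases starts before and ends after this hunk.
```shell
# … unchanged: password generation …
cred_file="/etc/aitbc/credentials/postgres_${db_user}_password"
(umask 077; printf '%s\n' "$db_password" > "$cred_file")
# Create user if not exists with secure password; SQL goes via stdin so the
# password never appears in the process argument list.
if ! sudo -u postgres psql -q -v ON_ERROR_STOP=1 <<EOF
DO \$\$
BEGIN
IF NOT EXISTS (SELECT FROM pg_catalog.pg_roles WHERE rolname = '${db_user}') THEN
CREATE USER ${db_user} WITH PASSWORD '${db_password}';
ELSE
ALTER USER ${db_user} WITH PASSWORD '${db_password}';
END IF;
END
\$\$;
EOF
then
  log "WARNING: could not set password for ${db_user}; stored credential may not match"
fi
# … unchanged: database creation and grants …
```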


@@ -26,6 +26,14 @@ if [ -f "$CREDENTIALS_DIR/keystore_password" ]; then
echo "KEYSTORE_PASSWORD=$(cat $CREDENTIALS_DIR/keystore_password)" >> "$ENV_FILE"
fi
# Load PostgreSQL database passwords
for db_user in aitbc_user aitbc_marketplace aitbc_governance aitbc_trading aitbc_gpu aitbc_ai aitbc_mempool; do
if [ -f "$CREDENTIALS_DIR/postgres_${db_user}_password" ]; then
db_password=$(cat "$CREDENTIALS_DIR/postgres_${db_user}_password")
echo "POSTGRES_${db_user^^}_PASSWORD=$db_password" >> "$ENV_FILE"
fi
done
# Add non-sensitive config from main .env
if [ -f "/etc/aitbc/.env" ]; then
# Skip lines that are comments or contain migrated secrets
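Review bot: The user list on the `for db_user in …` line is a second copy of the list the setup script uses, so a role added to one side and not the other silently gets no `POSTGRES_*_PASSWORD` entry and the service fails to authenticate exactly as before this commit. Iterating the credential files themselves removes the duplicate: `for f in "$CREDENTIALS_DIR"/postgres_*_password; do [ -f "$f" ] || continue; db_user=${f##*/postgres_}; db_user=${db_user%_password}`. `${db_user^^}` is a bash 4 expansion; the surrounding `[ -f … ]` tests give no hint of the shebang, so confirm the script runs under bash rather than /bin/sh, where that line errors. The value is appended unquoted, which is fine for the token_urlsafe output but worth noting if the base64 or date-based fallbacks (which can contain `+`, `/` or `=`) are ever the source. The enclosing script continues past this hunk.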