marco/VigilanzaTurni
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Update deployment to securely manage database passwords

Browse Source 
Securely manage PostgreSQL credentials by storing them in a dedicated file and updating deployment scripts to reference this file, removing hardcoded passwords from configuration and documentation.

Replit-Commit-Author: Agent
Replit-Commit-Session-Id: 42d8028a-fa71-4ec2-938c-e43eedf7df01
Replit-Commit-Checkpoint-Type: intermediate_checkpoint
Replit-Commit-Screenshot-Url: https://storage.googleapis.com/screenshot-production-us-central1/6d543d2c-20b9-4ea6-93fe-70fe9b1d9f80/42d8028a-fa71-4ec2-938c-e43eedf7df01/aazyBOE
This commit is contained in:
marco370 2025-10-16 11:00:27 +00:00
parent 7c456271ac
commit a40b945c84
4 changed files with 95 additions and 36 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
.replit
View File

@ -27,6 +27,10 @@ externalPort = 3000
localPort = 42175 localPort = 42175
externalPort = 3002 externalPort = 3002
[[ports]]
localPort = 45863
externalPort = 3003
[env] [env]
PORT = "5000" PORT = "5000"

46
DEPLOYMENT.md
View File

@ -80,7 +80,7 @@ Lo script `setup-server.sh` installa automaticamente:
✅ **PostgreSQL 15** ✅ **PostgreSQL 15**
- Database relazionale - Database relazionale
- User: `vigilanza_user` - User: `vigilanza_user`
- Password: `553da84c94093919d46055d6ec37dfa2a03d0f46` - Password: **Generata automaticamente** (salvata in `/root/.vigilanza_db_password`)
- Database: `vigilanza_turni` - Database: `vigilanza_turni`
✅ **PM2** ✅ **PM2**
@ -140,16 +140,21 @@ cp .env.production.example .env
nano .env nano .env
``` ```
**File .env completo:** **Recupera password e crea .env:**
```bash ```bash
# Recupera password da file sicuro
DB_PASS=$(grep PGPASSWORD /root/.vigilanza_db_password | cut -d= -f2)
# Crea .env con password reale (non shell var)
cat > .env << EOF
# Database # Database
DATABASE_URL=postgresql://vigilanza_user:553da84c94093919d46055d6ec37dfa2a03d0f46@localhost:5432/vigilanza_turni DATABASE_URL=postgresql://vigilanza_user:${DB_PASS}@localhost:5432/vigilanza_turni
PGHOST=localhost PGHOST=localhost
PGPORT=5432 PGPORT=5432
PGDATABASE=vigilanza_turni PGDATABASE=vigilanza_turni
PGUSER=vigilanza_user PGUSER=vigilanza_user
PGPASSWORD=553da84c94093919d46055d6ec37dfa2a03d0f46 PGPASSWORD=${DB_PASS}
# Session (genera nuovo) # Session (genera nuovo)
SESSION_SECRET=$(openssl rand -base64 32) SESSION_SECRET=$(openssl rand -base64 32)
@ -166,6 +171,15 @@ BACKUP_RETENTION_DAYS=30
# Logging # Logging
LOG_LEVEL=info LOG_LEVEL=info
EOF
echo "✅ File .env creato con password sicura"
```
**Verifica .env creato:**
```bash
cat .env | grep DATABASE_URL
# Deve mostrare password reale, non ${DB_PASS}
``` ```
--- ---
@ -250,8 +264,10 @@ pm2 monit
**Backup Manuale:** **Backup Manuale:**
```bash ```bash
# Carica password da file sicuro
export $(cat /root/.vigilanza_db_password | xargs)
BACKUP_FILE="/var/backups/vigilanza-turni/backup_manual_$(date +%Y%m%d_%H%M%S).sql" BACKUP_FILE="/var/backups/vigilanza-turni/backup_manual_$(date +%Y%m%d_%H%M%S).sql"
PGPASSWORD=553da84c94093919d46055d6ec37dfa2a03d0f46 \
pg_dump -h localhost -U vigilanza_user -d vigilanza_turni > $BACKUP_FILE pg_dump -h localhost -U vigilanza_user -d vigilanza_turni > $BACKUP_FILE
gzip $BACKUP_FILE gzip $BACKUP_FILE
echo "Backup salvato: ${BACKUP_FILE}.gz" echo "Backup salvato: ${BACKUP_FILE}.gz"
@ -259,14 +275,15 @@ echo "Backup salvato: ${BACKUP_FILE}.gz"
**Ripristino Backup:** **Ripristino Backup:**
```bash ```bash
# Carica password da file sicuro
export $(cat /root/.vigilanza_db_password | xargs)
# Lista backup disponibili # Lista backup disponibili
ls -lht /var/backups/vigilanza-turni/*.gz ls -lht /var/backups/vigilanza-turni/*.gz
# Ripristina specifico backup # Ripristina specifico backup
BACKUP_FILE="/var/backups/vigilanza-turni/backup_20250116_143022.sql.gz" BACKUP_FILE="/var/backups/vigilanza-turni/backup_20250116_143022.sql.gz"
gunzip -c $BACKUP_FILE | \ gunzip -c $BACKUP_FILE | psql -h localhost -U vigilanza_user -d vigilanza_turni
PGPASSWORD=553da84c94093919d46055d6ec37dfa2a03d0f46 \
psql -h localhost -U vigilanza_user -d vigilanza_turni
# Restart applicazione # Restart applicazione
pm2 restart vigilanza-turni pm2 restart vigilanza-turni
@ -274,7 +291,9 @@ pm2 restart vigilanza-turni
**Accesso Database:** **Accesso Database:**
```bash ```bash
PGPASSWORD=553da84c94093919d46055d6ec37dfa2a03d0f46 \ # Carica password da file sicuro
export $(cat /root/.vigilanza_db_password | xargs)
psql -h localhost -U vigilanza_user -d vigilanza_turni psql -h localhost -U vigilanza_user -d vigilanza_turni
``` ```
@ -363,7 +382,7 @@ sudo firewall-cmd --list-all
```bash ```bash
# 1. Verifica connessione # 1. Verifica connessione
PGPASSWORD=553da84c94093919d46055d6ec37dfa2a03d0f46 \ export $(cat /root/.vigilanza_db_password | xargs)
psql -h localhost -U vigilanza_user -d vigilanza_turni -c "SELECT version();" psql -h localhost -U vigilanza_user -d vigilanza_turni -c "SELECT version();"
# 2. Check PostgreSQL # 2. Check PostgreSQL
@ -428,7 +447,7 @@ pm2 monit
sudo tail -f /var/log/nginx/vigilanza-turni-access.log sudo tail -f /var/log/nginx/vigilanza-turni-access.log
# 4. Database performance # 4. Database performance
PGPASSWORD=553da84c94093919d46055d6ec37dfa2a03d0f46 \ export $(cat /root/.vigilanza_db_password | xargs)
psql -h localhost -U vigilanza_user -d vigilanza_turni -c \ psql -h localhost -U vigilanza_user -d vigilanza_turni -c \
"SELECT query, calls, mean_exec_time FROM pg_stat_statements ORDER BY mean_exec_time DESC LIMIT 10;" "SELECT query, calls, mean_exec_time FROM pg_stat_statements ORDER BY mean_exec_time DESC LIMIT 10;"
``` ```
@ -440,10 +459,9 @@ PGPASSWORD=553da84c94093919d46055d6ec37dfa2a03d0f46 \
pm2 stop vigilanza-turni pm2 stop vigilanza-turni
# 2. Ripristina database # 2. Ripristina database
export $(cat /root/.vigilanza_db_password | xargs)
BACKUP_FILE=$(ls -t /var/backups/vigilanza-turni/*.gz | head -1) BACKUP_FILE=$(ls -t /var/backups/vigilanza-turni/*.gz | head -1)
gunzip -c $BACKUP_FILE | \ gunzip -c $BACKUP_FILE | psql -h localhost -U vigilanza_user -d vigilanza_turni
PGPASSWORD=553da84c94093919d46055d6ec37dfa2a03d0f46 \
psql -h localhost -U vigilanza_user -d vigilanza_turni
# 3. Git rollback # 3. Git rollback
cd /var/www/vigilanza-turni cd /var/www/vigilanza-turni

49
QUICKSTART-DEPLOYMENT.md
View File

@ -30,11 +30,13 @@ sudo bash deploy/setup-server.sh
Lo script installa automaticamente: Lo script installa automaticamente:
- Node.js 20 - Node.js 20
- PostgreSQL 15 (con password: 553da84c94093919d46055d6ec37dfa2a03d0f46) - PostgreSQL 15 (password autogenerata)
- PM2 - PM2
- Nginx - Nginx
- Certbot (SSL) - Certbot (SSL)
⚠️ **Password DB salvata in:** `/root/.vigilanza_db_password`
### 2⃣ Configura Nginx (2 min) ### 2⃣ Configura Nginx (2 min)
```bash ```bash
@ -54,20 +56,41 @@ sudo certbot --nginx -d vt.alfacom.it
```bash ```bash
cd /var/www/vigilanza-turni cd /var/www/vigilanza-turni
# Crea .env produzione # Recupera password DB da file sicuro
cp .env.production.example .env DB_PASS=$(grep PGPASSWORD /root/.vigilanza_db_password | cut -d= -f2)
nano .env
```
**Inserisci in .env:**
```bash
DATABASE_URL=postgresql://vigilanza_user:553da84c94093919d46055d6ec37dfa2a03d0f46@localhost:5432/vigilanza_turni
SESSION_SECRET=$(openssl rand -base64 32) SESSION_SECRET=$(openssl rand -base64 32)
# Crea .env con valori reali (no shell variables)
cat > .env << EOF
# Database
DATABASE_URL=postgresql://vigilanza_user:${DB_PASS}@localhost:5432/vigilanza_turni
PGHOST=localhost
PGPORT=5432
PGDATABASE=vigilanza_turni
PGUSER=vigilanza_user
PGPASSWORD=${DB_PASS}
# Session
SESSION_SECRET=${SESSION_SECRET}
# Application
NODE_ENV=production NODE_ENV=production
PORT=5000 PORT=5000
APP_URL=https://vt.alfacom.it APP_URL=https://vt.alfacom.it
# Backup
BACKUP_ENABLED=true BACKUP_ENABLED=true
BACKUP_DIR=/var/backups/vigilanza-turni BACKUP_DIR=/var/backups/vigilanza-turni
LOG_LEVEL=info
EOF
echo "✅ File .env creato"
```
**Verifica:**
```bash
cat .env | grep DATABASE_URL
# Deve mostrare password reale, non variabili shell
``` ```
### 4⃣ Primo Deploy (2 min) ### 4⃣ Primo Deploy (2 min)
@ -118,9 +141,9 @@ pm2 restart vigilanza-turni
# Verifica backup # Verifica backup
ls -lht /var/backups/vigilanza-turni/ ls -lht /var/backups/vigilanza-turni/
# Ripristina backup # Ripristina backup (usa password da file)
export $(cat /root/.vigilanza_db_password | xargs)
gunzip -c /var/backups/vigilanza-turni/backup_20250116_143022.sql.gz | \ gunzip -c /var/backups/vigilanza-turni/backup_20250116_143022.sql.gz | \
PGPASSWORD=553da84c94093919d46055d6ec37dfa2a03d0f46 \
psql -h localhost -U vigilanza_user -d vigilanza_turni psql -h localhost -U vigilanza_user -d vigilanza_turni
``` ```
@ -137,8 +160,8 @@ sudo systemctl reload nginx
**Errore database:** **Errore database:**
```bash ```bash
# Verifica connessione # Verifica connessione (usa password da file)
PGPASSWORD=553da84c94093919d46055d6ec37dfa2a03d0f46 \ export $(cat /root/.vigilanza_db_password | xargs)
psql -h localhost -U vigilanza_user -d vigilanza_turni -c "SELECT version();" psql -h localhost -U vigilanza_user -d vigilanza_turni -c "SELECT version();"
``` ```

22
deploy/setup-server.sh
View File

@ -50,8 +50,13 @@ postgresql-setup --initdb
systemctl enable postgresql systemctl enable postgresql
systemctl start postgresql systemctl start postgresql
# Password database fornita dall'utente # Genera password sicura PostgreSQL (o usa variabile ambiente)
DB_PASSWORD="553da84c94093919d46055d6ec37dfa2a03d0f46" if [ -z "$DB_PASSWORD" ]; then
DB_PASSWORD=$(openssl rand -base64 32 | tr -d "=+/" | cut -c1-25)
log_warn "Password PostgreSQL generata automaticamente"
else
log_info "Uso password PostgreSQL da variabile DB_PASSWORD"
fi
# Creazione database e utente # Creazione database e utente
log_info "Configurazione database..." log_info "Configurazione database..."
@ -63,7 +68,10 @@ GRANT ALL PRIVILEGES ON DATABASE vigilanza_turni TO vigilanza_user;
GRANT ALL ON SCHEMA public TO vigilanza_user; GRANT ALL ON SCHEMA public TO vigilanza_user;
EOF EOF
log_info "✅ Database configurato con password fornita" # Salva password in file sicuro
echo "PGPASSWORD=${DB_PASSWORD}" > /root/.vigilanza_db_password
chmod 600 /root/.vigilanza_db_password
log_info "✅ Database configurato - Password salvata in /root/.vigilanza_db_password"
# Configurazione PostgreSQL per connessioni locali # Configurazione PostgreSQL per connessioni locali
log_info "Configurazione autenticazione PostgreSQL..." log_info "Configurazione autenticazione PostgreSQL..."
@ -115,5 +123,11 @@ echo "3. Crea file .env con DATABASE_URL (password già configurata)"
echo "4. Ottieni certificato SSL: sudo certbot --nginx -d vt.alfacom.it" echo "4. Ottieni certificato SSL: sudo certbot --nginx -d vt.alfacom.it"
echo "5. Esegui primo deploy: bash deploy/deploy.sh" echo "5. Esegui primo deploy: bash deploy/deploy.sh"
echo "" echo ""
log_warn "⚠️ IMPORTANTE - Password PostgreSQL:"
echo "Salvata in: /root/.vigilanza_db_password"
echo ""
log_info "DATABASE_URL per .env:" log_info "DATABASE_URL per .env:"
echo "postgresql://vigilanza_user:${DB_PASSWORD}@localhost:5432/vigilanza_turni" echo "postgresql://vigilanza_user:PASSWORD_DA_FILE@localhost:5432/vigilanza_turni"
echo ""
echo "Recupera password con:"
echo " cat /root/.vigilanza_db_password"