marco/VigilanzaTurni
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Update deployment to securely manage database passwords

Browse Source 
Securely manage PostgreSQL credentials by storing them in a dedicated file and updating deployment scripts to reference this file, removing hardcoded passwords from configuration and documentation.

Replit-Commit-Author: Agent
Replit-Commit-Session-Id: 42d8028a-fa71-4ec2-938c-e43eedf7df01
Replit-Commit-Checkpoint-Type: intermediate_checkpoint
Replit-Commit-Screenshot-Url: https://storage.googleapis.com/screenshot-production-us-central1/6d543d2c-20b9-4ea6-93fe-70fe9b1d9f80/42d8028a-fa71-4ec2-938c-e43eedf7df01/aazyBOE
This commit is contained in:
marco370 2025-10-16 11:00:27 +00:00
parent 7c456271ac
commit a40b945c84
4 changed files with 95 additions and 36 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
.replit
View File

@ -27,6 +27,10 @@ externalPort = 3000
localPort = 42175
externalPort = 3002
[[ports]]
localPort = 45863
externalPort = 3003
[env]
PORT = "5000"

46
DEPLOYMENT.md
View File

@ -80,7 +80,7 @@ Lo script `setup-server.sh` installa automaticamente:
✅ **PostgreSQL 15**
- Database relazionale
- User: `vigilanza_user`
- Password: `553da84c94093919d46055d6ec37dfa2a03d0f46`
- Password: **Generata automaticamente** (salvata in `/root/.vigilanza_db_password`)
- Database: `vigilanza_turni`
✅ **PM2**
@ -140,16 +140,21 @@ cp .env.production.example .env
nano .env
```
**File .env completo:**
**Recupera password e crea .env:**
```bash
# Recupera password da file sicuro
DB_PASS=$(grep PGPASSWORD /root/.vigilanza_db_password | cut -d= -f2)
# Crea .env con password reale (non shell var)
cat > .env << EOF
# Database
DATABASE_URL=postgresql://vigilanza_user:553da84c94093919d46055d6ec37dfa2a03d0f46@localhost:5432/vigilanza_turni
DATABASE_URL=postgresql://vigilanza_user:${DB_PASS}@localhost:5432/vigilanza_turni
PGHOST=localhost
PGPORT=5432
PGDATABASE=vigilanza_turni
PGUSER=vigilanza_user
PGPASSWORD=553da84c94093919d46055d6ec37dfa2a03d0f46
PGPASSWORD=${DB_PASS}
# Session (genera nuovo)
SESSION_SECRET=$(openssl rand -base64 32)
@ -166,6 +171,15 @@ BACKUP_RETENTION_DAYS=30
# Logging
LOG_LEVEL=info
EOF
echo "✅ File .env creato con password sicura"
```
**Verifica .env creato:**
```bash
cat .env | grep DATABASE_URL
# Deve mostrare password reale, non ${DB_PASS}
```
---
@ -250,8 +264,10 @@ pm2 monit
**Backup Manuale:**
```bash
# Carica password da file sicuro
export $(cat /root/.vigilanza_db_password | xargs)
BACKUP_FILE="/var/backups/vigilanza-turni/backup_manual_$(date +%Y%m%d_%H%M%S).sql"
PGPASSWORD=553da84c94093919d46055d6ec37dfa2a03d0f46 \
pg_dump -h localhost -U vigilanza_user -d vigilanza_turni > $BACKUP_FILE
gzip $BACKUP_FILE
echo "Backup salvato: ${BACKUP_FILE}.gz"
@ -259,14 +275,15 @@ echo "Backup salvato: ${BACKUP_FILE}.gz"
**Ripristino Backup:**
```bash
# Carica password da file sicuro
export $(cat /root/.vigilanza_db_password | xargs)
# Lista backup disponibili
ls -lht /var/backups/vigilanza-turni/*.gz
# Ripristina specifico backup
BACKUP_FILE="/var/backups/vigilanza-turni/backup_20250116_143022.sql.gz"
gunzip -c $BACKUP_FILE | \
PGPASSWORD=553da84c94093919d46055d6ec37dfa2a03d0f46 \
psql -h localhost -U vigilanza_user -d vigilanza_turni
gunzip -c $BACKUP_FILE | psql -h localhost -U vigilanza_user -d vigilanza_turni
# Restart applicazione
pm2 restart vigilanza-turni
@ -274,7 +291,9 @@ pm2 restart vigilanza-turni
**Accesso Database:**
```bash
PGPASSWORD=553da84c94093919d46055d6ec37dfa2a03d0f46 \
# Carica password da file sicuro
export $(cat /root/.vigilanza_db_password | xargs)
psql -h localhost -U vigilanza_user -d vigilanza_turni
```
@ -363,7 +382,7 @@ sudo firewall-cmd --list-all
```bash
# 1. Verifica connessione
PGPASSWORD=553da84c94093919d46055d6ec37dfa2a03d0f46 \
export $(cat /root/.vigilanza_db_password | xargs)
psql -h localhost -U vigilanza_user -d vigilanza_turni -c "SELECT version();"
# 2. Check PostgreSQL
@ -428,7 +447,7 @@ pm2 monit
sudo tail -f /var/log/nginx/vigilanza-turni-access.log
# 4. Database performance
PGPASSWORD=553da84c94093919d46055d6ec37dfa2a03d0f46 \
export $(cat /root/.vigilanza_db_password | xargs)
psql -h localhost -U vigilanza_user -d vigilanza_turni -c \
"SELECT query, calls, mean_exec_time FROM pg_stat_statements ORDER BY mean_exec_time DESC LIMIT 10;"
```
@ -440,10 +459,9 @@ PGPASSWORD=553da84c94093919d46055d6ec37dfa2a03d0f46 \
pm2 stop vigilanza-turni
# 2. Ripristina database
export $(cat /root/.vigilanza_db_password | xargs)
BACKUP_FILE=$(ls -t /var/backups/vigilanza-turni/*.gz | head -1)
gunzip -c $BACKUP_FILE | \
PGPASSWORD=553da84c94093919d46055d6ec37dfa2a03d0f46 \
psql -h localhost -U vigilanza_user -d vigilanza_turni
gunzip -c $BACKUP_FILE | psql -h localhost -U vigilanza_user -d vigilanza_turni
# 3. Git rollback
cd /var/www/vigilanza-turni

49
QUICKSTART-DEPLOYMENT.md
View File

@ -30,11 +30,13 @@ sudo bash deploy/setup-server.sh
Lo script installa automaticamente:
- Node.js 20
- PostgreSQL 15 (con password: 553da84c94093919d46055d6ec37dfa2a03d0f46)
- PostgreSQL 15 (password autogenerata)
- PM2
- Nginx
- Certbot (SSL)
⚠️ **Password DB salvata in:** `/root/.vigilanza_db_password`
### 2⃣ Configura Nginx (2 min)
```bash
@ -54,20 +56,41 @@ sudo certbot --nginx -d vt.alfacom.it
```bash
cd /var/www/vigilanza-turni
# Crea .env produzione
cp .env.production.example .env
nano .env
```
**Inserisci in .env:**
```bash
DATABASE_URL=postgresql://vigilanza_user:553da84c94093919d46055d6ec37dfa2a03d0f46@localhost:5432/vigilanza_turni
# Recupera password DB da file sicuro
DB_PASS=$(grep PGPASSWORD /root/.vigilanza_db_password | cut -d= -f2)
SESSION_SECRET=$(openssl rand -base64 32)
# Crea .env con valori reali (no shell variables)
cat > .env << EOF
# Database
DATABASE_URL=postgresql://vigilanza_user:${DB_PASS}@localhost:5432/vigilanza_turni
PGHOST=localhost
PGPORT=5432
PGDATABASE=vigilanza_turni
PGUSER=vigilanza_user
PGPASSWORD=${DB_PASS}
# Session
SESSION_SECRET=${SESSION_SECRET}
# Application
NODE_ENV=production
PORT=5000
APP_URL=https://vt.alfacom.it
# Backup
BACKUP_ENABLED=true
BACKUP_DIR=/var/backups/vigilanza-turni
LOG_LEVEL=info
EOF
echo "✅ File .env creato"
```
**Verifica:**
```bash
cat .env | grep DATABASE_URL
# Deve mostrare password reale, non variabili shell
```
### 4⃣ Primo Deploy (2 min)
@ -118,9 +141,9 @@ pm2 restart vigilanza-turni
# Verifica backup
ls -lht /var/backups/vigilanza-turni/
# Ripristina backup
# Ripristina backup (usa password da file)
export $(cat /root/.vigilanza_db_password | xargs)
gunzip -c /var/backups/vigilanza-turni/backup_20250116_143022.sql.gz | \
PGPASSWORD=553da84c94093919d46055d6ec37dfa2a03d0f46 \
psql -h localhost -U vigilanza_user -d vigilanza_turni
```
@ -137,8 +160,8 @@ sudo systemctl reload nginx
**Errore database:**
```bash
# Verifica connessione
PGPASSWORD=553da84c94093919d46055d6ec37dfa2a03d0f46 \
# Verifica connessione (usa password da file)
export $(cat /root/.vigilanza_db_password | xargs)
psql -h localhost -U vigilanza_user -d vigilanza_turni -c "SELECT version();"
```

22
deploy/setup-server.sh
View File

@ -50,8 +50,13 @@ postgresql-setup --initdb
systemctl enable postgresql
systemctl start postgresql
# Password database fornita dall'utente
DB_PASSWORD="553da84c94093919d46055d6ec37dfa2a03d0f46"
# Genera password sicura PostgreSQL (o usa variabile ambiente)
if [ -z "$DB_PASSWORD" ]; then
DB_PASSWORD=$(openssl rand -base64 32 | tr -d "=+/" | cut -c1-25)
log_warn "Password PostgreSQL generata automaticamente"
else
log_info "Uso password PostgreSQL da variabile DB_PASSWORD"
fi
# Creazione database e utente
log_info "Configurazione database..."
@ -63,7 +68,10 @@ GRANT ALL PRIVILEGES ON DATABASE vigilanza_turni TO vigilanza_user;
GRANT ALL ON SCHEMA public TO vigilanza_user;
EOF
log_info "✅ Database configurato con password fornita"
# Salva password in file sicuro
echo "PGPASSWORD=${DB_PASSWORD}" > /root/.vigilanza_db_password
chmod 600 /root/.vigilanza_db_password
log_info "✅ Database configurato - Password salvata in /root/.vigilanza_db_password"
# Configurazione PostgreSQL per connessioni locali
log_info "Configurazione autenticazione PostgreSQL..."
@ -115,5 +123,11 @@ echo "3. Crea file .env con DATABASE_URL (password già configurata)"
echo "4. Ottieni certificato SSL: sudo certbot --nginx -d vt.alfacom.it"
echo "5. Esegui primo deploy: bash deploy/deploy.sh"
echo ""
log_warn "⚠️ IMPORTANTE - Password PostgreSQL:"
echo "Salvata in: /root/.vigilanza_db_password"
echo ""
log_info "DATABASE_URL per .env:"
echo "postgresql://vigilanza_user:${DB_PASSWORD}@localhost:5432/vigilanza_turni"
echo "postgresql://vigilanza_user:PASSWORD_DA_FILE@localhost:5432/vigilanza_turni"
echo ""
echo "Recupera password con:"
echo " cat /root/.vigilanza_db_password"