Update deployment to securely manage database passwords

Securely manage PostgreSQL credentials by storing them in a dedicated file and updating deployment scripts to reference this file, removing hardcoded passwords from configuration and documentation. Replit-Commit-Author: Agent Replit-Commit-Session-Id: 42d8028a-fa71-4ec2-938c-e43eedf7df01 Replit-Commit-Checkpoint-Type: intermediate_checkpoint Replit-Commit-Screenshot-Url: https://storage.googleapis.com/screenshot-production-us-central1/6d543d2c-20b9-4ea6-93fe-70fe9b1d9f80/42d8028a-fa71-4ec2-938c-e43eedf7df01/aazyBOE
2025-10-16 11:00:27 +00:00 · 2025-10-16 11:00:27 +00:00 · a40b945c84
commit a40b945c84
parent 7c456271ac
4 changed files with 95 additions and 36 deletions
--- a/.replit
+++ b/.replit
@ -27,6 +27,10 @@ externalPort = 3000
 localPort = 42175
 externalPort = 3002

+[[ports]]
+localPort = 45863
+externalPort = 3003
+
 [env]
 PORT = "5000"

--- a/DEPLOYMENT.md
+++ b/DEPLOYMENT.md
@ -80,7 +80,7 @@ Lo script `setup-server.sh` installa automaticamente:
 ✅ **PostgreSQL 15**
 - Database relazionale
 - User: `vigilanza_user`
- Password: `553da84c94093919d46055d6ec37dfa2a03d0f46`
+- Password: **Generata automaticamente** (salvata in `/root/.vigilanza_db_password`)
 - Database: `vigilanza_turni`

 ✅ **PM2**
@ -140,16 +140,21 @@ cp .env.production.example .env
 nano .env
 ```

-**File .env completo:**
+**Recupera password e crea .env:**

 ```bash
+# Recupera password da file sicuro
+DB_PASS=$(grep PGPASSWORD /root/.vigilanza_db_password | cut -d= -f2)
+
+# Crea .env con password reale (non shell var)
+cat > .env << EOF
 # Database
-DATABASE_URL=postgresql://vigilanza_user:553da84c94093919d46055d6ec37dfa2a03d0f46@localhost:5432/vigilanza_turni
+DATABASE_URL=postgresql://vigilanza_user:${DB_PASS}@localhost:5432/vigilanza_turni
 PGHOST=localhost
 PGPORT=5432
 PGDATABASE=vigilanza_turni
 PGUSER=vigilanza_user
-PGPASSWORD=553da84c94093919d46055d6ec37dfa2a03d0f46
+PGPASSWORD=${DB_PASS}

 # Session (genera nuovo)
 SESSION_SECRET=$(openssl rand -base64 32)
@ -166,6 +171,15 @@ BACKUP_RETENTION_DAYS=30

 # Logging
 LOG_LEVEL=info
+EOF
+
+echo "✅ File .env creato con password sicura"
+```
+
+**Verifica .env creato:**
+```bash
+cat .env | grep DATABASE_URL
+# Deve mostrare password reale, non ${DB_PASS}
 ```

 ---
@ -250,23 +264,26 @@ pm2 monit

 **Backup Manuale:**
 ```bash
+# Carica password da file sicuro
+export $(cat /root/.vigilanza_db_password | xargs)
+
 BACKUP_FILE="/var/backups/vigilanza-turni/backup_manual_$(date +%Y%m%d_%H%M%S).sql"
-PGPASSWORD=553da84c94093919d46055d6ec37dfa2a03d0f46 \
-  pg_dump -h localhost -U vigilanza_user -d vigilanza_turni > $BACKUP_FILE
+pg_dump -h localhost -U vigilanza_user -d vigilanza_turni > $BACKUP_FILE
 gzip $BACKUP_FILE
 echo "Backup salvato: ${BACKUP_FILE}.gz"
 ```

 **Ripristino Backup:**
 ```bash
+# Carica password da file sicuro
+export $(cat /root/.vigilanza_db_password | xargs)
+
 # Lista backup disponibili
 ls -lht /var/backups/vigilanza-turni/*.gz

 # Ripristina specifico backup
 BACKUP_FILE="/var/backups/vigilanza-turni/backup_20250116_143022.sql.gz"
-gunzip -c $BACKUP_FILE | \
-  PGPASSWORD=553da84c94093919d46055d6ec37dfa2a03d0f46 \
-  psql -h localhost -U vigilanza_user -d vigilanza_turni
+gunzip -c $BACKUP_FILE | psql -h localhost -U vigilanza_user -d vigilanza_turni

 # Restart applicazione
 pm2 restart vigilanza-turni
@ -274,8 +291,10 @@ pm2 restart vigilanza-turni

 **Accesso Database:**
 ```bash
-PGPASSWORD=553da84c94093919d46055d6ec37dfa2a03d0f46 \
-  psql -h localhost -U vigilanza_user -d vigilanza_turni
+# Carica password da file sicuro
+export $(cat /root/.vigilanza_db_password | xargs)
+
+psql -h localhost -U vigilanza_user -d vigilanza_turni
 ```

 ### Log Management
@ -363,8 +382,8 @@ sudo firewall-cmd --list-all

 ```bash
 # 1. Verifica connessione
-PGPASSWORD=553da84c94093919d46055d6ec37dfa2a03d0f46 \
-  psql -h localhost -U vigilanza_user -d vigilanza_turni -c "SELECT version();"
+export $(cat /root/.vigilanza_db_password | xargs)
+psql -h localhost -U vigilanza_user -d vigilanza_turni -c "SELECT version();"

 # 2. Check PostgreSQL
 sudo systemctl status postgresql
@ -428,8 +447,8 @@ pm2 monit
 sudo tail -f /var/log/nginx/vigilanza-turni-access.log

 # 4. Database performance
-PGPASSWORD=553da84c94093919d46055d6ec37dfa2a03d0f46 \
-  psql -h localhost -U vigilanza_user -d vigilanza_turni -c \
+export $(cat /root/.vigilanza_db_password | xargs)
+psql -h localhost -U vigilanza_user -d vigilanza_turni -c \
  "SELECT query, calls, mean_exec_time FROM pg_stat_statements ORDER BY mean_exec_time DESC LIMIT 10;"
 ```

@ -440,10 +459,9 @@ PGPASSWORD=553da84c94093919d46055d6ec37dfa2a03d0f46 \
 pm2 stop vigilanza-turni

 # 2. Ripristina database
+export $(cat /root/.vigilanza_db_password | xargs)
 BACKUP_FILE=$(ls -t /var/backups/vigilanza-turni/*.gz | head -1)
-gunzip -c $BACKUP_FILE | \
-  PGPASSWORD=553da84c94093919d46055d6ec37dfa2a03d0f46 \
-  psql -h localhost -U vigilanza_user -d vigilanza_turni
+gunzip -c $BACKUP_FILE | psql -h localhost -U vigilanza_user -d vigilanza_turni

 # 3. Git rollback
 cd /var/www/vigilanza-turni
--- a/QUICKSTART-DEPLOYMENT.md
+++ b/QUICKSTART-DEPLOYMENT.md
@ -30,11 +30,13 @@ sudo bash deploy/setup-server.sh

 Lo script installa automaticamente:
 - Node.js 20
- PostgreSQL 15 (con password: 553da84c94093919d46055d6ec37dfa2a03d0f46)
+- PostgreSQL 15 (password autogenerata)
 - PM2
 - Nginx
 - Certbot (SSL)

+⚠️ **Password DB salvata in:** `/root/.vigilanza_db_password`
+
 ### 2️⃣ Configura Nginx (2 min)

 ```bash
@ -54,20 +56,41 @@ sudo certbot --nginx -d vt.alfacom.it
 ```bash
 cd /var/www/vigilanza-turni

-# Crea .env produzione
-cp .env.production.example .env
-nano .env
-```
-
-**Inserisci in .env:**
-```bash
-DATABASE_URL=postgresql://vigilanza_user:553da84c94093919d46055d6ec37dfa2a03d0f46@localhost:5432/vigilanza_turni
+# Recupera password DB da file sicuro
+DB_PASS=$(grep PGPASSWORD /root/.vigilanza_db_password | cut -d= -f2)
 SESSION_SECRET=$(openssl rand -base64 32)
+
+# Crea .env con valori reali (no shell variables)
+cat > .env << EOF
+# Database
+DATABASE_URL=postgresql://vigilanza_user:${DB_PASS}@localhost:5432/vigilanza_turni
+PGHOST=localhost
+PGPORT=5432
+PGDATABASE=vigilanza_turni
+PGUSER=vigilanza_user
+PGPASSWORD=${DB_PASS}
+
+# Session
+SESSION_SECRET=${SESSION_SECRET}
+
+# Application
 NODE_ENV=production
 PORT=5000
 APP_URL=https://vt.alfacom.it
+
+# Backup
 BACKUP_ENABLED=true
 BACKUP_DIR=/var/backups/vigilanza-turni
+LOG_LEVEL=info
+EOF
+
+echo "✅ File .env creato"
+```
+
+**Verifica:**
+```bash
+cat .env | grep DATABASE_URL
+# Deve mostrare password reale, non variabili shell
 ```

 ### 4️⃣ Primo Deploy (2 min)
@ -118,9 +141,9 @@ pm2 restart vigilanza-turni
 # Verifica backup
 ls -lht /var/backups/vigilanza-turni/

-# Ripristina backup
+# Ripristina backup (usa password da file)
+export $(cat /root/.vigilanza_db_password | xargs)
 gunzip -c /var/backups/vigilanza-turni/backup_20250116_143022.sql.gz | \
-  PGPASSWORD=553da84c94093919d46055d6ec37dfa2a03d0f46 \
  psql -h localhost -U vigilanza_user -d vigilanza_turni
 ```

@ -137,9 +160,9 @@ sudo systemctl reload nginx

 **Errore database:**
 ```bash
-# Verifica connessione
-PGPASSWORD=553da84c94093919d46055d6ec37dfa2a03d0f46 \
-  psql -h localhost -U vigilanza_user -d vigilanza_turni -c "SELECT version();"
+# Verifica connessione (usa password da file)
+export $(cat /root/.vigilanza_db_password | xargs)
+psql -h localhost -U vigilanza_user -d vigilanza_turni -c "SELECT version();"
 ```

 **Build fallito:**
--- a/deploy/setup-server.sh
+++ b/deploy/setup-server.sh
@ -50,8 +50,13 @@ postgresql-setup --initdb
 systemctl enable postgresql
 systemctl start postgresql

-# Password database fornita dall'utente
-DB_PASSWORD="553da84c94093919d46055d6ec37dfa2a03d0f46"
+# Genera password sicura PostgreSQL (o usa variabile ambiente)
+if [ -z "$DB_PASSWORD" ]; then
+    DB_PASSWORD=$(openssl rand -base64 32 | tr -d "=+/" | cut -c1-25)
+    log_warn "Password PostgreSQL generata automaticamente"
+else
+    log_info "Uso password PostgreSQL da variabile DB_PASSWORD"
+fi

 # Creazione database e utente
 log_info "Configurazione database..."
@ -63,7 +68,10 @@ GRANT ALL PRIVILEGES ON DATABASE vigilanza_turni TO vigilanza_user;
 GRANT ALL ON SCHEMA public TO vigilanza_user;
 EOF

-log_info "✅ Database configurato con password fornita"
+# Salva password in file sicuro
+echo "PGPASSWORD=${DB_PASSWORD}" > /root/.vigilanza_db_password
+chmod 600 /root/.vigilanza_db_password
+log_info "✅ Database configurato - Password salvata in /root/.vigilanza_db_password"

 # Configurazione PostgreSQL per connessioni locali
 log_info "Configurazione autenticazione PostgreSQL..."
@ -115,5 +123,11 @@ echo "3. Crea file .env con DATABASE_URL (password già configurata)"
 echo "4. Ottieni certificato SSL: sudo certbot --nginx -d vt.alfacom.it"
 echo "5. Esegui primo deploy: bash deploy/deploy.sh"
 echo ""
+log_warn "⚠️  IMPORTANTE - Password PostgreSQL:"
+echo "Salvata in: /root/.vigilanza_db_password"
+echo ""
 log_info "DATABASE_URL per .env:"
-echo "postgresql://vigilanza_user:${DB_PASSWORD}@localhost:5432/vigilanza_turni"
+echo "postgresql://vigilanza_user:PASSWORD_DA_FILE@localhost:5432/vigilanza_turni"
+echo ""
+echo "Recupera password con:"
+echo "  cat /root/.vigilanza_db_password"