Switch database connections to mTLS auth on new server

Unit files now use the direct mTLS connection string (no password) and deploy script no longer extracts or injects a database password. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-21 18:57:19 +03:00
parent e3ca2ae502
commit 60a1640327
4 changed files with 3 additions and 9 deletions
--- a/asset/systemd/rbv-api.service
+++ b/asset/systemd/rbv-api.service
@@ -7,7 +7,7 @@ ExecStart=/usr/local/bin/rbv-api \
    --ca-cert /etc/pki/ca-trust/source/anchors/root-internal.pem \
    --server-cert /etc/nginx/tls/rbv/rbv.pem \
    --server-key /etc/nginx/tls/rbv/key.pem \
-    --database postgres://rbv:password@localhost:4432/rbv \
+    --database postgres://rbv@10.3.0.194:5432/rbv?sslmode=verify-full&sslrootcert=/etc/pki/ca-trust/source/anchors/root-internal.pem&sslcert=/etc/pki/tls/misc/%H.pem&sslkey=/etc/pki/tls/private/%H.pem \
    --face-cache /tank/data/rbv/cache/face \
    --model-dir /tank/containers/immich/ml-cache \
    --cdn-map /tank/data/rbv/vault=/vault
--- a/asset/systemd/rbv-cluster.service
+++ b/asset/systemd/rbv-cluster.service
@@ -8,7 +8,7 @@ Conflicts=rbv-index@vault.service
 Type=oneshot
 Environment=RUST_LOG=info,ort=off,sqlx::query=off
 ExecStart=/usr/local/bin/rbv cluster \
-    --database postgres://rbv:password@localhost:4432/rbv \
+    --database postgres://rbv@10.3.0.194:5432/rbv?sslmode=verify-full&sslrootcert=/etc/pki/ca-trust/source/anchors/root-internal.pem&sslcert=/etc/pki/tls/misc/%H.pem&sslkey=/etc/pki/tls/private/%H.pem \
    --concurrency 24 \
    --threshold 0.55
 ExecStartPost=/usr/bin/systemctl start rbv-index@vault.service
--- a/asset/systemd/rbv-index@.service
+++ b/asset/systemd/rbv-index@.service
@@ -11,7 +11,7 @@ ExecStart=/usr/local/bin/rbv index \
    --target /tank/data/rbv/%i \
    --face-cache /tank/data/rbv/cache/face \
    --concurrency 24 \
-    --database postgres://rbv:password@localhost:4432/rbv \
+    --database postgres://rbv@10.3.0.194:5432/rbv?sslmode=verify-full&sslrootcert=/etc/pki/ca-trust/source/anchors/root-internal.pem&sslcert=/etc/pki/tls/misc/%H.pem&sslkey=/etc/pki/tls/private/%H.pem \
    --model-dir /tank/containers/immich/ml-cache \
    --face-score-thresh 0.7
 ExecStartPost=/usr/bin/systemctl start rbv-cluster.service
--- a/script/deploy.sh
+++ b/script/deploy.sh
@@ -33,7 +33,6 @@ deploy_db() {

 deploy_index() {
    cargo build --release
-    postgres_password=$(grep POSTGRES_PASSWORD asset/quadlet/.env | cut -d '=' -f 2)

    for unit in rbv-{index@vault,cluster}.service; do
        state=$(ssh ${index_host} "systemctl is-active ${unit} 2>/dev/null")
@@ -68,7 +67,6 @@ deploy_index() {
            --chown root:root \
            asset/systemd/rbv-cluster.service \
            ${index_host}:/etc/systemd/system/rbv-cluster.service \
-        && ssh ${index_host} sudo sed -i -e "s/password/${postgres_password}/" /etc/systemd/system/rbv-index@.service /etc/systemd/system/rbv-cluster.service \
        && ssh ${index_host} sudo systemctl daemon-reload \
        && ssh ${index_host} sudo systemctl start --no-block rbv-index@vault.service \
        && ssh ${index_host} '(systemctl is-enabled --quiet rbv-index@vault.service || sudo systemctl enable rbv-index@vault.service)'; then
@@ -81,7 +79,6 @@ deploy_index() {

 deploy_api() {
    cargo build --release
-    postgres_password=$(grep POSTGRES_PASSWORD asset/quadlet/.env | cut -d '=' -f 2)

    ssh ${api_host} "systemctl is-active --quiet rbv-api.service && sudo systemctl stop rbv-api.service"
    if rsync \
@@ -99,7 +96,6 @@ deploy_api() {
            --chown root:root \
            asset/systemd/rbv-api.service \
            ${api_host}:/etc/systemd/system/rbv-api.service \
-        && ssh ${api_host} sudo sed -i -e "s/password/${postgres_password}/" /etc/systemd/system/rbv-api.service \
        && ssh ${api_host} sudo systemctl daemon-reload \
        && ssh ${api_host} sudo systemctl start rbv-api.service \
        && ssh ${index_host} '(systemctl is-enabled --quiet rbv-api.service || sudo systemctl enable rbv-api.service)'; then
@@ -112,7 +108,6 @@ deploy_api() {

 deploy_caption() {
    cargo build --release -p rbv-caption
-    postgres_password=$(grep POSTGRES_PASSWORD asset/quadlet/.env | cut -d '=' -f 2)

    for unit in rbv-caption@{florence-2-base,florence-2-base-ocr,vit-gpt2}.service; do
        state=$(ssh ${caption_host} "systemctl is-active ${unit} 2>/dev/null")
@@ -140,7 +135,6 @@ deploy_caption() {
            --chown root:root \
            asset/systemd/rbv-caption@.service \
            ${caption_host}:/etc/systemd/system/rbv-caption@.service \
-        && ssh ${caption_host} sudo sed -i -e "s/password/${postgres_password}/" /etc/systemd/system/rbv-caption@.service \
        && ssh ${caption_host} sudo systemctl daemon-reload \
        && ssh ${caption_host} sudo systemctl start --no-block rbv-caption@florence-2-base.service \
        && ssh ${caption_host} sudo systemctl start --no-block rbv-caption@florence-2-base-ocr.service \