From 811053f67c57376a883927c3958564267790b217 Mon Sep 17 00:00:00 2001 From: Roger Gonzalez Date: Wed, 27 Nov 2024 16:25:07 -0300 Subject: [PATCH] Enhance security by generating a unique DB password --- README.md | 12 +++++++++++- setup.sh | 11 ++++++++++- 2 files changed, 21 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index f7eecdc..8938981 100644 --- a/README.md +++ b/README.md @@ -25,7 +25,15 @@ cd dendrite-docker-bridges ./setup.sh ``` -This script will prompt you for your domain (the one you configured in "Before Starting") and create your private key and config in the `./config/dendrite` directory. When it finishes, make sure to copy the "Registration shared secret," as you will need it for the next step. +This script will: +- Prompt you for your domain (the one you configured in "Before Starting") +- Generate a secure database password +- Create your private key and config in the `./config/dendrite` directory +- Display two important pieces of information: + - The "Registration shared secret" + - The Database URI + +**Important**: Make sure to save both the registration shared secret AND the Database URI in a secure location. The Database URI will be needed later when configuring the bridges for WhatsApp, Telegram, and Discord. 3. Open your configuration file located at `./config/dendrite/dendrite.yaml`. **You may need `sudo` to edit this file.** Search for `registration_shared_secret` and paste the registration secret you copied in the previous step. The section should look similar to this: @@ -64,3 +72,5 @@ Dendrite is now up and running! You can proceed with setting up the bridges: - [WhatsApp Bridge](./config/mautrix-whatsapp/README.md) - [Telegram Bridge](./config/mautrix-telegram/README.md) - [Discord Bridge](./config/mautrix-discord/README.md) + +**Note**: When configuring each bridge, you'll need to use the Database URI that was displayed during the setup process. Make sure you have saved it somewhere secure! 
diff --git a/setup.sh b/setup.sh
index be6ff7b..bc05e02 100755
--- a/setup.sh
+++ b/setup.sh
@@ -1,5 +1,11 @@
 #!/bin/bash
+# Generate DB password
+DB_PASSWORD=$(head /dev/urandom | tr -dc A-Za-z0-9 | head -c 32)
+
+# Replace the default password in docker-compose.yml
+sed -i "s/POSTGRES_PASSWORD: itsasecret/POSTGRES_PASSWORD: $DB_PASSWORD/" docker-compose.yml
+
 # Prompt for domain input
 read -p "Enter your domain (e.g., example.com): " DOMAIN
 if [[ -z "$DOMAIN" ]]; then
@@ -21,7 +27,7 @@ docker run --rm --entrypoint="/bin/sh" \
 matrixdotorg/dendrite-monolith:latest \
 -c "/usr/bin/generate-config \
 -dir /var/dendrite/ \
- -db postgres://dendrite:itsasecret@postgres/dendrite?sslmode=disable \
+ -db postgres://dendrite:$DB_PASSWORD@postgres/dendrite?sslmode=disable \
 -server $DOMAIN > /mnt/dendrite.yaml"
 # Generate and display the registration shared secret
@@ -29,3 +35,6 @@ SHARED_SECRET=$(head /dev/urandom | tr -dc A-Za-z0-9 | head -c 50)
 echo
 echo "Registration shared secret: $SHARED_SECRET"
 echo "Make sure to copy it!"
+echo
+echo "Database URI: postgres://dendrite:$DB_PASSWORD@postgres/dendrite?sslmode=disable"
+echo "Make sure to save this information securely!"
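Review bot: The `sed -i` rewrite in the first setup.sh hunk (`@@ -1,5 +1,11 @@`) runs before the domain is validated and only matches the literal `itsasecret`, so an aborted or repeated run leaves docker-compose.yml holding a password that differs from the one later passed to generate-config and printed. On a second run the substitution silently matches nothing while a fresh `DB_PASSWORD` is still generated and used. The generator also has no length check: `head /dev/urandom` reads a variable amount of data, so fewer than 32 characters is possible. I would move the block below the DOMAIN check (its body is outside this hunk, so presumably it exits on empty input), refuse to continue when the placeholder is absent, and verify the length, as sketched below. Because docker-compose.yml appears to ship with the repository, the generated password also becomes a pending change that is easy to commit by accident; an untracked env file would avoid that.

```shell
# … unchanged: domain prompt and empty-DOMAIN check …

# A missing placeholder means an earlier run already set a password.
if ! grep -q 'POSTGRES_PASSWORD: itsasecret' docker-compose.yml; then
  echo "docker-compose.yml no longer has the default password; refusing to generate a new one." >&2
  exit 1
fi

DB_PASSWORD=$(head /dev/urandom | tr -dc A-Za-z0-9 | head -c 32)
if [[ ${#DB_PASSWORD} -ne 32 ]]; then
  echo "Could not generate a 32-character database password." >&2
  exit 1
fi
# … unchanged: sed -i replacement of POSTGRES_PASSWORD …
```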
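Review bot: The added `echo "Database URI: …"` in the last setup.sh hunk (`@@ -29,3 +35,6 @@`) prints the database password in clear text to the terminal, where it stays in scrollback and in any log that captures the script's output. Writing the URI to an owner-only file and printing just its location would keep the secret off the screen, for example `( umask 077; printf '%s\n' "postgres://dendrite:$DB_PASSWORD@postgres/dendrite?sslmode=disable" > "$CREDENTIALS_FILE" )` followed by `echo "Database URI saved to $CREDENTIALS_FILE"`, where `CREDENTIALS_FILE` is a placeholder name for a path the project would choose. The same concern applies to the registration shared secret printed just above, which predates this commit.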