feat: use different creds for api and consumer with restrictive rights

.gitignore

@@ -218,3 +218,8 @@ __marimo__/
 
 # Streamlit
 .streamlit/secrets.toml
+
+
+## Specific env files that may contain secrets
+api.env
+consumer.env

server/api.env.example

@@ -0,0 +1 @@
+DATABASE_URI='postgresql://simugaz_api:changeme@db/simugaz'

server/backend/infrastructure/db.py

@@ -15,7 +15,7 @@ log = logging.getLogger(__name__)
 _MIN_CONN = 1
 _MAX_CONN = 10
 
-DB_URI = os.getenv("DATABASE_URI", "postgresql://simugaz:simugaz@db/simugaz")
+DB_URI = os.getenv("DATABASE_URI", "postgresql://user:password@db/simugaz")
 
 
 @lru_cache(maxsize=1)

server/consumer.env.example

@@ -0,0 +1 @@
+DATABASE_URI='postgresql://simugaz_consumer:changemetoo@db/simugaz'

server/docker-compose.yml

@@ -7,6 +7,7 @@ services:
     networks:
       - lora-gateway_mqtt
       - database
+    env_file: consumer.env
 
   api:
     build: ./backend
@@ -18,6 +19,7 @@ services:
     networks:
       - public
       - database
+    env_file: api.env
 
   webui:
     build: ./frontend

server/initdb/02_roles.sql

@@ -0,0 +1,6 @@
+CREATE USER simugaz_api WITH PASSWORD 'changeme';
+GRANT SELECT ON TABLE device, reading TO simugaz_api;
+
+CREATE USER simugaz_consumer WITH PASSWORD 'changemetoo';
+GRANT SELECT, INSERT ON TABLE device TO simugaz_consumer;
+GRANT INSERT ON TABLE reading TO simugaz_consumer;