Update to NixOS 23.11

Most of the release notes we have the luxury of not caring about; however,
for some we needed to make changes:

- postgresql ensurePermissions was deprecated. We have replaced it with a
  combination of the new ensureDBOwner, and manual permissions grants
  where that is not applicable
- fetchPypi should now be used at top-level. We used it once to install
  jishaku for ClicksForms. We have replaced the usage. There should be a
  broader conversation about the future of ClicksForms, but while
  upgrading to 23.11 is probably not the time for that
- fail2ban configs for things we no longer run have been removed

Additionally, the following things were looked at in detail and deemed
unimportant:

- passwordFile changes (we do not use passwords, at all)
- matrix changes (we believe this will need no module changes for our
  use-case)
- nextcloud phpOptions changes (this may reintroduce some default PHP
  options. We didn't realize we were clobbering them and consider this to
  be a good thing)
- vaultwarden default host change (we already specify a host)
- RAID changes (neither a1d1 nor a1d2 currently uses software RAID)
- nixpkgs.config with external packages warnings (we don't use any
  nixpkgs.config options, but if we did we could remove them and keep
  the same behavior)
- nextcloud upgrade to 27 (we already use nextcloud 27)
- matrix workers and redis configuration (redis doesn't provide a benefit
  outside of workers, our deployment is too small to need workers)
- several services have improved requirements. In particular, lots of
  dependencies around postgres have been improved

We haven't yet updated mongodb. It may be a good idea to migrate to
ferretdb, but this is better placed in a later change, as migration will
require migrating all the data, which will likely get messy.

Change-Id: I8db3cc5bfa68bc591ef5e467e8c7de0cae30b300
Reviewed-on: https://git.clicks.codes/c/Clicks/NixFiles/+/122
Tested-by: Samuel Shuert <coded@clicks.codes>
Reviewed-by: Samuel Shuert <coded@clicks.codes>
diff --git a/modules/common/postgres.nix b/modules/common/postgres.nix
index 30103e8..a4e107e 100644
--- a/modules/common/postgres.nix
+++ b/modules/common/postgres.nix
@@ -1,4 +1,8 @@
 { lib, config, pkgs, ... }: {
+  systemd.services.postgresql.after = [
+    "docker-network-taiga.service" # Needed to listen in 172.20.0.1
+  ];
+
   services.postgresql = {
     enable = true;
 
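Review bot: `after` alone is only an ordering constraint; it does not pull `docker-network-taiga.service` into postgresql's transaction, so on a boot or `systemctl restart postgresql` where the network unit is not already active, postgresql can still start before 172.20.0.1 exists and fail to bind. Pair it with `systemd.services.postgresql.wants = [ "docker-network-taiga.service" ];` (or `requires` if postgresql must not run without it). Since this makes the server reachable from everything on that container network, the pg_hba entries for that address further down in this file are what actually limit which users the containers can reach; keep them scoped to the roles the containers need. Minor: the comment should read "listen on 172.20.0.1".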
@@ -17,38 +21,32 @@
     ensureUsers = [
       {
         name = "clicks_grafana";
-        ensurePermissions = {
-          "ALL TABLES IN SCHEMA public" = "SELECT";
-          "SCHEMA public" = "USAGE";
-        };
       }
       {
         name = "matrix-synapse";
-        ensurePermissions = { "DATABASE synapse" = "ALL PRIVILEGES"; };
       }
       {
         name = "keycloak";
-        ensurePermissions = { "DATABASE keycloak" = "ALL PRIVILEGES"; };
+        ensureDBOwnership = true;
       }
       {
         name = "vaultwarden";
-        ensurePermissions = { "DATABASE vaultwarden" = "ALL PRIVILEGES"; };
+        ensureDBOwnership = true;
       }
       {
         name = "privatebin";
-        ensurePermissions = { "DATABASE privatebin" = "ALL PRIVILEGES"; };
+        ensureDBOwnership = true;
       }
       {
         name = "nextcloud";
-        ensurePermissions = { "DATABASE nextcloud" = "ALL PRIVILEGES"; };
+        ensureDBOwnership = true;
       }
       {
         name = "taiga";
-        ensurePermissions = { "DATABASE taiga" = "ALL PRIVILEGES"; };
+        ensureDBOwnership = true;
       }
     ] ++ (map (name: ({
       inherit name;
-      ensurePermissions = { "ALL TABLES IN SCHEMA public" = "ALL PRIVILEGES"; };
     })) [ "minion" "coded" "pineafan" ]);
 
     #                 method database user address auth-method
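Review bot: `ensureDBOwnership = true` is not a drop-in for the old `"DATABASE x" = "ALL PRIVILEGES"` grant: the 23.11 module asserts that a database with exactly the user's name is listed in `ensureDatabases`, and ownership is broader than ALL PRIVILEGES on the database (the owner can also ALTER, RENAME and DROP it and reassign ownership). That fits keycloak, vaultwarden, privatebin, nextcloud and taiga, whose database names match their role names, but the commit message should call it out as a widening rather than a like-for-like replacement. Also, clicks_grafana, matrix-synapse and the three users produced by the `map` now carry no permissions in this block at all; their access depends entirely on the imperative `$PSQL` statements added later in this file, so a one-line comment here pointing at that script would save the next reader a search.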
@@ -101,6 +99,19 @@
       ''))
       (lib.concatStringsSep "\n")
     ]))
+    ''
+      $PSQL -tAc 'ALTER DATABASE synapse OWNER TO "matrix-synapse";'
+      # matrix-synapse is done manually, because the database does not have the same name as the user
+
+      $PSQL -tAc 'GRANT SELECT ON ALL TABLES IN SCHEMA public TO "clicks_grafana"'
+      $PSQL -tAc 'GRANT USAGE ON SCHEMA public TO "clicks_grafana"'
+      # grafana is done manually, because it needs read permission in lots of places
+
+      $PSQL -tAc 'GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA public TO "coded"'
+      $PSQL -tAc 'GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA public TO "minion"'
+      $PSQL -tAc 'GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA public TO "pineafan"'
+      # leadership is done manually, because we need owner-level permissions in lots of places but cannot specify ourselves as the database owners (as there may only be 1)
+    ''
   ];
 
   sops.secrets = lib.pipe [
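Review bot: `GRANT ... ON ALL TABLES IN SCHEMA public` only affects tables that exist when this post-start script runs; tables created afterwards by a service migration (synapse, nextcloud and taiga all create tables on upgrade) stay invisible to clicks_grafana, and outside the reach of coded, minion and pineafan, until the next postgresql restart. To cover future tables add, for each owning role, `ALTER DEFAULT PRIVILEGES FOR ROLE <owner> IN SCHEMA public GRANT SELECT ON TABLES TO "clicks_grafana";` (default privileges are per creating role, so one statement per owner). Note too that these grants are additive only: removing a name from this block never revokes anything, so dropping a user from the leadership group needs a matching `REVOKE` or `DROP OWNED BY`, ideally alongside removing the role from `ensureUsers`. Minor: the first statement ends with `;` and the others do not; make them consistent.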