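{ lib, config, pkgs, ... }: {
  # PostgreSQL host module: one cluster shared by several applications, each with
  # its own database and role. Role passwords come from sops secrets and are set
  # after the service starts.
  services.postgresql = {
    enable = true;

    package = pkgs.postgresql;
    settings = {
      # Session start/end logging gives an audit trail of which role connected
      # from where; log_destination is forced to syslog so these records are
      # shipped with the rest of the host's logs.
      log_connections = true;
      logging_collector = true;
      log_disconnections = true;
      log_destination = lib.mkForce "syslog";
    };

    ensureDatabases = [
      "vaultwarden"
      "privatebin"
      "keycloak"
    ];

    ensureUsers = [
      {
        # Read-only reporting role: SELECT on existing public tables only.
        name = "clicks_grafana";
        ensurePermissions = {
          "ALL TABLES IN SCHEMA public" = "SELECT";
          "SCHEMA public" = "USAGE";
        };
      }
      {
        name = "synapse";
        ensurePermissions = {
          "DATABASE synapse" = "ALL PRIVILEGES";
        };
      }
      {
        name = "keycloak";
        ensurePermissions = {
          "DATABASE keycloak" = "ALL PRIVILEGES";
        };
      }
      {
        name = "vaultwarden";
        ensurePermissions = {
          "DATABASE vaultwarden" = "ALL PRIVILEGES";
        };
      }
      {
        name = "privatebin";
        ensurePermissions = {
          "DATABASE privatebin" = "ALL PRIVILEGES";
        };
      }
    ] ++ (map
      (name: (
        {
          inherit name;
          # NOTE: a GRANT ... ON ALL TABLES IN SCHEMA only covers tables that
          # exist when it runs; tables created later are not covered unless
          # default privileges are configured separately.
          ensurePermissions = { "ALL TABLES IN SCHEMA public" = "ALL PRIVILEGES"; };
        }
      )) [ "minion" "coded" "pinea" ]);

  };

  systemd.services.postgresql.postStart = lib.mkMerge [
    (
      let
        database = "synapse";
        cfg = config.services.postgresql;
      in
      lib.mkBefore (
        ''
          PSQL="psql --port=${toString cfg.port}"

          # Wait until the server accepts connections, but give up if the
          # main process has already died.
          while ! $PSQL -d postgres -c "" 2> /dev/null; do
            if ! kill -0 "$MAINPID"; then exit 1; fi
            sleep 0.1
          done

          $PSQL -tAc "SELECT 1 FROM pg_database WHERE datname = '${database}'" | grep -q 1 || $PSQL -tAc 'CREATE DATABASE "${database}" WITH LC_CTYPE="C" LC_COLLATE="C" TEMPLATE="template0"'
        ''
      ) # synapse needs C collation, so we can't use ensureDatabases for it
    )
    (lib.mkAfter (lib.pipe [
      { user = "clicks_grafana"; passwordFile = config.sops.secrets.clicks_grafana_db_password.path; }
      { user = "keycloak"; passwordFile = config.sops.secrets.clicks_keycloak_db_password.path; }
      { user = "vaultwarden"; passwordFile = config.sops.secrets.clicks_bitwarden_db_password.path; }
      { user = "privatebin"; passwordFile = config.sops.secrets.clicks_privatebin_db_password.path; }
    ] [
      # Set each role's password from its secret file. The SQL is fed to psql
      # on stdin and the secret is read by psql itself (\set with a backquoted
      # command) and interpolated as a quoted literal (:'pw'), so the password
      # never appears in a process argument list and a quote character in the
      # secret cannot break out of the statement. The heredoc delimiter is
      # quoted so the shell does not expand anything inside it. $PSQL is the
      # variable defined by the mkBefore block above.
      (map (userData: ''
        $PSQL -tA <<'EOF'
        \set pw `cat ${userData.passwordFile}`
        ALTER USER ${userData.user} PASSWORD :'pw';
        EOF
      ''))
      (lib.concatStringsSep "\n")
    ]))
  ];

  # Secret files are readable only by the PostgreSQL superuser account, which
  # is the account the postStart script runs as.
  sops.secrets = lib.pipe [
    "clicks_grafana_db_password"
    "clicks_keycloak_db_password"
    "clicks_bitwarden_db_password"
    "clicks_privatebin_db_password"
  ] [
    (map (name: {
      inherit name;
      value = {
        mode = "0400";
        owner = config.services.postgresql.superUser;
        group = config.users.users.${config.services.postgresql.superUser}.group;
        sopsFile = ../secrets/postgres.json;
        format = "json";
      };
    }))
    builtins.listToAttrs
  ];
}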