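{ lib, config, pkgs, ... }: {
  services.postgresql = {
    enable = true;

    # NOTE(review): pkgs.postgresql tracks whatever major version nixpkgs
    # ships by default, so a nixpkgs bump can change the major underneath an
    # existing data directory (which then needs pg_upgrade before the service
    # starts again). Pinning an explicit major (pkgs.postgresql_NN) avoids
    # that surprise — confirm which major the data directory currently uses
    # before changing it.
    package = pkgs.postgresql;
    settings = {
      # Log every session start and end so access to the server is auditable.
      log_connections = true;
      logging_collector = true;
      log_disconnections = true;
      # All server log output goes to syslog; mkForce wins over any other
      # module that sets log_destination.
      # NOTE(review): logging_collector only captures messages written to
      # stderr/csvlog, so with syslog as the sole destination it looks
      # inert — confirm whether it is still wanted.
      log_destination = lib.mkForce "syslog";
    };

    # synapse is deliberately absent: it needs C collation, which
    # ensureDatabases cannot express, so it is created in postStart below.
    ensureDatabases = [
      "vaultwarden"
      "gerrit"
      "privatebin"
      "keycloak"
      "nextcloud"
    ];

    # NOTE(review): ensurePermissions is deprecated in newer NixOS releases
    # (ensureDBOwnership is the replacement); revisit on upgrade. Grants on
    # "ALL TABLES IN SCHEMA public" cover only tables that exist when the
    # grant runs — tables created later are not covered. Roles without an
    # entry in the password list in postStart (synapse, nextcloud)
    # presumably authenticate over the local socket — verify against
    # pg_hba.
    ensureUsers = [
      {
        # Read-only monitoring account.
        name = "clicks_grafana";
        ensurePermissions = {
          "ALL TABLES IN SCHEMA public" = "SELECT";
          "SCHEMA public" = "USAGE";
        };
      }
      {
        # The synapse database is created by the mkBefore part of postStart,
        # which runs ahead of the module's own grant handling, so this
        # DATABASE grant has something to attach to.
        name = "synapse";
        ensurePermissions = {
          "DATABASE synapse" = "ALL PRIVILEGES";
        };
      }
      {
        name = "keycloak";
        ensurePermissions = {
          "DATABASE keycloak" = "ALL PRIVILEGES";
        };
      }
      {
        name = "gerrit";
        ensurePermissions = {
          "DATABASE gerrit" = "ALL PRIVILEGES";
        };
      }
      {
        name = "vaultwarden";
        ensurePermissions = {
          "DATABASE vaultwarden" = "ALL PRIVILEGES";
        };
      }
      {
        name = "privatebin";
        ensurePermissions = {
          "DATABASE privatebin" = "ALL PRIVILEGES";
        };
      }
      {
        name = "nextcloud";
        ensurePermissions = {
          "DATABASE nextcloud" = "ALL PRIVILEGES";
        };
      }
    ] ++ (map
      (name: {
        inherit name;
        # NOTE(review): this is a broad grant — every table in the public
        # schema of the database the grant is executed against, for what
        # look like personal accounts. Confirm it is intended rather than a
        # per-database grant like the service roles above.
        ensurePermissions = { "ALL TABLES IN SCHEMA public" = "ALL PRIVILEGES"; };
      })
      [ "minion" "coded" "pinea" ]);
  };

  systemd.services.postgresql.postStart = lib.mkMerge [
    (
      let
        database = "synapse";
        cfg = config.services.postgresql;
      in
      # synapse needs C collation, which ensureDatabases cannot express, so
      # the database is created by hand. mkBefore places this ahead of the
      # module's own postStart, so the synapse role grants above find the
      # database already present.
      lib.mkBefore ''
        PSQL="psql --port=${toString cfg.port}"

        # Wait until the server accepts connections, giving up if the main
        # process has already died.
        while ! $PSQL -d postgres -c "" 2> /dev/null; do
          if ! kill -0 "$MAINPID"; then exit 1; fi
          sleep 0.1
        done

        $PSQL -tAc "SELECT 1 FROM pg_database WHERE datname = '${database}'" | grep -q 1 || $PSQL -tAc 'CREATE DATABASE "${database}" WITH LC_CTYPE="C" LC_COLLATE="C" TEMPLATE="template0"'
      ''
    )
    # Runs after the module's own postStart, so every role below already
    # exists. $PSQL is defined both by the mkBefore part above and by the
    # module itself.
    (lib.mkAfter (lib.pipe [
      { user = "clicks_grafana"; passwordFile = config.sops.secrets.clicks_grafana_db_password.path; }
      { user = "keycloak"; passwordFile = config.sops.secrets.clicks_keycloak_db_password.path; }
      { user = "gerrit"; passwordFile = config.sops.secrets.clicks_gerrit_db_password.path; }
      { user = "vaultwarden"; passwordFile = config.sops.secrets.clicks_bitwarden_db_password.path; }
      { user = "privatebin"; passwordFile = config.sops.secrets.clicks_privatebin_db_password.path; }
    ] [
      (map (userData:
        # Set the role password without placing the secret in argv: the
        # previous `psql -c "ALTER USER ... PASSWORD '$(cat file)'"` form put
        # the password on the psql command line, visible to every local user
        # through /proc/*/cmdline, and a single quote in the password would
        # have broken (or altered) the statement. Here psql reads the file
        # itself via \set's backquote form, which also drops the trailing
        # newline, and :'pw' emits a correctly quoted SQL literal.
        # ON_ERROR_STOP keeps the non-zero exit on failure that -c had.
        # NOTE(review): if the ALTER fails, the server still logs the failing
        # statement with the literal in it (log_min_error_statement defaults
        # to error), and that goes to syslog with this configuration.
        ''
          $PSQL -v ON_ERROR_STOP=1 <<'EOF'
          \set pw `cat ${userData.passwordFile}`
          ALTER USER "${userData.user}" PASSWORD :'pw';
          EOF
        ''))
      (lib.concatStringsSep "\n")
    ]))
  ];

  # Each database password lives in secrets/postgres.json and is readable
  # only by the PostgreSQL superuser account, which is the user postStart
  # (the only reader) runs as.
  sops.secrets = lib.pipe [
    "clicks_grafana_db_password"
    "clicks_keycloak_db_password"
    "clicks_gerrit_db_password"
    "clicks_bitwarden_db_password"
    "clicks_privatebin_db_password"
  ] [
    (map (name: {
      inherit name;
      value = {
        mode = "0400";
        owner = config.services.postgresql.superUser;
        group = config.users.users.${config.services.postgresql.superUser}.group;
        sopsFile = ../secrets/postgres.json;
        format = "json";
      };
    }))
    builtins.listToAttrs
  ];
}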