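{ lib, config, pkgs, ... }: {
  # Shared PostgreSQL instance for the services below. Databases and roles are
  # declared here; per-role passwords are loaded from sops secrets on every
  # service start (see systemd.services.postgresql.postStart).
  services.postgresql = {
    enable = true;

    package = pkgs.postgresql;
    settings = {
      # Audit trail: record every session open/close and send the log to
      # syslog instead of the collector's own files. mkForce makes this win
      # over any other module that sets log_destination.
      log_connections = true;
      logging_collector = true;
      log_disconnections = true;
      log_destination = lib.mkForce "syslog";
    };

    # "synapse" is intentionally not listed: it is created by hand in
    # postStart because it needs C collation, which ensureDatabases cannot
    # express.
    ensureDatabases = [
      "vaultwarden"
      "privatebin"
      "keycloak"
      "nextcloud"
    ];

    # NOTE(review): ensurePermissions is deprecated in newer nixpkgs in
    # favour of ensureDBOwnership; confirm against the pinned nixpkgs before
    # upgrading.
    ensureUsers = [
      {
        # Read-only role for dashboards: may list and read tables in public,
        # nothing else.
        name = "clicks_grafana";
        ensurePermissions = {
          "ALL TABLES IN SCHEMA public" = "SELECT";
          "SCHEMA public" = "USAGE";
        };
      }
      {
        # The synapse database itself is created in postStart (mkBefore), so
        # it exists by the time this grant is applied.
        name = "synapse";
        ensurePermissions = {
          "DATABASE synapse" = "ALL PRIVILEGES";
        };
      }
      {
        name = "keycloak";
        ensurePermissions = {
          "DATABASE keycloak" = "ALL PRIVILEGES";
        };
      }
      {
        name = "vaultwarden";
        ensurePermissions = {
          "DATABASE vaultwarden" = "ALL PRIVILEGES";
        };
      }
      {
        name = "privatebin";
        ensurePermissions = {
          "DATABASE privatebin" = "ALL PRIVILEGES";
        };
      }
      {
        name = "nextcloud";
        ensurePermissions = {
          "DATABASE nextcloud" = "ALL PRIVILEGES";
        };
      }
    ] ++ (map
      (name: {
        inherit name;
        # Presumably personal accounts; they get full rights on every table in
        # the public schema, which is broader than the per-service roles above.
        ensurePermissions = { "ALL TABLES IN SCHEMA public" = "ALL PRIVILEGES"; };
      }) [ "minion" "coded" "pinea" ]);
  };

  systemd.services.postgresql.postStart = lib.mkMerge [
    # Runs before the module's own ensureDatabases/ensureUsers logic so the
    # synapse grant in ensureUsers has a database to apply to.
    (
      let
        database = "synapse";
        cfg = config.services.postgresql;
      in
      lib.mkBefore ''
        PSQL="psql --port=${toString cfg.port}"

        # Wait until the server accepts connections; give up if the main
        # process has already died.
        while ! $PSQL -d postgres -c "" 2> /dev/null; do
          if ! kill -0 "$MAINPID"; then exit 1; fi
          sleep 0.1
        done

        # synapse needs C collation, so we can't use ensureDatabases for it
        $PSQL -tAc "SELECT 1 FROM pg_database WHERE datname = '${database}'" | grep -q 1 || $PSQL -tAc 'CREATE DATABASE "${database}" WITH LC_CTYPE="C" LC_COLLATE="C" TEMPLATE="template0"'
      ''
    )
    # Runs after ensureUsers has created the roles. Each password is read by
    # psql itself and bound to a psql variable: :'pw' emits a correctly quoted
    # SQL literal, so a secret containing a quote cannot break or alter the
    # statement, and the secret is never placed in psql's argument list
    # (which other local processes can read from the process table).
    # ON_ERROR_STOP keeps the earlier behaviour that a failed ALTER aborts
    # postStart instead of being silently ignored. $PSQL comes from the
    # mkBefore snippet above.
    (lib.mkAfter (lib.pipe [
      { user = "clicks_grafana"; passwordFile = config.sops.secrets.clicks_grafana_db_password.path; }
      { user = "keycloak"; passwordFile = config.sops.secrets.clicks_keycloak_db_password.path; }
      # Secret keeps its historical "bitwarden" name although the role is
      # vaultwarden.
      { user = "vaultwarden"; passwordFile = config.sops.secrets.clicks_bitwarden_db_password.path; }
      { user = "privatebin"; passwordFile = config.sops.secrets.clicks_privatebin_db_password.path; }
      { user = "nextcloud"; passwordFile = config.sops.secrets.clicks_nextcloud_db_password.path; }
    ] [
      (map (userData: ''
        $PSQL -tA -v ON_ERROR_STOP=1 <<'EOF'
        \set pw `cat ${userData.passwordFile}`
        ALTER USER "${userData.user}" PASSWORD :'pw';
        EOF
      ''))
      (lib.concatStringsSep "\n")
    ]))
  ];

  # One sops secret per database role, all stored in ../secrets/postgres.json.
  # Files are 0400 and owned by the PostgreSQL superuser, which is the account
  # postStart runs as, so no other user on the host can read them.
  sops.secrets = lib.pipe [
    "clicks_grafana_db_password"
    "clicks_keycloak_db_password"
    "clicks_bitwarden_db_password"
    "clicks_privatebin_db_password"
    "clicks_nextcloud_db_password"
  ] [
    (map (name: {
      inherit name;
      value = {
        mode = "0400";
        owner = config.services.postgresql.superUser;
        group = config.users.users.${config.services.postgresql.superUser}.group;
        sopsFile = ../secrets/postgres.json;
        format = "json";
      };
    }))
    builtins.listToAttrs
  ];
}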