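# PostgreSQL host module: one cluster serving several services, with
# per-service roles, sops-managed role passwords, and a C-collated
# database for synapse created outside ensureDatabases.
{ lib, config, pkgs, ... }:
let
  # Roles whose password is set from a sops secret after the server is up.
  # The secret names are not derivable from the role name (vaultwarden's
  # secret is "clicks_bitwarden_db_password"), so the mapping is explicit and
  # shared by both the password script and the sops.secrets declaration.
  passwordRoles = [
    { user = "clicks_grafana"; secret = "clicks_grafana_db_password"; }
    { user = "keycloak"; secret = "clicks_keycloak_db_password"; }
    { user = "gerrit"; secret = "clicks_gerrit_db_password"; }
    { user = "vaultwarden"; secret = "clicks_bitwarden_db_password"; }
    { user = "privatebin"; secret = "clicks_privatebin_db_password"; }
    { user = "nextcloud"; secret = "clicks_nextcloud_db_password"; }
  ];
  pgSuperUser = config.services.postgresql.superUser;
in
{
  services.postgresql = {
    enable = true;

    package = pkgs.postgresql;
    settings = {
      log_connections = true;
      logging_collector = true;
      log_disconnections = true;
      # Forced so that a lower-priority module default cannot redirect logs
      # away from syslog.
      log_destination = lib.mkForce "syslog";
    };

    ensureDatabases =
      [ "vaultwarden" "gerrit" "privatebin" "keycloak" "nextcloud" ];

    # NOTE(review): newer nixpkgs deprecate ensurePermissions in favour of
    # ensureDBOwnership — check the module options before upgrading.
    ensureUsers = [
      {
        name = "clicks_grafana";
        # Read-only reporting role: SELECT on existing public tables only.
        ensurePermissions = {
          "ALL TABLES IN SCHEMA public" = "SELECT";
          "SCHEMA public" = "USAGE";
        };
      }
      {
        name = "synapse";
        ensurePermissions = { "DATABASE synapse" = "ALL PRIVILEGES"; };
      }
      {
        name = "keycloak";
        ensurePermissions = { "DATABASE keycloak" = "ALL PRIVILEGES"; };
      }
      {
        name = "gerrit";
        ensurePermissions = { "DATABASE gerrit" = "ALL PRIVILEGES"; };
      }
      {
        name = "vaultwarden";
        ensurePermissions = { "DATABASE vaultwarden" = "ALL PRIVILEGES"; };
      }
      {
        name = "privatebin";
        ensurePermissions = { "DATABASE privatebin" = "ALL PRIVILEGES"; };
      }
      {
        name = "nextcloud";
        ensurePermissions = { "DATABASE nextcloud" = "ALL PRIVILEGES"; };
      }
    ] ++ (map (name: {
      inherit name;
      # Personal roles get full access to every table in the public schema.
      ensurePermissions = { "ALL TABLES IN SCHEMA public" = "ALL PRIVILEGES"; };
    }) [ "minion" "coded" "pinea" ]);
  };

  systemd.services.postgresql.postStart = lib.mkMerge [
    # synapse needs C collation, so we can't use ensureDatabases for it.
    # Runs before the nixpkgs module's own postStart so the database exists
    # by the time the "DATABASE synapse" grant above is applied.
    (let
      database = "synapse";
      cfg = config.services.postgresql;
    in lib.mkBefore ''
      PSQL="psql --port=${toString cfg.port}"

      # Wait for the server to accept connections; give up if it died.
      while ! $PSQL -d postgres -c "" 2> /dev/null; do
        if ! kill -0 "$MAINPID"; then exit 1; fi
        sleep 0.1
      done

      $PSQL -tAc "SELECT 1 FROM pg_database WHERE datname = '${database}'" | grep -q 1 || $PSQL -tAc 'CREATE DATABASE "${database}" WITH LC_CTYPE="C" LC_COLLATE="C" TEMPLATE="template0"'
    '')
    # Set each role's password after the roles have been created. The secret
    # is read by psql itself (backquoted \set) and spliced with :'pw', which
    # quotes it as a SQL literal: a quote or backslash in the password can no
    # longer break or alter the statement, and the value never appears in
    # the psql command line.
    (lib.mkAfter (lib.concatMapStringsSep "\n" (role: ''
      $PSQL <<'EOF'
      \set pw `cat ${config.sops.secrets.${role.secret}.path}`
      ALTER USER "${role.user}" PASSWORD :'pw';
      EOF
    '') passwordRoles))
  ];

  # One secret per role, readable only by the postgres superuser so the
  # postStart script above can read it.
  sops.secrets = builtins.listToAttrs (map (role: {
    name = role.secret;
    value = {
      mode = "0400";
      owner = pgSuperUser;
      group = config.users.users.${pgSuperUser}.group;
      sopsFile = ../secrets/postgres.json;
      format = "json";
    };
  }) passwordRoles);
}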