Gitiles
Code Review Sign In
git.clicks.codes / Infra / NixFiles / fae88b19f563eeb714bf6b1466c92f90b21c7069 / . / modules / common / postgres.nix
blob: f77346a10efda42ad3b4ffceee7c312ed72aa816 [file] [log] [blame]
Skyler Greya78aa672023-05-20 13:48:18 +0200[diff] [blame]1{ lib, config, pkgs, ... }: {
2 services.postgresql = {
3 enable = true;
4
5 package = pkgs.postgresql;
6 settings = {
Samuel Shuertfe00e182023-11-22 18:35:01 -0500[diff] [blame]7 listen_addresses = lib.mkForce "standard";
Skyler Greya78aa672023-05-20 13:48:18 +0200[diff] [blame]8 log_connections = true;
Skyler Greya78aa672023-05-20 13:48:18 +0200[diff] [blame]9 logging_collector = true;
10 log_disconnections = true;
11 log_destination = lib.mkForce "syslog";
12 };
13
Skyler Greyfe1740c2023-10-21 01:24:18 +0000[diff] [blame]14 ensureDatabases =
Skyler Grey22428b02023-11-19 13:20:56 +0000[diff] [blame]15 [ "vaultwarden" "gerrit" "privatebin" "keycloak" "nextcloud" "synapse" ];
TheCodedProfb6184602023-06-13 17:04:59 -0400[diff] [blame]16
Skyler Greya78aa672023-05-20 13:48:18 +0200[diff] [blame]17 ensureUsers = [
18 {
19 name = "clicks_grafana";
20 ensurePermissions = {
21 "ALL TABLES IN SCHEMA public" = "SELECT";
22 "SCHEMA public" = "USAGE";
23 };
24 }
25 {
Skyler Grey22428b02023-11-19 13:20:56 +0000[diff] [blame]26 name = "matrix-synapse";
Skyler Greyfe1740c2023-10-21 01:24:18 +0000[diff] [blame]27 ensurePermissions = { "DATABASE synapse" = "ALL PRIVILEGES"; };
Skyler Greya78aa672023-05-20 13:48:18 +0200[diff] [blame]28 }
TheCodedProfb6184602023-06-13 17:04:59 -0400[diff] [blame]29 {
Skyler Grey0e05d262023-10-09 07:04:36 +0000[diff] [blame]30 name = "keycloak";
Skyler Greyfe1740c2023-10-21 01:24:18 +0000[diff] [blame]31 ensurePermissions = { "DATABASE keycloak" = "ALL PRIVILEGES"; };
Skyler Grey0e05d262023-10-09 07:04:36 +0000[diff] [blame]32 }
33 {
TheCodedProfb6184602023-06-13 17:04:59 -0400[diff] [blame]34 name = "vaultwarden";
Skyler Greyfe1740c2023-10-21 01:24:18 +0000[diff] [blame]35 ensurePermissions = { "DATABASE vaultwarden" = "ALL PRIVILEGES"; };
TheCodedProfb6184602023-06-13 17:04:59 -0400[diff] [blame]36 }
Skyler Grey9fe61282023-08-20 21:52:48 +0000[diff] [blame]37 {
38 name = "privatebin";
Skyler Greyfe1740c2023-10-21 01:24:18 +0000[diff] [blame]39 ensurePermissions = { "DATABASE privatebin" = "ALL PRIVILEGES"; };
Skyler Grey9fe61282023-08-20 21:52:48 +0000[diff] [blame]40 }
Skyler Grey09c5cda2023-10-09 07:10:10 +0000[diff] [blame]41 {
42 name = "nextcloud";
Skyler Greyfe1740c2023-10-21 01:24:18 +0000[diff] [blame]43 ensurePermissions = { "DATABASE nextcloud" = "ALL PRIVILEGES"; };
Skyler Grey09c5cda2023-10-09 07:10:10 +0000[diff] [blame]44 }
Skyler Greyfe1740c2023-10-21 01:24:18 +0000[diff] [blame]45 ] ++ (map (name: ({
46 inherit name;
47 ensurePermissions = { "ALL TABLES IN SCHEMA public" = "ALL PRIVILEGES"; };
Skyler Greya7b38dd2023-10-25 21:42:45 +0000[diff] [blame]48 })) [ "minion" "coded" "pineafan" ]);
Skyler Greya78aa672023-05-20 13:48:18 +0200[diff] [blame]49
Skyler Greya78aa672023-05-20 13:48:18 +0200[diff] [blame]50 };
51
Skyler Grey8e32c832023-05-20 22:54:30 +0200[diff] [blame]52 systemd.services.postgresql.postStart = lib.mkMerge [
Skyler Greyfe1740c2023-10-21 01:24:18 +0000[diff] [blame]53 (let
54 database = "synapse";
55 cfg = config.services.postgresql;
56 in lib.mkBefore (''
57 PSQL="psql --port=${toString cfg.port}"
Skyler Grey8e32c832023-05-20 22:54:30 +0200[diff] [blame]58
Skyler Greyfe1740c2023-10-21 01:24:18 +0000[diff] [blame]59 while ! $PSQL -d postgres -c "" 2> /dev/null; do
60 if ! kill -0 "$MAINPID"; then exit 1; fi
61 sleep 0.1
62 done
Skyler Grey8e32c832023-05-20 22:54:30 +0200[diff] [blame]63
Skyler Greyfe1740c2023-10-21 01:24:18 +0000[diff] [blame]64 $PSQL -tAc "SELECT 1 FROM pg_database WHERE datname = '${database}'" | grep -q 1 || $PSQL -tAc 'CREATE DATABASE "${database}" WITH LC_CTYPE="C" LC_COLLATE="C" TEMPLATE="template0"'
65 '') # synapse needs C collation, so we can't use ensureDatabases for it
Skyler Grey8e32c832023-05-20 22:54:30 +0200[diff] [blame]66 )
67 (lib.mkAfter (lib.pipe [
Skyler Greyfe1740c2023-10-21 01:24:18 +0000[diff] [blame]68 {
69 user = "clicks_grafana";
70 passwordFile = config.sops.secrets.clicks_grafana_db_password.path;
71 }
72 {
73 user = "keycloak";
74 passwordFile = config.sops.secrets.clicks_keycloak_db_password.path;
75 }
76 {
Skyler Greyfe1740c2023-10-21 01:24:18 +0000[diff] [blame]77 user = "vaultwarden";
Skyler Grey22428b02023-11-19 13:20:56 +0000[diff] [blame]78 passwordFile = config.sops.secrets.clicks_vaultwarden_db_password.path;
Skyler Greyfe1740c2023-10-21 01:24:18 +0000[diff] [blame]79 }
80 {
81 user = "privatebin";
82 passwordFile = config.sops.secrets.clicks_privatebin_db_password.path;
83 }
84 {
85 user = "nextcloud";
86 passwordFile = config.sops.secrets.clicks_nextcloud_db_password.path;
87 }
Skyler Grey8e32c832023-05-20 22:54:30 +0200[diff] [blame]88 ] [
89 (map (userData: ''
90 $PSQL -tAc "ALTER USER ${userData.user} PASSWORD '$(cat ${userData.passwordFile})';"
91 ''))
92 (lib.concatStringsSep "\n")
93 ]))
94 ];
Skyler Greya78aa672023-05-20 13:48:18 +0200[diff] [blame]95
96 sops.secrets = lib.pipe [
97 "clicks_grafana_db_password"
Skyler Grey0e05d262023-10-09 07:04:36 +0000[diff] [blame]98 "clicks_keycloak_db_password"
Skyler Grey22428b02023-11-19 13:20:56 +0000[diff] [blame]99 "clicks_vaultwarden_db_password"
Skyler Grey9fe61282023-08-20 21:52:48 +0000[diff] [blame]100 "clicks_privatebin_db_password"
Skyler Grey09c5cda2023-10-09 07:10:10 +0000[diff] [blame]101 "clicks_nextcloud_db_password"
Skyler Greya78aa672023-05-20 13:48:18 +0200[diff] [blame]102 ] [
103 (map (name: {
104 inherit name;
105 value = {
106 mode = "0400";
107 owner = config.services.postgresql.superUser;
Skyler Greyfe1740c2023-10-21 01:24:18 +0000[diff] [blame]108 group =
109 config.users.users.${config.services.postgresql.superUser}.group;
Samuel Shuertf68685d2023-10-28 20:07:56 -0400[diff] [blame]110 sopsFile = ../../secrets/postgres.json;
Skyler Greya78aa672023-05-20 13:48:18 +0200[diff] [blame]111 format = "json";
112 };
113 }))
114 builtins.listToAttrs
115 ];
116}