Gitiles
Code Review Sign In
git.clicks.codes / Infra / NixFiles / 45489981b685fdf0bd22d90b58ae2946e6b3ed9a / . / modules / common / postgres.nix
blob: 30103e81ebc82fdf4e3a9211a6aabad94db9aefd [file] [log] [blame]
Skyler Greya78aa672023-05-20 13:48:18 +0200[diff] [blame]1{ lib, config, pkgs, ... }: {
2 services.postgresql = {
3 enable = true;
4
5 package = pkgs.postgresql;
6 settings = {
Samuel Shuert45489982023-11-29 15:29:36 -0500[diff] [blame^]7 listen_addresses = lib.mkForce "standard, 172.20.0.1";
Skyler Greya78aa672023-05-20 13:48:18 +0200[diff] [blame]8 log_connections = true;
Skyler Greya78aa672023-05-20 13:48:18 +0200[diff] [blame]9 logging_collector = true;
10 log_disconnections = true;
11 log_destination = lib.mkForce "syslog";
12 };
13
Skyler Greyfe1740c2023-10-21 01:24:18 +0000[diff] [blame]14 ensureDatabases =
Samuel Shuert45489982023-11-29 15:29:36 -0500[diff] [blame^]15 [ "vaultwarden" "gerrit" "privatebin" "keycloak" "nextcloud" "synapse" "taiga" ];
TheCodedProfb6184602023-06-13 17:04:59 -0400[diff] [blame]16
Skyler Greya78aa672023-05-20 13:48:18 +0200[diff] [blame]17 ensureUsers = [
18 {
19 name = "clicks_grafana";
20 ensurePermissions = {
21 "ALL TABLES IN SCHEMA public" = "SELECT";
22 "SCHEMA public" = "USAGE";
23 };
24 }
25 {
Skyler Grey22428b02023-11-19 13:20:56 +0000[diff] [blame]26 name = "matrix-synapse";
Skyler Greyfe1740c2023-10-21 01:24:18 +0000[diff] [blame]27 ensurePermissions = { "DATABASE synapse" = "ALL PRIVILEGES"; };
Skyler Greya78aa672023-05-20 13:48:18 +0200[diff] [blame]28 }
TheCodedProfb6184602023-06-13 17:04:59 -0400[diff] [blame]29 {
Skyler Grey0e05d262023-10-09 07:04:36 +0000[diff] [blame]30 name = "keycloak";
Skyler Greyfe1740c2023-10-21 01:24:18 +0000[diff] [blame]31 ensurePermissions = { "DATABASE keycloak" = "ALL PRIVILEGES"; };
Skyler Grey0e05d262023-10-09 07:04:36 +0000[diff] [blame]32 }
33 {
TheCodedProfb6184602023-06-13 17:04:59 -0400[diff] [blame]34 name = "vaultwarden";
Skyler Greyfe1740c2023-10-21 01:24:18 +0000[diff] [blame]35 ensurePermissions = { "DATABASE vaultwarden" = "ALL PRIVILEGES"; };
TheCodedProfb6184602023-06-13 17:04:59 -0400[diff] [blame]36 }
Skyler Grey9fe61282023-08-20 21:52:48 +0000[diff] [blame]37 {
38 name = "privatebin";
Skyler Greyfe1740c2023-10-21 01:24:18 +0000[diff] [blame]39 ensurePermissions = { "DATABASE privatebin" = "ALL PRIVILEGES"; };
Skyler Grey9fe61282023-08-20 21:52:48 +0000[diff] [blame]40 }
Skyler Grey09c5cda2023-10-09 07:10:10 +0000[diff] [blame]41 {
42 name = "nextcloud";
Skyler Greyfe1740c2023-10-21 01:24:18 +0000[diff] [blame]43 ensurePermissions = { "DATABASE nextcloud" = "ALL PRIVILEGES"; };
Skyler Grey09c5cda2023-10-09 07:10:10 +0000[diff] [blame]44 }
Samuel Shuert45489982023-11-29 15:29:36 -0500[diff] [blame^]45 {
46 name = "taiga";
47 ensurePermissions = { "DATABASE taiga" = "ALL PRIVILEGES"; };
48 }
Skyler Greyfe1740c2023-10-21 01:24:18 +0000[diff] [blame]49 ] ++ (map (name: ({
50 inherit name;
51 ensurePermissions = { "ALL TABLES IN SCHEMA public" = "ALL PRIVILEGES"; };
Skyler Greya7b38dd2023-10-25 21:42:45 +0000[diff] [blame]52 })) [ "minion" "coded" "pineafan" ]);
Skyler Greya78aa672023-05-20 13:48:18 +0200[diff] [blame]53
Samuel Shuert45489982023-11-29 15:29:36 -0500[diff] [blame^]54 # method database user address auth-method
55 authentication = "host all all samenet scram-sha-256";
Skyler Greya78aa672023-05-20 13:48:18 +0200[diff] [blame]56 };
57
Skyler Grey8e32c832023-05-20 22:54:30 +0200[diff] [blame]58 systemd.services.postgresql.postStart = lib.mkMerge [
Skyler Greyfe1740c2023-10-21 01:24:18 +0000[diff] [blame]59 (let
60 database = "synapse";
61 cfg = config.services.postgresql;
62 in lib.mkBefore (''
63 PSQL="psql --port=${toString cfg.port}"
Skyler Grey8e32c832023-05-20 22:54:30 +0200[diff] [blame]64
Skyler Greyfe1740c2023-10-21 01:24:18 +0000[diff] [blame]65 while ! $PSQL -d postgres -c "" 2> /dev/null; do
66 if ! kill -0 "$MAINPID"; then exit 1; fi
67 sleep 0.1
68 done
Skyler Grey8e32c832023-05-20 22:54:30 +0200[diff] [blame]69
Skyler Greyfe1740c2023-10-21 01:24:18 +0000[diff] [blame]70 $PSQL -tAc "SELECT 1 FROM pg_database WHERE datname = '${database}'" | grep -q 1 || $PSQL -tAc 'CREATE DATABASE "${database}" WITH LC_CTYPE="C" LC_COLLATE="C" TEMPLATE="template0"'
71 '') # synapse needs C collation, so we can't use ensureDatabases for it
Skyler Grey8e32c832023-05-20 22:54:30 +0200[diff] [blame]72 )
73 (lib.mkAfter (lib.pipe [
Skyler Greyfe1740c2023-10-21 01:24:18 +0000[diff] [blame]74 {
75 user = "clicks_grafana";
76 passwordFile = config.sops.secrets.clicks_grafana_db_password.path;
77 }
78 {
79 user = "keycloak";
80 passwordFile = config.sops.secrets.clicks_keycloak_db_password.path;
81 }
82 {
Skyler Greyfe1740c2023-10-21 01:24:18 +0000[diff] [blame]83 user = "vaultwarden";
Skyler Grey22428b02023-11-19 13:20:56 +0000[diff] [blame]84 passwordFile = config.sops.secrets.clicks_vaultwarden_db_password.path;
Skyler Greyfe1740c2023-10-21 01:24:18 +0000[diff] [blame]85 }
86 {
87 user = "privatebin";
88 passwordFile = config.sops.secrets.clicks_privatebin_db_password.path;
89 }
90 {
91 user = "nextcloud";
92 passwordFile = config.sops.secrets.clicks_nextcloud_db_password.path;
93 }
Samuel Shuert45489982023-11-29 15:29:36 -0500[diff] [blame^]94 {
95 user = "taiga";
96 passwordFile = config.sops.secrets.clicks_taiga_db_password.path;
97 }
Skyler Grey8e32c832023-05-20 22:54:30 +0200[diff] [blame]98 ] [
99 (map (userData: ''
100 $PSQL -tAc "ALTER USER ${userData.user} PASSWORD '$(cat ${userData.passwordFile})';"
101 ''))
102 (lib.concatStringsSep "\n")
103 ]))
104 ];
Skyler Greya78aa672023-05-20 13:48:18 +0200[diff] [blame]105
106 sops.secrets = lib.pipe [
107 "clicks_grafana_db_password"
Skyler Grey0e05d262023-10-09 07:04:36 +0000[diff] [blame]108 "clicks_keycloak_db_password"
Skyler Grey22428b02023-11-19 13:20:56 +0000[diff] [blame]109 "clicks_vaultwarden_db_password"
Skyler Grey9fe61282023-08-20 21:52:48 +0000[diff] [blame]110 "clicks_privatebin_db_password"
Skyler Grey09c5cda2023-10-09 07:10:10 +0000[diff] [blame]111 "clicks_nextcloud_db_password"
Samuel Shuert45489982023-11-29 15:29:36 -0500[diff] [blame^]112 "clicks_taiga_db_password"
Skyler Greya78aa672023-05-20 13:48:18 +0200[diff] [blame]113 ] [
114 (map (name: {
115 inherit name;
116 value = {
117 mode = "0400";
118 owner = config.services.postgresql.superUser;
Skyler Greyfe1740c2023-10-21 01:24:18 +0000[diff] [blame]119 group =
120 config.users.users.${config.services.postgresql.superUser}.group;
Samuel Shuertf68685d2023-10-28 20:07:56 -0400[diff] [blame]121 sopsFile = ../../secrets/postgres.json;
Skyler Greya78aa672023-05-20 13:48:18 +0200[diff] [blame]122 format = "json";
123 };
124 }))
125 builtins.listToAttrs
126 ];
127}