Gitiles
Code Review Sign In
git.clicks.codes / Infra / NixFiles / 52d38f129683dc16ec32fff8cf8c4814fdd7feed / . / modules / common / postgres.nix
blob: a4e107e10160d6ee78baedf280bf641d1679c105 [file] [log] [blame]
Skyler Greya78aa672023-05-20 13:48:18 +0200[diff] [blame]1{ lib, config, pkgs, ... }: {
Skyler Grey915067d2023-12-03 13:46:53 +0000[diff] [blame]2 systemd.services.postgresql.after = [
3 "docker-network-taiga.service" # Needed to listen in 172.20.0.1
4 ];
5
Skyler Greya78aa672023-05-20 13:48:18 +0200[diff] [blame]6 services.postgresql = {
7 enable = true;
8
9 package = pkgs.postgresql;
10 settings = {
Samuel Shuert45489982023-11-29 15:29:36 -0500[diff] [blame]11 listen_addresses = lib.mkForce "standard, 172.20.0.1";
Skyler Greya78aa672023-05-20 13:48:18 +0200[diff] [blame]12 log_connections = true;
Skyler Greya78aa672023-05-20 13:48:18 +0200[diff] [blame]13 logging_collector = true;
14 log_disconnections = true;
15 log_destination = lib.mkForce "syslog";
16 };
17
Skyler Greyfe1740c2023-10-21 01:24:18 +0000[diff] [blame]18 ensureDatabases =
Samuel Shuert45489982023-11-29 15:29:36 -0500[diff] [blame]19 [ "vaultwarden" "gerrit" "privatebin" "keycloak" "nextcloud" "synapse" "taiga" ];
TheCodedProfb6184602023-06-13 17:04:59 -0400[diff] [blame]20
Skyler Greya78aa672023-05-20 13:48:18 +0200[diff] [blame]21 ensureUsers = [
22 {
23 name = "clicks_grafana";
Skyler Greya78aa672023-05-20 13:48:18 +0200[diff] [blame]24 }
25 {
Skyler Grey22428b02023-11-19 13:20:56 +0000[diff] [blame]26 name = "matrix-synapse";
Skyler Greya78aa672023-05-20 13:48:18 +0200[diff] [blame]27 }
TheCodedProfb6184602023-06-13 17:04:59 -0400[diff] [blame]28 {
Skyler Grey0e05d262023-10-09 07:04:36 +0000[diff] [blame]29 name = "keycloak";
Skyler Grey915067d2023-12-03 13:46:53 +0000[diff] [blame]30 ensureDBOwnership = true;
Skyler Grey0e05d262023-10-09 07:04:36 +0000[diff] [blame]31 }
32 {
TheCodedProfb6184602023-06-13 17:04:59 -0400[diff] [blame]33 name = "vaultwarden";
Skyler Grey915067d2023-12-03 13:46:53 +0000[diff] [blame]34 ensureDBOwnership = true;
TheCodedProfb6184602023-06-13 17:04:59 -0400[diff] [blame]35 }
Skyler Grey9fe61282023-08-20 21:52:48 +0000[diff] [blame]36 {
37 name = "privatebin";
Skyler Grey915067d2023-12-03 13:46:53 +0000[diff] [blame]38 ensureDBOwnership = true;
Skyler Grey9fe61282023-08-20 21:52:48 +0000[diff] [blame]39 }
Skyler Grey09c5cda2023-10-09 07:10:10 +0000[diff] [blame]40 {
41 name = "nextcloud";
Skyler Grey915067d2023-12-03 13:46:53 +0000[diff] [blame]42 ensureDBOwnership = true;
Skyler Grey09c5cda2023-10-09 07:10:10 +0000[diff] [blame]43 }
Samuel Shuert45489982023-11-29 15:29:36 -0500[diff] [blame]44 {
45 name = "taiga";
Skyler Grey915067d2023-12-03 13:46:53 +0000[diff] [blame]46 ensureDBOwnership = true;
Samuel Shuert45489982023-11-29 15:29:36 -0500[diff] [blame]47 }
Skyler Greyfe1740c2023-10-21 01:24:18 +0000[diff] [blame]48 ] ++ (map (name: ({
49 inherit name;
Skyler Greya7b38dd2023-10-25 21:42:45 +0000[diff] [blame]50 })) [ "minion" "coded" "pineafan" ]);
Skyler Greya78aa672023-05-20 13:48:18 +0200[diff] [blame]51
Samuel Shuert45489982023-11-29 15:29:36 -0500[diff] [blame]52 # method database user address auth-method
53 authentication = "host all all samenet scram-sha-256";
Skyler Greya78aa672023-05-20 13:48:18 +0200[diff] [blame]54 };
55
Skyler Grey8e32c832023-05-20 22:54:30 +0200[diff] [blame]56 systemd.services.postgresql.postStart = lib.mkMerge [
Skyler Greyfe1740c2023-10-21 01:24:18 +0000[diff] [blame]57 (let
58 database = "synapse";
59 cfg = config.services.postgresql;
60 in lib.mkBefore (''
61 PSQL="psql --port=${toString cfg.port}"
Skyler Grey8e32c832023-05-20 22:54:30 +0200[diff] [blame]62
Skyler Greyfe1740c2023-10-21 01:24:18 +0000[diff] [blame]63 while ! $PSQL -d postgres -c "" 2> /dev/null; do
64 if ! kill -0 "$MAINPID"; then exit 1; fi
65 sleep 0.1
66 done
Skyler Grey8e32c832023-05-20 22:54:30 +0200[diff] [blame]67
Skyler Greyfe1740c2023-10-21 01:24:18 +0000[diff] [blame]68 $PSQL -tAc "SELECT 1 FROM pg_database WHERE datname = '${database}'" | grep -q 1 || $PSQL -tAc 'CREATE DATABASE "${database}" WITH LC_CTYPE="C" LC_COLLATE="C" TEMPLATE="template0"'
69 '') # synapse needs C collation, so we can't use ensureDatabases for it
Skyler Grey8e32c832023-05-20 22:54:30 +0200[diff] [blame]70 )
71 (lib.mkAfter (lib.pipe [
Skyler Greyfe1740c2023-10-21 01:24:18 +0000[diff] [blame]72 {
73 user = "clicks_grafana";
74 passwordFile = config.sops.secrets.clicks_grafana_db_password.path;
75 }
76 {
77 user = "keycloak";
78 passwordFile = config.sops.secrets.clicks_keycloak_db_password.path;
79 }
80 {
Skyler Greyfe1740c2023-10-21 01:24:18 +0000[diff] [blame]81 user = "vaultwarden";
Skyler Grey22428b02023-11-19 13:20:56 +0000[diff] [blame]82 passwordFile = config.sops.secrets.clicks_vaultwarden_db_password.path;
Skyler Greyfe1740c2023-10-21 01:24:18 +0000[diff] [blame]83 }
84 {
85 user = "privatebin";
86 passwordFile = config.sops.secrets.clicks_privatebin_db_password.path;
87 }
88 {
89 user = "nextcloud";
90 passwordFile = config.sops.secrets.clicks_nextcloud_db_password.path;
91 }
Samuel Shuert45489982023-11-29 15:29:36 -0500[diff] [blame]92 {
93 user = "taiga";
94 passwordFile = config.sops.secrets.clicks_taiga_db_password.path;
95 }
Skyler Grey8e32c832023-05-20 22:54:30 +0200[diff] [blame]96 ] [
97 (map (userData: ''
98 $PSQL -tAc "ALTER USER ${userData.user} PASSWORD '$(cat ${userData.passwordFile})';"
99 ''))
100 (lib.concatStringsSep "\n")
101 ]))
Skyler Grey915067d2023-12-03 13:46:53 +0000[diff] [blame]102 ''
103 $PSQL -tAc 'ALTER DATABASE synapse OWNER TO "matrix-synapse";'
104 # matrix-synapse is done manually, because the database does not have the same name as the user
105
106 $PSQL -tAc 'GRANT SELECT ON ALL TABLES IN SCHEMA public TO "clicks_grafana"'
107 $PSQL -tAc 'GRANT USAGE ON SCHEMA public TO "clicks_grafana"'
108 # grafana is done manually, because it needs read permission in lots of places
109
110 $PSQL -tAc 'GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA public TO "coded"'
111 $PSQL -tAc 'GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA public TO "minion"'
112 $PSQL -tAc 'GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA public TO "pineafan"'
113 # leadership is done manually, because we need owner-level permissions in lots of places but cannot specify ourselves as the database owners (as there may only be 1)
114 ''
Skyler Grey8e32c832023-05-20 22:54:30 +0200[diff] [blame]115 ];
Skyler Greya78aa672023-05-20 13:48:18 +0200[diff] [blame]116
117 sops.secrets = lib.pipe [
118 "clicks_grafana_db_password"
Skyler Grey0e05d262023-10-09 07:04:36 +0000[diff] [blame]119 "clicks_keycloak_db_password"
Skyler Grey22428b02023-11-19 13:20:56 +0000[diff] [blame]120 "clicks_vaultwarden_db_password"
Skyler Grey9fe61282023-08-20 21:52:48 +0000[diff] [blame]121 "clicks_privatebin_db_password"
Skyler Grey09c5cda2023-10-09 07:10:10 +0000[diff] [blame]122 "clicks_nextcloud_db_password"
Samuel Shuert45489982023-11-29 15:29:36 -0500[diff] [blame]123 "clicks_taiga_db_password"
Skyler Greya78aa672023-05-20 13:48:18 +0200[diff] [blame]124 ] [
125 (map (name: {
126 inherit name;
127 value = {
128 mode = "0400";
129 owner = config.services.postgresql.superUser;
Skyler Greyfe1740c2023-10-21 01:24:18 +0000[diff] [blame]130 group =
131 config.users.users.${config.services.postgresql.superUser}.group;
Samuel Shuertf68685d2023-10-28 20:07:56 -0400[diff] [blame]132 sopsFile = ../../secrets/postgres.json;
Skyler Greya78aa672023-05-20 13:48:18 +0200[diff] [blame]133 format = "json";
134 };
135 }))
136 builtins.listToAttrs
137 ];
138}