Gitiles
Code Review Sign In
git.clicks.codes / Infra / NixFiles / 6b6c3c600b91807d6ca7b2a940e4fa0ff3ee9c60 / . / modules / common / postgres.nix
blob: 7955bc26a9ea9f31b9197b7eecbd8394ebadde0c [file] [log] [blame]
Skyler Greya78aa672023-05-20 13:48:18 +0200[diff] [blame]1{ lib, config, pkgs, ... }: {
Skyler Grey915067d2023-12-03 13:46:53 +0000[diff] [blame]2 systemd.services.postgresql.after = [
3 "docker-network-taiga.service" # Needed to listen in 172.20.0.1
4 ];
5
Skyler Greya78aa672023-05-20 13:48:18 +0200[diff] [blame]6 services.postgresql = {
7 enable = true;
8
9 package = pkgs.postgresql;
10 settings = {
Samuel Shuert45489982023-11-29 15:29:36 -0500[diff] [blame]11 listen_addresses = lib.mkForce "standard, 172.20.0.1";
Skyler Greya78aa672023-05-20 13:48:18 +0200[diff] [blame]12 log_connections = true;
Skyler Greya78aa672023-05-20 13:48:18 +0200[diff] [blame]13 logging_collector = true;
14 log_disconnections = true;
15 log_destination = lib.mkForce "syslog";
16 };
17
Skyler Grey8b4f7b62024-02-17 12:23:02 +0000[diff] [blame]18 ensureDatabases = [ "vaultwarden" "gerrit" "privatebin" "keycloak" "nextcloud" "synapse" "taiga" "jinx" ];
TheCodedProfb6184602023-06-13 17:04:59 -0400[diff] [blame]19
Skyler Greya78aa672023-05-20 13:48:18 +0200[diff] [blame]20 ensureUsers = [
21 {
22 name = "clicks_grafana";
Skyler Greya78aa672023-05-20 13:48:18 +0200[diff] [blame]23 }
24 {
Skyler Grey22428b02023-11-19 13:20:56 +0000[diff] [blame]25 name = "matrix-synapse";
Skyler Greya78aa672023-05-20 13:48:18 +0200[diff] [blame]26 }
TheCodedProfb6184602023-06-13 17:04:59 -0400[diff] [blame]27 {
Skyler Grey0e05d262023-10-09 07:04:36 +0000[diff] [blame]28 name = "keycloak";
Skyler Grey915067d2023-12-03 13:46:53 +0000[diff] [blame]29 ensureDBOwnership = true;
Skyler Grey0e05d262023-10-09 07:04:36 +0000[diff] [blame]30 }
31 {
TheCodedProfb6184602023-06-13 17:04:59 -0400[diff] [blame]32 name = "vaultwarden";
Skyler Grey915067d2023-12-03 13:46:53 +0000[diff] [blame]33 ensureDBOwnership = true;
TheCodedProfb6184602023-06-13 17:04:59 -0400[diff] [blame]34 }
Skyler Grey9fe61282023-08-20 21:52:48 +0000[diff] [blame]35 {
36 name = "privatebin";
Skyler Grey915067d2023-12-03 13:46:53 +0000[diff] [blame]37 ensureDBOwnership = true;
Skyler Grey9fe61282023-08-20 21:52:48 +0000[diff] [blame]38 }
Skyler Grey09c5cda2023-10-09 07:10:10 +0000[diff] [blame]39 {
40 name = "nextcloud";
Skyler Grey915067d2023-12-03 13:46:53 +0000[diff] [blame]41 ensureDBOwnership = true;
Skyler Grey09c5cda2023-10-09 07:10:10 +0000[diff] [blame]42 }
Samuel Shuert45489982023-11-29 15:29:36 -0500[diff] [blame]43 {
44 name = "taiga";
Skyler Grey915067d2023-12-03 13:46:53 +0000[diff] [blame]45 ensureDBOwnership = true;
Samuel Shuert45489982023-11-29 15:29:36 -0500[diff] [blame]46 }
Skyler Grey8b4f7b62024-02-17 12:23:02 +0000[diff] [blame]47 {
48 name = "taiga";
49 ensureDBOwnership = true;
50 }
51 {
52 name = "jinx";
53 ensureDBOwnership = true;
54 }
Skyler Greyfe1740c2023-10-21 01:24:18 +0000[diff] [blame]55 ] ++ (map (name: ({
56 inherit name;
Skyler Greya7b38dd2023-10-25 21:42:45 +0000[diff] [blame]57 })) [ "minion" "coded" "pineafan" ]);
Skyler Greya78aa672023-05-20 13:48:18 +0200[diff] [blame]58
Samuel Shuert45489982023-11-29 15:29:36 -0500[diff] [blame]59 # method database user address auth-method
60 authentication = "host all all samenet scram-sha-256";
Skyler Greya78aa672023-05-20 13:48:18 +0200[diff] [blame]61 };
62
Skyler Grey8b4f7b62024-02-17 12:23:02 +0000[diff] [blame]63 systemd.services.postgresql.restartTriggers = [
64 config.systemd.services.postgresql.postStart
65 ];
Skyler Grey8e32c832023-05-20 22:54:30 +0200[diff] [blame]66 systemd.services.postgresql.postStart = lib.mkMerge [
Skyler Greyfe1740c2023-10-21 01:24:18 +0000[diff] [blame]67 (let
68 database = "synapse";
69 cfg = config.services.postgresql;
70 in lib.mkBefore (''
71 PSQL="psql --port=${toString cfg.port}"
Skyler Grey8e32c832023-05-20 22:54:30 +0200[diff] [blame]72
Skyler Greyfe1740c2023-10-21 01:24:18 +0000[diff] [blame]73 while ! $PSQL -d postgres -c "" 2> /dev/null; do
74 if ! kill -0 "$MAINPID"; then exit 1; fi
75 sleep 0.1
76 done
Skyler Grey8e32c832023-05-20 22:54:30 +0200[diff] [blame]77
Skyler Greyfe1740c2023-10-21 01:24:18 +0000[diff] [blame]78 $PSQL -tAc "SELECT 1 FROM pg_database WHERE datname = '${database}'" | grep -q 1 || $PSQL -tAc 'CREATE DATABASE "${database}" WITH LC_CTYPE="C" LC_COLLATE="C" TEMPLATE="template0"'
79 '') # synapse needs C collation, so we can't use ensureDatabases for it
Skyler Grey8e32c832023-05-20 22:54:30 +0200[diff] [blame]80 )
81 (lib.mkAfter (lib.pipe [
Skyler Greyfe1740c2023-10-21 01:24:18 +0000[diff] [blame]82 {
83 user = "clicks_grafana";
84 passwordFile = config.sops.secrets.clicks_grafana_db_password.path;
85 }
86 {
87 user = "keycloak";
88 passwordFile = config.sops.secrets.clicks_keycloak_db_password.path;
89 }
90 {
Skyler Greyfe1740c2023-10-21 01:24:18 +0000[diff] [blame]91 user = "vaultwarden";
Skyler Grey22428b02023-11-19 13:20:56 +0000[diff] [blame]92 passwordFile = config.sops.secrets.clicks_vaultwarden_db_password.path;
Skyler Greyfe1740c2023-10-21 01:24:18 +0000[diff] [blame]93 }
94 {
95 user = "privatebin";
96 passwordFile = config.sops.secrets.clicks_privatebin_db_password.path;
97 }
98 {
99 user = "nextcloud";
100 passwordFile = config.sops.secrets.clicks_nextcloud_db_password.path;
101 }
Samuel Shuert45489982023-11-29 15:29:36 -0500[diff] [blame]102 {
103 user = "taiga";
104 passwordFile = config.sops.secrets.clicks_taiga_db_password.path;
105 }
Skyler Grey8b4f7b62024-02-17 12:23:02 +0000[diff] [blame]106 {
107 user = "jinx";
108 passwordFile = config.sops.secrets.clicks_jinx_db_password.path;
109 }
Skyler Grey8e32c832023-05-20 22:54:30 +0200[diff] [blame]110 ] [
111 (map (userData: ''
112 $PSQL -tAc "ALTER USER ${userData.user} PASSWORD '$(cat ${userData.passwordFile})';"
113 ''))
114 (lib.concatStringsSep "\n")
115 ]))
Skyler Grey915067d2023-12-03 13:46:53 +0000[diff] [blame]116 ''
117 $PSQL -tAc 'ALTER DATABASE synapse OWNER TO "matrix-synapse";'
118 # matrix-synapse is done manually, because the database does not have the same name as the user
119
120 $PSQL -tAc 'GRANT SELECT ON ALL TABLES IN SCHEMA public TO "clicks_grafana"'
121 $PSQL -tAc 'GRANT USAGE ON SCHEMA public TO "clicks_grafana"'
122 # grafana is done manually, because it needs read permission in lots of places
123
124 $PSQL -tAc 'GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA public TO "coded"'
125 $PSQL -tAc 'GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA public TO "minion"'
126 $PSQL -tAc 'GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA public TO "pineafan"'
127 # leadership is done manually, because we need owner-level permissions in lots of places but cannot specify ourselves as the database owners (as there may only be 1)
128 ''
Skyler Grey8e32c832023-05-20 22:54:30 +0200[diff] [blame]129 ];
Skyler Greya78aa672023-05-20 13:48:18 +0200[diff] [blame]130
131 sops.secrets = lib.pipe [
132 "clicks_grafana_db_password"
Skyler Grey0e05d262023-10-09 07:04:36 +0000[diff] [blame]133 "clicks_keycloak_db_password"
Skyler Grey22428b02023-11-19 13:20:56 +0000[diff] [blame]134 "clicks_vaultwarden_db_password"
Skyler Grey9fe61282023-08-20 21:52:48 +0000[diff] [blame]135 "clicks_privatebin_db_password"
Skyler Grey09c5cda2023-10-09 07:10:10 +0000[diff] [blame]136 "clicks_nextcloud_db_password"
Samuel Shuert45489982023-11-29 15:29:36 -0500[diff] [blame]137 "clicks_taiga_db_password"
Skyler Grey8b4f7b62024-02-17 12:23:02 +0000[diff] [blame]138 "clicks_jinx_db_password"
Skyler Greya78aa672023-05-20 13:48:18 +0200[diff] [blame]139 ] [
140 (map (name: {
141 inherit name;
142 value = {
143 mode = "0400";
144 owner = config.services.postgresql.superUser;
Skyler Greyfe1740c2023-10-21 01:24:18 +0000[diff] [blame]145 group =
146 config.users.users.${config.services.postgresql.superUser}.group;
Samuel Shuertf68685d2023-10-28 20:07:56 -0400[diff] [blame]147 sopsFile = ../../secrets/postgres.json;
Skyler Greya78aa672023-05-20 13:48:18 +0200[diff] [blame]148 format = "json";
149 };
150 }))
151 builtins.listToAttrs
152 ];
153}