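{ lib, config, pkgs, ... }: {
  # PostgreSQL for the services on this host.  Databases and roles that the
  # NixOS module can manage are declared via ensureDatabases / ensureUsers;
  # the synapse database (needs C collation) and the role passwords are set
  # in postStart below because the module options do not cover them.
  services.postgresql = {
    enable = true;

    package = pkgs.postgresql;
    settings = {
      # Connection-level audit trail, forced to syslog instead of the
      # module's default log destination.
      log_connections = true;
      logging_collector = true;
      log_disconnections = true;
      log_destination = lib.mkForce "syslog";
    };

    ensureDatabases = [
      "vaultwarden"
      "privatebin"
    ];

    ensureUsers = [
      {
        name = "clicks_grafana";
        # Read-only: SELECT on the public tables plus USAGE on the schema.
        ensurePermissions = {
          "ALL TABLES IN SCHEMA public" = "SELECT";
          "SCHEMA public" = "USAGE";
        };
      }
      {
        name = "synapse";
        ensurePermissions = {
          "DATABASE synapse" = "ALL PRIVILEGES";
        };
      }
      {
        name = "vaultwarden";
        ensurePermissions = {
          "DATABASE vaultwarden" = "ALL PRIVILEGES";
        };
      }
      {
        name = "privatebin";
        ensurePermissions = {
          "DATABASE privatebin" = "ALL PRIVILEGES";
        };
      }
    ] ++ (map
      (name: (
        {
          inherit name;
          # Full privileges on every table in the public schema.
          ensurePermissions = { "ALL TABLES IN SCHEMA public" = "ALL PRIVILEGES"; };
        }
      )) [ "minion" "coded" "pinea" ]);

  };

  systemd.services.postgresql.postStart = lib.mkMerge [
    (
      let
        database = "synapse";
        cfg = config.services.postgresql;
      in
      lib.mkBefore (
        ''
          PSQL="psql --port=${toString cfg.port}"

          # Wait until the server accepts connections; give up if it exited.
          while ! $PSQL -d postgres -c "" 2> /dev/null; do
            if ! kill -0 "$MAINPID"; then exit 1; fi
            sleep 0.1
          done

          $PSQL -tAc "SELECT 1 FROM pg_database WHERE datname = '${database}'" | grep -q 1 || $PSQL -tAc 'CREATE DATABASE "${database}" WITH LC_CTYPE="C" LC_COLLATE="C" TEMPLATE="template0"'
        ''
      ) # synapse needs C collation, so we can't use ensureDatabases for it
    )
    # Set each role's password from its sops secret.  The SQL is fed to psql
    # on stdin (quoted heredoc, so the shell expands nothing) and psql itself
    # reads the file via a backquoted \set; the value is spliced in with
    # :'pw', which SQL-escapes it.  This keeps the password out of psql's
    # argument list, where it would be visible in the process table, and out
    # of an unescaped SQL literal.  ON_ERROR_STOP keeps a failed ALTER USER
    # fatal, matching the exit status psql -c gave before.
    (lib.mkAfter (lib.pipe [
      { user = "clicks_grafana"; passwordFile = config.sops.secrets.clicks_grafana_db_password.path; }
      { user = "vaultwarden"; passwordFile = config.sops.secrets.clicks_bitwarden_db_password.path; }
      { user = "privatebin"; passwordFile = config.sops.secrets.clicks_privatebin_db_password.path; }
    ] [
      (map (userData: ''
        $PSQL -tA -v ON_ERROR_STOP=1 <<'EOSQL'
        \set pw `cat ${userData.passwordFile}`
        ALTER USER ${userData.user} PASSWORD :'pw';
        EOSQL
      ''))
      (lib.concatStringsSep "\n")
    ]))
  ];

  # Password files: readable only by the PostgreSQL superuser account
  # (mode 0400), which is the owner that postStart reads them as; all come
  # from the same encrypted JSON file.
  sops.secrets = lib.pipe [
    "clicks_grafana_db_password"
    "clicks_bitwarden_db_password"
    "clicks_privatebin_db_password"
  ] [
    (map (name: {
      inherit name;
      value = {
        mode = "0400";
        owner = config.services.postgresql.superUser;
        group = config.users.users.${config.services.postgresql.superUser}.group;
        sopsFile = ../secrets/postgres.json;
        format = "json";
      };
    }))
    builtins.listToAttrs
  ];
}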