| Skyler Grey | a78aa67 | 2023-05-20 13:48:18 +0200 | [diff] [blame^] | 1 | { lib, config, pkgs, ... }: { |
| 2 | services.postgresql = { |
| 3 | enable = true; |
| 4 | |
| 5 | package = pkgs.postgresql; |
| 6 | settings = { |
| 7 | log_connections = true; |
| 8 | log_statement = "all"; |
| 9 | logging_collector = true; |
| 10 | log_disconnections = true; |
| 11 | log_destination = lib.mkForce "syslog"; |
| 12 | }; |
| 13 | |
| 14 | ensureUsers = [ |
| 15 | { |
| 16 | name = "clicks_grafana"; |
| 17 | ensurePermissions = { |
| 18 | "ALL TABLES IN SCHEMA public" = "SELECT"; |
| 19 | "SCHEMA public" = "USAGE"; |
| 20 | }; |
| 21 | } |
| 22 | { |
| 23 | name = "dendrite"; |
| 24 | ensurePermissions = { |
| 25 | "DATABASE dendrite_account_database" = "ALL PRIVILEGES"; |
| 26 | "DATABASE dendrite_device_database" = "ALL PRIVILEGES"; |
| 27 | "DATABASE dendrite_sync_api" = "ALL PRIVILEGES"; |
| 28 | "DATABASE dendrite_room_server" = "ALL PRIVILEGES"; |
| 29 | "DATABASE dendrite_mscs" = "ALL PRIVILEGES"; |
| 30 | "DATABASE dendrite_media_api" = "ALL PRIVILEGES"; |
| 31 | "DATABASE dendrite_key_server" = "ALL PRIVILEGES"; |
| 32 | "DATABASE dendrite_federation_api" = "ALL PRIVILEGES"; |
| 33 | "DATABASE dendrite_app_service_api" = "ALL PRIVILEGES"; |
| 34 | }; |
| 35 | } |
| 36 | ] ++ (map |
| 37 | (name: ( |
| 38 | { |
| 39 | inherit name; |
| 40 | ensurePermissions = { "ALL TABLES IN SCHEMA public" = "ALL PRIVILEGES"; }; |
| 41 | } |
| 42 | )) [ "minion" "coded" "pinea" ]); |
| 43 | |
| 44 | ensureDatabases = [ |
| 45 | "dendrite_account_database" |
| 46 | "dendrite_device_database" |
| 47 | "dendrite_sync_api" |
| 48 | "dendrite_sync_api" |
| 49 | "dendrite_room_server" |
| 50 | "dendrite_mscs" |
| 51 | "dendrite_media_api" |
| 52 | "dendrite_key_server" |
| 53 | "dendrite_federation_api" |
| 54 | "dendrite_app_service_api" |
| 55 | ]; |
| 56 | }; |
| 57 | |
| 58 | systemd.services.postgresql.postStart = lib.mkAfter (lib.pipe [ |
| 59 | { user = "clicks_grafana"; passwordFile = config.sops.secrets.clicks_grafana_db_password.path; } |
| 60 | { user = "dendrite"; passwordFile = config.sops.secrets.dendrite_db_password.path; } |
| 61 | ] [ |
| 62 | (map (userData: '' |
| 63 | $PSQL -tAc "ALTER USER ${userData.user} PASSWORD '$(cat ${userData.passwordFile})';" |
| 64 | '')) |
| 65 | (lib.concatStringsSep "\n") |
| 66 | ]); |
| 67 | |
| 68 | sops.secrets = lib.pipe [ |
| 69 | "clicks_grafana_db_password" |
| 70 | "dendrite_db_password" |
| 71 | ] [ |
| 72 | (map (name: { |
| 73 | inherit name; |
| 74 | value = { |
| 75 | mode = "0400"; |
| 76 | owner = config.services.postgresql.superUser; |
| 77 | group = config.users.users.${config.services.postgresql.superUser}.group; |
| 78 | sopsFile = ../secrets/postgres.json; |
| 79 | format = "json"; |
| 80 | }; |
| 81 | })) |
| 82 | builtins.listToAttrs |
| 83 | ]; |
| 84 | } |