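{ lib, config, pkgs, ... }:
let
  cfg = config.services.postgresql;

  # Roles whose login password is provisioned from a sops secret, keyed by
  # PostgreSQL role name. The value is the sops secret name: it is declared in
  # `sops.secrets` below and its decrypted path is read by the psql script that
  # postStart runs.
  # Roles that appear in `ensureUsers` but not here (synapse, minion, coded,
  # pinea) get no password from this module -- presumably they connect over
  # the unix socket with peer auth; confirm against the pg_hba configuration.
  passwordUsers = {
    clicks_grafana = "clicks_grafana_db_password";
    keycloak = "clicks_keycloak_db_password";
    gerrit = "clicks_gerrit_db_password";
    vaultwarden = "clicks_bitwarden_db_password";
    privatebin = "clicks_privatebin_db_password";
    nextcloud = "clicks_nextcloud_db_password";
  };

  # A role that holds all privileges on the database of the same name.
  ownsDatabase = name: {
    inherit name;
    ensurePermissions = { "DATABASE ${name}" = "ALL PRIVILEGES"; };
  };

  # psql script that sets the application role passwords.
  #
  # psql reads each password itself (`\set` with a backquoted shell command)
  # and splices it in with `:'pw'`, which applies SQL-literal quoting. Compared
  # with the earlier `ALTER USER ... PASSWORD '$(cat file)'` shell form:
  #   * a quote or backslash in a password cannot break or alter the SQL;
  #   * the password is never part of psql's argv, so it is not exposed via
  #     /proc/<pid>/cmdline to other local users while the command runs.
  # Only the secret *paths* end up in this Nix-store file, never their content.
  #
  # Caveat: the server still receives the password in cleartext over the local
  # socket, and PostgreSQL echoes the text of a failing statement into the log
  # at log_min_error_statement (default "error"); that is unchanged from the
  # previous form. ON_ERROR_STOP is set when this file is run so such a failure
  # fails the unit instead of being skipped silently.
  setPasswordsSql = pkgs.writeText "postgresql-set-passwords.sql"
    (lib.concatStrings (lib.mapAttrsToList (user: secret: ''
      \set pw `cat ${config.sops.secrets.${secret}.path}`
      ALTER USER "${user}" PASSWORD :'pw';
    '') passwordUsers));
in {
  services.postgresql = {
    enable = true;

    package = pkgs.postgresql;
    settings = {
      # Connection-level audit trail to syslog. log_statement is left at its
      # default here, so the ALTER USER ... PASSWORD statements issued from
      # postStart are not written to the log on success.
      log_connections = true;
      logging_collector = true;
      log_disconnections = true;
      log_destination = lib.mkForce "syslog";
    };

    # "synapse" is deliberately absent: it is created by hand in postStart
    # because it needs C collation, which ensureDatabases cannot express.
    ensureDatabases =
      [ "vaultwarden" "gerrit" "privatebin" "keycloak" "nextcloud" ];

    ensureUsers = [
      {
        # Read-only dashboarding role.
        # NOTE(review): ensurePermissions GRANTs are issued over the default
        # connection, i.e. against the `postgres` maintenance database, so a
        # schema-level grant like this one applies to that database's public
        # schema rather than to the application databases listed above, and it
        # only covers tables that exist at grant time. Verify this matches the
        # intent; newer NixOS releases deprecate ensurePermissions.
        name = "clicks_grafana";
        ensurePermissions = {
          "ALL TABLES IN SCHEMA public" = "SELECT";
          "SCHEMA public" = "USAGE";
        };
      }
    ] ++ map ownsDatabase [
      "synapse"
      "keycloak"
      "gerrit"
      "vaultwarden"
      "privatebin"
      "nextcloud"
    ] ++ map (name: {
      inherit name;
      # NOTE(review): same caveat as for clicks_grafana -- this grants on the
      # public schema of the `postgres` database, not an application database.
      ensurePermissions = { "ALL TABLES IN SCHEMA public" = "ALL PRIVILEGES"; };
    }) [ "minion" "coded" "pinea" ];
  };

  systemd.services.postgresql.postStart = lib.mkMerge [
    # Runs before the NixOS-generated ensureDatabases/ensureUsers section, so
    # that the "DATABASE synapse" grant above has a database to apply to.
    (lib.mkBefore ''
      PSQL="psql --port=${toString cfg.port}"

      # Wait until the server accepts connections; give up if it has died.
      while ! $PSQL -d postgres -c "" 2> /dev/null; do
        if ! kill -0 "$MAINPID"; then exit 1; fi
        sleep 0.1
      done

      # synapse needs C collation, so we can't use ensureDatabases for it.
      # Idempotent: only create the database when it does not already exist.
      $PSQL -tAc "SELECT 1 FROM pg_database WHERE datname = 'synapse'" | grep -q 1 \
        || $PSQL -tAc 'CREATE DATABASE "synapse" WITH LC_CTYPE="C" LC_COLLATE="C" TEMPLATE="template0"'
    '')

    # Runs after the NixOS-generated section has created the roles. $PSQL is
    # still in scope because all of postStart is a single script.
    (lib.mkAfter ''
      $PSQL -v ON_ERROR_STOP=1 -f ${setPasswordsSql}
    '')
  ];

  # Each password file is readable only by the PostgreSQL superuser, the
  # account postStart runs as.
  sops.secrets = lib.mapAttrs' (_: secret:
    lib.nameValuePair secret {
      mode = "0400";
      owner = cfg.superUser;
      group = config.users.users.${cfg.superUser}.group;
      sopsFile = ../secrets/postgres.json;
      format = "json";
    }) passwordUsers;
}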