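{ lib, config, pkgs, ... }: {
  # PostgreSQL host module: one server instance, connection auditing to syslog,
  # declarative roles/grants, a hand-made "synapse" database (needs C collation),
  # and role passwords sourced from sops-managed secret files after startup.
  services.postgresql = {
    enable = true;

    package = pkgs.postgresql;
    settings = {
      # Record every session open and close so access to the instance is auditable.
      log_connections = true;
      logging_collector = true;
      log_disconnections = true;
      # Forced to syslog so log lines leave the data directory and follow
      # whatever the host does with its syslog stream.
      log_destination = lib.mkForce "syslog";
    };

    ensureDatabases = [
      "vaultwarden"
    ];

    ensureUsers = [
      {
        # Read-only reporting role: SELECT on the public schema's tables, nothing else.
        name = "clicks_grafana";
        ensurePermissions = {
          "ALL TABLES IN SCHEMA public" = "SELECT";
          "SCHEMA public" = "USAGE";
        };
      }
      {
        # Owner-level access on its own database only (created below in postStart).
        name = "synapse";
        ensurePermissions = {
          "DATABASE synapse" = "ALL PRIVILEGES";
        };
      }
      {
        # Owner-level access on its own database only (created via ensureDatabases).
        name = "vaultwarden";
        ensurePermissions = {
          "DATABASE vaultwarden" = "ALL PRIVILEGES";
        };
      }
    ] ++ (map
      (name: {
        inherit name;
        # NOTE(review): these three roles all get ALL PRIVILEGES on every table in
        # the public schema, so each of them can read and modify the others' tables
        # (and, per the grant above, the reporting role can read all of them).
        # Confirm that shared access is intended rather than one database per role.
        ensurePermissions = { "ALL TABLES IN SCHEMA public" = "ALL PRIVILEGES"; };
      })
      [ "minion" "coded" "pinea" ]);
  };

  systemd.services.postgresql.postStart = lib.mkMerge [
    (
      let
        database = "synapse";
        cfg = config.services.postgresql;
      in
      # Runs before the NixOS-generated ensureDatabases/ensureUsers script.
      lib.mkBefore (
        ''
          PSQL="psql --port=${toString cfg.port}"

          # Wait until the server accepts connections, but give up if the main
          # process died in the meantime instead of looping forever.
          while ! $PSQL -d postgres -c "" 2> /dev/null; do
            if ! kill -0 "$MAINPID"; then exit 1; fi
            sleep 0.1
          done

          $PSQL -tAc "SELECT 1 FROM pg_database WHERE datname = '${database}'" | grep -q 1 || $PSQL -tAc 'CREATE DATABASE "${database}" WITH LC_CTYPE="C" LC_COLLATE="C" TEMPLATE="template0"'
        ''
      ) # synapse needs C collation, so we can't use ensureDatabases for it
    )
    # Runs after the roles exist: set each role's password from its secret file.
    (lib.mkAfter (lib.pipe [
      { user = "clicks_grafana"; passwordFile = config.sops.secrets.clicks_grafana_db_password.path; }
      { user = "vaultwarden"; passwordFile = config.sops.secrets.clicks_bitwarden_db_password.path; }
    ] [
      (map (userData: ''
        # The secret is read by psql itself and bound as a quoted literal
        # (:'pw') rather than spliced into a -c argument, so it never appears in
        # psql's argv (readable by every local user via ps or /proc) and a quote
        # character in the secret cannot break or alter the statement.
        # The plaintext still travels inside the SQL text to the server; keep
        # log_statement at its default (off) so it is not written to syslog.
        # ON_ERROR_STOP keeps a failed ALTER fatal, as the single -c form was.
        $PSQL -v ON_ERROR_STOP=1 <<'EOF_${userData.user}'
        \set pw `cat ${userData.passwordFile}`
        ALTER USER "${userData.user}" PASSWORD :'pw';
        EOF_${userData.user}
      ''))
      (lib.concatStringsSep "\n")
    ]))
  ];

  # Secret files readable only by the database superuser, which is the account
  # the postStart script above runs under.
  sops.secrets = lib.pipe [
    "clicks_grafana_db_password"
    "clicks_bitwarden_db_password"
  ] [
    (map (name: {
      inherit name;
      value = {
        mode = "0400";
        owner = config.services.postgresql.superUser;
        group = config.users.users.${config.services.postgresql.superUser}.group;
        sopsFile = ../secrets/postgres.json;
        format = "json";
      };
    }))
    builtins.listToAttrs
  ];
}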