Gitiles
Code Review Sign In
git.clicks.codes / Infra / NixFiles / f68685dc7059e31dcd58135137f601cbd881c30a / . / modules / common / postgres.nix
blob: 397a377cb7281b49ad519b95bbae7cf257bb325a [file] [log] [blame]
Skyler Greya78aa672023-05-20 13:48:18 +0200[diff] [blame]1{ lib, config, pkgs, ... }: {
2 services.postgresql = {
3 enable = true;
4
5 package = pkgs.postgresql;
6 settings = {
7 log_connections = true;
Skyler Greya78aa672023-05-20 13:48:18 +0200[diff] [blame]8 logging_collector = true;
9 log_disconnections = true;
10 log_destination = lib.mkForce "syslog";
11 };
12
Skyler Greyfe1740c2023-10-21 01:24:18 +0000[diff] [blame]13 ensureDatabases =
14 [ "vaultwarden" "gerrit" "privatebin" "keycloak" "nextcloud" ];
TheCodedProfb6184602023-06-13 17:04:59 -0400[diff] [blame]15
Skyler Greya78aa672023-05-20 13:48:18 +0200[diff] [blame]16 ensureUsers = [
17 {
18 name = "clicks_grafana";
19 ensurePermissions = {
20 "ALL TABLES IN SCHEMA public" = "SELECT";
21 "SCHEMA public" = "USAGE";
22 };
23 }
24 {
Skyler Grey8e32c832023-05-20 22:54:30 +0200[diff] [blame]25 name = "synapse";
Skyler Greyfe1740c2023-10-21 01:24:18 +0000[diff] [blame]26 ensurePermissions = { "DATABASE synapse" = "ALL PRIVILEGES"; };
Skyler Greya78aa672023-05-20 13:48:18 +0200[diff] [blame]27 }
TheCodedProfb6184602023-06-13 17:04:59 -0400[diff] [blame]28 {
Skyler Grey0e05d262023-10-09 07:04:36 +0000[diff] [blame]29 name = "keycloak";
Skyler Greyfe1740c2023-10-21 01:24:18 +0000[diff] [blame]30 ensurePermissions = { "DATABASE keycloak" = "ALL PRIVILEGES"; };
Skyler Grey0e05d262023-10-09 07:04:36 +0000[diff] [blame]31 }
32 {
TheCodedProfb6184602023-06-13 17:04:59 -0400[diff] [blame]33 name = "vaultwarden";
Skyler Greyfe1740c2023-10-21 01:24:18 +0000[diff] [blame]34 ensurePermissions = { "DATABASE vaultwarden" = "ALL PRIVILEGES"; };
TheCodedProfb6184602023-06-13 17:04:59 -0400[diff] [blame]35 }
Skyler Grey9fe61282023-08-20 21:52:48 +0000[diff] [blame]36 {
37 name = "privatebin";
Skyler Greyfe1740c2023-10-21 01:24:18 +0000[diff] [blame]38 ensurePermissions = { "DATABASE privatebin" = "ALL PRIVILEGES"; };
Skyler Grey9fe61282023-08-20 21:52:48 +0000[diff] [blame]39 }
Skyler Grey09c5cda2023-10-09 07:10:10 +0000[diff] [blame]40 {
41 name = "nextcloud";
Skyler Greyfe1740c2023-10-21 01:24:18 +0000[diff] [blame]42 ensurePermissions = { "DATABASE nextcloud" = "ALL PRIVILEGES"; };
Skyler Grey09c5cda2023-10-09 07:10:10 +0000[diff] [blame]43 }
Skyler Greyfe1740c2023-10-21 01:24:18 +0000[diff] [blame]44 ] ++ (map (name: ({
45 inherit name;
46 ensurePermissions = { "ALL TABLES IN SCHEMA public" = "ALL PRIVILEGES"; };
Skyler Greya7b38dd2023-10-25 21:42:45 +0000[diff] [blame]47 })) [ "minion" "coded" "pineafan" ]);
Skyler Greya78aa672023-05-20 13:48:18 +0200[diff] [blame]48
Skyler Greya78aa672023-05-20 13:48:18 +0200[diff] [blame]49 };
50
Skyler Grey8e32c832023-05-20 22:54:30 +0200[diff] [blame]51 systemd.services.postgresql.postStart = lib.mkMerge [
Skyler Greyfe1740c2023-10-21 01:24:18 +0000[diff] [blame]52 (let
53 database = "synapse";
54 cfg = config.services.postgresql;
55 in lib.mkBefore (''
56 PSQL="psql --port=${toString cfg.port}"
Skyler Grey8e32c832023-05-20 22:54:30 +0200[diff] [blame]57
Skyler Greyfe1740c2023-10-21 01:24:18 +0000[diff] [blame]58 while ! $PSQL -d postgres -c "" 2> /dev/null; do
59 if ! kill -0 "$MAINPID"; then exit 1; fi
60 sleep 0.1
61 done
Skyler Grey8e32c832023-05-20 22:54:30 +0200[diff] [blame]62
Skyler Greyfe1740c2023-10-21 01:24:18 +0000[diff] [blame]63 $PSQL -tAc "SELECT 1 FROM pg_database WHERE datname = '${database}'" | grep -q 1 || $PSQL -tAc 'CREATE DATABASE "${database}" WITH LC_CTYPE="C" LC_COLLATE="C" TEMPLATE="template0"'
64 '') # synapse needs C collation, so we can't use ensureDatabases for it
Skyler Grey8e32c832023-05-20 22:54:30 +0200[diff] [blame]65 )
66 (lib.mkAfter (lib.pipe [
Skyler Greyfe1740c2023-10-21 01:24:18 +0000[diff] [blame]67 {
68 user = "clicks_grafana";
69 passwordFile = config.sops.secrets.clicks_grafana_db_password.path;
70 }
71 {
72 user = "keycloak";
73 passwordFile = config.sops.secrets.clicks_keycloak_db_password.path;
74 }
75 {
Skyler Greyfe1740c2023-10-21 01:24:18 +0000[diff] [blame]76 user = "vaultwarden";
77 passwordFile = config.sops.secrets.clicks_bitwarden_db_password.path;
78 }
79 {
80 user = "privatebin";
81 passwordFile = config.sops.secrets.clicks_privatebin_db_password.path;
82 }
83 {
84 user = "nextcloud";
85 passwordFile = config.sops.secrets.clicks_nextcloud_db_password.path;
86 }
Skyler Grey8e32c832023-05-20 22:54:30 +0200[diff] [blame]87 ] [
88 (map (userData: ''
89 $PSQL -tAc "ALTER USER ${userData.user} PASSWORD '$(cat ${userData.passwordFile})';"
90 ''))
91 (lib.concatStringsSep "\n")
92 ]))
93 ];
Skyler Greya78aa672023-05-20 13:48:18 +0200[diff] [blame]94
95 sops.secrets = lib.pipe [
96 "clicks_grafana_db_password"
Skyler Grey0e05d262023-10-09 07:04:36 +0000[diff] [blame]97 "clicks_keycloak_db_password"
TheCodedProfb6184602023-06-13 17:04:59 -0400[diff] [blame]98 "clicks_bitwarden_db_password"
Skyler Grey9fe61282023-08-20 21:52:48 +0000[diff] [blame]99 "clicks_privatebin_db_password"
Skyler Grey09c5cda2023-10-09 07:10:10 +0000[diff] [blame]100 "clicks_nextcloud_db_password"
Skyler Greya78aa672023-05-20 13:48:18 +0200[diff] [blame]101 ] [
102 (map (name: {
103 inherit name;
104 value = {
105 mode = "0400";
106 owner = config.services.postgresql.superUser;
Skyler Greyfe1740c2023-10-21 01:24:18 +0000[diff] [blame]107 group =
108 config.users.users.${config.services.postgresql.superUser}.group;
Samuel Shuertf68685d2023-10-28 20:07:56 -0400[diff] [blame^]109 sopsFile = ../../secrets/postgres.json;
Skyler Greya78aa672023-05-20 13:48:18 +0200[diff] [blame]110 format = "json";
111 };
112 }))
113 builtins.listToAttrs
114 ];
115}