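# PostgreSQL for the shared services host: server settings, the databases and
# roles the NixOS module keeps in place, the per-role password sync and the
# hand-written grants that the declarative options cannot express.
{ lib, config, pkgs, ... }: {
  # PostgreSQL binds 172.20.0.1 (the taiga docker bridge), so that interface
  # has to exist before the server is started.
  systemd.services.postgresql.after = [
    "docker-network-taiga.service" # Needed to listen in 172.20.0.1
  ];

  services.postgresql = {
    enable = true;

    package = pkgs.postgresql;
    settings = {
      # NOTE(review): "standard" is not a PostgreSQL listen_addresses keyword
      # (entries are host names, IP addresses, "*", "0.0.0.0" or "::"), so the
      # server will try to resolve it as a host name; "localhost" is presumably
      # what was meant — confirm before changing.
      listen_addresses = lib.mkForce "standard, 172.20.0.1";
      # Session open/close events go to syslog so remote client access can be
      # audited together with the rest of the host's logs.
      log_connections = true;
      logging_collector = true;
      log_disconnections = true;
      log_destination = lib.mkForce "syslog";
    };

    # Created (if missing) by the NixOS module's own postStart. "synapse" is
    # left out on purpose: it needs C collation and is created by the mkBefore
    # part of postStart below, which runs ahead of the module's own loop.
    ensureDatabases = [
      "vaultwarden"
      "gerrit"
      "privatebin"
      "keycloak"
      "nextcloud"
      "taiga"
      "jinx"
      "wiki"
    ];

    # Roles whose database carries the same name own it via ensureDBOwnership;
    # every other role gets its privileges assigned in postStart below.
    ensureUsers = [
      {
        name = "clicks_grafana";
      }
      {
        name = "matrix-synapse";
      }
      {
        name = "keycloak";
        ensureDBOwnership = true;
      }
      {
        name = "vaultwarden";
        ensureDBOwnership = true;
      }
      {
        name = "privatebin";
        ensureDBOwnership = true;
      }
      {
        name = "nextcloud";
        ensureDBOwnership = true;
      }
      {
        name = "taiga";
        ensureDBOwnership = true;
      }
      {
        name = "jinx";
        ensureDBOwnership = true;
      }
      {
        name = "wiki";
        ensureDBOwnership = true;
      }
      # Personal accounts for the leadership; their grants are in postStart.
    ] ++ (map (name: { inherit name; }) [ "minion" "coded" "pineafan" ]);

    # method database user address auth-method
    # "samenet" matches every subnet this host has an address on, so the
    # reachable scope is set by listen_addresses above rather than by this
    # line; TCP clients are only ever offered SCRAM password authentication.
    authentication = "host all all samenet scram-sha-256";
  };

  # postStart carries the password sync and the grants, so any change to its
  # text must restart the unit for the new script to run.
  systemd.services.postgresql.restartTriggers = [
    config.systemd.services.postgresql.postStart
  ];
  systemd.services.postgresql.postStart = lib.mkMerge [
    (let
      database = "synapse";
      cfg = config.services.postgresql;
    in lib.mkBefore (''
      PSQL="psql --port=${toString cfg.port}"

      while ! $PSQL -d postgres -c "" 2> /dev/null; do
        if ! kill -0 "$MAINPID"; then exit 1; fi
        sleep 0.1
      done

      $PSQL -tAc "SELECT 1 FROM pg_database WHERE datname = '${database}'" | grep -q 1 || $PSQL -tAc 'CREATE DATABASE "${database}" WITH LC_CTYPE="C" LC_COLLATE="C" TEMPLATE="template0"'
    '') # synapse needs C collation, so we can't use ensureDatabases for it
    )
    # Runs after the roles exist. Each password is read from its sops secret
    # by psql itself (backquote expansion in \set) and bound as a quoted SQL
    # literal (:'pw'), so it never appears in a process argument list and a
    # quote character inside the secret cannot break the statement.
    (lib.mkAfter (lib.pipe [
      {
        user = "clicks_grafana";
        passwordFile = config.sops.secrets.clicks_grafana_db_password.path;
      }
      {
        user = "keycloak";
        passwordFile = config.sops.secrets.clicks_keycloak_db_password.path;
      }
      {
        user = "vaultwarden";
        passwordFile = config.sops.secrets.clicks_vaultwarden_db_password.path;
      }
      {
        user = "privatebin";
        passwordFile = config.sops.secrets.clicks_privatebin_db_password.path;
      }
      {
        user = "nextcloud";
        passwordFile = config.sops.secrets.clicks_nextcloud_db_password.path;
      }
      {
        user = "taiga";
        passwordFile = config.sops.secrets.clicks_taiga_db_password.path;
      }
      {
        user = "jinx";
        passwordFile = config.sops.secrets.clicks_jinx_db_password.path;
      }
      {
        user = "wiki";
        passwordFile = config.sops.secrets.clicks_wiki_db_password.path;
      }
    ] [
      (map (userData: ''
        $PSQL -tA -v ON_ERROR_STOP=1 <<'EOF'
        \set pw `cat ${userData.passwordFile}`
        ALTER USER "${userData.user}" PASSWORD :'pw';
        EOF
      ''))
      (lib.concatStringsSep "\n")
    ]))
    # mkAfter as well: these statements need the roles created by the NixOS
    # module's part of postStart, and a plain string would have no fixed
    # position relative to it.
    #
    # NOTE(review): $PSQL carries no -d, so the schema-level GRANTs below
    # presumably land in the default "postgres" database only, and GRANT ...
    # ON ALL TABLES covers the tables that exist at that moment, not ones
    # created later. If the intent is access to the application databases,
    # each needs its own `-d <database>` invocation (and ALTER DEFAULT
    # PRIVILEGES for future tables) — confirm.
    (lib.mkAfter ''
      $PSQL -tAc 'ALTER DATABASE synapse OWNER TO "matrix-synapse";'
      # matrix-synapse is done manually, because the database does not have the same name as the user

      $PSQL -tAc 'GRANT SELECT ON ALL TABLES IN SCHEMA public TO "clicks_grafana"'
      $PSQL -tAc 'GRANT USAGE ON SCHEMA public TO "clicks_grafana"'
      # grafana is done manually, because it needs read permission in lots of places

      $PSQL -tAc 'GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA public TO "coded"'
      $PSQL -tAc 'GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA public TO "minion"'
      $PSQL -tAc 'GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA public TO "pineafan"'
      # leadership is done manually, because we need owner-level permissions in lots of places but cannot specify ourselves as the database owners (as there may only be 1)
    '')
  ];

  # One sops secret per database role, decrypted into files that only the
  # PostgreSQL superuser account can read (mode 0400, owned by that account
  # and its group) — the account postStart is expected to run as.
  sops.secrets = lib.pipe [
    "clicks_grafana_db_password"
    "clicks_keycloak_db_password"
    "clicks_vaultwarden_db_password"
    "clicks_privatebin_db_password"
    "clicks_nextcloud_db_password"
    "clicks_taiga_db_password"
    "clicks_jinx_db_password"
    "clicks_wiki_db_password"
  ] [
    (map (name: {
      inherit name;
      value = {
        mode = "0400";
        owner = config.services.postgresql.superUser;
        group =
          config.users.users.${config.services.postgresql.superUser}.group;
        sopsFile = ../../secrets/postgres.json;
        format = "json";
      };
    }))
    builtins.listToAttrs
  ];
}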