xengi/infra
0
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

wip

Browse source
This commit is contained in:
XenGi 2026-02-04 00:51:00 +01:00
parent 782ab24661
commit 0f9c1accf1
Signed by: xengi
SSH key fingerprint: SHA256:dM+fLZGsDvyv6kunjE8bGduL24VsCFB4LEOSdmRHdG0
4 changed files with 63 additions and 25 deletions
Download patch file Download diff file Expand all files Collapse all files

10
flake.nix
View file

@ -110,6 +110,16 @@
modules = [
agenix.nixosModules.default
{ environment.systemPackages = [ (agenix.packages.${system}.default) ]; }
{
age.secrets = {
postgres-user-password-pda = {
file = ./secrets/postgres-user-password-pda.age;
owner = "postgres";
group = "postgres";
mode = "0400";
};
};
}
./hosts/sql
];
};

11
hosts/sql/default.nix
View file

@ -9,13 +9,10 @@
networking = {
hostName = "sql";
firewall = {
enable = true;
extraInputRules = ''
ip saddr 195.160.173.0/24 ip daddr 195.160.173.15 tcp dport 5432 accept
ip6 saddr 2001:678:760:cccb::/64 ip6 daddr 2001:678:760:cccb::15 tcp dport 5432 accept
'';
};
firewall.extraInputRules = ''
ip saddr 195.160.173.0/24 ip daddr 195.160.173.15 tcp dport 5432 accept
ip6 saddr 2001:678:760:cccb::/64 ip6 daddr 2001:678:760:cccb::15 tcp dport 5432 accept
'';
};
services = {

63
hosts/sql/postgres.nix
View file

@ -1,8 +1,42 @@
{ config, ... }:
{ config, pkgs, ... }:
let
fqdn = "sql.${config.networking.domain}";
mkEntry = "fancy function that takes a name and IP octed and creates a user, db and auth lines";
# Create postgres-<username> entry in agenix
# mkEntry <username> <last IP address octet>
entries = [
(mkEntry "matrix-synapse" 25)
(mkEntry "hedgedoc" 24)
];
mkEntry = name: octet: {
user = {
name = name;
ensureDBOwnership = true;
};
database = name;
# TYPE DATABASE USER ADDRESS METHOD
auth = ''
#hostssl ${name} ${name} 195.160.173.${toString octet}/32 scram-sha-256
#hostssl ${name} ${name} 2001:678:760:cccb::${toString octet}/128 scram-sha-256
host ${name} ${name} 195.160.173.${toString octet}/32 scram-sha-256
host ${name} ${name} 2001:678:760:cccb::${toString octet}/128 scram-sha-256
'';
};
mkPasswordSQL = e: ''
DO $do$
BEGIN
IF EXISTS (SELECT 1 FROM pg_roles WHERE rolname = '${e.user.name}') THEN
EXECUTE format(
'ALTER ROLE %I WITH PASSWORD %L',
'${e.user.name}',
trim(both E'\n' from pg_read_file('${config.age.secrets.postgres-${entry.user.name}.path}'))
);
END IF;
END
$do$;
'';
passwordScript = pkgs.writeText "postgres-passwords.sql" (builtins.concatStringsSep "\n" (map mkPasswordSQL entries));
in
{
services = {
@ -21,23 +55,16 @@ in
# ssl_key_file = "${config.security.acme.certs."${fqdn}".directory}/server.key";
# ssl_ca_file = "${config.security.acme.certs."${fqdn}".directory}/ca.crt";
#};
ensureUsers = [
{
name = "pda";
ensureDBOwnership = true;
}
];
ensureDatabases = [
"pda"
];
authentication = ''
# TYPE DATABASE USER ADDRESS METHOD
#hostssl pda pda 195.160.173.15/32 scram-sha-256
#hostssl pda pda 2001:678:760:cccb::15/128 scram-sha-256
host pda pda 195.160.173.15/32 scram-sha-256
host pda pda 2001:678:760:cccb::15/128 scram-sha-256
'';
ensureUsers = map (e: e.user) entries;
ensureDatabases = map (e: e.database) entries;
authentication = "${builtins.concatStringsSep "\n" (map (e: e.auth) entries)}";
};
};
systemd.services.postgresql.postStart = ''
${pkgs.postgresql}/bin/psql \
--dbname=postgres \
--no-password \
--file=${passwordScript}
'';
}

4
secrets/secrets.nix
View file

@ -15,6 +15,8 @@ let
];
_matrix = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIApAkkhHLj918co/wUGuyW8WCPYHxsNM4uo32XDEu7VV root@matrix";
_md = "";
_sql = "";
in
{
"matrix_admin_password.age".publicKeys = users;
@ -25,4 +27,6 @@ in
"pushover_user_key.age".publicKeys = users ++ [ _matrix ];
"grafana_admin_password.age".publicKeys = users ++ [ _matrix ];
"grafana_secret_key.age".publicKeys = users ++ [ _matrix ];
"postgres-matrix-synapse.age".publicKeys = users ++ [ _sql _matrix ];
"postgres-hedgedoc.age".publicKeys = users ++ [ _sql _md ];
}