diff --git a/flake.nix b/flake.nix
index fd129c3..d2c8360 100644
--- a/flake.nix
+++ b/flake.nix
@@ -110,6 +110,16 @@
 modules = [
 agenix.nixosModules.default
 { environment.systemPackages = [ (agenix.packages.${system}.default) ]; }
+ {
+ age.secrets = {
+ postgres-user-password-pda = {
+ file = ./secrets/postgres-user-password-pda.age;
+ owner = "postgres";
+ group = "postgres";
+ mode = "0400";
+ };
+ };
+ }
 ./hosts/sql
 ];
 };
diff --git a/hosts/sql/default.nix b/hosts/sql/default.nix
index b1a26c4..9d1ed43 100644
--- a/hosts/sql/default.nix
+++ b/hosts/sql/default.nix
@@ -9,13 +9,10 @@
 networking = {
 hostName = "sql";
- firewall = {
- enable = true;
- extraInputRules = ''
- ip saddr 195.160.173.0/24 ip daddr 195.160.173.15 tcp dport 5432 accept
- ip6 saddr 2001:678:760:cccb::/64 ip6 daddr 2001:678:760:cccb::15 tcp dport 5432 accept
- '';
- };
+ firewall.extraInputRules = ''
+ ip saddr 195.160.173.0/24 ip daddr 195.160.173.15 tcp dport 5432 accept
+ ip6 saddr 2001:678:760:cccb::/64 ip6 daddr 2001:678:760:cccb::15 tcp dport 5432 accept
+ '';
 };
 services = {
diff --git a/hosts/sql/postgres.nix b/hosts/sql/postgres.nix
index 338950a..86d78de 100644
--- a/hosts/sql/postgres.nix
+++ b/hosts/sql/postgres.nix
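Review bot: The secret declared here, `postgres-user-password-pda` backed by `./secrets/postgres-user-password-pda.age`, is not what the rest of this commit consumes: hosts/sql/postgres.nix reads `config.age.secrets.postgres-<user>.path` for `matrix-synapse` and `hedgedoc`, and secrets/secrets.nix declares `postgres-matrix-synapse.age` and `postgres-hedgedoc.age`, while no `postgres-user-password-pda.age` is declared anywhere. Evaluating the sql host will therefore fail on the missing `age.secrets` attributes, and even if it got further the declared .age file would not exist. One `age.secrets` entry per role, named to match the `entries` list in postgres.nix and keeping `owner = "postgres"` / `mode = "0400"` so the server-side `pg_read_file` call can read it, keeps the three files in step; the same mismatch is visible in the postgres.nix and secrets.nix hunks below. The enclosing `modules = [ … ]` list starts and ends outside this hunk.
```nix
{
  age.secrets = {
    postgres-matrix-synapse = {
      file = ./secrets/postgres-matrix-synapse.age;
      owner = "postgres";
      group = "postgres";
      mode = "0400";
    };
    postgres-hedgedoc = {
      file = ./secrets/postgres-hedgedoc.age;
      owner = "postgres";
      group = "postgres";
      mode = "0400";
    };
  };
}
```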
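Review bot: Dropping `enable = true;` leaves the firewall active only because `networking.firewall.enable` defaults to true in NixOS; nothing in this file now asserts it, so a `false` set anywhere else in the tree would silently win. `networking.firewall.extraInputRules` is also honoured only by the nftables backend (`networking.nftables.enable`), which is not visible in this hunk — if the host is still on the iptables backend these accept rules are ignored, so it is worth confirming that setting lives elsewhere. Keeping `firewall.enable = true;` next to the rules, or a comment such as `# requires networking.nftables.enable = true (set in …)`, would make the dependency explicit. The `networking = {` attribute set begins before the hunk.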
@@ -1,8 +1,42 @@
-{ config, ... }:
+{ config, pkgs, ... }:
 let
 fqdn = "sql.${config.networking.domain}";
- mkEntry = "fancy function that takes a name and IP octed and creates a user, db and auth lines";
+ # Create postgres- entry in agenix
+ # mkEntry
+ entries = [
+ (mkEntry "matrix-synapse" 25)
+ (mkEntry "hedgedoc" 24)
+ ];
+
+ mkEntry = name: octet: {
+ user = {
+ name = name;
+ ensureDBOwnership = true;
+ };
+ database = name;
+ # TYPE DATABASE USER ADDRESS METHOD
+ auth = ''
+ #hostssl ${name} ${name} 195.160.173.${toString octet}/32 scram-sha-256
+ #hostssl ${name} ${name} 2001:678:760:cccb::${toString octet}/128 scram-sha-256
+ host ${name} ${name} 195.160.173.${toString octet}/32 scram-sha-256
+ host ${name} ${name} 2001:678:760:cccb::${toString octet}/128 scram-sha-256
+ '';
+ };
+ mkPasswordSQL = e: ''
+ DO $do$
+ BEGIN
+ IF EXISTS (SELECT 1 FROM pg_roles WHERE rolname = '${e.user.name}') THEN
+ EXECUTE format(
+ 'ALTER ROLE %I WITH PASSWORD %L',
+ '${e.user.name}',
+ trim(both E'\n' from pg_read_file('${config.age.secrets.postgres-${entry.user.name}.path}'))
+ );
+ END IF;
+ END
+ $do$;
+ '';
+ passwordScript = pkgs.writeText "postgres-passwords.sql" (builtins.concatStringsSep "\n" (map mkPasswordSQL entries));
 in
 {
 services = {
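Review bot: The `pg_read_file` line in `mkPasswordSQL` does not evaluate: the lambda binds `e` but the path refers to `entry.user.name`, and `secrets.postgres-${…}` places an interpolation inside an attribute path, which Nix only accepts when the whole name is quoted — so the file fails to parse before the undefined variable is even reached. The line should read `trim(both E'\n' from pg_read_file('${config.age.secrets."postgres-${e.user.name}".path}'))`. Reading the password server-side this way keeps the secret out of the Nix store (only the runtime path lands in `postgres-passwords.sql`), which is the right shape; it relies on the file being readable by the postgres OS user and on psql connecting as a superuser, which presumably holds given the agenix owner/mode and the module's postStart user, but is worth confirming. The template carries over the active `host` lines with `hostssl` commented out, so the scram exchange and all traffic for both new roles stay on plain TCP; if that is deliberate, a one-line comment saying why (and what the firewall restricts it to) would save the next reader a question. The `# Create postgres- entry in agenix` / `# mkEntry` comment also looks truncated and no longer describes `entries`.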
@@ -21,23 +55,16 @@ in
 # ssl_key_file = "${config.security.acme.certs."${fqdn}".directory}/server.key";
 # ssl_ca_file = "${config.security.acme.certs."${fqdn}".directory}/ca.crt";
 #};
- ensureUsers = [
- {
- name = "pda";
- ensureDBOwnership = true;
- }
- ];
- ensureDatabases = [
- "pda"
- ];
- authentication = ''
- # TYPE DATABASE USER ADDRESS METHOD
- #hostssl pda pda 195.160.173.15/32 scram-sha-256
- #hostssl pda pda 2001:678:760:cccb::15/128 scram-sha-256
- host pda pda 195.160.173.15/32 scram-sha-256
- host pda pda 2001:678:760:cccb::15/128 scram-sha-256
- '';
+ ensureUsers = map (e: e.user) entries;
+ ensureDatabases = map (e: e.database) entries;
+ authentication = "${builtins.concatStringsSep "\n" (map (e: e.auth) entries)}";
 };
 };
+ systemd.services.postgresql.postStart = ''
+ ${pkgs.postgresql}/bin/psql \
+ --dbname=postgres \
+ --no-password \
+ --file=${passwordScript}
+ '';
 }
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index c09b8c9..7ab1d5b 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -15,6 +15,8 @@ let
 ];
 _matrix = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIApAkkhHLj918co/wUGuyW8WCPYHxsNM4uo32XDEu7VV root@matrix";
+ _md = "";
+ _sql = "";
 in
 {
 "matrix_admin_password.age".publicKeys = users;
@@ -25,4 +27,6 @@ in
 "pushover_user_key.age".publicKeys = users ++ [ _matrix ];
 "grafana_admin_password.age".publicKeys = users ++ [ _matrix ];
 "grafana_secret_key.age".publicKeys = users ++ [ _matrix ];
+ "postgres-matrix-synapse.age".publicKeys = users ++ [ _sql _matrix ];
+ "postgres-hedgedoc.age".publicKeys = users ++ [ _sql _md ];
 }
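Review bot: The `systemd.services.postgresql.postStart` added here is merged with the `postStart` the NixOS postgresql module already defines for `ensureUsers`/`ensureDatabases`, and a plain assignment gives no ordering between the two. If this block runs first the roles do not exist yet, the `IF EXISTS` guard in `passwordScript` skips them silently, and the passwords are only set on a later restart; writing `systemd.services.postgresql.postStart = lib.mkAfter ''…'';` (with `lib` added to the module arguments) orders it after the module's own section. Since psql without `--set ON_ERROR_STOP=1` continues past a failed statement and exits 0, the unit would also report success even when an `ALTER ROLE` fails. `${pkgs.postgresql}` is not necessarily the same major version as the running server; `${config.services.postgresql.package}/bin/psql` follows whatever is configured. The `authentication` value wraps a string in `"${…}"`, which is redundant.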
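Review bot: `_md` and `_sql` are committed as empty strings but are used as recipients of the two new `postgres-*.age` entries in the next hunk, so re-keying will, as far as I know, be rejected on the empty recipient or produce files the sql and md hosts cannot decrypt. Until real host keys are in place the `age.secrets` declarations that depend on these files will fail on activation, so either fill them in before this lands or hold the two entries back. A comment naming the source of each key would also help, e.g. `_sql = "<ssh-ed25519 host key of sql>"; # /etc/ssh/ssh_host_ed25519_key.pub on sql`, following the `root@matrix` comment style of the existing `_matrix` line.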