xengi/infra
0
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

wip

Browse source
This commit is contained in:
XenGi 2026-02-04 00:51:00 +01:00
parent 782ab24661
commit 0f9c1accf1
Signed by: xengi
SSH key fingerprint: SHA256:dM+fLZGsDvyv6kunjE8bGduL24VsCFB4LEOSdmRHdG0
4 changed files with 63 additions and 25 deletions
Download patch file Download diff file Expand all files Collapse all files

10
flake.nix
View file

@ -110,6 +110,16 @@
modules = [ modules = [
agenix.nixosModules.default agenix.nixosModules.default
{ environment.systemPackages = [ (agenix.packages.${system}.default) ]; } { environment.systemPackages = [ (agenix.packages.${system}.default) ]; }
{
age.secrets = {
postgres-user-password-pda = {
file = ./secrets/postgres-user-password-pda.age;
owner = "postgres";
group = "postgres";
mode = "0400";
};
};
}
./hosts/sql ./hosts/sql
]; ];
}; };

11
hosts/sql/default.nix
View file

@ -9,13 +9,10 @@
networking = { networking = {
hostName = "sql"; hostName = "sql";
firewall = { firewall.extraInputRules = ''
enable = true; ip saddr 195.160.173.0/24 ip daddr 195.160.173.15 tcp dport 5432 accept
extraInputRules = '' ip6 saddr 2001:678:760:cccb::/64 ip6 daddr 2001:678:760:cccb::15 tcp dport 5432 accept
ip saddr 195.160.173.0/24 ip daddr 195.160.173.15 tcp dport 5432 accept '';
ip6 saddr 2001:678:760:cccb::/64 ip6 daddr 2001:678:760:cccb::15 tcp dport 5432 accept
'';
};
}; };
services = { services = {

63
hosts/sql/postgres.nix
View file

@ -1,8 +1,42 @@
{ config, ... }: { config, pkgs, ... }:
let let
fqdn = "sql.${config.networking.domain}"; fqdn = "sql.${config.networking.domain}";
mkEntry = "fancy function that takes a name and IP octed and creates a user, db and auth lines"; # Create postgres-<username> entry in agenix
# mkEntry <username> <last IP address octet>
entries = [
(mkEntry "matrix-synapse" 25)
(mkEntry "hedgedoc" 24)
];
mkEntry = name: octet: {
user = {
name = name;
ensureDBOwnership = true;
};
database = name;
# TYPE DATABASE USER ADDRESS METHOD
auth = ''
#hostssl ${name} ${name} 195.160.173.${toString octet}/32 scram-sha-256
#hostssl ${name} ${name} 2001:678:760:cccb::${toString octet}/128 scram-sha-256
host ${name} ${name} 195.160.173.${toString octet}/32 scram-sha-256
host ${name} ${name} 2001:678:760:cccb::${toString octet}/128 scram-sha-256
'';
};
mkPasswordSQL = e: ''
DO $do$
BEGIN
IF EXISTS (SELECT 1 FROM pg_roles WHERE rolname = '${e.user.name}') THEN
EXECUTE format(
'ALTER ROLE %I WITH PASSWORD %L',
'${e.user.name}',
trim(both E'\n' from pg_read_file('${config.age.secrets.postgres-${entry.user.name}.path}'))
);
END IF;
END
$do$;
'';
passwordScript = pkgs.writeText "postgres-passwords.sql" (builtins.concatStringsSep "\n" (map mkPasswordSQL entries));
in in
{ {
services = { services = {
@ -21,23 +55,16 @@ in
# ssl_key_file = "${config.security.acme.certs."${fqdn}".directory}/server.key"; # ssl_key_file = "${config.security.acme.certs."${fqdn}".directory}/server.key";
# ssl_ca_file = "${config.security.acme.certs."${fqdn}".directory}/ca.crt"; # ssl_ca_file = "${config.security.acme.certs."${fqdn}".directory}/ca.crt";
#}; #};
ensureUsers = [ ensureUsers = map (e: e.user) entries;
{ ensureDatabases = map (e: e.database) entries;
name = "pda"; authentication = "${builtins.concatStringsSep "\n" (map (e: e.auth) entries)}";
ensureDBOwnership = true;
}
];
ensureDatabases = [
"pda"
];
authentication = ''
# TYPE DATABASE USER ADDRESS METHOD
#hostssl pda pda 195.160.173.15/32 scram-sha-256
#hostssl pda pda 2001:678:760:cccb::15/128 scram-sha-256
host pda pda 195.160.173.15/32 scram-sha-256
host pda pda 2001:678:760:cccb::15/128 scram-sha-256
'';
}; };
}; };
systemd.services.postgresql.postStart = ''
${pkgs.postgresql}/bin/psql \
--dbname=postgres \
--no-password \
--file=${passwordScript}
'';
} }

4
secrets/secrets.nix
View file

@ -15,6 +15,8 @@ let
]; ];
_matrix = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIApAkkhHLj918co/wUGuyW8WCPYHxsNM4uo32XDEu7VV root@matrix"; _matrix = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIApAkkhHLj918co/wUGuyW8WCPYHxsNM4uo32XDEu7VV root@matrix";
_md = "";
_sql = "";
in in
{ {
"matrix_admin_password.age".publicKeys = users; "matrix_admin_password.age".publicKeys = users;
@ -25,4 +27,6 @@ in
"pushover_user_key.age".publicKeys = users ++ [ _matrix ]; "pushover_user_key.age".publicKeys = users ++ [ _matrix ];
"grafana_admin_password.age".publicKeys = users ++ [ _matrix ]; "grafana_admin_password.age".publicKeys = users ++ [ _matrix ];
"grafana_secret_key.age".publicKeys = users ++ [ _matrix ]; "grafana_secret_key.age".publicKeys = users ++ [ _matrix ];
"postgres-matrix-synapse.age".publicKeys = users ++ [ _sql _matrix ];
"postgres-hedgedoc.age".publicKeys = users ++ [ _sql _md ];
} }