improve postgres

2026-02-08 12:36:38 +01:00 · 2026-02-08 12:36:38 +01:00 · 4c9e01e754
commit 4c9e01e754
parent c81d2f00ca
3 changed files with 19 additions and 21 deletions
--- a/hosts/sql/postgresql.nix
+++ b/hosts/sql/postgresql.nix
@ -0,0 +1,88 @@
+{ config, pkgs, ... }:
+
+let
+  fqdn = "sql.${config.networking.domain}";
+  # Create postgres-<username> entry in agenix
+  # mkEntry <username> <last IP address octet>
+  entries = [
+    (mkEntry "matrix-synapse" 25) # matrix.berlin.ccc.de
+    (mkEntry "hedgedoc" 26) # md.berlin.ccc.de
+    (mkEntry "grafana" 255) # mon.berlin.ccc.de
+  ];
+  mkEntry = name: octet: {
+    user = {
+      name = name;
+      ensureDBOwnership = true;
+    };
+    database = name;
+    # TYPE DATABASE USER ADDRESS METHOD
+    auth = ''
+      #hostssl ${name} ${name} 195.160.173.${toString octet}/32         scram-sha-256
+      #hostssl ${name} ${name} 2001:678:760:cccb::${toString octet}/128 scram-sha-256
+      host ${name} ${name} 195.160.173.${toString octet}/32         scram-sha-256
+      host ${name} ${name} 2001:678:760:cccb::${toString octet}/128 scram-sha-256
+    '';
+  };
+  mkPasswordSQL = e: ''
+    DO $do$
+    BEGIN
+      IF EXISTS (SELECT 1 FROM pg_roles WHERE rolname = '${e.user.name}') THEN
+        EXECUTE format(
+          'ALTER ROLE %I WITH PASSWORD %L',
+          '${e.user.name}',
+          trim(both E'\n' from pg_read_file('${config.age.secrets."postgres-${e.user.name}".path}'))
+        );
+      END IF;
+    END
+    $do$;
+  '';
+  passwordScript = pkgs.writeText "postgres-passwords.sql" (builtins.concatStringsSep "\n" (map mkPasswordSQL entries));
+in
+{
+  services = {
+    #nginx = {
+    #  enable = true;
+    #  virtualHosts."${fqdn}" = {
+    #    enableACME = true;
+    #    locations."/".return = "418";
+    #  };
+    #};
+    postgresql = {
+      enable = true;
+      package = pkgs.postgresql_18;
+      enableJIT = true;
+      initdbArgs = [
+        "--locale=C"
+        "--encoding=UTF8"
+      ];
+      settings.listen_addresses = "*";
+      enableTCPIP = true;
+      #settings = {
+      #  ssl = "on";
+      #  ssl_cert_file = "${config.security.acme.certs."${fqdn}".directory}/server.crt";
+      #  ssl_key_file = "${config.security.acme.certs."${fqdn}".directory}/server.key";
+      #  ssl_ca_file = "${config.security.acme.certs."${fqdn}".directory}/ca.crt";
+      #};
+      ensureUsers = map (e: e.user) entries;
+      ensureDatabases = map (e: e.database) entries;
+      authentication = "${builtins.concatStringsSep "\n" (map (e: e.auth) entries)}";
+    };
+    postgresqlBackup = {
+      enable = true;
+      startAt = "@daily";
+      compression = "zstd";
+    };
+    prometheus.exporters.postgres = {
+      enable = true;
+      openFirewall = true;
+      firewallRules = services.prometheus.exporters.node.firewallRules;
+    }:
+  };
+  systemd.services.postgresql.postStart = ''
+    ${config.services.postgresql.package}/bin/psql \
+      --dbname=postgres \
+      --no-password \
+      --file=${passwordScript}
+  '';
+}
+