diff --git a/flake.nix b/flake.nix
index d2c8360..fd129c3 100644
--- a/flake.nix
+++ b/flake.nix
@@ -110,16 +110,6 @@
 modules = [
 agenix.nixosModules.default
 { environment.systemPackages = [ (agenix.packages.${system}.default) ]; }
- {
- age.secrets = {
- postgres-user-password-pda = {
- file = ./secrets/postgres-user-password-pda.age;
- owner = "postgres";
- group = "postgres";
- mode = "0400";
- };
- };
- }
 ./hosts/sql
 ];
 };
diff --git a/hosts/sql/default.nix b/hosts/sql/default.nix
index 9d1ed43..b1a26c4 100644
--- a/hosts/sql/default.nix
+++ b/hosts/sql/default.nix
@@ -9,10 +9,13 @@
 networking = {
 hostName = "sql";
- firewall.extraInputRules = ''
- ip saddr 195.160.173.0/24 ip daddr 195.160.173.15 tcp dport 5432 accept
- ip6 saddr 2001:678:760:cccb::/64 ip6 daddr 2001:678:760:cccb::15 tcp dport 5432 accept
- '';
+ firewall = {
+ enable = true;
+ extraInputRules = ''
+ ip saddr 195.160.173.0/24 ip daddr 195.160.173.15 tcp dport 5432 accept
+ ip6 saddr 2001:678:760:cccb::/64 ip6 daddr 2001:678:760:cccb::15 tcp dport 5432 accept
+ '';
+ };
 };
 services = {
diff --git a/hosts/sql/postgres.nix b/hosts/sql/postgres.nix
index 86d78de..338950a 100644
--- a/hosts/sql/postgres.nix
+++ b/hosts/sql/postgres.nix
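Review bot: The rules placed in `extraInputRules` are nftables syntax and only take effect with the nftables firewall backend, and this hunk does not enable it; unless `networking.nftables.enable = true;` is set elsewhere in the host configuration, I believe the iptables-based module rejects a non-empty `extraInputRules` at evaluation time. `enable = true;` on the firewall is already the NixOS default, so it only changes anything if another module had switched the firewall off. Consider adding `nftables.enable = true;` beside `firewall` in the `networking` block, or a comment pointing at where it is enabled. The `networking` attribute set continues past the end of the hunk.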
@@ -1,42 +1,8 @@
-{ config, pkgs, ... }:
+{ config, ... }:
 let
 fqdn = "sql.${config.networking.domain}";
- # Create postgres- entry in agenix
- # mkEntry
- entries = [
- (mkEntry "matrix-synapse" 25)
- (mkEntry "hedgedoc" 24)
- ];
-
- mkEntry = name: octet: {
- user = {
- name = name;
- ensureDBOwnership = true;
- };
- database = name;
- # TYPE DATABASE USER ADDRESS METHOD
- auth = ''
- #hostssl ${name} ${name} 195.160.173.${toString octet}/32 scram-sha-256
- #hostssl ${name} ${name} 2001:678:760:cccb::${toString octet}/128 scram-sha-256
- host ${name} ${name} 195.160.173.${toString octet}/32 scram-sha-256
- host ${name} ${name} 2001:678:760:cccb::${toString octet}/128 scram-sha-256
- '';
- };
- mkPasswordSQL = e: ''
- DO $do$
- BEGIN
- IF EXISTS (SELECT 1 FROM pg_roles WHERE rolname = '${e.user.name}') THEN
- EXECUTE format(
- 'ALTER ROLE %I WITH PASSWORD %L',
- '${e.user.name}',
- trim(both E'\n' from pg_read_file('${config.age.secrets.postgres-${entry.user.name}.path}'))
- );
- END IF;
- END
- $do$;
- '';
- passwordScript = pkgs.writeText "postgres-passwords.sql" (builtins.concatStringsSep "\n" (map mkPasswordSQL entries));
+ mkEntry = "fancy function that takes a name and IP octed and creates a user, db and auth lines";
 in
 {
 services = {
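Review bot: `mkEntry = "fancy function that takes a name and IP octed and creates a user, db and auth lines";` binds an unused string in the `let` as a stand-in for the removed helper; it is a note rather than code, and because Nix never evaluates an unreferenced binding it will sit there unnoticed. Replace it with a comment, e.g. `# TODO: mkEntry — takes a name and an IP octet and produces the ensureUsers entry, the database name and the pg_hba lines` (which also fixes "octed"). Dropping `pkgs` from the argument set matches the removal of the postStart script in the next hunk and is fine as long as nothing else in this file still references it. The attribute set opened at `{` continues past the end of the hunk.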
@@ -55,16 +21,23 @@ in
 # ssl_key_file = "${config.security.acme.certs."${fqdn}".directory}/server.key";
 # ssl_ca_file = "${config.security.acme.certs."${fqdn}".directory}/ca.crt";
 #};
- ensureUsers = map (e: e.user) entries;
- ensureDatabases = map (e: e.database) entries;
- authentication = "${builtins.concatStringsSep "\n" (map (e: e.auth) entries)}";
+ ensureUsers = [
+ {
+ name = "pda";
+ ensureDBOwnership = true;
+ }
+ ];
+ ensureDatabases = [
+ "pda"
+ ];
+ authentication = ''
+ # TYPE DATABASE USER ADDRESS METHOD
+ #hostssl pda pda 195.160.173.15/32 scram-sha-256
+ #hostssl pda pda 2001:678:760:cccb::15/128 scram-sha-256
+ host pda pda 195.160.173.15/32 scram-sha-256
+ host pda pda 2001:678:760:cccb::15/128 scram-sha-256
+ '';
 };
 };
- systemd.services.postgresql.postStart = ''
- ${pkgs.postgresql}/bin/psql \
- --dbname=postgres \
- --no-password \
- --file=${passwordScript}
- '';
 }
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index 7ab1d5b..c09b8c9 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -15,8 +15,6 @@ let
 ];
 _matrix = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIApAkkhHLj918co/wUGuyW8WCPYHxsNM4uo32XDEu7VV root@matrix";
- _md = "";
- _sql = "";
 in
 {
 "matrix_admin_password.age".publicKeys = users;
@@ -27,6 +25,4 @@ in
 "pushover_user_key.age".publicKeys = users ++ [ _matrix ];
 "grafana_admin_password.age".publicKeys = users ++ [ _matrix ];
 "grafana_secret_key.age".publicKeys = users ++ [ _matrix ];
- "postgres-matrix-synapse.age".publicKeys = users ++ [ _sql _matrix ];
- "postgres-hedgedoc.age".publicKeys = users ++ [ _sql _md ];
 }
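Review bot: With the `systemd.services.postgresql.postStart` password script removed and nothing put in its place, the `pda` role created by `ensureUsers` has no password, so the `host pda pda ... scram-sha-256` lines cannot authenticate anyone until one is assigned out of band; either document that manual step next to `ensureUsers` or keep a declarative source for it (a secret read at service start, as the deleted code did). 195.160.173.15 and 2001:678:760:cccb::15 are also the `ip daddr` values in the firewall rules of hosts/sql/default.nix, which suggests they are this host's own addresses; if the pda client runs on another machine these pg_hba entries will reject it, so that is worth confirming. Since the `hostssl` lines and the ssl settings above them stay commented out, a comment such as `# plain host (no TLS): relies on the firewall limiting 5432 to the local /24 and /64` would make the current trust model explicit to the next reader.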