diff --git a/flake.nix b/flake.nix index fd129c3..6d6c0f4 100644 --- a/flake.nix +++ b/flake.nix @@ -93,14 +93,14 @@ ./hosts/matrix ]; }; - nixosConfigurations."hedgedoc" = nixpkgs.lib.nixosSystem { + nixosConfigurations."md" = nixpkgs.lib.nixosSystem { #system = "x86_64-linux"; #pkgs = import nixpkgs { inherit system; }; inherit system; modules = [ agenix.nixosModules.default { environment.systemPackages = [ (agenix.packages.${system}.default) ]; } - ./hosts/hedgedoc + ./hosts/md ]; }; nixosConfigurations."sql" = nixpkgs.lib.nixosSystem { @@ -110,6 +110,22 @@ modules = [ agenix.nixosModules.default { environment.systemPackages = [ (agenix.packages.${system}.default) ]; } + { + age.secrets = { + postgres-matrix-synapse = { + file = ./secrets/postgres-matrix-synapse.age; + owner = "postgres"; + group = "postgres"; + mode = "0400"; + }; + postgres-hedgedoc = { + file = ./secrets/postgres-hedgedoc.age; + owner = "postgres"; + group = "postgres"; + mode = "0400"; + }; + }; + } ./hosts/sql ]; }; diff --git a/hosts/hedgedoc/default.nix b/hosts/hedgedoc/default.nix deleted file mode 100644 index 92428bd..0000000 --- a/hosts/hedgedoc/default.nix +++ /dev/null @@ -1,38 +0,0 @@ -{ ... }: - -{ - imports = [ - ../common.nix - ../../services/openssh.nix - ../../services/hedgedoc.nix - ]; - - networking = { - hostName = "hedgedoc"; - firewall = { - allowedTCPPorts = [ - 80 # HTTP/1 - 443 # HTTP/2 - ]; - allowedUDPPorts = [ - 443 # HTTP/3 - ]; - }; - }; - - services = { - openssh.banner = '' - __ __ __ - /\ \ /\ \ /\ \ - \ \ \___ __ \_\ \ __ __ \_\ \ ___ ___ - \ \ _ `\ /'__`\ /'_` \ /'_ `\ /'__`\ /'_` \ / __`\ /'___\ - \ \ \ \ \/\ __//\ \L\ \/\ \L\ \/\ __//\ \L\ \/\ \L\ \/\ \__/ - \ \_\ \_\ \____\ \___,_\ \____ \ \____\ \___,_\ \____/\ \____\ - \/_/\/_/\/____/\/__,_ /\/___L\ \/____/\/__,_ /\/___/ \/____/ - /\____/ - \_/__/ - ''; - }; - - system.stateVersion = "25.11"; -} diff --git a/hosts/md/default.nix b/hosts/md/default.nix new file mode 100644 index 0000000..9c7bc32 
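Review bot: The two `age.secrets` entries added to the sql host are declared inline in flake.nix, while their only consumer is hosts/sql/postgres.nix, which looks each one up as `config.age.secrets."postgres-${e.user.name}".path`; the names in `entries` there and the attribute names here have to be kept in step by hand, and adding a database to `entries` without a matching declaration here fails evaluation on that lookup. Deriving the declarations from `entries` inside hosts/sql/postgres.nix would remove the drift, e.g. `age.secrets = builtins.listToAttrs (map (e: { name = "postgres-${e.user.name}"; value = { file = ../../secrets/postgres-${e.user.name}.age; owner = "postgres"; group = "postgres"; mode = "0400"; }; }) entries);`. Owner postgres with mode 0400 matches how the server later reads the file, so the permission side of this hunk looks right.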
--- /dev/null +++ b/hosts/md/default.nix @@ -0,0 +1,36 @@ +{ ... }: + +{ + imports = [ + ../common.nix + ../../services/openssh.nix + ../../services/hedgedoc.nix + ]; + + networking = { + hostName = "md"; + firewall = { + allowedTCPPorts = [ + 80 # HTTP/1 + 443 # HTTP/2 + ]; + allowedUDPPorts = [ + 443 # HTTP/3 + ]; + }; + }; + + services = { + openssh.banner = '' + __ + /\ \ + ___ ___ \_\ \ + /' __` __`\ /'_` \ + /\ \/\ \/\ \/\ \L\ \ + \ \_\ \_\ \_\ \___,_\ + \/_/\/_/\/_/\/__,_ / + ''; + }; + + system.stateVersion = "25.11"; +} diff --git a/hosts/sql/default.nix b/hosts/sql/default.nix index b1a26c4..e5726f3 100644 --- a/hosts/sql/default.nix +++ b/hosts/sql/default.nix @@ -5,17 +5,15 @@ ../common.nix ../../services/openssh.nix ../../services/postgres.nix + ./postgres.nix ]; networking = { hostName = "sql"; - firewall = { - enable = true; - extraInputRules = '' - ip saddr 195.160.173.0/24 ip daddr 195.160.173.15 tcp dport 5432 accept - ip6 saddr 2001:678:760:cccb::/64 ip6 daddr 2001:678:760:cccb::15 tcp dport 5432 accept - ''; - }; + firewall.extraInputRules = '' + ip saddr 195.160.173.0/24 ip daddr 195.160.173.15 tcp dport 5432 accept + ip6 saddr 2001:678:760:cccb::/64 ip6 daddr 2001:678:760:cccb::15 tcp dport 5432 accept + ''; }; services = { diff --git a/hosts/sql/postgres.nix b/hosts/sql/postgres.nix index 338950a..61f3af8 100644 --- a/hosts/sql/postgres.nix +++ b/hosts/sql/postgres.nix 
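Review bot: Removing `enable = true;` from the firewall block in hosts/sql/default.nix leaves the sql host relying on the NixOS default or on whatever `../common.nix` sets, and that file is not part of this commit; since this commit also turns on TCP listening for PostgreSQL, the subnet-scoped 5432 accepts in `firewall.extraInputRules` are what keeps the port off the public interface, so the explicit `firewall.enable = true;` was worth keeping next to them. `extraInputRules` is also only honoured by the nftables firewall backend, so `networking.nftables.enable` should be confirmed in common.nix if it is not already set there. The /24 and /64 accepts are broader than the per-host /32 and /128 entries that pg_hba now gets from hosts/sql/postgres.nix; that is acceptable as defence in depth, but a one-line comment above the rules saying so would stop a later reader from "fixing" one to match the other.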
@@ -1,8 +1,41 @@ -{ config, ... }: +{ config, pkgs, ... }: let fqdn = "sql.${config.networking.domain}"; - mkEntry = "fancy function that takes a name and IP octed and creates a user, db and auth lines"; + # Create postgres- entry in agenix + # mkEntry + entries = [ + (mkEntry "matrix-synapse" 25) # matrix.berlin.ccc.de + (mkEntry "hedgedoc" 26) # md.berlin.ccc.de + ]; + mkEntry = name: octet: { + user = { + name = name; + ensureDBOwnership = true; + }; + database = name; + # TYPE DATABASE USER ADDRESS METHOD + auth = '' + #hostssl ${name} ${name} 195.160.173.${toString octet}/32 scram-sha-256 + #hostssl ${name} ${name} 2001:678:760:cccb::${toString octet}/128 scram-sha-256 + host ${name} ${name} 195.160.173.${toString octet}/32 scram-sha-256 + host ${name} ${name} 2001:678:760:cccb::${toString octet}/128 scram-sha-256 + ''; + }; + mkPasswordSQL = e: '' + DO $do$ + BEGIN + IF EXISTS (SELECT 1 FROM pg_roles WHERE rolname = '${e.user.name}') THEN + EXECUTE format( + 'ALTER ROLE %I WITH PASSWORD %L', + '${e.user.name}', + trim(both E'\n' from pg_read_file('${config.age.secrets."postgres-${e.user.name}".path}')) + ); + END IF; + END + $do$; + ''; + passwordScript = pkgs.writeText "postgres-passwords.sql" (builtins.concatStringsSep "\n" (map mkPasswordSQL entries)); in { services = { 
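Review bot: The comment above `entries` (`# Create postgres- entry in agenix` / `# mkEntry`) is an unfinished stub and says nothing about the contract the rest of the file depends on; replace it with something like `# One entry per client: mkEntry <name> <host octet> yields the ensureUsers entry, the database name and the pg_hba lines for that host's /32 and /128, and expects an agenix secret named postgres-<name> holding the role password.` Only the plaintext `host` lines in `auth` are active while the `hostssl` ones stay commented out, and the ssl settings further down in this file are commented out as well; scram-sha-256 protects the password exchange but the session contents between the application hosts and sql cross the network unencrypted, so the `hostssl` variant should be re-enabled once the ACME certificate wiring is finished, or the trade-off recorded in a comment next to the lines. Passing only the secret path into `mkPasswordSQL` and letting the server read it with `pg_read_file` keeps the password itself out of the Nix store, which is the right shape for this; note that pg_read_file needs the connecting role to be a superuser or a member of pg_read_server_files, which presumably holds for the postStart connection as the postgres service user.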
@@ -14,30 +47,23 @@ in # }; #}; postgresql = { - #enableTCPIP = true; + enableTCPIP = true; #settings = { # ssl = "on"; # ssl_cert_file = "${config.security.acme.certs."${fqdn}".directory}/server.crt"; # ssl_key_file = "${config.security.acme.certs."${fqdn}".directory}/server.key"; # ssl_ca_file = "${config.security.acme.certs."${fqdn}".directory}/ca.crt"; #}; - ensureUsers = [ - { - name = "pda"; - ensureDBOwnership = true; - } - ]; - ensureDatabases = [ - "pda" - ]; - authentication = '' - # TYPE DATABASE USER ADDRESS METHOD - #hostssl pda pda 195.160.173.15/32 scram-sha-256 - #hostssl pda pda 2001:678:760:cccb::15/128 scram-sha-256 - host pda pda 195.160.173.15/32 scram-sha-256 - host pda pda 2001:678:760:cccb::15/128 scram-sha-256 - ''; + ensureUsers = map (e: e.user) entries; + ensureDatabases = map (e: e.database) entries; + authentication = "${builtins.concatStringsSep "\n" (map (e: e.auth) entries)}"; }; }; + systemd.services.postgresql.postStart = '' + ${config.services.postgresql.package}/bin/psql \ + --dbname=postgres \ + --no-password \ + --file=${passwordScript} + ''; } diff --git a/secrets/postgres-hedgedoc.age b/secrets/postgres-hedgedoc.age new file mode 100644 index 0000000..4a37aea --- /dev/null +++ b/secrets/postgres-hedgedoc.age 
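Review bot: The added `systemd.services.postgresql.postStart` is a plain definition, so where it lands relative to the NixOS module's own postStart (which waits for the server to accept connections and then runs the ensureUsers/ensureDatabases steps) depends on module merge order; if this snippet is merged first, `psql` can run before the server is ready, and on a fresh host the `IF EXISTS (SELECT 1 FROM pg_roles ...)` guard in mkPasswordSQL silently skips roles that do not exist yet, leaving them without a password until the next restart or switch. Writing it as `systemd.services.postgresql.postStart = lib.mkAfter ''` (and adding `lib` to the module arguments on the first line) pins it after role creation. As a style point, `authentication = "${builtins.concatStringsSep "\n" (map (e: e.auth) entries)}";` wraps an expression that is already a string in an interpolation; `authentication = builtins.concatStringsSep "\n" (map (e: e.auth) entries);` is equivalent and clearer.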
@@ -0,0 +1,19 @@ +age-encryption.org/v1 +-> ssh-ed25519 uH+n1w GLixFnca76xHm803JN+KAIfwV20OBqEDT3FeLeSB2l8 +jPB5PyXf/YYeOGDa2TzgiE16n69i5L9hQarnkWo6mmQ +-> ssh-ed25519 EvLbWw EHxXWWxMVJb351HyeCg9ZwhuHa2EsXW9ikj1LEkeyh8 +rN9f1ia2ns2vC8Vc0QKcf3JORhe8OKoHwy/2ayLW6Ak +-> ssh-ed25519 dM+fLQ O2+eaJPzd2+2E5mx/zQE4wRu6HBH6u19p23/HvPXrA8 +RVLocbh9fM2YvyuAAHZZMlB16xj8nlfUd4XsvBwvZhs +-> ssh-ed25519 jxWM2Q oCQINVqZDm5f7QaJw9iP40FaMjoaXOkM1Ij7N7ntzHs +U8zqYADl+KcvcvF7jmaiuUBl2J2HiMGHvlHgmsf6Ew4 +-> ssh-ed25519 /yCUCg Tof5WTA5hxHqGrMgXTIV2hkyw5i+/vxTPrphaZB/JzA +5JDdTlnMTkwb0wccvlrE4OENcGaLKELgrxfbSkeqbkw +-> ssh-ed25519 FGp51g BobAb/lSMY8cTVLcdCCGLOS0iWypf/lM2AMLrcPmdCc +WU8+jDAr1mYBxN9rZvuqQU+lnj8lpvTbsb9ZF9a9/d8 +-> ssh-ed25519 I2FcBQ TLJ9nqhcOEfPOOTciWo/ulKuh7GtqZSDDXI4n1JZwRI +ldBwhmJv6Pw4Fmb3C/qz/JsWDbDICaIwyMoTvkMRt0I +-> ssh-ed25519 fEJY/A Ah/JhYfb+AhxVvr/Tuph4f8jPzlD0iIkHM2izcUfNn8 +I9p4tl2irCop5p14Cu2mn6QyQRJzKMjSk1bvTSf6SZ4 +--- Xy4DryiHOclGL1xaVyK3N3dVLBxr0gYwwTQPZlDNet4 +3p?h6{rɞ{Ew(uŒk{]|NcYIE%USRTݰJat|.\fUږyxE \ No newline at end of file diff --git a/secrets/postgres-matrix-synapse.age b/secrets/postgres-matrix-synapse.age new file mode 100644 index 0000000..b83955b --- /dev/null +++ b/secrets/postgres-matrix-synapse.age 
@@ -0,0 +1,20 @@ +age-encryption.org/v1 +-> ssh-ed25519 uH+n1w 2c8iSQLommYEwAbcdmos5NUTwxq0Syqzi33LKGheIks +69VeTwPvhySw8zAb7/wi5EjK32U4yUWlXtlhzXPo+5w +-> ssh-ed25519 EvLbWw zxAbVUac7j6ymHcR+veJj91wx6empIcESWry5SJAiSA +kQdfHgTcvwJ6cNOhTQ6n7jyfHwDECqhZKwLHA7EwI2Y +-> ssh-ed25519 dM+fLQ FjU1FmRLYxeWuc3fD1J7UEnQBjH2DkwSFTS0OfRdr0s ++nsheCYHFYSRSzn1rsVVZoywCNF4Nf9WwQQVMLXUTyE +-> ssh-ed25519 jxWM2Q 6s7G67QfhbEPc3dsePIJngE8vHK7uzjV6IqAOIAGX1A +RXz2d3Cmb/4bE+UDwamGmDTw4ITwOQdUJAKznbGV67U +-> ssh-ed25519 /yCUCg K7/3N+yqmtldaQGMwxnHbpCj46e0hQ+mlRbkr85uww8 +7RIUbgdePKWI8nExPbF8b0tWbnf00iVgLiHf5gNfrj4 +-> ssh-ed25519 FGp51g MAxcrUlLbxkEoAx5eb5GR1SB34f5Lo+1Bu4gB+Iuvko +04bv1ugxY1CTKzubwFrffpVGdB7BbWLGP1++NePwAo4 +-> ssh-ed25519 I2FcBQ jVCB1GcCPUdGE4lqhx/tJSo6UBqvXXK/PT6MnaOC/QE +QIYELUgsFNronR2LUQz4vhyCwnUXI1CyzpTZcjGXHs0 +-> ssh-ed25519 yoCmaA IGin0TzhVwNDaofpoRj5NDqkg1iyCx/CRKfjAH7exXE +jX+SCYwU4jsg8zb7hbQh1Oib1IjnKTwgtAr57RKJgck +--- sbAmUYpaAOgxptAoOv9s3V6jhC7uGq98MkV0plKRu8c +I# %OtkxIHOk'hQ"&x h +${9 6|D3\1)Ce=5vMch \ No newline at end of file diff --git a/secrets/secrets.nix b/secrets/secrets.nix index c09b8c9..e8853ac 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix @@ -15,6 +15,8 @@ let ]; _matrix = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIApAkkhHLj918co/wUGuyW8WCPYHxsNM4uo32XDEu7VV root@matrix"; + _md = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFdFkdEEDXo8+k5YZpI1O2GqZlxcpCDtxqVun35duITm root@md"; + _sql = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPcSXjDSyVVVdJbpheOhT0fIuOGFk+jsHhjrAVnBNLQV root@sql"; in { "matrix_admin_password.age".publicKeys = users; @@ -25,4 +27,7 @@ in "pushover_user_key.age".publicKeys = users ++ [ _matrix ]; "grafana_admin_password.age".publicKeys = users ++ [ _matrix ]; "grafana_secret_key.age".publicKeys = users ++ [ _matrix ]; + "postgres-matrix-synapse.age".publicKeys = users ++ [ _sql _matrix ]; + "postgres-hedgedoc.age".publicKeys = users ++ [ _sql _md ]; } + 
diff --git a/services/postgres.nix b/services/postgres.nix
index 75eb281..e50f232 100644
--- a/services/postgres.nix
+++ b/services/postgres.nix
@@ -10,6 +10,7 @@
 "--locale=C"
 "--encoding=UTF8"
 ];
+ settings.listen_addresses = "*";
 };
 postgresqlBackup = {
 enable = true;
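Review bot: `settings.listen_addresses = "*";` is added to the shared services/postgres.nix, so every host that imports this module binds PostgreSQL on all interfaces, not only sql; the sql host already sets `enableTCPIP = true` in hosts/sql/postgres.nix, and if I read the NixOS module right that option already selects `"*"` for listen_addresses, which makes this line redundant for sql and only widens exposure on any other host importing the file without the 5432 firewall rules. Either drop the line, or move it into hosts/sql/ next to the firewall rules that justify it; if it has to stay here, a comment such as `# Bind on all interfaces; importing hosts must restrict 5432 in networking.firewall` would make the expectation explicit.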