Compare commits


No commits in common. "wip" and "main" have entirely different histories.
wip ... main

4 changed files with 25 additions and 63 deletions


@ -110,16 +110,6 @@
modules = [ modules = [
agenix.nixosModules.default agenix.nixosModules.default
{ environment.systemPackages = [ (agenix.packages.${system}.default) ]; } { environment.systemPackages = [ (agenix.packages.${system}.default) ]; }
{
age.secrets = {
postgres-user-password-pda = {
file = ./secrets/postgres-user-password-pda.age;
owner = "postgres";
group = "postgres";
mode = "0400";
};
};
}
./hosts/sql ./hosts/sql
]; ];
}; };


@ -9,11 +9,14 @@
networking = { networking = {
hostName = "sql"; hostName = "sql";
firewall.extraInputRules = '' firewall = {
enable = true;
extraInputRules = ''
ip saddr 195.160.173.0/24 ip daddr 195.160.173.15 tcp dport 5432 accept ip saddr 195.160.173.0/24 ip daddr 195.160.173.15 tcp dport 5432 accept
ip6 saddr 2001:678:760:cccb::/64 ip6 daddr 2001:678:760:cccb::15 tcp dport 5432 accept ip6 saddr 2001:678:760:cccb::/64 ip6 daddr 2001:678:760:cccb::15 tcp dport 5432 accept
''; '';
}; };
};
services = { services = {
openssh.banner = '' openssh.banner = ''
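Review bot: The accept rules on the new side are nftables syntax, and NixOS only consumes `firewall.extraInputRules` with the nftables backend, so if `networking.nftables.enable` is not set elsewhere for this host these rules are never installed and 5432 stays closed (or evaluation fails, depending on the NixOS release) — worth a comment next to `enable = true;` such as `# extraInputRules is nftables-only; needs networking.nftables.enable`. Note that `enable = true` is already the NixOS default, so the explicit line documents intent rather than changing posture. The rules still admit the whole 195.160.173.0/24 and 2001:678:760:cccb::/64 to the listener, leaving pg_hba as the only per-client control; fine if intended, but say so in a comment. The `openssh.banner` value opens on the hunk's last line and continues outside it.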


@ -1,42 +1,8 @@
{ config, pkgs, ... }: { config, ... }:
let let
fqdn = "sql.${config.networking.domain}"; fqdn = "sql.${config.networking.domain}";
# Create postgres-<username> entry in agenix mkEntry = "fancy function that takes a name and IP octed and creates a user, db and auth lines";
# mkEntry <username> <last IP address octet>
entries = [
(mkEntry "matrix-synapse" 25)
(mkEntry "hedgedoc" 24)
];
mkEntry = name: octet: {
user = {
name = name;
ensureDBOwnership = true;
};
database = name;
# TYPE DATABASE USER ADDRESS METHOD
auth = ''
#hostssl ${name} ${name} 195.160.173.${toString octet}/32 scram-sha-256
#hostssl ${name} ${name} 2001:678:760:cccb::${toString octet}/128 scram-sha-256
host ${name} ${name} 195.160.173.${toString octet}/32 scram-sha-256
host ${name} ${name} 2001:678:760:cccb::${toString octet}/128 scram-sha-256
'';
};
mkPasswordSQL = e: ''
DO $do$
BEGIN
IF EXISTS (SELECT 1 FROM pg_roles WHERE rolname = '${e.user.name}') THEN
EXECUTE format(
'ALTER ROLE %I WITH PASSWORD %L',
'${e.user.name}',
trim(both E'\n' from pg_read_file('${config.age.secrets.postgres-${entry.user.name}.path}'))
);
END IF;
END
$do$;
'';
passwordScript = pkgs.writeText "postgres-passwords.sql" (builtins.concatStringsSep "\n" (map mkPasswordSQL entries));
in in
{ {
services = { services = {
@ -55,16 +21,23 @@ in
# ssl_key_file = "${config.security.acme.certs."${fqdn}".directory}/server.key"; # ssl_key_file = "${config.security.acme.certs."${fqdn}".directory}/server.key";
# ssl_ca_file = "${config.security.acme.certs."${fqdn}".directory}/ca.crt"; # ssl_ca_file = "${config.security.acme.certs."${fqdn}".directory}/ca.crt";
#}; #};
ensureUsers = map (e: e.user) entries; ensureUsers = [
ensureDatabases = map (e: e.database) entries; {
authentication = "${builtins.concatStringsSep "\n" (map (e: e.auth) entries)}"; name = "pda";
}; ensureDBOwnership = true;
}; }
systemd.services.postgresql.postStart = '' ];
${pkgs.postgresql}/bin/psql \ ensureDatabases = [
--dbname=postgres \ "pda"
--no-password \ ];
--file=${passwordScript} authentication = ''
# TYPE DATABASE USER ADDRESS METHOD
#hostssl pda pda 195.160.173.15/32 scram-sha-256
#hostssl pda pda 2001:678:760:cccb::15/128 scram-sha-256
host pda pda 195.160.173.15/32 scram-sha-256
host pda pda 2001:678:760:cccb::15/128 scram-sha-256
''; '';
};
};
} }
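Review bot: The new `pda` role has no visible password source once the agenix-backed postStart script is dropped, yet both pg_hba lines still demand `scram-sha-256`, so `pda` cannot authenticate from 195.160.173.15 / ::15 until a password is set by hand (`ensureUsers` does not set one); if that is the plan, state it: `# pda's password is set out-of-band; ensureUsers never assigns one`. The surviving `host` lines accept plaintext TCP while the `hostssl` variants and the ssl_* block remain commented out, so the session payload (not the SCRAM exchange) crosses the /24 unencrypted — either note that or re-enable `hostssl` once the ACME certificate is wired in. The `mkEntry = "fancy function ..."` binding is an unused string standing in for a note and carries a typo ("octed"); make it a comment, e.g. `# TODO: mkEntry = name: octet: { user, database, auth } helper`. The `services.postgresql` block whose options the second hunk edits starts between the two hunks, outside the diff.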


@ -15,8 +15,6 @@ let
]; ];
_matrix = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIApAkkhHLj918co/wUGuyW8WCPYHxsNM4uo32XDEu7VV root@matrix"; _matrix = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIApAkkhHLj918co/wUGuyW8WCPYHxsNM4uo32XDEu7VV root@matrix";
_md = "";
_sql = "";
in in
{ {
"matrix_admin_password.age".publicKeys = users; "matrix_admin_password.age".publicKeys = users;
@ -27,6 +25,4 @@ in
"pushover_user_key.age".publicKeys = users ++ [ _matrix ]; "pushover_user_key.age".publicKeys = users ++ [ _matrix ];
"grafana_admin_password.age".publicKeys = users ++ [ _matrix ]; "grafana_admin_password.age".publicKeys = users ++ [ _matrix ];
"grafana_secret_key.age".publicKeys = users ++ [ _matrix ]; "grafana_secret_key.age".publicKeys = users ++ [ _matrix ];
"postgres-matrix-synapse.age".publicKeys = users ++ [ _sql _matrix ];
"postgres-hedgedoc.age".publicKeys = users ++ [ _sql _md ];
} }