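{ config, lib, pkgs, ... }:
let
  # Host name used by the (currently disabled) nginx/ACME and TLS settings below.
  fqdn = "sql.${config.networking.domain}";

  # One entry per PostgreSQL role/database pair. Each entry expects an agenix
  # secret named "postgres-<name>" whose contents are the role's password.
  # The secret file is read by the server process at postStart (see
  # mkPasswordSQL), so it has to be readable by the postgresql service user.
  entries = [
    (mkEntry "matrix-synapse" 25)
    (mkEntry "hedgedoc" 24)
  ];

  # Build an entry: role and database share `name`. `octet` becomes the last
  # IPv4 octet and the last IPv6 group of the permitted client address.
  # NOTE(review): the IPv6 group is hexadecimal notation, so octet 25 yields
  # ::25, which is not the same number as .25 -- presumably intentional; confirm.
  mkEntry = name: octet: {
    user = {
      name = name;
      # ensureDBOwnership requires a database with the same name as the role.
      ensureDBOwnership = true;
    };
    database = name;
    # pg_hba.conf lines for this role.
    # TYPE    DATABASE USER ADDRESS METHOD
    # The hostssl variants stay commented out until the TLS settings below are
    # enabled. The plain `host` rules still use scram-sha-256, so the password
    # exchange is protected, but the session itself is unencrypted.
    # With enableTCPIP left off the server does not listen on TCP, so these
    # rules are not reachable until it is turned on.
    auth = ''
      #hostssl ${name} ${name} 195.160.173.${toString octet}/32 scram-sha-256
      #hostssl ${name} ${name} 2001:678:760:cccb::${toString octet}/128 scram-sha-256
      host ${name} ${name} 195.160.173.${toString octet}/32 scram-sha-256
      host ${name} ${name} 2001:678:760:cccb::${toString octet}/128 scram-sha-256
    '';
  };

  # SQL that sets the password of entry `e`'s role from its agenix secret.
  # The role is skipped (IF EXISTS) when it has not been created yet.
  # Role names are static constants from `entries`, not untrusted input;
  # format()'s %I/%L still quote them as identifier and literal.
  # pg_read_file runs inside the server process (superuser), so the secret path
  # must be accessible to the postgres user; only a trailing newline is trimmed.
  # Fix: the secret attribute is a dynamic name and must be quoted, and the
  # lambda parameter is `e` (the original referenced an undefined `entry`).
  mkPasswordSQL = e: ''
    DO $do$
    BEGIN
      IF EXISTS (SELECT 1 FROM pg_roles WHERE rolname = '${e.user.name}') THEN
        EXECUTE format(
          'ALTER ROLE %I WITH PASSWORD %L',
          '${e.user.name}',
          trim(both E'\n' from pg_read_file('${config.age.secrets."postgres-${e.user.name}".path}'))
        );
      END IF;
    END
    $do$;
  '';

  # All password statements in one store file; psql runs it at postStart.
  # The file only contains role names and the (non-secret) secret *paths*.
  passwordScript = pkgs.writeText "postgres-passwords.sql"
    (builtins.concatStringsSep "\n" (map mkPasswordSQL entries));
in
{
  services = {
    #nginx = {
    #  enable = true;
    #  virtualHosts."${fqdn}" = {
    #    enableACME = true;
    #    locations."/".return = "418";
    #  };
    #};
    postgresql = {
      #enableTCPIP = true;
      #settings = {
      #  ssl = "on";
      #  ssl_cert_file = "${config.security.acme.certs."${fqdn}".directory}/server.crt";
      #  ssl_key_file = "${config.security.acme.certs."${fqdn}".directory}/server.key";
      #  ssl_ca_file = "${config.security.acme.certs."${fqdn}".directory}/ca.crt";
      #};
      ensureUsers = map (e: e.user) entries;
      ensureDatabases = map (e: e.database) entries;
      # One pg_hba block per entry, in `entries` order.
      authentication = builtins.concatStringsSep "\n" (map (e: e.auth) entries);
    };
  };

  # Apply the passwords after the NixOS module's own postStart fragment, which
  # creates the ensureUsers roles; without mkAfter the order of the merged
  # fragments is not guaranteed and a not-yet-existing role would be skipped
  # silently by IF EXISTS. psql from the configured server package keeps the
  # client and server versions in step. --no-password: never prompt.
  # NOTE(review): if the NixOS release in use creates ensureUsers in a separate
  # setup unit rather than in postStart, this still runs before the roles
  # exist on first boot -- confirm against the module in use.
  systemd.services.postgresql.postStart = lib.mkAfter ''
    ${config.services.postgresql.package}/bin/psql \
      --dbname=postgres \
      --no-password \
      --file=${passwordScript}
  '';
}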