xengi/infra
0
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
infra/hosts/sql/postgres.nix
Ricardo (XenGi) Band 0f9c1accf1
wip
2026-02-04 00:51:00 +01:00

70 lines
2.1 KiB
Nix
Raw Blame History

{ config, pkgs, ... }:
let
fqdn = "sql.${config.networking.domain}";
# Create postgres-<username> entry in agenix
# mkEntry <username> <last IP address octet>
entries = [
(mkEntry "matrix-synapse" 25)
(mkEntry "hedgedoc" 24)
];
mkEntry = name: octet: {
user = {
name = name;
ensureDBOwnership = true;
};
database = name;
# TYPE DATABASE USER ADDRESS METHOD
auth = ''
#hostssl ${name} ${name} 195.160.173.${toString octet}/32 scram-sha-256
#hostssl ${name} ${name} 2001:678:760:cccb::${toString octet}/128 scram-sha-256
host ${name} ${name} 195.160.173.${toString octet}/32 scram-sha-256
host ${name} ${name} 2001:678:760:cccb::${toString octet}/128 scram-sha-256
'';
};
mkPasswordSQL = e: ''
DO $do$
BEGIN
IF EXISTS (SELECT 1 FROM pg_roles WHERE rolname = '${e.user.name}') THEN
EXECUTE format(
'ALTER ROLE %I WITH PASSWORD %L',
'${e.user.name}',
trim(both E'\n' from pg_read_file('${config.age.secrets.postgres-${entry.user.name}.path}'))
);
END IF;
END
$do$;
'';
passwordScript = pkgs.writeText "postgres-passwords.sql" (builtins.concatStringsSep "\n" (map mkPasswordSQL entries));
in
{
services = {
#nginx = {
# enable = true;
# virtualHosts."${fqdn}" = {
# enableACME = true;
# locations."/".return = "418";
# };
#};
postgresql = {
#enableTCPIP = true;
#settings = {
# ssl = "on";
# ssl_cert_file = "${config.security.acme.certs."${fqdn}".directory}/server.crt";
# ssl_key_file = "${config.security.acme.certs."${fqdn}".directory}/server.key";
# ssl_ca_file = "${config.security.acme.certs."${fqdn}".directory}/ca.crt";
#};
ensureUsers = map (e: e.user) entries;
ensureDatabases = map (e: e.database) entries;
authentication = "${builtins.concatStringsSep "\n" (map (e: e.auth) entries)}";
};
};
systemd.services.postgresql.postStart = ''
${pkgs.postgresql}/bin/psql \
--dbname=postgres \
--no-password \
--file=${passwordScript}
'';
}
Reference in a new issue View git blame Copy permalink