1 { lib, pkgs, config, myconfig, ... }:
3 cfg = config.myServices.databases.postgresql;
5 options.myServices.databases = {
7 enable = lib.mkOption {
10 description = "Whether to enable postgresql database";
11 type = lib.types.bool;
14 socketsDir = lib.mkOption {
15 type = lib.types.path;
16 default = "/run/postgresql";
18 The directory where Postgresql puts sockets.
22 systemdRuntimeDirectory = lib.mkOption {
24 # Use ReadWritePaths= instead if socketsDir is outside of /run
25 default = assert lib.strings.hasPrefix "/run/" cfg.socketsDir;
26 lib.strings.removePrefix "/run/" cfg.socketsDir;
28 Adjusted Postgresql sockets directory for systemd
35 config = lib.mkIf cfg.enable {
36 nixpkgs.overlays = [ (self: super: rec {
37 postgresql = self.postgresql_11_custom;
40 networking.firewall.allowedTCPPorts = [ 5432 ];
42 security.acme.certs."postgresql" = config.myServices.databasesCerts // {
45 plugins = [ "fullchain.pem" "key.pem" "account_key.json" ];
46 domain = "db-1.immae.eu";
48 systemctl reload postgresql.service
52 systemd.services.postgresql.serviceConfig = {
53 SupplementaryGroups = "keys";
54 RuntimeDirectory = cfg.systemdRuntimeDirectory;
56 services.postgresql = rec {
58 package = pkgs.postgresql;
63 shared_buffers = 512MB
67 log_timezone = 'Europe/Paris'
68 datestyle = 'iso, mdy'
69 timezone = 'Europe/Paris'
70 lc_messages = 'en_US.UTF-8'
71 lc_monetary = 'en_US.UTF-8'
72 lc_numeric = 'en_US.UTF-8'
73 lc_time = 'en_US.UTF-8'
74 default_text_search_config = 'pg_catalog.english'
76 ssl_cert_file = '${config.security.acme.directory}/postgresql/fullchain.pem'
77 ssl_key_file = '${config.security.acme.directory}/postgresql/key.pem'
80 local all postgres ident
82 hostssl all all 188.165.209.148/32 md5
83 hostssl all all 178.33.252.96/32 md5
84 hostssl all all all pam
85 hostssl replication backup-1 2001:41d0:302:1100::9:e5a9/128 pam pamservice=postgresql_replication
86 hostssl replication backup-1 54.37.151.137/32 pam pamservice=postgresql_replication
92 dest = "postgresql/pam";
96 text = with myconfig.env.databases.postgresql.pam; ''
97 host ${myconfig.env.ldap.host}
98 base ${myconfig.env.ldap.base}
106 dest = "postgresql/pam_replication";
107 permissions = "0400";
111 host ${myconfig.env.ldap.host}
112 base ${myconfig.env.ldap.base}
113 binddn ${myconfig.env.ldap.host_dn}
114 bindpw ${myconfig.env.ldap.password}
115 pam_login_attribute cn
121 security.pam.services = let
122 pam_ldap = "${pkgs.pam_ldap}/lib/security/pam_ldap.so";
127 auth required ${pam_ldap} config=${config.secrets.location}/postgresql/pam
128 account required ${pam_ldap} config=${config.secrets.location}/postgresql/pam
132 name = "postgresql_replication";
134 auth required ${pam_ldap} config=${config.secrets.location}/postgresql/pam_replication
135 account required ${pam_ldap} config=${config.secrets.location}/postgresql/pam_replication