--- /dev/null
+{ lib, pkgs, config, myconfig, ... }:
+let
+ cfg = config.myServices.databases.postgresql;
+in {
+ options.myServices.databases = {
+ postgresql = {
+ enable = lib.mkOption {
+ default = cfg.enable;
+ example = true;
+ description = "Whether to enable postgresql database";
+ type = lib.types.bool;
+ };
+ # Output variables
+ socketsDir = lib.mkOption {
+ type = lib.types.path;
+ default = "/run/postgresql";
+ description = ''
+ The directory where Postgresql puts sockets.
+ '';
+ readOnly = true;
+ };
+ systemdRuntimeDirectory = lib.mkOption {
+ type = lib.types.str;
+ # Use ReadWritePaths= instead if socketsDir is outside of /run
+ default = assert lib.strings.hasPrefix "/run/" cfg.socketsDir;
+ lib.strings.removePrefix "/run/" cfg.socketsDir;
+ description = ''
+ Adjusted Postgresql sockets directory for systemd
+ '';
+ readOnly = true;
+ };
+ };
+ };
+
+ config = lib.mkIf cfg.enable {
+ nixpkgs.overlays = [ (self: super: rec {
+ postgresql = self.postgresql_11_custom;
+ }) ];
+
+ networking.firewall.allowedTCPPorts = [ 5432 ];
+
+ security.acme.certs."postgresql" = config.myServices.databasesCerts // {
+ user = "postgres";
+ group = "postgres";
+ plugins = [ "fullchain.pem" "key.pem" "account_key.json" ];
+ domain = "db-1.immae.eu";
+ postRun = ''
+ systemctl reload postgresql.service
+ '';
+ };
+
+ systemd.services.postgresql.serviceConfig = {
+ SupplementaryGroups = "keys";
+ RuntimeDirectory = cfg.systemdRuntimeDirectory;
+ };
+ services.postgresql = rec {
+ enable = true;
+ package = pkgs.postgresql;
+ enableTCPIP = true;
+ extraConfig = ''
+ max_connections = 100
+ wal_level = logical
+ shared_buffers = 512MB
+ work_mem = 10MB
+ max_wal_size = 1GB
+ min_wal_size = 80MB
+ log_timezone = 'Europe/Paris'
+ datestyle = 'iso, mdy'
+ timezone = 'Europe/Paris'
+ lc_messages = 'en_US.UTF-8'
+ lc_monetary = 'en_US.UTF-8'
+ lc_numeric = 'en_US.UTF-8'
+ lc_time = 'en_US.UTF-8'
+ default_text_search_config = 'pg_catalog.english'
+ ssl = on
+ ssl_cert_file = '/var/lib/acme/postgresql/fullchain.pem'
+ ssl_key_file = '/var/lib/acme/postgresql/key.pem'
+ '';
+ authentication = ''
+ local all postgres ident
+ local all all md5
+ hostssl all all 188.165.209.148/32 md5
+ hostssl all all 178.33.252.96/32 md5
+ hostssl all all all pam
+ hostssl replication backup-1 2001:41d0:302:1100::9:e5a9/128 pam pamservice=postgresql_replication
+ hostssl replication backup-1 54.37.151.137/32 pam pamservice=postgresql_replication
+ '';
+ };
+
+ secrets.keys = [
+ {
+ dest = "postgresql/pam";
+ permissions = "0400";
+ group = "postgres";
+ user = "postgres";
+ text = with myconfig.env.databases.postgresql.pam; ''
+ host ${myconfig.env.ldap.host}
+ base ${myconfig.env.ldap.base}
+ binddn ${dn}
+ bindpw ${password}
+ pam_filter ${filter}
+ ssl start_tls
+ '';
+ }
+ {
+ dest = "postgresql/pam_replication";
+ permissions = "0400";
+ group = "postgres";
+ user = "postgres";
+ text = ''
+ host ${myconfig.env.ldap.host}
+ base ${myconfig.env.ldap.base}
+ binddn ${myconfig.env.ldap.host_dn}
+ bindpw ${myconfig.env.ldap.password}
+ pam_login_attribute cn
+ ssl start_tls
+ '';
+ }
+ ];
+
+ security.pam.services = let
+ pam_ldap = "${pkgs.pam_ldap}/lib/security/pam_ldap.so";
+ in [
+ {
+ name = "postgresql";
+ text = ''
+ auth required ${pam_ldap} config=${config.secrets.location}/postgresql/pam
+ account required ${pam_ldap} config=${config.secrets.location}/postgresql/pam
+ '';
+ }
+ {
+ name = "postgresql_replication";
+ text = ''
+ auth required ${pam_ldap} config=${config.secrets.location}/postgresql/pam_replication
+ account required ${pam_ldap} config=${config.secrets.location}/postgresql/pam_replication
+ '';
+ }
+ ];
+ };
+}
+