'';
readOnly = true;
};
- systemdRuntimeDirectory = lib.mkOption {
- type = lib.types.str;
- # Use ReadWritePaths= instead if socketsDir is outside of /run
- default = assert lib.strings.hasPrefix "/run/" cfg.socketsDir;
- lib.strings.removePrefix "/run/" cfg.socketsDir;
- description = ''
- Adjusted Postgresql sockets directory for systemd
- '';
- readOnly = true;
- };
};
};
security.acme.certs."postgresql" = config.myServices.databasesCerts // {
user = "postgres";
group = "postgres";
- plugins = [ "fullchain.pem" "key.pem" "account_key.json" ];
domain = "db-1.immae.eu";
postRun = ''
systemctl reload postgresql.service
systemd.services.postgresql.serviceConfig = {
SupplementaryGroups = "keys";
- RuntimeDirectory = cfg.systemdRuntimeDirectory;
};
systemd.services.postgresql.postStart = lib.mkAfter ''
# This line is already defined in 19.09
lc_numeric = 'en_US.UTF-8'
lc_time = 'en_US.UTF-8'
default_text_search_config = 'pg_catalog.english'
+ # this introduces a small delay before storing on disk, but
+ # makes it order of magnitudes quicker
+ synchronous_commit = off
ssl = on
- ssl_cert_file = '${config.security.acme.directory}/postgresql/fullchain.pem'
- ssl_key_file = '${config.security.acme.directory}/postgresql/key.pem'
+ ssl_cert_file = '${config.security.acme.certs.postgresql.directory}/fullchain.pem'
+ ssl_key_file = '${config.security.acme.certs.postgresql.directory}/key.pem'
'';
authentication = let
hosts = builtins.concatStringsSep "\n" (
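Review bot: The comment above the new `synchronous_commit = off` line understates the trade-off: with it off, COMMIT returns before the WAL is fsynced, so an OS crash or power loss can silently lose the most recent committed transactions (roughly the last few hundred milliseconds with default wal_writer_delay), and it also voids any synchronous-replication guarantee for the standby this file configures PAM replication auth for — it never corrupts the cluster, but callers lose durability. Since this goes into postgresql.conf it applies to every database and role in the cluster; if only some workloads need the speed-up, `ALTER ROLE`/`SET LOCAL synchronous_commit = off` for those is the safer shape. At minimum I would replace the comment with `# commits return before WAL fsync: a crash can lose the last few hundred ms of committed transactions (no corruption) and synchronous replication is no longer guaranteed`. The ssl_* path change is fine as long as the ACME key lands owned by postgres with a non-world-readable mode, which the `user`/`group` settings in the certs block above appear to provide.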
security.pam.services = let
pam_ldap = "${pkgs.pam_ldap}/lib/security/pam_ldap.so";
- in [
- {
- name = "postgresql";
+ in {
+ postgresql = {
text = ''
auth required ${pam_ldap} config=${config.secrets.location}/postgresql/pam
account required ${pam_ldap} config=${config.secrets.location}/postgresql/pam
'';
- }
- {
- name = "postgresql_replication";
+ };
+ postgresql_replication = {
text = ''
auth required ${pam_ldap} config=${config.secrets.location}/postgresql/pam_replication
account required ${pam_ldap} config=${config.secrets.location}/postgresql/pam_replication
'';
- }
- ];
+ };
+ };
};
}
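Review bot: The two PAM stacks are identical apart from the pam_ldap config file, and nothing records what `pam_replication` restricts compared to `pam`; a one-line comment on the `postgresql_replication` service such as `# separate LDAP filter so only replication accounts can open replication connections` would tell the next maintainer why two stacks exist (the exact restriction has to be confirmed against the config file itself, which is outside this diff). Those config files under `config.secrets.location` presumably carry an LDAP bind DN and password, so they should be readable only by the postgres user — worth stating in the same comment since nothing here shows their permissions.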