Move databases configs to modules
diff --git a/nixops/modules/databases/postgresql.nix b/nixops/modules/databases/postgresql.nix
deleted file mode 100644 (file)
index de0820f..0000000
+++ /dev/null
@@ -1,120 +0,0 @@
-{ lib, pkgs, config, myconfig,  ... }:
-let
-    cfg = config.services.myDatabases;
-in {
-  options.services.myDatabases = {
-    postgresql = {
-      enable = lib.mkOption {
-        default = cfg.enable;
-        example = true;
-        description = "Whether to enable postgresql database";
-        type = lib.types.bool;
-      };
-    };
-  };
-
-  config = lib.mkIf cfg.enable {
-    nixpkgs.overlays = [ (self: super: rec {
-      postgresql = self.postgresql_11_custom;
-    }) ];
-
-    networking.firewall.allowedTCPPorts = [ 5432 ];
-
-    security.acme.certs."postgresql" = config.services.myCertificates.certConfig // {
-      user = "postgres";
-      group = "postgres";
-      plugins = [ "fullchain.pem" "key.pem" "account_key.json" ];
-      domain = "db-1.immae.eu";
-      postRun = ''
-        systemctl reload postgresql.service
-      '';
-    };
-
-    systemd.services.postgresql.serviceConfig.SupplementaryGroups = "keys";
-    systemd.services.postgresql.serviceConfig.RuntimeDirectory = "postgresql";
-    services.postgresql = rec {
-      enable = cfg.postgresql.enable;
-      package = pkgs.postgresql;
-      enableTCPIP = true;
-      extraConfig = ''
-        max_connections = 100
-        wal_level = logical
-        shared_buffers = 512MB
-        work_mem = 10MB
-        max_wal_size = 1GB
-        min_wal_size = 80MB
-        log_timezone = 'Europe/Paris'
-        datestyle = 'iso, mdy'
-        timezone = 'Europe/Paris'
-        lc_messages = 'en_US.UTF-8'
-        lc_monetary = 'en_US.UTF-8'
-        lc_numeric = 'en_US.UTF-8'
-        lc_time = 'en_US.UTF-8'
-        default_text_search_config = 'pg_catalog.english'
-        ssl = on
-        ssl_cert_file = '/var/lib/acme/postgresql/fullchain.pem'
-        ssl_key_file = '/var/lib/acme/postgresql/key.pem'
-        '';
-      authentication = ''
-        local  all     postgres                                ident
-        local  all     all                                     md5
-        hostssl        all     all     188.165.209.148/32              md5
-        hostssl        all     all     178.33.252.96/32                md5
-        hostssl        all     all     all                             pam
-        hostssl        replication     backup-1        2001:41d0:302:1100::9:e5a9/128  pam pamservice=postgresql_replication
-        hostssl        replication     backup-1        54.37.151.137/32                pam pamservice=postgresql_replication
-      '';
-    };
-
-    secrets.keys = [
-      {
-        dest = "postgresql/pam";
-        permissions = "0400";
-        group = "postgres";
-        user = "postgres";
-        text =  with myconfig.env.databases.postgresql.pam; ''
-          host ${myconfig.env.ldap.host}
-          base ${myconfig.env.ldap.base}
-          binddn ${dn}
-          bindpw ${password}
-          pam_filter ${filter}
-          ssl start_tls
-        '';
-      }
-      {
-        dest = "postgresql/pam_replication";
-        permissions = "0400";
-        group = "postgres";
-        user = "postgres";
-        text = ''
-          host ${myconfig.env.ldap.host}
-          base ${myconfig.env.ldap.base}
-          binddn ${myconfig.env.ldap.host_dn}
-          bindpw ${myconfig.env.ldap.password}
-          pam_login_attribute cn
-          ssl start_tls
-        '';
-      }
-    ];
-
-    security.pam.services = let
-      pam_ldap = "${pkgs.pam_ldap}/lib/security/pam_ldap.so";
-    in [
-      {
-        name = "postgresql";
-        text = ''
-          auth    required ${pam_ldap} config=/var/secrets/postgresql/pam
-          account required ${pam_ldap} config=/var/secrets/postgresql/pam
-          '';
-      }
-      {
-        name = "postgresql_replication";
-        text = ''
-          auth    required ${pam_ldap} config=/var/secrets/postgresql/pam_replication
-          account required ${pam_ldap} config=/var/secrets/postgresql/pam_replication
-          '';
-      }
-    ];
-  };
-}
-