-{ lib, pkgs, config, myconfig, mylibs, ... }:
+{ lib, pkgs, config, myconfig, ... }:
let
cfg = config.services.myDatabases;
in {
config = lib.mkIf cfg.enable {
nixpkgs.overlays = [ (self: super: rec {
- postgresql = postgresql_11;
- postgresql_11 = super.postgresql_11.overrideAttrs(old: rec {
- passthru = old.passthru // { psqlSchema = "11.0"; };
- configureFlags = old.configureFlags ++ [ "--with-pam" ];
- buildInputs = (old.buildInputs or []) ++ [ self.pam ];
- patches = old.patches ++ [
- ./postgresql_run_socket_path.patch
- ];
- });
+ postgresql = self.postgresql_11_custom;
}) ];
networking.firewall.allowedTCPPorts = [ 5432 ];
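Review bot: The overlay on the new side replaces the inline override with `postgresql = self.postgresql_11_custom;`, so the `--with-pam` configure flag, the `pam` build input and the socket-path patch that used to be applied here are no longer visible in this file; the PAM services declared further down only work if `postgresql_11_custom` is built with PAM support, and nothing here records that dependency. Since the definition of `postgresql_11_custom` is outside this hunk I cannot confirm it carries those flags; a short comment at the overlay line would keep the coupling explicit, e.g. `# postgresql_11_custom must be built with --with-pam and the run-socket patch; security.pam.services.postgresql* below rely on it`. The enclosing `config = lib.mkIf cfg.enable { … }` set continues past the end of the hunk.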
'';
};
- deployment.keys = {
- postgresql-pam = {
- destDir = "/run/keys/postgresql";
+ secrets.keys = [
+ {
+ dest = "postgresql/pam";
permissions = "0400";
group = "postgres";
user = "postgres";
pam_filter ${filter}
ssl start_tls
'';
- };
- postgresql-pam_replication = {
- destDir = "/run/keys/postgresql";
+ }
+ {
+ dest = "postgresql/pam_replication";
permissions = "0400";
group = "postgres";
user = "postgres";
pam_login_attribute cn
ssl start_tls
'';
- };
- };
+ }
+ ];
security.pam.services = let
pam_ldap = "${pkgs.pam_ldap}/lib/security/pam_ldap.so";
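Review bot: The key destinations are declared relative (`dest = "postgresql/pam"`, `dest = "postgresql/pam_replication"`), but the pam_ldap lines in the next hunk reference them by the hard-coded absolute paths `/var/secrets/postgresql/pam` and `/var/secrets/postgresql/pam_replication`; the `/var/secrets` prefix that links the two is not visible in this file, so a change to the secrets module's base directory would silently break PAM authentication for postgres rather than fail at evaluation. Prefer deriving the path from the option the secrets module exposes, or at least add a comment at the `secrets.keys` list: `# dest is relative to the secrets base dir; the absolute paths are repeated in security.pam.services below — keep both in sync`. The move from `/run/keys` (the old deployment.keys location) to `/var/secrets` also appears to change where these pam_ldap config files live at rest; if they carry LDAP bind credentials, confirm the new module still honours the 0400 `permissions` and that the `postgresql/` directory itself is not traversable by other users. The surrounding `config` attribute set starts and ends outside this hunk.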
{
name = "postgresql";
text = ''
- auth required ${pam_ldap} config=/run/keys/postgresql/postgresql-pam
- account required ${pam_ldap} config=/run/keys/postgresql/postgresql-pam
+ auth required ${pam_ldap} config=/var/secrets/postgresql/pam
+ account required ${pam_ldap} config=/var/secrets/postgresql/pam
'';
}
{
name = "postgresql_replication";
text = ''
- auth required ${pam_ldap} config=/run/keys/postgresql/postgresql-pam_replication
- account required ${pam_ldap} config=/run/keys/postgresql/postgresql-pam_replication
+ auth required ${pam_ldap} config=/var/secrets/postgresql/pam_replication
+ account required ${pam_ldap} config=/var/secrets/postgresql/pam_replication
'';
}
];