url = "mirror://postgresql/source/v11.1/${name}.tar.bz2";
sha256 = "026v0sicsh7avzi45waf8shcbhivyxmi7qgn9fd1x0vl520mx0ch";
};
+ configureFlags = old.configureFlags ++ [ "--with-pam" ];
+ buildInputs = (old.buildInputs or []) ++ [ pkgs.pam ];
+ patches = old.patches ++ [
+ ./postgresql_run_socket_path.patch
+ ];
});
mariadb = mariadbPAM;
mariadbPAM = oldpkgs.mariadb.overrideAttrs(old: rec {
package = pkgs.mariadb;
};
+ # Cannot use eldiron: psql complains too much rights on the key, and
+ # setfacl cannot work properly because of acme prestart script
+ security.acme.certs."postgresql" = config.services.myCertificates.certConfig // {
+ user = "postgres";
+ group = "postgres";
+ plugins = [ "fullchain.pem" "key.pem" "account_key.json" ];
+ domain = "db-1.immae.eu";
+ postRun = ''
+ systemctl reload postgresql.service
+ '';
+ };
+
+ system.activationScripts.postgresql = ''
+ install -m 0755 -o postgres -g postgres -d /run/postgresql
+ '';
+
# FIXME: initial sync
- # FIXME: backup
- # FIXME: ssl
services.postgresql = rec {
enable = cfg.postgresql.enable;
package = pkgs.postgresql;
lc_numeric = 'en_US.UTF-8'
lc_time = 'en_US.UTF-8'
default_text_search_config = 'pg_catalog.english'
- # ssl = on
- # ssl_cert_file = '/var/lib/acme/eldiron/fullchain.pem'
- # ssl_key_file = '/var/lib/acme/eldiron/key.pem'
+ ssl = on
+ ssl_cert_file = '/var/lib/acme/postgresql/fullchain.pem'
+ ssl_key_file = '/var/lib/acme/postgresql/key.pem'
'';
authentication = ''
local all postgres ident
local all all md5
- host all all samehost md5
- host all all 178.33.252.96/32 md5
- host all all 188.165.209.148/32 md5
- #host all all all pam
+ hostssl all all samehost md5
+ hostssl all all 178.33.252.96/32 md5
+ hostssl all all 188.165.209.148/32 md5
+ hostssl all all all pam
+ hostssl replication backup-1 2001:41d0:302:1100::9:e5a9/128 pam pamservice=postgresql_replication
+ hostssl replication backup-1 54.37.151.137/32 pam pamservice=postgresql_replication
'';
};
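Review bot: `hostssl all all all pam` accepts a password for every database role from any source address, where the rules it replaces were limited to `samehost` and two fixed hosts; the only thing now narrowing who may log in is the default `postgresql` PAM service, which in this commit points at the `pam_ldap_postgresql_replication` config, so the effective access list lives in that LDAP config rather than in pg_hba. If internet-wide access is intended, document it above the line, e.g. `# any address: the postgresql PAM service decides which directory accounts may log in`; otherwise name the eligible roles instead of `all`, e.g. `hostssl all +db_users all pam` (role group name is a placeholder). The two replication rules are correctly pinned to the backup host's single addresses. Since `pam` sends the cleartext password to the server, the switch from `host` to `hostssl` together with `ssl = on` above is what keeps these credentials off the wire.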
bindpw ${builtins.getEnv "NIXOPS_MYSQL_PAM_PASSWORD"}
pam_filter memberOf=cn=users,cn=mysql,cn=pam,ou=services,dc=immae,dc=eu
'';
+ pam_ldap_postgresql_replication = assert mylibs.checkEnv "NIXOPS_ELDIRON_LDAP_PASSWORD";
+ pkgs.writeText "postgresql.conf" ''
+ host ldap.immae.eu
+ base dc=immae,dc=eu
+ binddn cn=eldiron,ou=hosts,dc=immae,dc=eu
+ bindpw ${builtins.getEnv "NIXOPS_ELDIRON_LDAP_PASSWORD"}
+ pam_login_attribute cn
+ '';
in [
{
name = "mysql";
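Review bot: `pam_ldap_postgresql_replication` has no `pam_filter`, unlike the mysql config directly above it (`pam_filter memberOf=cn=users,cn=mysql,cn=pam,ou=services,dc=immae,dc=eu`), so `account` succeeds for any entry under `dc=immae,dc=eu` whose `cn` matches the requested role and whose password is valid, including ordinary user accounts; because the general `postgresql` PAM service added in this commit reuses this same config, that is the whole access-control list behind `hostssl all all all pam`. Add a group filter mirroring the mysql one, e.g. `pam_filter memberOf=cn=<group>,cn=postgresql,cn=pam,ou=services,dc=immae,dc=eu` (group DN is a placeholder to fill in). As with the existing mysql config, `pkgs.writeText` puts the `bindpw` for `cn=eldiron,ou=hosts` into the world-readable Nix store; the commit follows the established pattern, but a 0600 file deployed outside the store would keep that host credential from every local account. The `let` block this binding belongs to starts outside the hunk.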
account required ${pam_ldap}/lib/security/pam_ldap.so config=${pam_ldap_mysql}
'';
}
+ {
+ name = "postgresql";
+ text = ''
+ auth required ${pam_ldap}/lib/security/pam_ldap.so config=${pam_ldap_postgresql_replication}
+ account required ${pam_ldap}/lib/security/pam_ldap.so config=${pam_ldap_postgresql_replication}
+ '';
+ }
+ {
+ name = "postgresql_replication";
+ text = ''
+ auth required ${pam_ldap}/lib/security/pam_ldap.so config=${pam_ldap_postgresql_replication}
+ account required ${pam_ldap}/lib/security/pam_ldap.so config=${pam_ldap_postgresql_replication}
+ '';
+ }
];
# FIXME: backup
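Review bot: The `postgresql` and `postgresql_replication` services are byte-identical and both reference `pam_ldap_postgresql_replication`, so `pamservice=postgresql_replication` on the replication rules provides no separation from the default service used by ordinary logins: any directory account that can pass one can pass the other. Either give the `postgresql` service its own config (`config=${pam_ldap_postgresql}` with a filter for database users, new binding name is a suggestion) or, if one policy is intended, drop the second service and the `pamservice=` parameters so the config does not imply a distinction that does not exist. A comment above each entry naming the pg_hba rules that use it would help the next reader, e.g. `# default PAM service for the hostssl ... pam rules`. The `in [` list these entries belong to begins outside the hunk.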