X-Git-Url: https://git.immae.eu/?a=blobdiff_plain;f=modules%2Fprivate%2Fdatabases%2Fpostgresql.nix;h=85112208a92e57cf9f0b90f4857d768742e6a68c;hb=e34b30796934686fedc660fe8aef2990622b7cf5;hp=fdab2f0bd6427c99b4a6e02d93630ba2b5c7b586;hpb=bd0cb07b13aecd16a0782492655843a1b699611d;p=perso%2FImmae%2FConfig%2FNix.git diff --git a/modules/private/databases/postgresql.nix b/modules/private/databases/postgresql.nix index fdab2f0..8511220 100644 --- a/modules/private/databases/postgresql.nix +++ b/modules/private/databases/postgresql.nix @@ -98,7 +98,6 @@ in { networking.firewall.allowedTCPPorts = [ 5432 ]; security.acme.certs."postgresql" = config.myServices.databasesCerts // { - user = "postgres"; group = "postgres"; domain = "db-1.immae.eu"; postRun = '' @@ -108,10 +107,18 @@ in { systemd.services.postgresql.serviceConfig = { SupplementaryGroups = "keys"; + ExecStartPre = [ ("+" + (pkgs.writeShellScript "postgresql-fix-cert" '' + # postgresql complains: + # private key file "${config.security.acme.certs.postgresql.directory}/key.pem" must be owned by the database user or root + cp -f + "${config.security.acme.certs.postgresql.directory}/key.pem" "${config.services.postgresql.dataDir}/key.pem" + chown postgres:postgres "${config.services.postgresql.dataDir}/key.pem" + chmod go-r "${config.services.postgresql.dataDir}/key.pem" + '')) ]; }; systemd.services.postgresql.postStart = lib.mkAfter '' # This line is already defined in 19.09 - PSQL="${pkgs.sudo}/bin/sudo -u postgres psql --port=5432" + PSQL="psql --port=5432" ${builtins.concatStringsSep "\n" (lib.mapAttrsToList (role: _: '' $PSQL -tAc "SELECT 1 FROM pg_roles WHERE rolname='${role}'" \ @@ -134,28 +141,29 @@ in { enable = true; package = cfg.package; enableTCPIP = true; - extraConfig = '' - max_connections = 100 - wal_level = logical - shared_buffers = 512MB - work_mem = 10MB - max_wal_size = 1GB - min_wal_size = 80MB - log_timezone = 'Europe/Paris' - datestyle = 'iso, mdy' - timezone = 'Europe/Paris' - lc_messages = 'en_US.UTF-8' - lc_monetary = 'en_US.UTF-8' - lc_numeric = 'en_US.UTF-8' - lc_time = 'en_US.UTF-8' - default_text_search_config = 'pg_catalog.english' + checkConfig = false; + settings = { + max_connections = 100; + wal_level = "logical"; + shared_buffers = "512MB"; + work_mem = "10MB"; + max_wal_size = "1GB"; + min_wal_size = "80MB"; + log_timezone = "Europe/Paris"; + datestyle = "iso, mdy"; + timezone = "Europe/Paris"; + lc_messages = "en_US.UTF-8"; + lc_monetary = "en_US.UTF-8"; + lc_numeric = "en_US.UTF-8"; + lc_time = "en_US.UTF-8"; + default_text_search_config = "pg_catalog.english"; # this introduces a small delay before storing on disk, but # makes it order of magnitudes quicker - synchronous_commit = off - ssl = on - ssl_cert_file = '${config.security.acme.certs.postgresql.directory}/fullchain.pem' - ssl_key_file = '${config.security.acme.certs.postgresql.directory}/key.pem' - ''; + synchronous_commit = "off"; + ssl = "on"; + ssl_cert_file = "${config.security.acme.certs.postgresql.directory}/fullchain.pem"; + ssl_key_file = "${config.services.postgresql.dataDir}/key.pem"; + }; authentication = let hosts = builtins.concatStringsSep "\n" ( lib.lists.flatten (lib.mapAttrsToList (k: vs: map (v: