X-Git-Url: https://git.immae.eu/?a=blobdiff_plain;f=nixops%2Fmodules%2Fdatabases%2Fpostgresql.nix;h=0afce70ceb8aa22b9311b69f53b36975ab15d721;hb=c1b6f97a72e0b4897ce11414df28259d4ea3c5ab;hp=7046b4566c2b37dcfd4c6c5fe1e63b7d13f7ccab;hpb=caa08508100ce2307a4c64ff047241572ff85b45;p=perso%2FImmae%2FConfig%2FNix.git
diff --git a/nixops/modules/databases/postgresql.nix b/nixops/modules/databases/postgresql.nix
index 7046b45..0afce70 100644
--- a/nixops/modules/databases/postgresql.nix
+++ b/nixops/modules/databases/postgresql.nix
@@ -1,6 +1,5 @@
-{ lib, pkgs, pkgsNext, config, myconfig, mylibs, ... }:
+{ lib, pkgs, config, myconfig, mylibs, ... }:
 let
-  pkgs = pkgsNext.appendOverlays config.nixpkgs.overlays;
   cfg = config.services.myDatabases;
 in {
   options.services.myDatabases = {
@@ -15,32 +14,6 @@ in {
   };
   config = lib.mkIf cfg.enable {
-    nixpkgs.overlays = [ (self: super: rec {
-      postgresql = postgresql_11;
-      postgresql_11 = if builtins.hasAttr "postgresql_11" super
-        then super.postgresql_11.overrideAttrs(old: rec {
-          passthru = old.passthru // { psqlSchema = "11.0"; };
-          configureFlags = old.configureFlags ++ [ "--with-pam" ];
-          buildInputs = (old.buildInputs or []) ++ [ self.pam ];
-          patches = old.patches ++ [
-            ./postgresql_run_socket_path.patch
-          ];
-        })
-        else super.postgresql100.overrideAttrs(old: rec {
-          passthru = old.passthru // { psqlSchema = "11.0"; };
-          name = "postgresql-11.1";
-          src = self.fetchurl {
-            url = "mirror://postgresql/source/v11.1/${name}.tar.bz2";
-            sha256 = "026v0sicsh7avzi45waf8shcbhivyxmi7qgn9fd1x0vl520mx0ch";
-          };
-          configureFlags = old.configureFlags ++ [ "--with-pam" ];
-          buildInputs = (old.buildInputs or []) ++ [ self.pam ];
-          patches = old.patches ++ [
-            ./postgresql_run_socket_path.patch
-          ];
-        });
-    }) ];
-
     networking.firewall.allowedTCPPorts = [ 5432 ];
     security.acme.certs."postgresql" = config.services.myCertificates.certConfig // {
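Review bot: Removing the overlay leaves `package = pkgs.postgresql;` (hunk 2) pointing at the stock nixpkgs build, and nothing in this diff shows that build getting the `--with-pam` configure flag or the `./postgresql_run_socket_path.patch` the deleted overlay applied. The PAM services kept in hunk 3 and the socket directory created in hunk 2 depend on both, so unless the overlay moved to another file in the same commit, PAM authentication and the custom socket path would fail at runtime rather than at evaluation time. A comment next to `package = pkgs.postgresql;` naming where the PAM-enabled build now comes from, e.g. `# must be a --with-pam build; provided by <OVERLAY_LOCATION placeholder>`, would make that dependency visible.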
@@ -57,6 +30,7 @@ in {
       install -m 0755 -o postgres -g postgres -d ${myconfig.env.databases.postgresql.socket}
     '';
+    systemd.services.postgresql.serviceConfig.SupplementaryGroups = "keys";
     services.postgresql = rec {
       enable = cfg.postgresql.enable;
       package = pkgs.postgresql;
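Review bot: `SupplementaryGroups = "keys"` gives the postgresql unit read access to every file the `keys` group can read, but the two secrets declared in hunk 3 are owned by `postgres` with mode 0400 and do not need group membership to be read. If the group is only required to traverse the parent secrets directory, say so next to the line, e.g. `# "keys" is only needed to traverse /var/secrets; the pam files are postgres-owned 0400`, so a later reader does not widen it further; if the secrets module does not require it, the line can be dropped. The enclosing `services.postgresql = rec {` block continues past the hunk.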
@@ -91,38 +65,52 @@ in {
       '';
     };
-    security.pam.services = let
-      pam_ldap = "${pkgs.pam_ldap}/lib/security/pam_ldap.so";
-      pam_ldap_postgresql = with myconfig.env.databases.postgresql.pam;
-        pkgs.writeText "postgresql.conf" ''
-          host ${myconfig.env.ldap.host}
-          base ${myconfig.env.ldap.base}
-          binddn ${dn}
-          bindpw ${password}
-          pam_filter ${filter}
-          ssl start_tls
+    mySecrets.keys = [
+      {
+        dest = "postgresql/pam";
+        permissions = "0400";
+        group = "postgres";
+        user = "postgres";
+        text = with myconfig.env.databases.postgresql.pam; ''
+          host ${myconfig.env.ldap.host}
+          base ${myconfig.env.ldap.base}
+          binddn ${dn}
+          bindpw ${password}
+          pam_filter ${filter}
+          ssl start_tls
         '';
-      pam_ldap_postgresql_replication = pkgs.writeText "postgresql.conf" ''
-        host ${myconfig.env.ldap.host}
-        base ${myconfig.env.ldap.base}
-        binddn ${myconfig.env.ldap.host_dn}
-        bindpw ${myconfig.env.ldap.password}
-        pam_login_attribute cn
-        ssl start_tls
+      }
+      {
+        dest = "postgresql/pam_replication";
+        permissions = "0400";
+        group = "postgres";
+        user = "postgres";
+        text = ''
+          host ${myconfig.env.ldap.host}
+          base ${myconfig.env.ldap.base}
+          binddn ${myconfig.env.ldap.host_dn}
+          bindpw ${myconfig.env.ldap.password}
+          pam_login_attribute cn
+          ssl start_tls
         '';
+      }
+    ];
+
+    security.pam.services = let
+      pam_ldap = "${pkgs.pam_ldap}/lib/security/pam_ldap.so";
     in [
       {
         name = "postgresql";
         text = ''
-          auth     required ${pam_ldap} config=${pam_ldap_postgresql}
-          account  required ${pam_ldap} config=${pam_ldap_postgresql}
+          auth     required ${pam_ldap} config=/var/secrets/postgresql/pam
+          account  required ${pam_ldap} config=/var/secrets/postgresql/pam
         '';
       }
       {
         name = "postgresql_replication";
         text = ''
-          auth     required ${pam_ldap} config=${pam_ldap_postgresql_replication}
-          account  required ${pam_ldap} config=${pam_ldap_postgresql_replication}
+          auth     required ${pam_ldap} config=/var/secrets/postgresql/pam_replication
+          account  required ${pam_ldap} config=/var/secrets/postgresql/pam_replication
         '';
       }
     ];
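Review bot: The four `config=/var/secrets/postgresql/pam…` paths in the PAM service texts are written out separately from the `dest = "postgresql/pam"` and `"postgresql/pam_replication"` entries that create the files, so renaming either side would leave PAM pointing at a missing config and every LDAP-backed login failing with no evaluation-time error. Binding the names once in the `let` that already holds `pam_ldap`, e.g. `pamConfig = "/var/secrets/postgresql/pam";` and `pamReplicationConfig = "/var/secrets/postgresql/pam_replication";`, and reusing them in both the PAM lines and the `dest` values (with the `/var/secrets/` prefix stripped) keeps the two in step. Moving the bind passwords out of world-readable `pkgs.writeText` store paths into 0400 `postgres`-owned files is the gain of this commit; it holds only if `mySecrets` writes `text` outside the Nix store, which is not visible here, since `${password}` is still interpolated at evaluation time.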