X-Git-Url: https://git.immae.eu/?a=blobdiff_plain;f=nixops%2Fmodules%2Fdatabases%2Fpostgresql.nix;h=b113e9fd8a6967e986bc8e4337ec201ac7f649d1;hb=598aaa373c359046ee08ab5e7576ebaa4f0331e0;hp=7e2f4e665fc861a3570b15b9e38f95e4b3c095c7;hpb=e1da84b06c408ea5d4d093de39efdda71ad6dc95;p=perso%2FImmae%2FConfig%2FNix.git
diff --git a/nixops/modules/databases/postgresql.nix b/nixops/modules/databases/postgresql.nix
index 7e2f4e6..b113e9f 100644
--- a/nixops/modules/databases/postgresql.nix
+++ b/nixops/modules/databases/postgresql.nix
@@ -15,15 +15,7 @@ in {
   config = lib.mkIf cfg.enable {
     nixpkgs.overlays = [
       (self: super: rec {
-        postgresql = postgresql_11;
-        postgresql_11 = super.postgresql_11.overrideAttrs(old: rec {
-          passthru = old.passthru // { psqlSchema = "11.0"; };
-          configureFlags = old.configureFlags ++ [ "--with-pam" ];
-          buildInputs = (old.buildInputs or []) ++ [ self.pam ];
-          patches = old.patches ++ [
-            ./postgresql_run_socket_path.patch
-          ];
-        });
+        postgresql = self.postgresql_11_custom;
       })
     ];
     networking.firewall.allowedTCPPorts = [ 5432 ];
@@ -77,9 +69,9 @@ in {
       '';
     };
 
-    deployment.keys = {
-      postgresql-pam = {
-        destDir = "/run/keys/postgresql";
+    mySecrets.keys = [
+      {
+        dest = "postgresql/pam";
         permissions = "0400";
         group = "postgres";
         user = "postgres";
@@ -91,9 +83,9 @@ in {
           pam_filter ${filter}
           ssl start_tls
           '';
-      };
-      postgresql-pam_replication = {
-        destDir = "/run/keys/postgresql";
+      }
+      {
+        dest = "postgresql/pam_replication";
         permissions = "0400";
         group = "postgres";
         user = "postgres";
@@ -105,8 +97,8 @@ in {
           pam_login_attribute cn
           ssl start_tls
           '';
-      };
-    };
+      }
+    ];
 
     security.pam.services = let
       pam_ldap = "${pkgs.pam_ldap}/lib/security/pam_ldap.so";
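Review bot: The overlay in the first hunk now contains the single attribute `postgresql = self.postgresql_11_custom;` yet keeps the `rec` keyword, which no longer does anything because nothing in the set refers to a sibling; `(self: super: {` reads more honestly. The override that this line replaces built PostgreSQL with `--with-pam`, added `self.pam` to `buildInputs` and applied `./postgresql_run_socket_path.patch`, and whether `postgresql_11_custom` (defined elsewhere, not visible here) carries the same flags cannot be checked from this diff. The `security.pam.services` entries later in this file only take effect if the server is actually linked against PAM, so a pointer for the next reader would help, e.g. `# postgresql_11_custom must keep --with-pam: the pam services below rely on it`.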
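Review bot: Moving the two pam_ldap configuration files from `deployment.keys` to `mySecrets.keys` in the hunk at `-77,9` changes where they live at runtime — nixops places `/run/keys` on a tmpfs, whereas the `/var/secrets/postgresql/...` paths that the PAM services further down now reference look like persistent storage — and nothing in the hunk records that this is intended; the same applies to the `postgresql-pam_replication` entry in the hunk at `-91,9`. `permissions`, `user` and `group` are carried over unchanged, but the old `destDir` also named the directory itself, and whether `mySecrets` creates `postgresql/` with restrictive ownership is not visible here and is worth confirming, since these files hold the LDAP lookup settings (`pam_filter`, `pam_login_attribute`, `ssl start_tls`). A one-line comment above `mySecrets.keys = [` such as `# persistent under /var/secrets (was tmpfs /run/keys); owner-only, read by pam_ldap inside the postgres process` would document the decision.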
@@ -114,15 +106,15 @@ in {
       {
         name = "postgresql";
         text = ''
-          auth required ${pam_ldap} config=/run/keys/postgresql/postgresql-pam
-          account required ${pam_ldap} config=/run/keys/postgresql/postgresql-pam
+          auth required ${pam_ldap} config=/var/secrets/postgresql/pam
+          account required ${pam_ldap} config=/var/secrets/postgresql/pam
           '';
       }
       {
         name = "postgresql_replication";
         text = ''
-          auth required ${pam_ldap} config=/run/keys/postgresql/postgresql-pam_replication
-          account required ${pam_ldap} config=/run/keys/postgresql/postgresql-pam_replication
+          auth required ${pam_ldap} config=/var/secrets/postgresql/pam_replication
+          account required ${pam_ldap} config=/var/secrets/postgresql/pam_replication
           '';
       }
     ];
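Review bot: The secret location is now spelled out four times as a literal in these `text` blocks, while the files are declared with a relative `dest` in `mySecrets.keys` above; the `/var/secrets` prefix is implied by the mySecrets module and not by anything in this file, so a change to either side would silently desynchronise them and `pam_ldap` would fail at login time rather than at build time. Bind the directory once in the surrounding `let` and interpolate it, e.g. `secrets = "/var/secrets/postgresql";` next to `pam_ldap = ...`, then `config=${secrets}/pam` and `config=${secrets}/pam_replication` in the four lines, or, if `mySecrets` exposes a path option for its root, derive `secrets` from that instead of hardcoding it. The `let` that these entries belong to starts outside this hunk.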