X-Git-Url: https://git.immae.eu/?a=blobdiff_plain;f=virtual%2Fmodules%2Fdatabases.nix;h=de4ace64f228b22439b178cb8a7669c58f82956c;hb=f3d9c61e9becccc9ef25f64e5e639d45ea25650a;hp=9f8e70da0b2958a17eb88873d73374f195df7976;hpb=54307da49e9975ca3cce0d45fd12ade016cf90d9;p=perso%2FImmae%2FConfig%2FNix.git
diff --git a/virtual/modules/databases.nix b/virtual/modules/databases.nix
index 9f8e70d..de4ace6 100644
--- a/virtual/modules/databases.nix
+++ b/virtual/modules/databases.nix
@@ -42,6 +42,11 @@ in {
         url = "mirror://postgresql/source/v11.1/${name}.tar.bz2";
         sha256 = "026v0sicsh7avzi45waf8shcbhivyxmi7qgn9fd1x0vl520mx0ch";
       };
+      configureFlags = old.configureFlags ++ [ "--with-pam" ];
+      buildInputs = (old.buildInputs or []) ++ [ pkgs.pam ];
+      patches = old.patches ++ [
+        ./postgresql_run_socket_path.patch
+      ];
     });
     mariadb = mariadbPAM;
     mariadbPAM = oldpkgs.mariadb.overrideAttrs(old: rec {
@@ -62,9 +67,23 @@ in {
       package = pkgs.mariadb;
     };
 
+    # Cannot use eldiron: psql complains too much rights on the key, and
+    # setfacl cannot work properly because of acme prestart script
+    security.acme.certs."postgresql" = config.services.myCertificates.certConfig // {
+      user = "postgres";
+      group = "postgres";
+      plugins = [ "fullchain.pem" "key.pem" "account_key.json" ];
+      domain = "db-1.immae.eu";
+      postRun = ''
+        systemctl reload postgresql.service
+      '';
+    };
+
+    system.activationScripts.postgresql = ''
+      install -m 0755 -o postgres -g postgres -d /run/postgresql
+    '';
+
     # FIXME: initial sync
-    # FIXME: backup
-    # FIXME: ssl
     services.postgresql = rec {
       enable = cfg.postgresql.enable;
       package = pkgs.postgresql;
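Review bot: The new `configureFlags = old.configureFlags ++ [...]` and `patches = old.patches ++ [...]` lines assume both attributes already exist on the postgresql derivation, while the line between them guards `buildInputs` with `(old.buildInputs or [])`; if either attribute is absent in the nixpkgs revision being pinned, evaluation fails with a missing-attribute error rather than falling back to an empty list. Use the same guard on all three, e.g. `configureFlags = (old.configureFlags or []) ++ [ "--with-pam" ];` and `patches = (old.patches or []) ++ [ ./postgresql_run_socket_path.patch ];`. A one-line comment stating what `postgresql_run_socket_path.patch` changes (presumably the default socket directory, given the `/run/postgresql` activation script later in this commit) would also help the next reader. The overrideAttrs function this hunk edits begins before the hunk.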
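Review bot: The `plugins` list in the new `security.acme.certs."postgresql"` block includes `account_key.json`, and because `user`/`group` are set to `postgres` the ACME account private key ends up readable by the database service account, which only needs `fullchain.pem` and `key.pem`; if the ACME client needs that file to persist its account, a comment saying so would avoid someone "fixing" it later, otherwise drop it from the list. The explanatory comment above the block is hard to parse; suggested wording: `# Cannot reuse the eldiron certificate: postgres refuses a key file with permissive rights, and setfacl cannot be applied because of the acme prestart script`. Separately, `# FIXME: backup` is deleted here while the last hunk of this commit still carries a `# FIXME: backup` context line, so it is unclear whether backups are considered done or merely tracked elsewhere.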
@@ -83,17 +102,19 @@ in {
         lc_numeric = 'en_US.UTF-8'
         lc_time = 'en_US.UTF-8'
         default_text_search_config = 'pg_catalog.english'
-        # ssl = on
-        # ssl_cert_file = '/var/lib/acme/eldiron/fullchain.pem'
-        # ssl_key_file = '/var/lib/acme/eldiron/key.pem'
+        ssl = on
+        ssl_cert_file = '/var/lib/acme/postgresql/fullchain.pem'
+        ssl_key_file = '/var/lib/acme/postgresql/key.pem'
       '';
       authentication = ''
         local all postgres ident
         local all all md5
-        host all all samehost md5
-        host all all 178.33.252.96/32 md5
-        host all all 188.165.209.148/32 md5
-        #host all all all pam
+        hostssl all all samehost md5
+        hostssl all all 178.33.252.96/32 md5
+        hostssl all all 188.165.209.148/32 md5
+        hostssl all all all pam
+        hostssl replication backup-1 2001:41d0:302:1100::9:e5a9/128 pam pamservice=postgresql_replication
+        hostssl replication backup-1 54.37.151.137/32 pam pamservice=postgresql_replication
       '';
     };
 
@@ -107,6 +128,14 @@ in {
           bindpw ${builtins.getEnv "NIXOPS_MYSQL_PAM_PASSWORD"}
           pam_filter memberOf=cn=users,cn=mysql,cn=pam,ou=services,dc=immae,dc=eu
         '';
+      pam_ldap_postgresql_replication = assert mylibs.checkEnv "NIXOPS_ELDIRON_LDAP_PASSWORD";
+        pkgs.writeText "postgresql.conf" ''
+          host ldap.immae.eu
+          base dc=immae,dc=eu
+          binddn cn=eldiron,ou=hosts,dc=immae,dc=eu
+          bindpw ${builtins.getEnv "NIXOPS_ELDIRON_LDAP_PASSWORD"}
+          pam_login_attribute cn
+        '';
     in [
       {
         name = "mysql";
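Review bot: The new `hostssl all all all pam` rule matches every remote address for every database and role, so the previously commented-out catch-all is now live and the only thing between the listen port and a session is whatever the `postgresql` PAM service accepts; since pg_hba is first-match, every host not covered by the three explicit lines above falls through to it. If remote PAM logins are really needed, narrow the address column to the networks that need them or add `clientcert=1` so a client certificate is required on top of the password; otherwise drop the line. Moving the explicit-address rules from `host` to `hostssl` is the right call, because the `pam` method makes the client send its password in cleartext to the server — worth recording next to these rules as `# pam receives the cleartext password: only ever expose it on hostssl lines`. The replication rules name `backup-1` as the role, which is presumably the role the standby connects as; confirm it is not also granted login to ordinary databases.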
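Review bot: The new `pam_ldap_postgresql_replication` file embeds `bindpw ${builtins.getEnv "NIXOPS_ELDIRON_LDAP_PASSWORD"}` in a `pkgs.writeText` output, which is written to the Nix store and therefore readable by every local user of the host; the `pam_ldap_mysql` context lines above follow the same pattern, so this extends an existing exposure rather than creating a new one, but a second copy of an LDAP bind password in the store is still worth flagging. Prefer delivering the file through a non-store secret path and referencing it by absolute path in the PAM `config=` argument, or at least add a comment acknowledging the store exposure. Unlike the mysql config, this one has no `pam_filter` line, so any directory account that can bind is accepted; given the pg_hba rules in the previous hunk let the `postgresql` service be reached from any address, restrict it to the intended group with a line such as `pam_filter memberOf=<REPLICATION_GROUP_DN>` (placeholder; use the real group DN). The file name `"postgresql.conf"` is also easy to confuse with the server's own postgresql.conf; something like `"pam_ldap_postgresql_replication.conf"` would be clearer.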
@@ -116,6 +145,20 @@ in {
           account required ${pam_ldap}/lib/security/pam_ldap.so config=${pam_ldap_mysql}
         '';
       }
+      {
+        name = "postgresql";
+        text = ''
+          auth required ${pam_ldap}/lib/security/pam_ldap.so config=${pam_ldap_postgresql_replication}
+          account required ${pam_ldap}/lib/security/pam_ldap.so config=${pam_ldap_postgresql_replication}
+        '';
+      }
+      {
+        name = "postgresql_replication";
+        text = ''
+          auth required ${pam_ldap}/lib/security/pam_ldap.so config=${pam_ldap_postgresql_replication}
+          account required ${pam_ldap}/lib/security/pam_ldap.so config=${pam_ldap_postgresql_replication}
+        '';
+      }
     ];
 
     # FIXME: backup
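Review bot: Both new PAM services, `postgresql` and `postgresql_replication`, point their `auth` and `account` lines at the same `pam_ldap_postgresql_replication` config, so the two services are functionally identical and the `pamservice=postgresql_replication` distinction in pg_hba gains nothing; the variable name strongly suggests a separate replication-only configuration was intended for the second service, and the first looks like a copy-paste. Either define a dedicated `pam_ldap_postgresql` config for the `postgresql` service (with its own `pam_filter`, since that service is reachable from any address per the pg_hba hunk) and change its two lines to `config=${pam_ldap_postgresql}`, or collapse the two entries into one service and drop `pamservice=` from pg_hba. A short comment on each entry stating which pg_hba rules use it would make the intended split visible. `${pam_ldap}` is bound in the enclosing `let`, which starts before this hunk.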