Use acme directory config rather than hardcoding the value
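{ lib, pkgs, config, myconfig, ... }:
let
  cfg = config.myServices.databases.postgresql;
in {
  options.myServices.databases = {
    postgresql = {
      enable = lib.mkOption {
        # The default used to be `cfg.enable`, i.e. the option's own value,
        # which evaluates to "infinite recursion" whenever no other module
        # defines it.  `false` keeps the service off unless it is enabled
        # explicitly, which is the only configuration that ever worked.
        default = false;
        example = true;
        description = "Whether to enable postgresql database";
        type = lib.types.bool;
      };
      # Output variables (read-only, for other modules to consume)
      socketsDir = lib.mkOption {
        type = lib.types.path;
        default = "/run/postgresql";
        description = ''
          The directory where Postgresql puts sockets.
        '';
        readOnly = true;
      };
      systemdRuntimeDirectory = lib.mkOption {
        type = lib.types.str;
        # systemd's RuntimeDirectory= is relative to /run, hence the assert;
        # switch to ReadWritePaths= if socketsDir ever moves outside of /run.
        default = assert lib.strings.hasPrefix "/run/" cfg.socketsDir;
          lib.strings.removePrefix "/run/" cfg.socketsDir;
        description = ''
          Adjusted Postgresql sockets directory for systemd
        '';
        readOnly = true;
      };
    };
  };

  config = lib.mkIf cfg.enable {
    nixpkgs.overlays = [ (self: super: {
      postgresql = self.postgresql_11_custom;
    }) ];

    # Port 5432 is opened on every interface.  Combined with the catch-all
    # `hostssl all all all pam` rule below, this exposes password guessing
    # against the LDAP backend to the whole Internet; restrict to a source
    # range or to specific interfaces if the "all" rule is not required.
    networking.firewall.allowedTCPPorts = [ 5432 ];

    security.acme.certs."postgresql" = config.myServices.databasesCerts // {
      user = "postgres";
      group = "postgres";
      plugins = [ "fullchain.pem" "key.pem" "account_key.json" ];
      domain = "db-1.immae.eu";
      # Reload rather than restart so existing connections survive a renewal.
      postRun = ''
        systemctl reload postgresql.service
      '';
    };

    systemd.services.postgresql.serviceConfig = {
      SupplementaryGroups = "keys";
      RuntimeDirectory = cfg.systemdRuntimeDirectory;
    };
    services.postgresql = rec {
      enable = true;
      package = pkgs.postgresql;
      enableTCPIP = true;
      # NOTE(review): postgresql 11 hashes new passwords with md5 by default.
      # `password_encryption = scram-sha-256` would store new passwords with
      # SCRAM while the `md5` hba rules below keep accepting both (the server
      # negotiates SCRAM for SCRAM-stored passwords).  Not changed here since
      # client libpq versions are unknown -- confirm before switching.
      # NOTE(review): no minimum TLS version is pinned; ssl_min_protocol_version
      # only exists from postgresql 12 on -- revisit on upgrade.
      extraConfig = ''
        max_connections = 100
        wal_level = logical
        shared_buffers = 512MB
        work_mem = 10MB
        max_wal_size = 1GB
        min_wal_size = 80MB
        log_timezone = 'Europe/Paris'
        datestyle = 'iso, mdy'
        timezone = 'Europe/Paris'
        lc_messages = 'en_US.UTF-8'
        lc_monetary = 'en_US.UTF-8'
        lc_numeric = 'en_US.UTF-8'
        lc_time = 'en_US.UTF-8'
        default_text_search_config = 'pg_catalog.english'
        ssl = on
        ssl_cert_file = '${config.security.acme.directory}/postgresql/fullchain.pem'
        ssl_key_file = '${config.security.acme.directory}/postgresql/key.pem'
      '';
      # Unix socket: postgres by peer identity (`ident` on local lines),
      # everyone else by password.  TCP: there is no plain `host` rule, so
      # non-TLS connections match nothing and are rejected; the two fixed
      # addresses use md5, everyone else is checked against LDAP via PAM.
      # Replication is restricted to backup-1's two addresses and its own
      # PAM service.
      authentication = ''
        local all postgres ident
        local all all md5
        hostssl all all 188.165.209.148/32 md5
        hostssl all all 178.33.252.96/32 md5
        hostssl all all all pam
        hostssl replication backup-1 2001:41d0:302:1100::9:e5a9/128 pam pamservice=postgresql_replication
        hostssl replication backup-1 54.37.151.137/32 pam pamservice=postgresql_replication
      '';
    };

    secrets.keys = [
      {
        dest = "postgresql/pam";
        # Holds the LDAP bind password: readable by the postgres user only.
        # NOTE(review): `ssl start_tls` alone does not say whether the LDAP
        # server certificate is verified (libldap TLS_REQCERT default /
        # tls_checkpeer) -- confirm, or the bind password is exposed to MITM.
        permissions = "0400";
        group = "postgres";
        user = "postgres";
        text = with myconfig.env.databases.postgresql.pam; ''
          host ${myconfig.env.ldap.host}
          base ${myconfig.env.ldap.base}
          binddn ${dn}
          bindpw ${password}
          pam_filter ${filter}
          ssl start_tls
        '';
      }
      {
        dest = "postgresql/pam_replication";
        # Same bind-password handling as above; binds as the host's own DN
        # and matches the replication role against the `cn` attribute.
        permissions = "0400";
        group = "postgres";
        user = "postgres";
        text = ''
          host ${myconfig.env.ldap.host}
          base ${myconfig.env.ldap.base}
          binddn ${myconfig.env.ldap.host_dn}
          bindpw ${myconfig.env.ldap.password}
          pam_login_attribute cn
          ssl start_tls
        '';
      }
    ];

    # One PAM service per pg_hba `pamservice`, each pointing pam_ldap at the
    # matching secret above.  Both `auth` and `account` are required so a
    # user that authenticates but fails the account check is still refused.
    security.pam.services = let
      pam_ldap = "${pkgs.pam_ldap}/lib/security/pam_ldap.so";
    in [
      {
        name = "postgresql";
        text = ''
          auth required ${pam_ldap} config=${config.secrets.location}/postgresql/pam
          account required ${pam_ldap} config=${config.secrets.location}/postgresql/pam
        '';
      }
      {
        name = "postgresql_replication";
        text = ''
          auth required ${pam_ldap} config=${config.secrets.location}/postgresql/pam_replication
          account required ${pam_ldap} config=${config.secrets.location}/postgresql/pam_replication
        '';
      }
    ];
  };
}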