[perso/Immae/Config/Nix.git] / modules / private / databases / postgresql.nix

{ lib, pkgs, config, ... }:
let
    cfg = config.myServices.databases.postgresql;
in {
  options.myServices.databases = {
    postgresql = {
      enable = lib.mkOption {
        default = false;
        example = true;
        description = "Whether to enable postgresql database";
        type = lib.types.bool;
      };
      package = lib.mkOption {
        type = lib.types.package;
        default = pkgs.postgresql;
        description = ''
          Postgresql package to use.
          '';
      };
      ldapConfig = lib.mkOption {
        description = "LDAP configuration to allow PAM identification via LDAP";
        type = lib.types.submodule {
          options = {
            host = lib.mkOption { type = lib.types.str; };
            base = lib.mkOption { type = lib.types.str; };
            dn = lib.mkOption { type = lib.types.str; };
            password = lib.mkOption { type = lib.types.str; };
            filter = lib.mkOption { type = lib.types.str; };
          };
        };
      };
      replicationLdapConfig = lib.mkOption {
        description = "LDAP configuration to allow replication";
        type = lib.types.submodule {
          options = {
            host = lib.mkOption { type = lib.types.str; };
            base = lib.mkOption { type = lib.types.str; };
            dn = lib.mkOption { type = lib.types.str; };
            password = lib.mkOption { type = lib.types.str; };
          };
        };
      };
      authorizedHosts = lib.mkOption {
        default = {};
        description = "Hosts to allow connections from";
        type = lib.types.attrsOf (lib.types.listOf (lib.types.submodule {
          options = {
            method = lib.mkOption {
              default = "md5";
              type = lib.types.str;
            };
            username = lib.mkOption {
              default = "all";
              type = lib.types.str;
            };
            database = lib.mkOption {
              default = "all";
              type = lib.types.str;
            };
            ip4 = lib.mkOption {
              default = [];
              type = lib.types.listOf lib.types.str;
            };
            ip6 = lib.mkOption {
              default = [];
              type = lib.types.listOf lib.types.str;
            };
          };
        }));
      };
      replicationHosts = lib.mkOption {
        default = {};
        description = "Hosts to allow replication from";
        type = lib.types.attrsOf (lib.types.submodule {
          options = {
            ip4 = lib.mkOption {
              type = lib.types.listOf lib.types.str;
            };
            ip6 = lib.mkOption {
              type = lib.types.listOf lib.types.str;
            };
          };
        });
      };
      # Output variables
      socketsDir = lib.mkOption {
        type = lib.types.path;
        default = "/run/postgresql";
        description = ''
          The directory where Postgresql puts sockets.
          '';
        readOnly = true;
      };
    };
  };

  config = lib.mkIf cfg.enable {
    networking.firewall.allowedTCPPorts = [ 5432 ];

    security.acme.certs."postgresql" = config.myServices.databasesCerts // {
      user = "postgres";
      group = "postgres";
      domain = "db-1.immae.eu";
      postRun = ''
        systemctl reload postgresql.service
      '';
    };

    systemd.services.postgresql.serviceConfig = {
      SupplementaryGroups = "keys";
    };
    systemd.services.postgresql.postStart = lib.mkAfter ''
      # This line is already defined in 19.09
      PSQL="${pkgs.sudo}/bin/sudo -u postgres psql --port=5432"

      ${builtins.concatStringsSep "\n" (lib.mapAttrsToList (role: _: ''
        $PSQL -tAc "SELECT 1 FROM pg_roles WHERE rolname='${role}'" \
            | grep -q 1 \
            || $PSQL -tAc 'CREATE USER "${role}" WITH REPLICATION'
        '') cfg.replicationHosts)}

      ${builtins.concatStringsSep "\n" (lib.mapAttrsToList (role: _:
        let
          sname = builtins.replaceStrings ["-"] ["_"] role;
        in
        ''
        $PSQL -tAc "SELECT 1 FROM pg_replication_slots WHERE slot_name='${sname}'" \
              | grep -q 1 \
              || $PSQL -tAc "SELECT * FROM pg_create_physical_replication_slot('${sname}')"
        '') cfg.replicationHosts)}
      '';

    services.postgresql = {
      enable = true;
      package = cfg.package;
      enableTCPIP = true;
      extraConfig = ''
        max_connections = 100
        wal_level = logical
        shared_buffers = 512MB
        work_mem = 10MB
        max_wal_size = 1GB
        min_wal_size = 80MB
        log_timezone = 'Europe/Paris'
        datestyle = 'iso, mdy'
        timezone = 'Europe/Paris'
        lc_messages = 'en_US.UTF-8'
        lc_monetary = 'en_US.UTF-8'
        lc_numeric = 'en_US.UTF-8'
        lc_time = 'en_US.UTF-8'
        default_text_search_config = 'pg_catalog.english'
        # this introduces a small delay before storing on disk, but
        # makes it order of magnitudes quicker
        synchronous_commit = off
        ssl = on
        ssl_cert_file = '${config.security.acme.certs.postgresql.directory}/fullchain.pem'
        ssl_key_file = '${config.security.acme.certs.postgresql.directory}/key.pem'
        '';
      authentication = let
        hosts = builtins.concatStringsSep "\n" (
          lib.lists.flatten (lib.mapAttrsToList (k: vs: map (v:
            map (ip6: "hostssl	${v.database}	${v.username}	${ip6}/128	${v.method}") v.ip6
            ++ map (ip4: "hostssl	${v.database}	${v.username}	${ip4}/32		${v.method}") v.ip4
          ) vs) cfg.authorizedHosts
        ));
        replication = builtins.concatStringsSep "\n" (
          lib.lists.flatten (lib.mapAttrsToList (k: v:
          map (ip6: "hostssl	replication	${k}	${ip6}/128	pam pamservice=postgresql_replication") v.ip6
          ++ map (ip4: "hostssl	replication	${k}	${ip4}/32		pam pamservice=postgresql_replication") v.ip4
          ) cfg.replicationHosts
        ));
      in ''
        local	all	postgres				ident
        local	all	all					md5
        ${hosts}
        hostssl	all	all	all				pam
        ${replication}
      '';
    };

    secrets.keys = [
      {
        dest = "postgresql/pam";
        permissions = "0400";
        group = "postgres";
        user = "postgres";
        text =  with cfg.ldapConfig; ''
          host ${host}
          base ${base}
          binddn ${dn}
          bindpw ${password}
          pam_filter ${filter}
          ssl start_tls
        '';
      }
      {
        dest = "postgresql/pam_replication";
        permissions = "0400";
        group = "postgres";
        user = "postgres";
        text = with cfg.replicationLdapConfig; ''
          host ${host}
          base ${base}
          binddn ${dn}
          bindpw ${password}
          pam_login_attribute cn
          ssl start_tls
        '';
      }
    ];

    security.pam.services = let
      pam_ldap = "${pkgs.pam_ldap}/lib/security/pam_ldap.so";
    in {
      postgresql = {
        text = ''
          auth    required ${pam_ldap} config=${config.secrets.fullPaths."postgresql/pam"}
          account required ${pam_ldap} config=${config.secrets.fullPaths."postgresql/pam"}
          '';
      };
      postgresql_replication = {
        text = ''
          auth    required ${pam_ldap} config=${config.secrets.fullPaths."postgresql/pam_replication"}
          account required ${pam_ldap} config=${config.secrets.fullPaths."postgresql/pam_replication"}
          '';
      };
    };
  };
}
Commit	Line	Data
4aac110f	1	{ lib, pkgs, config, ... }:
4ff90563	2	let
182ae57f	3	cfg = config.myServices.databases.postgresql;
4ff90563	4	in {
182ae57f	5	options.myServices.databases = {
4ff90563 IB	6	postgresql = {
4ff90563 IB	7	enable = lib.mkOption {
8415083e	8	default = false;
4ff90563 IB	9	example = true;
	10	description = "Whether to enable postgresql database";
	11	type = lib.types.bool;
	12	};
4aac110f IB	13	package = lib.mkOption {
	14	type = lib.types.package;
	15	default = pkgs.postgresql;
	16	description = ''
	17	Postgresql package to use.
	18	'';
	19	};
	20	ldapConfig = lib.mkOption {
	21	description = "LDAP configuration to allow PAM identification via LDAP";
	22	type = lib.types.submodule {
	23	options = {
	24	host = lib.mkOption { type = lib.types.str; };
	25	base = lib.mkOption { type = lib.types.str; };
	26	dn = lib.mkOption { type = lib.types.str; };
	27	password = lib.mkOption { type = lib.types.str; };
	28	filter = lib.mkOption { type = lib.types.str; };
	29	};
	30	};
	31	};
	32	replicationLdapConfig = lib.mkOption {
	33	description = "LDAP configuration to allow replication";
	34	type = lib.types.submodule {
	35	options = {
	36	host = lib.mkOption { type = lib.types.str; };
	37	base = lib.mkOption { type = lib.types.str; };
	38	dn = lib.mkOption { type = lib.types.str; };
	39	password = lib.mkOption { type = lib.types.str; };
	40	};
	41	};
	42	};
	43	authorizedHosts = lib.mkOption {
	44	default = {};
	45	description = "Hosts to allow connections from";
	46	type = lib.types.attrsOf (lib.types.listOf (lib.types.submodule {
	47	options = {
	48	method = lib.mkOption {
	49	default = "md5";
	50	type = lib.types.str;
	51	};
	52	username = lib.mkOption {
	53	default = "all";
	54	type = lib.types.str;
	55	};
	56	database = lib.mkOption {
	57	default = "all";
	58	type = lib.types.str;
	59	};
	60	ip4 = lib.mkOption {
	61	default = [];
	62	type = lib.types.listOf lib.types.str;
	63	};
	64	ip6 = lib.mkOption {
	65	default = [];
	66	type = lib.types.listOf lib.types.str;
	67	};
	68	};
	69	}));
	70	};
	71	replicationHosts = lib.mkOption {
	72	default = {};
	73	description = "Hosts to allow replication from";
	74	type = lib.types.attrsOf (lib.types.submodule {
	75	options = {
	76	ip4 = lib.mkOption {
77	type = lib.types.listOf lib.types.str;
78	};
79	ip6 = lib.mkOption {
80	type = lib.types.listOf lib.types.str;
81	};
82	};
83	});
84	};
182ae57f IB	85	# Output variables
	86	socketsDir = lib.mkOption {
	87	type = lib.types.path;
	88	default = "/run/postgresql";
	89	description = ''
	90	The directory where Postgresql puts sockets.
	91	'';
	92	readOnly = true;
	93	};
4ff90563 IB	94	};
	95	};
	96
	97	config = lib.mkIf cfg.enable {
4ff90563 IB	98	networking.firewall.allowedTCPPorts = [ 5432 ];
4ff90563 IB	99
5400b9b6	100	security.acme.certs."postgresql" = config.myServices.databasesCerts // {
4ff90563 IB	101	user = "postgres";
4ff90563 IB	102	group = "postgres";
4ff90563 IB	103	domain = "db-1.immae.eu";
	104	postRun = ''
	105	systemctl reload postgresql.service
	106	'';
	107	};
	108
182ae57f IB	109	systemd.services.postgresql.serviceConfig = {
182ae57f IB	110	SupplementaryGroups = "keys";
182ae57f	111	};
ec9b6564 IB	112	systemd.services.postgresql.postStart = lib.mkAfter ''
	113	# This line is already defined in 19.09
	114	PSQL="${pkgs.sudo}/bin/sudo -u postgres psql --port=5432"
	115
	116	${builtins.concatStringsSep "\n" (lib.mapAttrsToList (role: _: ''
	117	$PSQL -tAc "SELECT 1 FROM pg_roles WHERE rolname='${role}'" \
	118	\| grep -q 1 \
	119	\|\| $PSQL -tAc 'CREATE USER "${role}" WITH REPLICATION'
	120	'') cfg.replicationHosts)}
	121
	122	${builtins.concatStringsSep "\n" (lib.mapAttrsToList (role: _:
	123	let
	124	sname = builtins.replaceStrings ["-"] ["_"] role;
	125	in
	126	''
	127	$PSQL -tAc "SELECT 1 FROM pg_replication_slots WHERE slot_name='${sname}'" \
	128	\| grep -q 1 \
	129	\|\| $PSQL -tAc "SELECT * FROM pg_create_physical_replication_slot('${sname}')"
	130	'') cfg.replicationHosts)}
	131	'';
	132
4aac110f	133	services.postgresql = {
182ae57f	134	enable = true;
4aac110f	135	package = cfg.package;
4ff90563 IB	136	enableTCPIP = true;
	137	extraConfig = ''
	138	max_connections = 100
	139	wal_level = logical
	140	shared_buffers = 512MB
	141	work_mem = 10MB
	142	max_wal_size = 1GB
	143	min_wal_size = 80MB
	144	log_timezone = 'Europe/Paris'
	145	datestyle = 'iso, mdy'
	146	timezone = 'Europe/Paris'
	147	lc_messages = 'en_US.UTF-8'
	148	lc_monetary = 'en_US.UTF-8'
	149	lc_numeric = 'en_US.UTF-8'
	150	lc_time = 'en_US.UTF-8'
	151	default_text_search_config = 'pg_catalog.english'
0907cf1b IB	152	# this introduces a small delay before storing on disk, but
	153	# makes it order of magnitudes quicker
	154	synchronous_commit = off
4ff90563	155	ssl = on
5400b9b6 IB	156	ssl_cert_file = '${config.security.acme.certs.postgresql.directory}/fullchain.pem'
5400b9b6 IB	157	ssl_key_file = '${config.security.acme.certs.postgresql.directory}/key.pem'
4ff90563	158	'';
4aac110f IB	159	authentication = let
	160	hosts = builtins.concatStringsSep "\n" (
	161	lib.lists.flatten (lib.mapAttrsToList (k: vs: map (v:
	162	map (ip6: "hostssl ${v.database} ${v.username} ${ip6}/128 ${v.method}") v.ip6
	163	++ map (ip4: "hostssl ${v.database} ${v.username} ${ip4}/32 ${v.method}") v.ip4
	164	) vs) cfg.authorizedHosts
	165	));
	166	replication = builtins.concatStringsSep "\n" (
	167	lib.lists.flatten (lib.mapAttrsToList (k: v:
	168	map (ip6: "hostssl replication ${k} ${ip6}/128 pam pamservice=postgresql_replication") v.ip6
	169	++ map (ip4: "hostssl replication ${k} ${ip4}/32 pam pamservice=postgresql_replication") v.ip4
	170	) cfg.replicationHosts
	171	));
	172	in ''
4ff90563 IB	173	local all postgres ident
4ff90563 IB	174	local all all md5
4aac110f	175	${hosts}
4ff90563	176	hostssl all all all pam
4aac110f	177	${replication}
4ff90563 IB	178	'';
	179	};
	180
1a718805	181	secrets.keys = [
7178c2b1 IB	182	{
7178c2b1 IB	183	dest = "postgresql/pam";
e1da84b0 IB	184	permissions = "0400";
	185	group = "postgres";
	186	user = "postgres";
4aac110f IB	187	text = with cfg.ldapConfig; ''
	188	host ${host}
	189	base ${base}
e1da84b0 IB	190	binddn ${dn}
	191	bindpw ${password}
	192	pam_filter ${filter}
	193	ssl start_tls
4ff90563	194	'';
7178c2b1 IB	195	}
	196	{
	197	dest = "postgresql/pam_replication";
e1da84b0 IB	198	permissions = "0400";
	199	group = "postgres";
	200	user = "postgres";
4aac110f IB	201	text = with cfg.replicationLdapConfig; ''
	202	host ${host}
	203	base ${base}
	204	binddn ${dn}
	205	bindpw ${password}
e1da84b0 IB	206	pam_login_attribute cn
e1da84b0 IB	207	ssl start_tls
4ff90563	208	'';
7178c2b1 IB	209	}
7178c2b1 IB	210	];
e1da84b0 IB	211
	212	security.pam.services = let
	213	pam_ldap = "${pkgs.pam_ldap}/lib/security/pam_ldap.so";
258dd18b IB	214	in {
258dd18b IB	215	postgresql = {
4ff90563	216	text = ''
da30ae4f IB	217	auth required ${pam_ldap} config=${config.secrets.fullPaths."postgresql/pam"}
da30ae4f IB	218	account required ${pam_ldap} config=${config.secrets.fullPaths."postgresql/pam"}
4ff90563	219	'';
258dd18b IB	220	};
258dd18b IB	221	postgresql_replication = {
4ff90563	222	text = ''
da30ae4f IB	223	auth required ${pam_ldap} config=${config.secrets.fullPaths."postgresql/pam_replication"}
da30ae4f IB	224	account required ${pam_ldap} config=${config.secrets.fullPaths."postgresql/pam_replication"}
4ff90563	225	'';
258dd18b IB	226	};
258dd18b IB	227	};
4ff90563 IB	228	};
	229	}
	230