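{ lib, pkgs, config, myconfig, ... }:
# PostgreSQL database module.
#
# Pins the postgresql package through an overlay, exposes the server over
# TCP with a TLS certificate obtained via ACME, and routes remote logins
# through PAM backed by LDAP.  Replication peers use a dedicated PAM service
# with its own LDAP bind credentials.
let
  cfg = config.services.myDatabases;
in {
  options.services.myDatabases = {
    postgresql = {
      enable = lib.mkOption {
        default = cfg.enable;
        example = true;
        description = "Whether to enable postgresql database";
        type = lib.types.bool;
      };
    };
  };

  # Everything in this block (firewall port, ACME certificate, deployed
  # secrets, PAM services) only makes sense while the postgresql service
  # itself is enabled, so the guard also checks cfg.postgresql.enable.
  # Guarding on cfg.enable alone opened port 5432 and ordered a certificate
  # whose postRun reloads a unit that does not exist when only the
  # postgresql sub-option is disabled.  cfg.postgresql.enable defaults to
  # cfg.enable, so the common configuration evaluates exactly as before.
  config = lib.mkIf (cfg.enable && cfg.postgresql.enable) {
    # `rec` dropped: the overlay body references only `self`, never itself.
    nixpkgs.overlays = [ (self: super: {
      postgresql = self.postgresql_11_custom;
    }) ];

    # The port is reachable from any host; access control is delegated to the
    # pg_hba rules in `authentication` below (TLS-only remote access, PAM).
    networking.firewall.allowedTCPPorts = [ 5432 ];

    security.acme.certs."postgresql" = config.services.myCertificates.certConfig // {
      # Certificate files are owned by the postgres user so the server can
      # read the private key without extra group membership.
      user = "postgres";
      group = "postgres";
      plugins = [ "fullchain.pem" "key.pem" "account_key.json" ];
      domain = "db-1.immae.eu";
      # Reload (not restart) so a renewed certificate is picked up without
      # dropping client connections.
      postRun = ''
        systemctl reload postgresql.service
      '';
    };

    # NOTE(review): "keys" is presumably the group that owns the deployed
    # secrets under /var/secrets — confirm against the secrets module.
    systemd.services.postgresql.serviceConfig.SupplementaryGroups = "keys";
    systemd.services.postgresql.serviceConfig.RuntimeDirectory = "postgresql";

    # `rec` dropped here too: no attribute below refers to a sibling.
    services.postgresql = {
      enable = cfg.postgresql.enable;
      package = pkgs.postgresql;
      enableTCPIP = true;
      # ssl_cert_file / ssl_key_file must point at the directory the ACME
      # module writes the "postgresql" certificate to (see security.acme above).
      extraConfig = ''
        max_connections = 100
        wal_level = logical
        shared_buffers = 512MB
        work_mem = 10MB
        max_wal_size = 1GB
        min_wal_size = 80MB
        log_timezone = 'Europe/Paris'
        datestyle = 'iso, mdy'
        timezone = 'Europe/Paris'
        lc_messages = 'en_US.UTF-8'
        lc_monetary = 'en_US.UTF-8'
        lc_numeric = 'en_US.UTF-8'
        lc_time = 'en_US.UTF-8'
        default_text_search_config = 'pg_catalog.english'
        ssl = on
        ssl_cert_file = '/var/lib/acme/postgresql/fullchain.pem'
        ssl_key_file = '/var/lib/acme/postgresql/key.pem'
      '';
      # pg_hba rules, evaluated top to bottom:
      #  - local socket: postgres via ident, everyone else via password;
      #  - remote: TLS only (hostssl); two fixed hosts keep md5, everything
      #    else authenticates through the "postgresql" PAM/LDAP service;
      #  - replication from backup-1 (v4 and v6) uses its own PAM service.
      # md5 is kept for compatibility; scram-sha-256 (PostgreSQL 10+) is the
      # stronger choice but requires the affected passwords to be re-set.
      authentication = ''
        local all postgres ident
        local all all md5
        hostssl all all 188.165.209.148/32 md5
        hostssl all all 178.33.252.96/32 md5
        hostssl all all all pam
        hostssl replication backup-1 2001:41d0:302:1100::9:e5a9/128 pam pamservice=postgresql_replication
        hostssl replication backup-1 54.37.151.137/32 pam pamservice=postgresql_replication
      '';
    };

    # pam_ldap configuration files.  They embed the LDAP bind password, hence
    # mode 0400 and ownership by the postgres user (the PAM modules run inside
    # the postgresql service).
    secrets.keys = [
      {
        dest = "postgresql/pam";
        permissions = "0400";
        group = "postgres";
        user = "postgres";
        text = with myconfig.env.databases.postgresql.pam; ''
          host ${myconfig.env.ldap.host}
          base ${myconfig.env.ldap.base}
          binddn ${dn}
          bindpw ${password}
          pam_filter ${filter}
          ssl start_tls
        '';
      }
      {
        dest = "postgresql/pam_replication";
        permissions = "0400";
        group = "postgres";
        user = "postgres";
        # Replication binds with the host's own LDAP identity and matches the
        # login name against `cn` rather than applying the user filter above.
        text = ''
          host ${myconfig.env.ldap.host}
          base ${myconfig.env.ldap.base}
          binddn ${myconfig.env.ldap.host_dn}
          bindpw ${myconfig.env.ldap.password}
          pam_login_attribute cn
          ssl start_tls
        '';
      }
    ];

    # One PAM service per pg_hba role: both auth and account go through
    # pam_ldap with the matching config file.  The config= paths assume the
    # secrets module deploys `dest` under /var/secrets — verify if that
    # module's base directory changes.
    security.pam.services = let
      pam_ldap = "${pkgs.pam_ldap}/lib/security/pam_ldap.so";
    in [
      {
        name = "postgresql";
        text = ''
          auth required ${pam_ldap} config=/var/secrets/postgresql/pam
          account required ${pam_ldap} config=/var/secrets/postgresql/pam
        '';
      }
      {
        name = "postgresql_replication";
        text = ''
          auth required ${pam_ldap} config=/var/secrets/postgresql/pam_replication
          account required ${pam_ldap} config=/var/secrets/postgresql/pam_replication
        '';
      }
    ];
  };
}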