{ lib, pkgs, config, myconfig, mylibs, ... }:
let
  cfg = config.services.myDatabases;
  env = myconfig.env;
  ldap = env.ldap;
  # LDAP bind identity/filter used by the "postgresql" PAM service
  # (dn, password, filter are read from this set).
  pgPam = env.databases.postgresql.pam;

  # Root of the files declared in mySecrets.keys below; the PAM stacks
  # reference them by absolute path through pam_ldap's `config=` argument.
  secretsDir = "/var/secrets";
  # Where the ACME module writes the "postgresql" certificate declared
  # below; the server's ssl_cert_file/ssl_key_file point into it.
  acmeDir = "/var/lib/acme/postgresql";
  pamLdapModule = "${pkgs.pam_ldap}/lib/security/pam_ldap.so";

  # A secret file readable only by the postgres user (mode 0400). Each one
  # carries an LDAP bind password, so the permissions matter.
  mkPamSecret = name: text: {
    dest = "postgresql/${name}";
    permissions = "0400";
    user = "postgres";
    group = "postgres";
    inherit text;
  };

  # A PAM service whose auth and account phases are both delegated to
  # pam_ldap, configured from `secretFile`.
  mkPamService = name: secretFile: {
    inherit name;
    text = ''
      auth required ${pamLdapModule} config=${secretFile}
      account required ${pamLdapModule} config=${secretFile}
    '';
  };
in
{
  options.services.myDatabases.postgresql.enable = lib.mkOption {
    type = lib.types.bool;
    default = cfg.enable;
    example = true;
    description = "Whether to enable postgresql database";
  };

  config = lib.mkIf cfg.enable {
    # 5432 is opened to every peer; the effective access policy is the
    # pg_hba ruleset in services.postgresql.authentication below.
    networking.firewall.allowedTCPPorts = [ 5432 ];

    # Server certificate for db-1.immae.eu, owned by postgres so the server
    # process can read the private key. The reload in postRun makes a
    # renewed certificate take effect without a restart.
    security.acme.certs."postgresql" =
      let
        base = config.services.myCertificates.certConfig;
      in
      base // {
        user = "postgres";
        group = "postgres";
        plugins = [ "fullchain.pem" "key.pem" "account_key.json" ];
        domain = "db-1.immae.eu";
        postRun = ''
          systemctl reload postgresql.service
        '';
      };

    # Socket directory is created at activation, owned by postgres and
    # world-traversable (0755) so local clients can reach the socket.
    system.activationScripts.postgresql = ''
      install -m 0755 -o postgres -g postgres -d ${env.databases.postgresql.socket}
    '';

    # NOTE(review): presumably grants read access to the key/secret files
    # consumed by the PAM stacks below — confirm against mySecrets.
    systemd.services.postgresql.serviceConfig.SupplementaryGroups = "keys";

    services.postgresql = {
      inherit (cfg.postgresql) enable;
      package = pkgs.postgresql;
      enableTCPIP = true;
      # TLS is mandatory for every remote rule below (hostssl only), using
      # the ACME-issued certificate.
      extraConfig = ''
        max_connections = 100
        wal_level = logical
        shared_buffers = 512MB
        work_mem = 10MB
        max_wal_size = 1GB
        min_wal_size = 80MB
        log_timezone = 'Europe/Paris'
        datestyle = 'iso, mdy'
        timezone = 'Europe/Paris'
        lc_messages = 'en_US.UTF-8'
        lc_monetary = 'en_US.UTF-8'
        lc_numeric = 'en_US.UTF-8'
        lc_time = 'en_US.UTF-8'
        default_text_search_config = 'pg_catalog.english'
        ssl = on
        ssl_cert_file = '${acmeDir}/fullchain.pem'
        ssl_key_file = '${acmeDir}/key.pem'
      '';
      # pg_hba rules, evaluated top to bottom:
      #  - local postgres: ident (treated as peer on unix sockets, i.e. the
      #    OS user must be postgres).
      #  - local others: md5 password.
      #  - two fixed IPv4 hosts: md5 password over TLS.
      #  - any other address over TLS: PAM -> pam_ldap; the LDAP filter in
      #    the "postgresql" secret is what bounds who may log in here.
      #  - replication: only role backup-1 from two addresses, through a
      #    separate PAM service with its own bind credentials.
      # NOTE(review): md5 is the weaker password method; scram-sha-256 is
      # preferable where the package version and stored password hashes
      # allow it (switching requires re-setting affected passwords).
      authentication = ''
        local all postgres ident
        local all all md5
        hostssl all all 188.165.209.148/32 md5
        hostssl all all 178.33.252.96/32 md5
        hostssl all all all pam
        hostssl replication backup-1 2001:41d0:302:1100::9:e5a9/128 pam pamservice=postgresql_replication
        hostssl replication backup-1 54.37.151.137/32 pam pamservice=postgresql_replication
      '';
    };

    # pam_ldap configs; both use STARTTLS so bind credentials are not sent
    # to the directory in clear.
    mySecrets.keys = [
      (mkPamSecret "pam" ''
        host ${ldap.host}
        base ${ldap.base}
        binddn ${pgPam.dn}
        bindpw ${pgPam.password}
        pam_filter ${pgPam.filter}
        ssl start_tls
      '')
      (mkPamSecret "pam_replication" ''
        host ${ldap.host}
        base ${ldap.base}
        binddn ${ldap.host_dn}
        bindpw ${ldap.password}
        pam_login_attribute cn
        ssl start_tls
      '')
    ];

    # Service names match the `pam` / `pamservice=` references in the
    # pg_hba rules above.
    security.pam.services = [
      (mkPamService "postgresql" "${secretsDir}/postgresql/pam")
      (mkPamService "postgresql_replication" "${secretsDir}/postgresql/pam_replication")
    ];
  };
}