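# PostgreSQL 11 for the myDatabases service set: PAM/LDAP-backed password
# authentication for remote clients, ACME-issued TLS certificate, and a
# dedicated PAM service for replication from backup-1.
{ lib, pkgs, config, myconfig, mylibs, ... }:
let
  cfg = config.services.myDatabases;
in {
  options.services.myDatabases = {
    postgresql = {
      enable = lib.mkOption {
        # Follows the service-set switch unless overridden for this database.
        default = cfg.enable;
        example = true;
        description = "Whether to enable postgresql database";
        type = lib.types.bool;
      };
    };
  };

  # Gate everything on the postgresql-specific switch (which defaults to
  # cfg.enable) instead of cfg.enable alone: with the latter, disabling only
  # postgresql still opened port 5432, requested the certificate and installed
  # the PAM/LDAP credentials for a server that was not running.
  config = lib.mkIf cfg.postgresql.enable {
    nixpkgs.overlays = [ (self: super: rec {
      postgresql = postgresql_11;
      postgresql_11 = super.postgresql_11.overrideAttrs (old: {
        passthru = old.passthru // { psqlSchema = "11.0"; };
        # --with-pam is what makes the "pam" methods in the pg_hba rules below
        # available at all.
        configureFlags = (old.configureFlags or []) ++ [ "--with-pam" ];
        buildInputs = (old.buildInputs or []) ++ [ self.pam ];
        # Same `or []` guard as buildInputs, so evaluation does not fail if the
        # upstream derivation ever stops defining the attribute.
        patches = (old.patches or []) ++ [
          ./postgresql_run_socket_path.patch
        ];
      });
    }) ];

    # The port is reachable from every peer; access control is entirely the
    # pg_hba rules in services.postgresql.authentication below, which force
    # TLS and PAM/LDAP for everything that is not explicitly listed.
    networking.firewall.allowedTCPPorts = [ 5432 ];

    # Owned by postgres so the server can read key.pem directly.
    # NOTE(review): PostgreSQL rejects a key file with permissive mode bits —
    # confirm the acme plugin writes key.pem 0600 for this user.
    security.acme.certs."postgresql" = config.services.myCertificates.certConfig // {
      user = "postgres";
      group = "postgres";
      plugins = [ "fullchain.pem" "key.pem" "account_key.json" ];
      domain = "db-1.immae.eu";
      # Reload rather than restart on renewal; relies on the server re-reading
      # ssl_cert_file/ssl_key_file on reload — confirm for the running version.
      postRun = ''
        systemctl reload postgresql.service
      '';
    };

    # Create the socket directory with postgres ownership before the service
    # starts (assumes postgresql_run_socket_path.patch points the server at
    # this path — confirm against the patch).
    system.activationScripts.postgresql = ''
      install -m 0755 -o postgres -g postgres -d ${myconfig.env.databases.postgresql.socket}
    '';

    # Presumably required to read the mySecrets files under /var/secrets that
    # the PAM services below reference — verify against the mySecrets module.
    systemd.services.postgresql.serviceConfig.SupplementaryGroups = "keys";
    services.postgresql = {
      enable = cfg.postgresql.enable;
      # The overlayed, PAM-enabled postgresql_11 from above.
      package = pkgs.postgresql;
      enableTCPIP = true;
      extraConfig = ''
        max_connections = 100
        wal_level = logical
        shared_buffers = 512MB
        work_mem = 10MB
        max_wal_size = 1GB
        min_wal_size = 80MB
        log_timezone = 'Europe/Paris'
        datestyle = 'iso, mdy'
        timezone = 'Europe/Paris'
        lc_messages = 'en_US.UTF-8'
        lc_monetary = 'en_US.UTF-8'
        lc_numeric = 'en_US.UTF-8'
        lc_time = 'en_US.UTF-8'
        default_text_search_config = 'pg_catalog.english'
        ssl = on
        ssl_cert_file = '/var/lib/acme/postgresql/fullchain.pem'
        ssl_key_file = '/var/lib/acme/postgresql/key.pem'
      '';
      # pg_hba rules, first match wins:
      #  - the local superuser over the Unix socket uses "ident", which on a
      #    local line falls back to peer (OS user name), so no password;
      #  - other local users and the two listed hosts use md5 passwords; these
      #    are candidates for scram-sha-256, but only after password_encryption
      #    and the stored hashes are migrated — switching the method alone
      #    locks those clients out;
      #  - any other TLS client authenticates through PAM ("postgresql"
      #    service, LDAP-backed); the PAM method needs the cleartext password,
      #    hence hostssl only, never host;
      #  - replication from backup-1 uses a separate PAM service that binds
      #    with the host credentials.
      authentication = ''
        local all postgres ident
        local all all md5
        hostssl all all 188.165.209.148/32 md5
        hostssl all all 178.33.252.96/32 md5
        hostssl all all all pam
        hostssl replication backup-1 2001:41d0:302:1100::9:e5a9/128 pam pamservice=postgresql_replication
        hostssl replication backup-1 54.37.151.137/32 pam pamservice=postgresql_replication
      '';
    };

    # pam_ldap configuration files consumed by the PAM services below. Each
    # embeds an LDAP bind password, hence 0400 and postgres-only ownership.
    # NOTE(review): no tls_reqcert/CA setting is visible here — confirm
    # pam_ldap verifies the LDAP server certificate under start_tls, otherwise
    # the bind password is only protected against passive observation.
    mySecrets.keys = [
      {
        dest = "postgresql/pam";
        permissions = "0400";
        group = "postgres";
        user = "postgres";
        text = with myconfig.env.databases.postgresql.pam; ''
          host ${myconfig.env.ldap.host}
          base ${myconfig.env.ldap.base}
          binddn ${dn}
          bindpw ${password}
          pam_filter ${filter}
          ssl start_tls
        '';
      }
      {
        # Replication logins bind as the host's own LDAP entry and match the
        # PostgreSQL role name against cn.
        dest = "postgresql/pam_replication";
        permissions = "0400";
        group = "postgres";
        user = "postgres";
        text = ''
          host ${myconfig.env.ldap.host}
          base ${myconfig.env.ldap.base}
          binddn ${myconfig.env.ldap.host_dn}
          bindpw ${myconfig.env.ldap.password}
          pam_login_attribute cn
          ssl start_tls
        '';
      }
    ];

    # PAM services named by pamservice= in the pg_hba rules ("postgresql" is
    # the default service name for the plain "pam" method). Both auth and
    # account go through pam_ldap, so a disabled LDAP account is refused even
    # if its password still binds.
    security.pam.services = let
      pam_ldap = "${pkgs.pam_ldap}/lib/security/pam_ldap.so";
    in [
      {
        name = "postgresql";
        text = ''
          auth required ${pam_ldap} config=/var/secrets/postgresql/pam
          account required ${pam_ldap} config=/var/secrets/postgresql/pam
        '';
      }
      {
        name = "postgresql_replication";
        text = ''
          auth required ${pam_ldap} config=/var/secrets/postgresql/pam_replication
          account required ${pam_ldap} config=/var/secrets/postgresql/pam_replication
        '';
      }
    ];
  };
}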