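{ lib, pkgs, pkgsNext, config, myconfig, mylibs, ... }:
let
  # Deliberately shadows the module's `pkgs` argument: every package referenced
  # below is taken from pkgsNext with this configuration's overlays applied, so
  # that the postgresql overlay declared in `config` is honoured.
  pkgs = pkgsNext.appendOverlays config.nixpkgs.overlays;
  cfg = config.services.myDatabases;

  # Derivation overrides shared by both branches of the postgresql overlay:
  # build with PAM support (needed by the `pam` methods in the pg_hba rules
  # further down), link against pam, and apply the local socket-path patch.
  # `self` is the overlay's final package set, `old` the attrs being overridden.
  withPamAndSocketPatch = self: old: {
    # NOTE(review): this pins psqlSchema to "11.0"; nixpkgs' own postgresql_11
    # is believed to report a different value ("11") — confirm which one the
    # rest of the configuration relies on before touching it.
    passthru = old.passthru // { psqlSchema = "11.0"; };
    configureFlags = old.configureFlags ++ [ "--with-pam" ];
    buildInputs = (old.buildInputs or []) ++ [ self.pam ];
    # `or []` keeps the override valid if the base derivation ships no patches.
    patches = (old.patches or []) ++ [
      ./postgresql_run_socket_path.patch
    ];
  };
in {
  options.services.myDatabases = {
    postgresql = {
      enable = lib.mkOption {
        # Follows the global myDatabases switch unless set explicitly.
        default = cfg.enable;
        example = true;
        description = "Whether to enable postgresql database";
        type = lib.types.bool;
      };
    };
  };

  config = lib.mkIf cfg.enable {
    # Provide postgresql 11 built with PAM. Newer nixpkgs already ships
    # postgresql_11; older ones are upgraded from postgresql100 by swapping in
    # the 11.1 source tarball (pinned by hash).
    nixpkgs.overlays = [ (self: super: rec {
      postgresql = postgresql_11;
      postgresql_11 =
        if builtins.hasAttr "postgresql_11" super
        then super.postgresql_11.overrideAttrs (withPamAndSocketPatch self)
        else super.postgresql100.overrideAttrs (old: rec {
          name = "postgresql-11.1";
          src = self.fetchurl {
            url = "mirror://postgresql/source/v11.1/${name}.tar.bz2";
            sha256 = "026v0sicsh7avzi45waf8shcbhivyxmi7qgn9fd1x0vl520mx0ch";
          };
        } // withPamAndSocketPatch self old);
    }) ];

    # 5432 is opened towards every source; who may actually connect is decided
    # by the pg_hba rules in `services.postgresql.authentication` (remote access
    # is TLS-only and, apart from two listed hosts, LDAP/PAM-authenticated).
    networking.firewall.allowedTCPPorts = [ 5432 ];

    # Server certificate, owned by the postgres user so the key file referenced
    # from `extraConfig` is readable by the daemon.
    security.acme.certs."postgresql" = config.services.myCertificates.certConfig // {
      user = "postgres";
      group = "postgres";
      plugins = [ "fullchain.pem" "key.pem" "account_key.json" ];
      domain = "db-1.immae.eu";
      # Pick up a renewed certificate without a full restart.
      postRun = ''
        systemctl reload postgresql.service
      '';
    };

    # Directory holding the unix socket (see postgresql_run_socket_path.patch);
    # created at activation so it exists before the service starts.
    system.activationScripts.postgresql = ''
      install -m 0755 -o postgres -g postgres -d ${myconfig.env.databases.postgresql.socket}
    '';

    services.postgresql = {
      enable = cfg.postgresql.enable;
      package = pkgs.postgresql;
      enableTCPIP = true;
      # wal_level = logical is what the replication rules below rely on; the
      # ssl_* files are the ones produced by the acme entry above.
      extraConfig = ''
        max_connections = 100
        wal_level = logical
        shared_buffers = 512MB
        work_mem = 10MB
        max_wal_size = 1GB
        min_wal_size = 80MB
        log_timezone = 'Europe/Paris'
        datestyle = 'iso, mdy'
        timezone = 'Europe/Paris'
        lc_messages = 'en_US.UTF-8'
        lc_monetary = 'en_US.UTF-8'
        lc_numeric = 'en_US.UTF-8'
        lc_time = 'en_US.UTF-8'
        default_text_search_config = 'pg_catalog.english'
        ssl = on
        ssl_cert_file = '/var/lib/acme/postgresql/fullchain.pem'
        ssl_key_file = '/var/lib/acme/postgresql/key.pem'
      '';
      # pg_hba rules, first match wins:
      #  - the postgres superuser over the socket by OS identity, other local
      #    users by password;
      #  - the two listed IPv4 hosts by password, TLS only (md5; PG 11 also
      #    offers scram-sha-256, which needs password_encryption set and the
      #    passwords re-stored — worth it once every client supports it);
      #  - any other TLS client through the LDAP-backed "postgresql" PAM stack;
      #  - replication for backup-1, from its two addresses only, through the
      #    separate "postgresql_replication" PAM stack.
      # There is no plain `host` line, so non-TLS remote connections match
      # nothing and are refused.
      authentication = ''
        local all postgres ident
        local all all md5
        hostssl all all 188.165.209.148/32 md5
        hostssl all all 178.33.252.96/32 md5
        hostssl all all all pam
        hostssl replication backup-1 2001:41d0:302:1100::9:e5a9/128 pam pamservice=postgresql_replication
        hostssl replication backup-1 54.37.151.137/32 pam pamservice=postgresql_replication
      '';
    };

    # PAM stacks referenced by the `pam` lines above. Both authenticate against
    # the LDAP server from myconfig.env.ldap, with STARTTLS on the connection.
    security.pam.services = let
      pam_ldap = "${pkgs.pam_ldap}/lib/security/pam_ldap.so";
      # NOTE(review): pkgs.writeText places these files in /nix/store, which is
      # world-readable, so the LDAP bind passwords interpolated below are
      # readable by any local account. TODO: point `config=` at a root-owned
      # file outside the store that is deployed separately.
      pam_ldap_postgresql = with myconfig.env.databases.postgresql.pam;
        pkgs.writeText "postgresql.conf" ''
          host ${myconfig.env.ldap.host}
          base ${myconfig.env.ldap.base}
          binddn ${dn}
          bindpw ${password}
          pam_filter ${filter}
          ssl start_tls
        '';
      # Replication logins bind with the host's own LDAP identity and match the
      # connecting user on `cn` rather than the default login attribute.
      pam_ldap_postgresql_replication = pkgs.writeText "postgresql.conf" ''
        host ${myconfig.env.ldap.host}
        base ${myconfig.env.ldap.base}
        binddn ${myconfig.env.ldap.host_dn}
        bindpw ${myconfig.env.ldap.password}
        pam_login_attribute cn
        ssl start_tls
      '';
    in [
      {
        name = "postgresql";
        text = ''
          auth required ${pam_ldap} config=${pam_ldap_postgresql}
          account required ${pam_ldap} config=${pam_ldap_postgresql}
        '';
      }
      {
        name = "postgresql_replication";
        text = ''
          auth required ${pam_ldap} config=${pam_ldap_postgresql_replication}
          account required ${pam_ldap} config=${pam_ldap_postgresql_replication}
        '';
      }
    ];
  };
}
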