1 { lib, pkgs, pkgsNext, config, myconfig, mylibs, ... }:
3 pkgs = pkgsNext.appendOverlays config.nixpkgs.overlays;
4 cfg = config.services.myDatabases;
6 options.services.myDatabases = {
8 enable = lib.mkOption {
11 description = "Whether to enable postgresql database";
12 type = lib.types.bool;
17 config = lib.mkIf cfg.enable {
18 nixpkgs.overlays = [ (self: super: rec {
19 postgresql = postgresql_11;
20 postgresql_11 = if builtins.hasAttr "postgresql_11" super
21 then super.postgresql_11.overrideAttrs(old: rec {
22 passthru = old.passthru // { psqlSchema = "11.0"; };
23 configureFlags = old.configureFlags ++ [ "--with-pam" ];
24 buildInputs = (old.buildInputs or []) ++ [ self.pam ];
25 patches = old.patches ++ [
26 ./postgresql_run_socket_path.patch
29 else super.postgresql100.overrideAttrs(old: rec {
30 passthru = old.passthru // { psqlSchema = "11.0"; };
31 name = "postgresql-11.1";
33 url = "mirror://postgresql/source/v11.1/${name}.tar.bz2";
34 sha256 = "026v0sicsh7avzi45waf8shcbhivyxmi7qgn9fd1x0vl520mx0ch";
36 configureFlags = old.configureFlags ++ [ "--with-pam" ];
37 buildInputs = (old.buildInputs or []) ++ [ self.pam ];
38 patches = old.patches ++ [
39 ./postgresql_run_socket_path.patch
44 networking.firewall.allowedTCPPorts = [ 5432 ];
46 security.acme.certs."postgresql" = config.services.myCertificates.certConfig // {
49 plugins = [ "fullchain.pem" "key.pem" "account_key.json" ];
50 domain = "db-1.immae.eu";
52 systemctl reload postgresql.service
56 system.activationScripts.postgresql = ''
57 install -m 0755 -o postgres -g postgres -d ${myconfig.env.databases.postgresql.socket}
60 services.postgresql = rec {
61 enable = cfg.postgresql.enable;
62 package = pkgs.postgresql;
67 shared_buffers = 512MB
71 log_timezone = 'Europe/Paris'
72 datestyle = 'iso, mdy'
73 timezone = 'Europe/Paris'
74 lc_messages = 'en_US.UTF-8'
75 lc_monetary = 'en_US.UTF-8'
76 lc_numeric = 'en_US.UTF-8'
77 lc_time = 'en_US.UTF-8'
78 default_text_search_config = 'pg_catalog.english'
80 ssl_cert_file = '/var/lib/acme/postgresql/fullchain.pem'
81 ssl_key_file = '/var/lib/acme/postgresql/key.pem'
84 local all postgres ident
86 hostssl all all 188.165.209.148/32 md5
87 hostssl all all 178.33.252.96/32 md5
88 hostssl all all all pam
89 hostssl replication backup-1 2001:41d0:302:1100::9:e5a9/128 pam pamservice=postgresql_replication
90 hostssl replication backup-1 54.37.151.137/32 pam pamservice=postgresql_replication
94 security.pam.services = let
95 pam_ldap = "${pkgs.pam_ldap}/lib/security/pam_ldap.so";
96 pam_ldap_postgresql = with myconfig.env.databases.postgresql.pam;
97 pkgs.writeText "postgresql.conf" ''
98 host ${myconfig.env.ldap.host}
99 base ${myconfig.env.ldap.base}
105 pam_ldap_postgresql_replication = pkgs.writeText "postgresql.conf" ''
106 host ${myconfig.env.ldap.host}
107 base ${myconfig.env.ldap.base}
108 binddn ${myconfig.env.ldap.host_dn}
109 bindpw ${myconfig.env.ldap.password}
110 pam_login_attribute cn
117 auth required ${pam_ldap} config=${pam_ldap_postgresql}
118 account required ${pam_ldap} config=${pam_ldap_postgresql}
122 name = "postgresql_replication";
124 auth required ${pam_ldap} config=${pam_ldap_postgresql_replication}
125 account required ${pam_ldap} config=${pam_ldap_postgresql_replication}