Move secrets module outside of nixops

[perso/Immae/Config/Nix.git] / nixops / modules / databases / postgresql.nix

diff --git a/nixops/modules/databases/postgresql.nix b/nixops/modules/databases/postgresql.nix
index f839d6338a10eadd73df4c3c921e13de5e111b8a..3a58c48c2716f9514a1fe1977f8fab06fecf46db 100644 (file)
--- a/nixops/modules/databases/postgresql.nix
+++ b/nixops/modules/databases/postgresql.nix
@@ -15,20 +15,7 @@ in {
 
   config = lib.mkIf cfg.enable {
     nixpkgs.overlays = [ (self: super: rec {
-      postgresql = postgresql111;
-      postgresql111 = super.postgresql100.overrideAttrs(old: rec {
-        passthru = old.passthru // { psqlSchema = "11.0"; };
-        name = "postgresql-11.1";
-        src = self.fetchurl {
-          url = "mirror://postgresql/source/v11.1/${name}.tar.bz2";
-          sha256 = "026v0sicsh7avzi45waf8shcbhivyxmi7qgn9fd1x0vl520mx0ch";
-        };
-        configureFlags = old.configureFlags ++ [ "--with-pam" ];
-        buildInputs = (old.buildInputs or []) ++ [ self.pam ];
-        patches = old.patches ++ [
-          ./postgresql_run_socket_path.patch
-        ];
-      });
+      postgresql = self.postgresql_11_custom;
     }) ];
 
     networking.firewall.allowedTCPPorts = [ 5432 ];
@@ -47,6 +34,7 @@ in {
       install -m 0755 -o postgres -g postgres -d ${myconfig.env.databases.postgresql.socket}
       '';
 
+    systemd.services.postgresql.serviceConfig.SupplementaryGroups = "keys";
     services.postgresql = rec {
       enable = cfg.postgresql.enable;
       package = pkgs.postgresql;
@@ -81,38 +69,52 @@ in {
       '';
     };
 
-    security.pam.services = let
-      pam_ldap = "${pkgs.pam_ldap}/lib/security/pam_ldap.so";
-      pam_ldap_postgresql = with myconfig.env.databases.postgresql.pam;
-        pkgs.writeText "postgresql.conf" ''
-        host ${myconfig.env.ldap.host}
-        base ${myconfig.env.ldap.base}
-        binddn ${dn}
-        bindpw ${password}
-        pam_filter ${filter}
-        ssl start_tls
+    secrets.keys = [
+      {
+        dest = "postgresql/pam";
+        permissions = "0400";
+        group = "postgres";
+        user = "postgres";
+        text =  with myconfig.env.databases.postgresql.pam; ''
+          host ${myconfig.env.ldap.host}
+          base ${myconfig.env.ldap.base}
+          binddn ${dn}
+          bindpw ${password}
+          pam_filter ${filter}
+          ssl start_tls
         '';
-      pam_ldap_postgresql_replication = pkgs.writeText "postgresql.conf" ''
-        host ${myconfig.env.ldap.host}
-        base ${myconfig.env.ldap.base}
-        binddn ${myconfig.env.ldap.host_dn}
-        bindpw ${myconfig.env.ldap.password}
-        pam_login_attribute cn
-        ssl start_tls
+      }
+      {
+        dest = "postgresql/pam_replication";
+        permissions = "0400";
+        group = "postgres";
+        user = "postgres";
+        text = ''
+          host ${myconfig.env.ldap.host}
+          base ${myconfig.env.ldap.base}
+          binddn ${myconfig.env.ldap.host_dn}
+          bindpw ${myconfig.env.ldap.password}
+          pam_login_attribute cn
+          ssl start_tls
         '';
+      }
+    ];
+
+    security.pam.services = let
+      pam_ldap = "${pkgs.pam_ldap}/lib/security/pam_ldap.so";
     in [
       {
         name = "postgresql";
         text = ''
-          auth    required ${pam_ldap} config=${pam_ldap_postgresql}
-          account required ${pam_ldap} config=${pam_ldap_postgresql}
+          auth    required ${pam_ldap} config=/var/secrets/postgresql/pam
+          account required ${pam_ldap} config=/var/secrets/postgresql/pam
           '';
       }
       {
         name = "postgresql_replication";
         text = ''
-          auth    required ${pam_ldap} config=${pam_ldap_postgresql_replication}
-          account required ${pam_ldap} config=${pam_ldap_postgresql_replication}
+          auth    required ${pam_ldap} config=/var/secrets/postgresql/pam_replication
+          account required ${pam_ldap} config=/var/secrets/postgresql/pam_replication
           '';
       }
     ];