author | Ismaël Bouya <ismael.bouya@normalesup.org> | 2019-01-11 15:46:45 +0100 |
---|---|---|
committer | Ismaël Bouya <ismael.bouya@normalesup.org> | 2019-01-11 16:04:29 +0100 |
commit | f3d9c61e9becccc9ef25f64e5e639d45ea25650a (patch) | |
tree | 4a54120e685e222d6a70c6c4c0ee4bc1d980aac3 /virtual/modules/databases.nix | |
parent | 54307da49e9975ca3cce0d45fd12ade016cf90d9 (diff) | |
Improve postgresql: allow replication from backup-1, change root to
/run/postgres
Diffstat (limited to 'virtual/modules/databases.nix')
-rw-r--r-- | virtual/modules/databases.nix | 61 |
1 files changed, 52 insertions, 9 deletions
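--- a/virtual/modules/databases.nix
+++ b/virtual/modules/databases.nix
@@ -42,6 +42,11 @@ in {
 url = "mirror://postgresql/source/v11.1/${name}.tar.bz2";
 sha256 = "026v0sicsh7avzi45waf8shcbhivyxmi7qgn9fd1x0vl520mx0ch";
 };
+configureFlags = old.configureFlags ++ [ "--with-pam" ];
+buildInputs = (old.buildInputs or []) ++ [ pkgs.pam ];
+patches = old.patches ++ [
+./postgresql_run_socket_path.patch
+];
 });
 mariadb = mariadbPAM;
 mariadbPAM = oldpkgs.mariadb.overrideAttrs(old: rec {
@@ -62,9 +67,23 @@ in {
 package = pkgs.mariadb;
 };
 
+# Cannot use eldiron: psql complains too much rights on the key, and
+# setfacl cannot work properly because of acme prestart script
+security.acme.certs."postgresql" = config.services.myCertificates.certConfig // {
+user = "postgres";
+group = "postgres";
+plugins = [ "fullchain.pem" "key.pem" "account_key.json" ];
+domain = "db-1.immae.eu";
+postRun = ''
+systemctl reload postgresql.service
+'';
+};
+
+system.activationScripts.postgresql = ''
+install -m 0755 -o postgres -g postgres -d /run/postgresql
+'';
+
 # FIXME: initial sync
-# FIXME: backup
-# FIXME: ssl
 services.postgresql = rec {
 enable = cfg.postgresql.enable;
 package = pkgs.postgresql;
@@ -83,17 +102,19 @@ in {
 lc_numeric = 'en_US.UTF-8'
 lc_time = 'en_US.UTF-8'
 default_text_search_config = 'pg_catalog.english'
-# ssl = on
-# ssl_cert_file = '/var/lib/acme/eldiron/fullchain.pem'
-# ssl_key_file = '/var/lib/acme/eldiron/key.pem'
+ssl = on
+ssl_cert_file = '/var/lib/acme/postgresql/fullchain.pem'
+ssl_key_file = '/var/lib/acme/postgresql/key.pem'
 '';
 authentication = ''
 local all postgres ident
 local all all md5
-host all all samehost md5
-host all all 178.33.252.96/32 md5
-host all all 188.165.209.148/32 md5
-#host all all all pam
+hostssl all all samehost md5
+hostssl all all 178.33.252.96/32 md5
+hostssl all all 188.165.209.148/32 md5
+hostssl all all all pam
+hostssl replication backup-1 2001:41d0:302:1100::9:e5a9/128 pam pamservice=postgresql_replication
+hostssl replication backup-1 54.37.151.137/32 pam pamservice=postgresql_replication
 '';
 };
 
@@ -107,6 +128,14 @@ in {
 bindpw ${builtins.getEnv "NIXOPS_MYSQL_PAM_PASSWORD"}
 pam_filter memberOf=cn=users,cn=mysql,cn=pam,ou=services,dc=immae,dc=eu
 '';
+pam_ldap_postgresql_replication = assert mylibs.checkEnv "NIXOPS_ELDIRON_LDAP_PASSWORD";
+pkgs.writeText "postgresql.conf" ''
+host ldap.immae.eu
+base dc=immae,dc=eu
+binddn cn=eldiron,ou=hosts,dc=immae,dc=eu
+bindpw ${builtins.getEnv "NIXOPS_ELDIRON_LDAP_PASSWORD"}
+pam_login_attribute cn
+'';
 in [
 {
 name = "mysql";
@@ -116,6 +145,20 @@ in {
 account required ${pam_ldap}/lib/security/pam_ldap.so config=${pam_ldap_mysql}
 '';
 }
+{
+name = "postgresql";
+text = ''
+auth required ${pam_ldap}/lib/security/pam_ldap.so config=${pam_ldap_postgresql_replication}
+account required ${pam_ldap}/lib/security/pam_ldap.so config=${pam_ldap_postgresql_replication}
+'';
+}
+{
+name = "postgresql_replication";
+text = ''
+auth required ${pam_ldap}/lib/security/pam_ldap.so config=${pam_ldap_postgresql_replication}
+account required ${pam_ldap}/lib/security/pam_ldap.so config=${pam_ldap_postgresql_replication}
+'';
+}
 ];
 
 # FIXME: backup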
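Review bot: The new `hostssl all all all pam` rule (new line 115) accepts connection attempts from any address for any database and role through the `postgresql` PAM service, and the pam_ldap config that service points at (new lines 131-138) carries no `pam_filter`, unlike the mysql config on line 129 which restricts to `memberOf=cn=users,cn=mysql,...`; so, as far as this file shows, any LDAP account that also has a Postgres role can authenticate from anywhere, and the `postgresql` and `postgresql_replication` PAM services on lines 148-161 end up byte-identical since both reference `pam_ldap_postgresql_replication`. Consider one pam_ldap config per service with a group filter, e.g. `pam_filter memberOf=<postgresql-users-group-dn>` for `postgresql` and a separate config limited to the replication account for `postgresql_replication`, and narrowing the catch-all rule to the networks that actually need it, as the three preceding `hostssl` rules already do. Separately, `pkgs.writeText` on line 132 places the LDAP bind password in the world-readable Nix store; that mirrors the existing mysql pattern on line 128, but a comment noting it, `# NOTE: bindpw ends up in /nix/store (world-readable)`, would make the trade-off explicit for both.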