Diffstat (limited to 'modules/private/databases/postgresql.nix')
-rw-r--r--modules/private/databases/postgresql.nix119
1 files changed, 99 insertions, 20 deletions
diff --git a/modules/private/databases/postgresql.nix b/modules/private/databases/postgresql.nix
index 8c36d84..911a6d1 100644
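--- a/modules/private/databases/postgresql.nix
+++ b/modules/private/databases/postgresql.nix
@@ -1,4 +1,4 @@
-{ lib, pkgs, config, myconfig, ... }:
+{ lib, pkgs, config, ... }:
 let
   cfg = config.myServices.databases.postgresql;
 in {
@@ -10,6 +10,78 @@ in {
       description = "Whether to enable postgresql database";
       type = lib.types.bool;
     };
+    package = lib.mkOption {
+      type = lib.types.package;
+      default = pkgs.postgresql;
+      description = ''
+        Postgresql package to use.
+      '';
+    };
+    ldapConfig = lib.mkOption {
+      description = "LDAP configuration to allow PAM identification via LDAP";
+      type = lib.types.submodule {
+        options = {
+          host = lib.mkOption { type = lib.types.str; };
+          base = lib.mkOption { type = lib.types.str; };
+          dn = lib.mkOption { type = lib.types.str; };
+          password = lib.mkOption { type = lib.types.str; };
+          filter = lib.mkOption { type = lib.types.str; };
+        };
+      };
+    };
+    replicationLdapConfig = lib.mkOption {
+      description = "LDAP configuration to allow replication";
+      type = lib.types.submodule {
+        options = {
+          host = lib.mkOption { type = lib.types.str; };
+          base = lib.mkOption { type = lib.types.str; };
+          dn = lib.mkOption { type = lib.types.str; };
+          password = lib.mkOption { type = lib.types.str; };
+        };
+      };
+    };
+    authorizedHosts = lib.mkOption {
+      default = {};
+      description = "Hosts to allow connections from";
+      type = lib.types.attrsOf (lib.types.listOf (lib.types.submodule {
+        options = {
+          method = lib.mkOption {
+            default = "md5";
+            type = lib.types.str;
+          };
+          username = lib.mkOption {
+            default = "all";
+            type = lib.types.str;
+          };
+          database = lib.mkOption {
+            default = "all";
+            type = lib.types.str;
+          };
+          ip4 = lib.mkOption {
+            default = [];
+            type = lib.types.listOf lib.types.str;
+          };
+          ip6 = lib.mkOption {
+            default = [];
+            type = lib.types.listOf lib.types.str;
+          };
+        };
+      }));
+    };
+    replicationHosts = lib.mkOption {
+      default = {};
+      description = "Hosts to allow replication from";
+      type = lib.types.attrsOf (lib.types.submodule {
+        options = {
+          ip4 = lib.mkOption {
+            type = lib.types.listOf lib.types.str;
+          };
+          ip6 = lib.mkOption {
+            type = lib.types.listOf lib.types.str;
+          };
+        };
+      });
+    };
     # Output variables
     socketsDir = lib.mkOption {
       type = lib.types.path;
@@ -33,10 +105,6 @@ in {
   };
 
   config = lib.mkIf cfg.enable {
-    nixpkgs.overlays = [ (self: super: rec {
-      postgresql = self.postgresql_11_custom;
-    }) ];
-
     networking.firewall.allowedTCPPorts = [ 5432 ];
 
     security.acme.certs."postgresql" = config.myServices.databasesCerts // {
@@ -53,9 +121,9 @@ in {
       SupplementaryGroups = "keys";
       RuntimeDirectory = cfg.systemdRuntimeDirectory;
     };
-    services.postgresql = rec {
+    services.postgresql = {
       enable = true;
-      package = pkgs.postgresql;
+      package = cfg.package;
       enableTCPIP = true;
       extraConfig = ''
         max_connections = 100
@@ -76,14 +144,25 @@ in {
         ssl_cert_file = '${config.security.acme.directory}/postgresql/fullchain.pem'
         ssl_key_file = '${config.security.acme.directory}/postgresql/key.pem'
       '';
-      authentication = ''
+      authentication = let
+        hosts = builtins.concatStringsSep "\n" (
+          lib.lists.flatten (lib.mapAttrsToList (k: vs: map (v:
+            map (ip6: "hostssl ${v.database} ${v.username} ${ip6}/128 ${v.method}") v.ip6
+            ++ map (ip4: "hostssl ${v.database} ${v.username} ${ip4}/32 ${v.method}") v.ip4
+          ) vs) cfg.authorizedHosts
+        ));
+        replication = builtins.concatStringsSep "\n" (
+          lib.lists.flatten (lib.mapAttrsToList (k: v:
+            map (ip6: "hostssl replication ${k} ${ip6}/128 pam pamservice=postgresql_replication") v.ip6
+            ++ map (ip4: "hostssl replication ${k} ${ip4}/32 pam pamservice=postgresql_replication") v.ip4
+          ) cfg.replicationHosts
+        ));
+      in ''
         local all postgres ident
         local all all md5
-        hostssl all all 188.165.209.148/32 md5
-        hostssl all all 178.33.252.96/32 md5
+        ${hosts}
         hostssl all all all pam
-        hostssl replication backup-1 2001:41d0:302:1100::9:e5a9/128 pam pamservice=postgresql_replication
-        hostssl replication backup-1 54.37.151.137/32 pam pamservice=postgresql_replication
+        ${replication}
       '';
     };
 
@@ -93,9 +172,9 @@ in {
       permissions = "0400";
       group = "postgres";
       user = "postgres";
-      text = with myconfig.env.databases.postgresql.pam; ''
-        host ${myconfig.env.ldap.host}
-        base ${myconfig.env.ldap.base}
+      text = with cfg.ldapConfig; ''
+        host ${host}
+        base ${base}
         binddn ${dn}
         bindpw ${password}
         pam_filter ${filter}
@@ -107,11 +186,11 @@ in {
       permissions = "0400";
       group = "postgres";
       user = "postgres";
-      text = ''
-        host ${myconfig.env.ldap.host}
-        base ${myconfig.env.ldap.base}
-        binddn ${myconfig.env.ldap.host_dn}
-        bindpw ${myconfig.env.ldap.password}
+      text = with cfg.replicationLdapConfig; ''
+        host ${host}
+        base ${base}
+        binddn ${dn}
+        bindpw ${password}
         pam_login_attribute cn
         ssl start_tls
       '';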
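Review bot: The new `ip4`/`ip6` options (new lines 60-67 and 76-81) are unconstrained `lib.types.str`, yet the `authentication` builder (new lines 148-159) appends a fixed `/32` or `/128` to every entry, so an address typed with its own prefix length ("10.0.0.0/24") or with a typo yields an invalid pg_hba.conf line that PostgreSQL only rejects at start or reload, and because the value is interpolated unchecked an entry containing whitespace or a newline would splice additional hba rules into the file. Constrain the type instead of trusting the caller, e.g. `type = lib.types.listOf (lib.types.strMatching "[0-9.]+");` for `ip4` and `type = lib.types.listOf (lib.types.strMatching "[0-9a-fA-F:]+");` for `ip6`, and say in each option's description that bare addresses without a prefix length are expected. Separately, `method` defaults to `"md5"` (new line 49); if the package resolved by `cfg.package` is PostgreSQL 10 or later, `scram-sha-256` is the stronger default (the unchanged `local all all md5` line and `password_encryption` in `extraConfig` would need the same treatment, and existing md5-hashed passwords have to be reset before switching, so this may be a follow-up). The `config = lib.mkIf cfg.enable` attrset these hunks edit opens in the third hunk and closes outside the diff.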