diff options
Diffstat (limited to 'nixops/modules/databases/postgresql.nix')
| -rw-r--r-- | nixops/modules/databases/postgresql.nix | 57 |
1 files changed, 36 insertions, 21 deletions
diff --git a/nixops/modules/databases/postgresql.nix b/nixops/modules/databases/postgresql.nix index 673ced8..7e2f4e6 100644 --- a/nixops/modules/databases/postgresql.nix +++ b/nixops/modules/databases/postgresql.nix | |||
| @@ -42,6 +42,7 @@ in { | |||
| 42 | install -m 0755 -o postgres -g postgres -d ${myconfig.env.databases.postgresql.socket} | 42 | install -m 0755 -o postgres -g postgres -d ${myconfig.env.databases.postgresql.socket} |
| 43 | ''; | 43 | ''; |
| 44 | 44 | ||
| 45 | systemd.services.postgresql.serviceConfig.SupplementaryGroups = "keys"; | ||
| 45 | services.postgresql = rec { | 46 | services.postgresql = rec { |
| 46 | enable = cfg.postgresql.enable; | 47 | enable = cfg.postgresql.enable; |
| 47 | package = pkgs.postgresql; | 48 | package = pkgs.postgresql; |
| @@ -76,38 +77,52 @@ in { | |||
| 76 | ''; | 77 | ''; |
| 77 | }; | 78 | }; |
| 78 | 79 | ||
| 79 | security.pam.services = let | 80 | deployment.keys = { |
| 80 | pam_ldap = "${pkgs.pam_ldap}/lib/security/pam_ldap.so"; | 81 | postgresql-pam = { |
| 81 | pam_ldap_postgresql = with myconfig.env.databases.postgresql.pam; | 82 | destDir = "/run/keys/postgresql"; |
| 82 | pkgs.writeText "postgresql.conf" '' | 83 | permissions = "0400"; |
| 83 | host ${myconfig.env.ldap.host} | 84 | group = "postgres"; |
| 84 | base ${myconfig.env.ldap.base} | 85 | user = "postgres"; |
| 85 | binddn ${dn} | 86 | text = with myconfig.env.databases.postgresql.pam; '' |
| 86 | bindpw ${password} | 87 | host ${myconfig.env.ldap.host} |
| 87 | pam_filter ${filter} | 88 | base ${myconfig.env.ldap.base} |
| 88 | ssl start_tls | 89 | binddn ${dn} |
| 90 | bindpw ${password} | ||
| 91 | pam_filter ${filter} | ||
| 92 | ssl start_tls | ||
| 89 | ''; | 93 | ''; |
| 90 | pam_ldap_postgresql_replication = pkgs.writeText "postgresql.conf" '' | 94 | }; |
| 91 | host ${myconfig.env.ldap.host} | 95 | postgresql-pam_replication = { |
| 92 | base ${myconfig.env.ldap.base} | 96 | destDir = "/run/keys/postgresql"; |
| 93 | binddn ${myconfig.env.ldap.host_dn} | 97 | permissions = "0400"; |
| 94 | bindpw ${myconfig.env.ldap.password} | 98 | group = "postgres"; |
| 95 | pam_login_attribute cn | 99 | user = "postgres"; |
| 96 | ssl start_tls | 100 | text = '' |
| 101 | host ${myconfig.env.ldap.host} | ||
| 102 | base ${myconfig.env.ldap.base} | ||
| 103 | binddn ${myconfig.env.ldap.host_dn} | ||
| 104 | bindpw ${myconfig.env.ldap.password} | ||
| 105 | pam_login_attribute cn | ||
| 106 | ssl start_tls | ||
| 97 | ''; | 107 | ''; |
| 108 | }; | ||
| 109 | }; | ||
| 110 | |||
| 111 | security.pam.services = let | ||
| 112 | pam_ldap = "${pkgs.pam_ldap}/lib/security/pam_ldap.so"; | ||
| 98 | in [ | 113 | in [ |
| 99 | { | 114 | { |
| 100 | name = "postgresql"; | 115 | name = "postgresql"; |
| 101 | text = '' | 116 | text = '' |
| 102 | auth required ${pam_ldap} config=${pam_ldap_postgresql} | 117 | auth required ${pam_ldap} config=/run/keys/postgresql/postgresql-pam |
| 103 | account required ${pam_ldap} config=${pam_ldap_postgresql} | 118 | account required ${pam_ldap} config=/run/keys/postgresql/postgresql-pam |
| 104 | ''; | 119 | ''; |
| 105 | } | 120 | } |
| 106 | { | 121 | { |
| 107 | name = "postgresql_replication"; | 122 | name = "postgresql_replication"; |
| 108 | text = '' | 123 | text = '' |
| 109 | auth required ${pam_ldap} config=${pam_ldap_postgresql_replication} | 124 | auth required ${pam_ldap} config=/run/keys/postgresql/postgresql-pam_replication |
| 110 | account required ${pam_ldap} config=${pam_ldap_postgresql_replication} | 125 | account required ${pam_ldap} config=/run/keys/postgresql/postgresql-pam_replication |
| 111 | ''; | 126 | ''; |
| 112 | } | 127 | } |
| 113 | ]; | 128 | ]; |