Diffstat (limited to 'nixops/modules/databases/postgresql.nix')
-rw-r--r-- | nixops/modules/databases/postgresql.nix | 57 |
1 files changed, 36 insertions, 21 deletions
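--- a/nixops/modules/databases/postgresql.nix
+++ b/nixops/modules/databases/postgresql.nix
@@ -42,6 +42,7 @@ in {
 install -m 0755 -o postgres -g postgres -d ${myconfig.env.databases.postgresql.socket}
 '';
 
+systemd.services.postgresql.serviceConfig.SupplementaryGroups = "keys";
 services.postgresql = rec {
 enable = cfg.postgresql.enable;
 package = pkgs.postgresql;
@@ -76,38 +77,52 @@ in {
 '';
 };
 
-security.pam.services = let
-pam_ldap = "${pkgs.pam_ldap}/lib/security/pam_ldap.so";
-pam_ldap_postgresql = with myconfig.env.databases.postgresql.pam;
-pkgs.writeText "postgresql.conf" ''
-host ${myconfig.env.ldap.host}
-base ${myconfig.env.ldap.base}
-binddn ${dn}
-bindpw ${password}
-pam_filter ${filter}
-ssl start_tls
+deployment.keys = {
+postgresql-pam = {
+destDir = "/run/keys/postgresql";
+permissions = "0400";
+group = "postgres";
+user = "postgres";
+text = with myconfig.env.databases.postgresql.pam; ''
+host ${myconfig.env.ldap.host}
+base ${myconfig.env.ldap.base}
+binddn ${dn}
+bindpw ${password}
+pam_filter ${filter}
+ssl start_tls
 '';
-pam_ldap_postgresql_replication = pkgs.writeText "postgresql.conf" ''
-host ${myconfig.env.ldap.host}
-base ${myconfig.env.ldap.base}
-binddn ${myconfig.env.ldap.host_dn}
-bindpw ${myconfig.env.ldap.password}
-pam_login_attribute cn
-ssl start_tls
+};
+postgresql-pam_replication = {
+destDir = "/run/keys/postgresql";
+permissions = "0400";
+group = "postgres";
+user = "postgres";
+text = ''
+host ${myconfig.env.ldap.host}
+base ${myconfig.env.ldap.base}
+binddn ${myconfig.env.ldap.host_dn}
+bindpw ${myconfig.env.ldap.password}
+pam_login_attribute cn
+ssl start_tls
 '';
+};
+};
+
+security.pam.services = let
+pam_ldap = "${pkgs.pam_ldap}/lib/security/pam_ldap.so";
 in [
 {
 name = "postgresql";
 text = ''
-auth required ${pam_ldap} config=${pam_ldap_postgresql}
-account required ${pam_ldap} config=${pam_ldap_postgresql}
+auth required ${pam_ldap} config=/run/keys/postgresql/postgresql-pam
+account required ${pam_ldap} config=/run/keys/postgresql/postgresql-pam
 '';
 }
 {
 name = "postgresql_replication";
 text = ''
-auth required ${pam_ldap} config=${pam_ldap_postgresql_replication}
-account required ${pam_ldap} config=${pam_ldap_postgresql_replication}
+auth required ${pam_ldap} config=/run/keys/postgresql/postgresql-pam_replication
+account required ${pam_ldap} config=/run/keys/postgresql/postgresql-pam_replication
 '';
 }
 ];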
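Review bot: postgresql.service is not ordered after the key units nixops generates for `deployment.keys`, so on a reboot (/run/keys is a tmpfs and is not persisted) or a deploy that re-pushes keys, postgresql can start before `/run/keys/postgresql/postgresql-pam` exists and pam_ldap will then reject every LDAP login until the service is restarted. Next to the `SupplementaryGroups = "keys"` line in the first hunk add `systemd.services.postgresql.after = [ "postgresql-pam-key.service" "postgresql-pam_replication-key.service" ];` and the same list under `systemd.services.postgresql.wants`; the unit names follow nixops' `<name>-key.service` convention and should be confirmed against the nixops version in use. Separately, both key texts end in `ssl start_tls` but neither sets `tls_checkpeer yes` or a `tls_cacertfile`, so whether the LDAP server certificate is verified before the bind password is sent depends on libldap's defaults rather than on this configuration; making it explicit is cheap. Moving the bind passwords out of the world-readable Nix store into 0400 key files owned by postgres is the right direction, though `${password}` and `${myconfig.env.ldap.password}` are still evaluated into the nixops state, which is expected for deployment.keys. The enclosing `in {` attribute set starts before the first hunk and closes after the last line shown.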