aboutsummaryrefslogtreecommitdiff
path: root/virtual
diff options
context:
space:
mode:
Diffstat (limited to 'virtual')
-rw-r--r--virtual/eldiron.nix3
-rw-r--r--virtual/modules/certificates.nix1
-rw-r--r--virtual/modules/databases.nix61
-rw-r--r--virtual/modules/postgresql_run_socket_path.patch12
-rw-r--r--virtual/packages/nextcloud.nix2
5 files changed, 68 insertions, 11 deletions
diff --git a/virtual/eldiron.nix b/virtual/eldiron.nix
index fa5cb51..2e4ae12 100644
--- a/virtual/eldiron.nix
+++ b/virtual/eldiron.nix
@@ -4,6 +4,9 @@
4 enableRollback = true; 4 enableRollback = true;
5 }; 5 };
6 6
7 # Full backup:
8 # The star after /var/lib/* avoids deleting all folders in case of problem
9 # rsync -e "ssh -i /root/.ssh/id_charon_vpn" -aAXvz --delete --numeric-ids --super --rsync-path="sudo rsync" /var/lib/* immae@immae.eu:
7 eldiron = { config, pkgs, mylibs, myconfig, ... }: 10 eldiron = { config, pkgs, mylibs, myconfig, ... }:
8 with mylibs; 11 with mylibs;
9 let 12 let
diff --git a/virtual/modules/certificates.nix b/virtual/modules/certificates.nix
index a9d6d99..1a63035 100644
--- a/virtual/modules/certificates.nix
+++ b/virtual/modules/certificates.nix
@@ -23,7 +23,6 @@
23 # it in httpd 23 # it in httpd
24 "eldiron" = config.services.myCertificates.certConfig // { 24 "eldiron" = config.services.myCertificates.certConfig // {
25 domain = "eldiron.immae.eu"; 25 domain = "eldiron.immae.eu";
26 allowKeysForGroup = true;
27 }; 26 };
28 }; 27 };
29 }; 28 };
diff --git a/virtual/modules/databases.nix b/virtual/modules/databases.nix
index 9f8e70d..de4ace6 100644
--- a/virtual/modules/databases.nix
+++ b/virtual/modules/databases.nix
@@ -42,6 +42,11 @@ in {
42 url = "mirror://postgresql/source/v11.1/${name}.tar.bz2"; 42 url = "mirror://postgresql/source/v11.1/${name}.tar.bz2";
43 sha256 = "026v0sicsh7avzi45waf8shcbhivyxmi7qgn9fd1x0vl520mx0ch"; 43 sha256 = "026v0sicsh7avzi45waf8shcbhivyxmi7qgn9fd1x0vl520mx0ch";
44 }; 44 };
45 configureFlags = old.configureFlags ++ [ "--with-pam" ];
46 buildInputs = (old.buildInputs or []) ++ [ pkgs.pam ];
47 patches = old.patches ++ [
48 ./postgresql_run_socket_path.patch
49 ];
45 }); 50 });
46 mariadb = mariadbPAM; 51 mariadb = mariadbPAM;
47 mariadbPAM = oldpkgs.mariadb.overrideAttrs(old: rec { 52 mariadbPAM = oldpkgs.mariadb.overrideAttrs(old: rec {
@@ -62,9 +67,23 @@ in {
62 package = pkgs.mariadb; 67 package = pkgs.mariadb;
63 }; 68 };
64 69
70 # Cannot use eldiron: psql complains too much rights on the key, and
71 # setfacl cannot work properly because of acme prestart script
72 security.acme.certs."postgresql" = config.services.myCertificates.certConfig // {
73 user = "postgres";
74 group = "postgres";
75 plugins = [ "fullchain.pem" "key.pem" "account_key.json" ];
76 domain = "db-1.immae.eu";
77 postRun = ''
78 systemctl reload postgresql.service
79 '';
80 };
81
82 system.activationScripts.postgresql = ''
83 install -m 0755 -o postgres -g postgres -d /run/postgresql
84 '';
85
65 # FIXME: initial sync 86 # FIXME: initial sync
66 # FIXME: backup
67 # FIXME: ssl
68 services.postgresql = rec { 87 services.postgresql = rec {
69 enable = cfg.postgresql.enable; 88 enable = cfg.postgresql.enable;
70 package = pkgs.postgresql; 89 package = pkgs.postgresql;
@@ -83,17 +102,19 @@ in {
83 lc_numeric = 'en_US.UTF-8' 102 lc_numeric = 'en_US.UTF-8'
84 lc_time = 'en_US.UTF-8' 103 lc_time = 'en_US.UTF-8'
85 default_text_search_config = 'pg_catalog.english' 104 default_text_search_config = 'pg_catalog.english'
86 # ssl = on 105 ssl = on
87 # ssl_cert_file = '/var/lib/acme/eldiron/fullchain.pem' 106 ssl_cert_file = '/var/lib/acme/postgresql/fullchain.pem'
88 # ssl_key_file = '/var/lib/acme/eldiron/key.pem' 107 ssl_key_file = '/var/lib/acme/postgresql/key.pem'
89 ''; 108 '';
90 authentication = '' 109 authentication = ''
91 local all postgres ident 110 local all postgres ident
92 local all all md5 111 local all all md5
93 host all all samehost md5 112 hostssl all all samehost md5
94 host all all 178.33.252.96/32 md5 113 hostssl all all 178.33.252.96/32 md5
95 host all all 188.165.209.148/32 md5 114 hostssl all all 188.165.209.148/32 md5
96 #host all all all pam 115 hostssl all all all pam
116 hostssl replication backup-1 2001:41d0:302:1100::9:e5a9/128 pam pamservice=postgresql_replication
117 hostssl replication backup-1 54.37.151.137/32 pam pamservice=postgresql_replication
97 ''; 118 '';
98 }; 119 };
99 120
@@ -107,6 +128,14 @@ in {
107 bindpw ${builtins.getEnv "NIXOPS_MYSQL_PAM_PASSWORD"} 128 bindpw ${builtins.getEnv "NIXOPS_MYSQL_PAM_PASSWORD"}
108 pam_filter memberOf=cn=users,cn=mysql,cn=pam,ou=services,dc=immae,dc=eu 129 pam_filter memberOf=cn=users,cn=mysql,cn=pam,ou=services,dc=immae,dc=eu
109 ''; 130 '';
131 pam_ldap_postgresql_replication = assert mylibs.checkEnv "NIXOPS_ELDIRON_LDAP_PASSWORD";
132 pkgs.writeText "postgresql.conf" ''
133 host ldap.immae.eu
134 base dc=immae,dc=eu
135 binddn cn=eldiron,ou=hosts,dc=immae,dc=eu
136 bindpw ${builtins.getEnv "NIXOPS_ELDIRON_LDAP_PASSWORD"}
137 pam_login_attribute cn
138 '';
110 in [ 139 in [
111 { 140 {
112 name = "mysql"; 141 name = "mysql";
@@ -116,6 +145,20 @@ in {
116 account required ${pam_ldap}/lib/security/pam_ldap.so config=${pam_ldap_mysql} 145 account required ${pam_ldap}/lib/security/pam_ldap.so config=${pam_ldap_mysql}
117 ''; 146 '';
118 } 147 }
148 {
149 name = "postgresql";
150 text = ''
151 auth required ${pam_ldap}/lib/security/pam_ldap.so config=${pam_ldap_postgresql_replication}
152 account required ${pam_ldap}/lib/security/pam_ldap.so config=${pam_ldap_postgresql_replication}
153 '';
154 }
155 {
156 name = "postgresql_replication";
157 text = ''
158 auth required ${pam_ldap}/lib/security/pam_ldap.so config=${pam_ldap_postgresql_replication}
159 account required ${pam_ldap}/lib/security/pam_ldap.so config=${pam_ldap_postgresql_replication}
160 '';
161 }
119 ]; 162 ];
120 163
121 # FIXME: backup 164 # FIXME: backup
diff --git a/virtual/modules/postgresql_run_socket_path.patch b/virtual/modules/postgresql_run_socket_path.patch
new file mode 100644
index 0000000..b558c7b
--- /dev/null
+++ b/virtual/modules/postgresql_run_socket_path.patch
@@ -0,0 +1,12 @@
1diff -Naur postgresql-9.2.0.sockets/src/include/pg_config_manual.h postgresql-9.2.0/src/include/pg_config_manual.h
2--- postgresql-9.2.0.sockets/src/include/pg_config_manual.h 2012-09-06 17:26:17.000000000 -0400
3+++ postgresql-9.2.0/src/include/pg_config_manual.h 2012-09-06 18:13:18.183092471 -0400
4@@ -144,7 +144,7 @@
5 * here's where to twiddle it. You can also override this at runtime
6 * with the postmaster's -k switch.
7 */
8-#define DEFAULT_PGSOCKET_DIR "/tmp"
9+#define DEFAULT_PGSOCKET_DIR "/run/postgresql"
10
11 /*
12 * The random() function is expected to yield values between 0 and
diff --git a/virtual/packages/nextcloud.nix b/virtual/packages/nextcloud.nix
index 5e9a927..3ac71e0 100644
--- a/virtual/packages/nextcloud.nix
+++ b/virtual/packages/nextcloud.nix
@@ -115,7 +115,7 @@ let
115 'dbtype' => 'pgsql', 115 'dbtype' => 'pgsql',
116 'version' => '15.0.0.10', 116 'version' => '15.0.0.10',
117 'dbname' => 'webapps', 117 'dbname' => 'webapps',
118 'dbhost' => '/tmp', 118 'dbhost' => '/run/postgresql',
119 'dbtableprefix' => 'oc_', 119 'dbtableprefix' => 'oc_',
120 'dbuser' => '${builtins.getEnv "NIXOPS_NEXTCLOUD_DB_USER"}', 120 'dbuser' => '${builtins.getEnv "NIXOPS_NEXTCLOUD_DB_USER"}',
121 'dbpassword' => '${builtins.getEnv "NIXOPS_NEXTCLOUD_DB_PASSWORD"}', 121 'dbpassword' => '${builtins.getEnv "NIXOPS_NEXTCLOUD_DB_PASSWORD"}',
generated by cgit v1.2.3 (git 2.25.1) at 2024-11-07 05:06:05 +0000