From f3d9c61e9becccc9ef25f64e5e639d45ea25650a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Isma=C3=ABl=20Bouya?=
Date: Fri, 11 Jan 2019 15:46:45 +0100
Subject: Improve postgresql: allow replication from backup-1, change root to /run/postgres

---
 virtual/eldiron.nix | 3 ++
 virtual/modules/certificates.nix | 1 -
 virtual/modules/databases.nix | 61 ++++++++++++++++++++----
 virtual/modules/postgresql_run_socket_path.patch | 12 +++++
 virtual/packages/nextcloud.nix | 2 +-
 5 files changed, 68 insertions(+), 11 deletions(-)
 create mode 100644 virtual/modules/postgresql_run_socket_path.patch

diff --git a/virtual/eldiron.nix b/virtual/eldiron.nix
index fa5cb51..2e4ae12 100644
--- a/virtual/eldiron.nix
+++ b/virtual/eldiron.nix
@@ -4,6 +4,9 @@
 enableRollback = true;
 };
 
+ # Full backup:
+ # The star after /var/lib/* avoids deleting all folders in case of problem
+ # rsync -e "ssh -i /root/.ssh/id_charon_vpn" -aAXvz --delete --numeric-ids --super --rsync-path="sudo rsync" /var/lib/* immae@immae.eu:
 eldiron = { config, pkgs, mylibs, myconfig, ... }:
 with mylibs;
 let
diff --git a/virtual/modules/certificates.nix b/virtual/modules/certificates.nix
index a9d6d99..1a63035 100644
--- a/virtual/modules/certificates.nix
+++ b/virtual/modules/certificates.nix
@@ -23,7 +23,6 @@
 # it in httpd
 "eldiron" = config.services.myCertificates.certConfig // {
 domain = "eldiron.immae.eu";
- allowKeysForGroup = true;
 };
 };
 };
diff --git a/virtual/modules/databases.nix b/virtual/modules/databases.nix
index 9f8e70d..de4ace6 100644
--- a/virtual/modules/databases.nix
+++ b/virtual/modules/databases.nix
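Review bot: The rsync command recorded in the new comment copies all of /var/lib to the remote host, and after this commit that tree appears to include the ACME material databases.nix places under /var/lib/acme/postgresql (fullchain.pem, key.pem, account_key.json), assuming that module is imported by this host. Private keys therefore travel to immae@immae.eu as part of every full backup, so the destination needs the same access restrictions as the source, or the key files need an exclude. Extending the comment with `# NOTE: /var/lib/acme holds private keys; the backup destination must be restricted accordingly` would make that trade-off visible to whoever runs the command.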
@@ -42,6 +42,11 @@ in {
 url = "mirror://postgresql/source/v11.1/${name}.tar.bz2";
 sha256 = "026v0sicsh7avzi45waf8shcbhivyxmi7qgn9fd1x0vl520mx0ch";
 };
+ configureFlags = old.configureFlags ++ [ "--with-pam" ];
+ buildInputs = (old.buildInputs or []) ++ [ pkgs.pam ];
+ patches = old.patches ++ [
+ ./postgresql_run_socket_path.patch
+ ];
 });
 mariadb = mariadbPAM;
 mariadbPAM = oldpkgs.mariadb.overrideAttrs(old: rec {
@@ -62,9 +67,23 @@ in {
 package = pkgs.mariadb;
 };
 
+ # Cannot use eldiron: psql complains too much rights on the key, and
+ # setfacl cannot work properly because of acme prestart script
+ security.acme.certs."postgresql" = config.services.myCertificates.certConfig // {
+ user = "postgres";
+ group = "postgres";
+ plugins = [ "fullchain.pem" "key.pem" "account_key.json" ];
+ domain = "db-1.immae.eu";
+ postRun = ''
+ systemctl reload postgresql.service
+ '';
+ };
+
+ system.activationScripts.postgresql = ''
+ install -m 0755 -o postgres -g postgres -d /run/postgresql
+ '';
+
 # FIXME: initial sync
- # FIXME: backup
- # FIXME: ssl
 services.postgresql = rec {
 enable = cfg.postgresql.enable;
 package = pkgs.postgresql;
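Review bot: The `patches = old.patches ++ [` line assumes the wrapped derivation already defines `patches`, while the line just above guards `buildInputs` with `or []`; if the attribute is absent the override fails at evaluation rather than at build time. Using the same guard, `patches = (old.patches or []) ++ [`, keeps the two lines consistent. Separately, the patch file added in this commit (virtual/modules/postgresql_run_socket_path.patch) carries postgresql-9.2.0 paths and 2012 timestamps while the source fetched here is v11.1, so it only applies if the pg_config_manual.h context around DEFAULT_PGSOCKET_DIR still matches; a short comment next to the patch entry noting the origin and that it was verified against 11.1 would save the next reader that check.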
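Review bot: The new `security.acme.certs."postgresql"` entry and the `system.activationScripts.postgresql` directory creation are unconditional, whereas the service they exist for is gated on `cfg.postgresql.enable` three lines below; on a host that disables postgresql this still requests a certificate for db-1.immae.eu and, as far as the hunk shows, creates /run/postgresql owned by a postgres user that may not exist. Wrapping both additions in the same condition as the service (for example with `lib.mkIf cfg.postgresql.enable`, if `lib` is available in this module's scope) keeps the enable flag meaningful. The `postRun` reload is fine but relies on postgresql.service existing, which is the same condition.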
@@ -83,17 +102,19 @@ in {
 lc_numeric = 'en_US.UTF-8'
 lc_time = 'en_US.UTF-8'
 default_text_search_config = 'pg_catalog.english'
- # ssl = on
- # ssl_cert_file = '/var/lib/acme/eldiron/fullchain.pem'
- # ssl_key_file = '/var/lib/acme/eldiron/key.pem'
+ ssl = on
+ ssl_cert_file = '/var/lib/acme/postgresql/fullchain.pem'
+ ssl_key_file = '/var/lib/acme/postgresql/key.pem'
 '';
 authentication = ''
 local all postgres ident
 local all all md5
- host all all samehost md5
- host all all 178.33.252.96/32 md5
- host all all 188.165.209.148/32 md5
- #host all all all pam
+ hostssl all all samehost md5
+ hostssl all all 178.33.252.96/32 md5
+ hostssl all all 188.165.209.148/32 md5
+ hostssl all all all pam
+ hostssl replication backup-1 2001:41d0:302:1100::9:e5a9/128 pam pamservice=postgresql_replication
+ hostssl replication backup-1 54.37.151.137/32 pam pamservice=postgresql_replication
 '';
 };
 
@@ -107,6 +128,14 @@ in {
 bindpw ${builtins.getEnv "NIXOPS_MYSQL_PAM_PASSWORD"}
 pam_filter memberOf=cn=users,cn=mysql,cn=pam,ou=services,dc=immae,dc=eu
 '';
+ pam_ldap_postgresql_replication = assert mylibs.checkEnv "NIXOPS_ELDIRON_LDAP_PASSWORD";
+ pkgs.writeText "postgresql.conf" ''
+ host ldap.immae.eu
+ base dc=immae,dc=eu
+ binddn cn=eldiron,ou=hosts,dc=immae,dc=eu
+ bindpw ${builtins.getEnv "NIXOPS_ELDIRON_LDAP_PASSWORD"}
+ pam_login_attribute cn
+ '';
 in [
 {
 name = "mysql";
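Review bot: The rule `hostssl all all all pam`, which replaces the previously commented-out line, makes every database and every role reachable from any address with an LDAP password, and the pam_ldap configuration behind the default "postgresql" PAM service (added in the next hunk) carries no `pam_filter`, unlike the mysql one that restricts to a memberOf group. Because pg_hba rules are matched in order, the three md5 rules above still take precedence for samehost and the two listed addresses, so the pam rule is effectively the catch-all for everything else; the only remaining gate is that a role with the LDAP cn exists. If the intent is only to let backup-1 replicate, the two `hostssl replication backup-1 …` rules already do that and the catch-all could be dropped or narrowed to a source range, or the PAM config could gain a `pam_filter memberOf=…` like the mysql entry. A one-line comment above the rule stating which clients are expected to use it would also help.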
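Review bot: `pkgs.writeText "postgresql.conf"` writes the LDAP bind password from NIXOPS_ELDIRON_LDAP_PASSWORD into a world-readable Nix store path; the existing pam_ldap_mysql file makes the same trade-off, so this is consistent, but it deserves a comment on the new binding such as `# NOTE: bindpw ends up in the world-readable store, same as pam_ldap_mysql`. The store file name "postgresql.conf" suggests the PostgreSQL server configuration rather than a pam_ldap file, and the binding is consumed by both the "postgresql" and the "postgresql_replication" PAM services in the following hunk, so naming it `pam_ldap_postgresql` with `pkgs.writeText "pam_ldap_postgresql.conf"` would describe what it is and who uses it.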
@@ -116,6 +145,20 @@ in {
 account required ${pam_ldap}/lib/security/pam_ldap.so config=${pam_ldap_mysql}
 '';
 }
+ {
+ name = "postgresql";
+ text = ''
+ auth required ${pam_ldap}/lib/security/pam_ldap.so config=${pam_ldap_postgresql_replication}
+ account required ${pam_ldap}/lib/security/pam_ldap.so config=${pam_ldap_postgresql_replication}
+ '';
+ }
+ {
+ name = "postgresql_replication";
+ text = ''
+ auth required ${pam_ldap}/lib/security/pam_ldap.so config=${pam_ldap_postgresql_replication}
+ account required ${pam_ldap}/lib/security/pam_ldap.so config=${pam_ldap_postgresql_replication}
+ '';
+ }
 ];
 
 # FIXME: backup
diff --git a/virtual/modules/postgresql_run_socket_path.patch b/virtual/modules/postgresql_run_socket_path.patch
new file mode 100644
index 0000000..b558c7b
--- /dev/null
+++ b/virtual/modules/postgresql_run_socket_path.patch
@@ -0,0 +1,12 @@
+diff -Naur postgresql-9.2.0.sockets/src/include/pg_config_manual.h postgresql-9.2.0/src/include/pg_config_manual.h
+--- postgresql-9.2.0.sockets/src/include/pg_config_manual.h 2012-09-06 17:26:17.000000000 -0400
++++ postgresql-9.2.0/src/include/pg_config_manual.h 2012-09-06 18:13:18.183092471 -0400
+@@ -144,7 +144,7 @@
+ * here's where to twiddle it. You can also override this at runtime
+ * with the postmaster's -k switch.
+ */
+-#define DEFAULT_PGSOCKET_DIR "/tmp"
++#define DEFAULT_PGSOCKET_DIR "/run/postgresql"
+
+ /*
+ * The random() function is expected to yield values between 0 and
diff --git a/virtual/packages/nextcloud.nix b/virtual/packages/nextcloud.nix
index 5e9a927..3ac71e0 100644
--- a/virtual/packages/nextcloud.nix
+++ b/virtual/packages/nextcloud.nix
@@ -115,7 +115,7 @@ let
 'dbtype' => 'pgsql',
 'version' => '15.0.0.10',
 'dbname' => 'webapps',
- 'dbhost' => '/tmp',
+ 'dbhost' => '/run/postgresql',
 'dbtableprefix' => 'oc_',
 'dbuser' => '${builtins.getEnv "NIXOPS_NEXTCLOUD_DB_USER"}',
 'dbpassword' => '${builtins.getEnv "NIXOPS_NEXTCLOUD_DB_PASSWORD"}',
--
cgit v1.2.3
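Review bot: The two new PAM services "postgresql" and "postgresql_replication" have byte-identical `text` bodies pointing at the same pam_ldap config, so the split currently buys nothing and the duplicated `auth`/`account` lines will drift the first time one of them is edited. Binding the shared text once in the enclosing `let` (for example `pam_postgresql_text = ''…'';`) and writing `text = pam_postgresql_text;` in both entries removes the duplication; if the intent is to tighten the replication service later (say with a group filter that interactive logins do not get), a comment on the "postgresql_replication" entry saying so would justify keeping two names. The enclosing `let … in [` list starts before this hunk.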