sourcehut: WIP

[sourcephile-nix.git] / hosts / losurdo / postgresql.nix

{ pkgs, lib, config, hostName, ... }:
let
  inherit (config.networking) domain;
  inherit (config.services) postgresql;
  inherit (config.users) users;
in
{
imports =
  [];
  /*
  map (eta: (import postgresql/openconcerto.nix) eta) [
    {db = "openconcerto1";}
    {db = "openconcerto2";}
    {db = "lbec";}
    {db = "lbm";}
  ];
  */
/*
networking.nftables.ruleset = ''
  add rule inet filter net2fw tcp dport 5432 counter accept comment "PostgreSQL"
'';
*/
users.groups.acme.members = [ users."postgres".name ];
security.acme.certs."${domain}" = {
  postRun = "systemctl reload postgresql";
};
systemd.services.postgresql = {
  wants = [ "acme-selfsigned-${domain}.service" "acme-${domain}.service"];
  after = [ "acme-selfsigned-${domain}.service" ];
};
services.postgresql = {
  enable = true;
  package = pkgs.postgresql_12;
  #enableTCPIP = true;
  settings = {
    # ZFS is Copy on Write (CoW). As a result, it’s not possible
    # to have a torn page because a page can’t be partially written
    # without reverting to the previous copy.
    full_page_writes = false;
    log_connections = true;
    log_disconnections = true;
    log_hostname = false;
    max_connections = 25;
    max_locks_per_transaction = 1024;
    password_encryption = "scram-sha-256"; # requires postfix >= 11
    ssl = false;
    ssl_cert_file = "/var/lib/acme/${domain}/fullchain.pem";
    ssl_key_file = "/var/lib/acme/${domain}/key.pem";
    unix_socket_permissions = "0770";
  };
  # If one record is chosen and the auth fails,
  # subsequent records are not considered.
  authentication = ''
    # CONNECTION  DATABASE USER      AUTH  OPTIONS
    local         all      postgres  peer  map=admin
    local         samerole all       peer  map=user
    #local         all      backup    peer
  '';
  identMap = ''
    # MAPNAME  SYSTEM-USERNAME  PG-USERNAME
    admin      postgres         postgres
    admin      root             postgres
    # Commented to prefer explicit auth
    # to handle revocation without droping the user yet
    #user       /^(.*)$          \1
  '';
};
fileSystems."/var/lib/postgresql" = {
  device = "${hostName}/var/postgresql";
  fsType = "zfs"; # with sync=always,
  # though loading OpenConcerto's initial SQL
  # takes 1m40s instead of 40s :\
};
/*
services.syncoid.commands = {
  "${hostName}/var/postgresql" = {
    sendOptions = "raw";
    target = "backup@mermet.${domain}:rpool/backup/${hostName}/var/postgresql";
  };
};
*/
services.sanoid.datasets = {
  "${hostName}/var/postgresql" = {
    use_template = [ "snap" ];
    daily = 31;
  };
};
systemd.services.postgresql = {
  # DOC: https://wiki.postgresql.org/wiki/Shared_Database_Hosting
  postStart = ''
    set -eux
    # DOC: https://wiki.postgresql.org/wiki/Shared_Database_Hosting#Defining_shared_hosting
    $PSQL -d template1 --set ON_ERROR_STOP=1 -f - <<EOF
      -- Disallow access to the public schema
      -- of individual users' databases by other users
      REVOKE ALL ON DATABASE template0 FROM public;
      REVOKE ALL ON DATABASE template1 FROM public;
      REVOKE ALL ON SCHEMA public FROM public;
      GRANT  USAGE,CREATE ON SCHEMA public TO public;
      GRANT  ALL ON SCHEMA public TO "${postgresql.superUser}";
      REVOKE ALL ON ALL TABLES IN SCHEMA public FROM public;
      GRANT  ALL ON ALL TABLES IN SCHEMA public TO "${postgresql.superUser}";

      -- Disallow access to database and user names for everyone
      REVOKE ALL ON pg_catalog.pg_user         FROM public;
      REVOKE ALL ON pg_catalog.pg_group        FROM public;
      REVOKE ALL ON pg_catalog.pg_authid       FROM public;
      REVOKE ALL ON pg_catalog.pg_auth_members FROM public;
      REVOKE ALL ON pg_catalog.pg_settings     FROM public;
      -- The following must have SELECT reallowed if pg_dump is allowed
      REVOKE ALL ON pg_catalog.pg_roles        FROM public;
      REVOKE ALL ON pg_catalog.pg_database     FROM public;
      REVOKE ALL ON pg_catalog.pg_tablespace   FROM public;
    EOF

    pg_createdb () {
      local db=$1
      local owner=''${owner:-$db}
      local template=''${template:-template1}
      $PSQL -tAc "SELECT 1 FROM pg_catalog.pg_database WHERE datname = '$db'" | grep -q 1 || {
        $PSQL -d "$template" -AqtX --set ON_ERROR_STOP=1 -f - <<EOF
          CREATE ROLE "$owner" NOSUPERUSER NOCREATEDB NOCREATEROLE NOINHERIT ''${pass:+LOGIN PASSWORD '$pass'};
          CREATE DATABASE "$db" WITH OWNER="$owner"
           ''${encoding:+ENCODING='$encoding'}
           ''${lc_collate:+LC_COLLATE='$lc_collate'}
           ''${lc_ctype:+LC_CTYPE='$lc_ctype'}
           ''${tablespace:+TABLESPACE='$tablespace'}
           ''${connection_limit:+CONNECTION LIMIT=$connection_limit}
          ;
          REVOKE ALL ON DATABASE "$db" FROM public;
    EOF
        $PSQL -d "$db" -AqtX --set ON_ERROR_STOP=1 -f - <<EOF
          -- Grant all rights to the public schema in the new database to the main user
          GRANT ALL ON SCHEMA public TO "$owner" WITH GRANT OPTION;
    EOF
        $PSQL -d "$db" -AqtX --set ON_ERROR_STOP=1 -f -
      }
    }

    pg_adduser () {
      local db=$1
      local user=$2
      $PSQL -tAc "SELECT 1 FROM pg_catalog.pg_roles WHERE rolname='$user'" | grep -q 1 ||
      $PSQL -d "$db" -AqtX --set ON_ERROR_STOP=1 -f - <<EOF
        CREATE ROLE "$user" NOSUPERUSER NOCREATEDB NOCREATEROLE NOINHERIT ''${pass:+LOGIN ENCRYPTED PASSWORD '$pass'};
        GRANT USAGE ON SCHEMA public TO "$user";
        GRANT CONNECT,TEMPORARY ON DATABASE "$db" TO "$user";
    EOF
    }
  '';
};
}