]> Git — Sourcephile - sourcephile-nix.git/blob - hosts/losurdo/postgresql.nix
sourcehut: use mkEnableOption
[sourcephile-nix.git] / hosts / losurdo / postgresql.nix
1 { pkgs, lib, config, hostName, ... }:
2 let
3 inherit (config.networking) domain;
4 inherit (config.services) postgresql;
5 inherit (config.users) users;
6 in
7 {
8 imports =
9 [];
10 /*
11 map (eta: (import postgresql/openconcerto.nix) eta) [
12 {db = "openconcerto1";}
13 {db = "openconcerto2";}
14 {db = "lbec";}
15 {db = "lbm";}
16 ];
17 */
18 /*
19 networking.nftables.ruleset = ''
20 add rule inet filter net2fw tcp dport 5432 counter accept comment "PostgreSQL"
21 '';
22 */
23 users.groups.acme.members = [ users."postgres".name ];
24 security.acme.certs."${domain}" = {
25 postRun = "systemctl reload postgresql";
26 };
27 systemd.services.postgresql = {
28 wants = [ "acme-selfsigned-${domain}.service" "acme-${domain}.service"];
29 after = [ "acme-selfsigned-${domain}.service" ];
30 };
31 services.postgresql = {
32 enable = true;
33 package = pkgs.postgresql_12;
34 #enableTCPIP = true;
35 settings = {
36 # ZFS is Copy on Write (CoW). As a result, it’s not possible
37 # to have a torn page because a page can’t be partially written
38 # without reverting to the previous copy.
39 full_page_writes = false;
40 log_connections = true;
41 log_disconnections = true;
42 log_hostname = false;
43 max_connections = 25;
44 max_locks_per_transaction = 1024;
45 password_encryption = "scram-sha-256"; # requires postfix >= 11
46 ssl = false;
47 ssl_cert_file = "/var/lib/acme/${domain}/fullchain.pem";
48 ssl_key_file = "/var/lib/acme/${domain}/key.pem";
49 unix_socket_permissions = "0770";
50 };
51 # If one record is chosen and the auth fails,
52 # subsequent records are not considered.
53 authentication = ''
54 # CONNECTION DATABASE USER AUTH OPTIONS
55 local all postgres peer map=admin
56 local samerole all peer map=user
57 #local all backup peer
58 '';
59 identMap = ''
60 # MAPNAME SYSTEM-USERNAME PG-USERNAME
61 admin postgres postgres
62 admin root postgres
63 # Commented to prefer explicit auth
64 # to handle revocation without droping the user yet
65 #user /^(.*)$ \1
66 '';
67 };
68 fileSystems."/var/lib/postgresql" = {
69 device = "${hostName}/var/postgresql";
70 fsType = "zfs"; # with sync=always,
71 # though loading OpenConcerto's initial SQL
72 # takes 1m40s instead of 40s :\
73 };
74 /*
75 services.syncoid.commands = {
76 "${hostName}/var/postgresql" = {
77 sendOptions = "raw";
78 target = "backup@mermet.${domain}:rpool/backup/${hostName}/var/postgresql";
79 };
80 };
81 */
82 services.sanoid.datasets = {
83 "${hostName}/var/postgresql" = {
84 use_template = [ "snap" ];
85 daily = 31;
86 };
87 };
88 systemd.services.postgresql = {
89 # DOC: https://wiki.postgresql.org/wiki/Shared_Database_Hosting
90 postStart = ''
91 set -eux
92 # DOC: https://wiki.postgresql.org/wiki/Shared_Database_Hosting#Defining_shared_hosting
93 $PSQL -d template1 --set ON_ERROR_STOP=1 -f - <<EOF
94 -- Disallow access to the public schema
95 -- of individual users' databases by other users
96 REVOKE ALL ON DATABASE template0 FROM public;
97 REVOKE ALL ON DATABASE template1 FROM public;
98 REVOKE ALL ON SCHEMA public FROM public;
99 GRANT ALL ON SCHEMA public TO "${postgresql.superUser}";
100 REVOKE ALL ON ALL TABLES IN SCHEMA public FROM public;
101 GRANT ALL ON ALL TABLES IN SCHEMA public TO "${postgresql.superUser}";
102
103 -- Disallow access to database and user names for everyone
104 REVOKE ALL ON pg_catalog.pg_user FROM public;
105 REVOKE ALL ON pg_catalog.pg_group FROM public;
106 REVOKE ALL ON pg_catalog.pg_authid FROM public;
107 REVOKE ALL ON pg_catalog.pg_auth_members FROM public;
108 REVOKE ALL ON pg_catalog.pg_settings FROM public;
109 -- The following must have SELECT reallowed if pg_dump is allowed
110 REVOKE ALL ON pg_catalog.pg_roles FROM public;
111 REVOKE ALL ON pg_catalog.pg_database FROM public;
112 REVOKE ALL ON pg_catalog.pg_tablespace FROM public;
113 EOF
114
115 pg_createdb () {
116 local db=$1
117 local owner=''${owner:-$db}
118 local template=''${template:-template1}
119 $PSQL -tAc "SELECT 1 FROM pg_catalog.pg_database WHERE datname = '$db'" | grep -q 1 || {
120 $PSQL -d "$template" -AqtX --set ON_ERROR_STOP=1 -f - <<EOF
121 CREATE ROLE "$owner" NOSUPERUSER NOCREATEDB NOCREATEROLE NOINHERIT ''${pass:+LOGIN PASSWORD '$pass'};
122 CREATE DATABASE "$db" WITH OWNER="$owner"
123 ''${encoding:+ENCODING='$encoding'}
124 ''${lc_collate:+LC_COLLATE='$lc_collate'}
125 ''${lc_ctype:+LC_CTYPE='$lc_ctype'}
126 ''${tablespace:+TABLESPACE='$tablespace'}
127 ''${connection_limit:+CONNECTION LIMIT=$connection_limit}
128 ;
129 REVOKE ALL ON DATABASE "$db" FROM public;
130 EOF
131 $PSQL -d "$db" -AqtX --set ON_ERROR_STOP=1 -f - <<EOF
132 -- Grant all rights to the public schema in the new database to the main user
133 GRANT ALL ON SCHEMA public TO "$owner" WITH GRANT OPTION;
134 EOF
135 $PSQL -d "$db" -AqtX --set ON_ERROR_STOP=1 -f -
136 }
137 }
138
139 pg_adduser () {
140 local db=$1
141 local user=$2
142 $PSQL -tAc "SELECT 1 FROM pg_catalog.pg_roles WHERE rolname='$user'" | grep -q 1 ||
143 $PSQL -d "$db" -AqtX --set ON_ERROR_STOP=1 -f - <<EOF
144 CREATE ROLE "$user" NOSUPERUSER NOCREATEDB NOCREATEROLE NOINHERIT ''${pass:+LOGIN ENCRYPTED PASSWORD '$pass'};
145 GRANT USAGE ON SCHEMA public TO "$user";
146 GRANT CONNECT,TEMPORARY ON DATABASE "$db" TO "$user";
147 EOF
148 }
149 '';
150 };
151 }