mermet: pleroma

[sourcephile-nix.git] / hosts / mermet / postgresql.nix

{ pkgs, config, host, ... }:
let
  inherit (config.services) postgresql;
in
{
  /*
    networking.nftables.ruleset = ''
    table inet filter {
    chain input-net {
      tcp dport postgresql counter accept comment "PostgreSQL"
    }
    }
    '';
    users.groups.acme.members = [ users."postgres".name ];
    security.acme.certs."${domain}" = {
    postRun = "systemctl reload postgresql";
    };
    systemd.services.postgresql = {
    wants = [ "acme-selfsigned-${domain}.service" "acme-${domain}.service"];
    after = [ "acme-selfsigned-${domain}.service" ];
    };
  */
  services.postgresql = {
    enable = true;
    package = pkgs.postgresql_12;
    enableTCPIP = false;
    settings = {
      effective_cache_size = "1536MB";
      # ZFS is Copy on Write (CoW). As a result, it’s not possible
      # to have a torn page because a page can’t be partially written
      # without reverting to the previous copy.
      full_page_writes = false;
      log_connections = true;
      log_disconnections = true;
      log_hostname = false;
      maintenance_work_mem = "128MB";
      max_connections = 25;
      max_locks_per_transaction = 1024;
      max_parallel_workers = host.CPUs;
      max_parallel_workers_per_gather = 1;
      max_worker_processes = host.CPUs;
      password_encryption = "scram-sha-256"; # requires postfix >= 11
      shared_buffers = "512MB";
      unix_socket_permissions = "0770";
      work_mem = "26214kB";
    };
    # If one record is chosen and the auth fails,
    # subsequent records are not considered.
    authentication = ''
      # CONNECTION  DATABASE USER      AUTH  OPTIONS
      local         all      postgres  peer  map=admin
      local         samerole all       peer  map=user
      #local         all      backup    peer
    '';
    identMap = ''
      # MAPNAME  SYSTEM-USERNAME  PG-USERNAME
      admin      postgres         postgres
      admin      root             postgres
      # Commented to prefer explicit auth
      # to handle revocation without droping the user yet
      #user       /^(.*)$          \1
    '';
  };
  fileSystems."/var/lib/postgresql" = {
    device = "rpool/var/postgresql";
    fsType = "zfs"; # with sync=always,
    # though loading OpenConcerto's initial SQL
    # takes 1m40s instead of 40s :\
  };
  services.sanoid.datasets = {
    "rpool/var/postgresql" = {
      use_template = [ "snap" ];
      daily = 31;
      hourly = 24;
    };
  };
  systemd.services.postgresql = {
    # DOC: https://wiki.postgresql.org/wiki/Shared_Database_Hosting
    postStart = ''
      set -eux
      # DOC: https://wiki.postgresql.org/wiki/Shared_Database_Hosting#Defining_shared_hosting
      $PSQL -d template1 --set ON_ERROR_STOP=1 -f - <<EOF
        -- Disallow access to the public schema
        -- of individual users' databases by other users
        REVOKE ALL ON DATABASE template0 FROM public;
        REVOKE ALL ON DATABASE template1 FROM public;
        REVOKE ALL ON SCHEMA public FROM public;
        GRANT  USAGE,CREATE ON SCHEMA public TO public;
        GRANT  ALL ON SCHEMA public TO "${postgresql.superUser}";
        REVOKE ALL ON ALL TABLES IN SCHEMA public FROM public;
        GRANT  ALL ON ALL TABLES IN SCHEMA public TO "${postgresql.superUser}";

        -- Disallow access to database and user names for everyone
        REVOKE ALL ON pg_catalog.pg_user         FROM public;
        REVOKE ALL ON pg_catalog.pg_group        FROM public;
        REVOKE ALL ON pg_catalog.pg_authid       FROM public;
        REVOKE ALL ON pg_catalog.pg_auth_members FROM public;
        REVOKE ALL ON pg_catalog.pg_settings     FROM public;
        -- The following must have SELECT reallowed if pg_dump is allowed
        REVOKE ALL ON pg_catalog.pg_roles        FROM public;
        REVOKE ALL ON pg_catalog.pg_database     FROM public;
        REVOKE ALL ON pg_catalog.pg_tablespace   FROM public;
      EOF

      pg_createdb () {
        local db=$1
        local owner=''${owner:-$db}
        local template=''${template:-template1}
        $PSQL -tAc "SELECT 1 FROM pg_catalog.pg_database WHERE datname = '$db'" | grep -q 1 || {
          $PSQL -d "$template" -AqtX --set ON_ERROR_STOP=1 -f - <<EOF
            CREATE ROLE "$owner" NOSUPERUSER NOCREATEDB NOCREATEROLE NOINHERIT LOGIN ''${pass:+PASSWORD '$pass'};
            CREATE DATABASE "$db" WITH OWNER="$owner"
             ''${encoding:+ENCODING='$encoding'}
             ''${lc_collate:+LC_COLLATE='$lc_collate'}
             ''${lc_ctype:+LC_CTYPE='$lc_ctype'}
             ''${tablespace:+TABLESPACE='$tablespace'}
             ''${connection_limit:+CONNECTION LIMIT=$connection_limit}
            ;
            REVOKE ALL ON DATABASE "$db" FROM public;
      EOF
          $PSQL -d "$db" -AqtX --set ON_ERROR_STOP=1 -f - <<EOF
            -- Grant all rights to the public schema in the new database to the main user
            GRANT ALL ON SCHEMA public TO "$owner" WITH GRANT OPTION;
      EOF
          $PSQL -d "$db" -AqtX --set ON_ERROR_STOP=1 -f -
        }
      }

      pg_adduser () {
        local db=$1
        local user=$2
        $PSQL -tAc "SELECT 1 FROM pg_catalog.pg_roles WHERE rolname='$user'" | grep -q 1 ||
        $PSQL -d "$db" -AqtX --set ON_ERROR_STOP=1 -f - <<EOF
          CREATE ROLE "$user" NOSUPERUSER NOCREATEDB NOCREATEROLE NOINHERIT LOGIN ''${pass:+ENCRYPTED PASSWORD '$pass'};
          GRANT USAGE ON SCHEMA public TO "$user";
          GRANT CONNECT,TEMPORARY ON DATABASE "$db" TO "$user";
      EOF
      }
    '';
  };
}