servers/losurdo/postgresql.nix

   1 { pkgs, lib, config, ... }:
   2 let
   3   inherit (config) networking;
   4   inherit (config.services) postgresql;
   5   inherit (config.users) users;
   6 in
   7 {
   8 imports =
   9   map (eta: (import postgresql/openconcerto.nix) eta) [
  10     {db = "openconcerto1";}
  11     {db = "lbec";}
  12     {db = "lbm";}
  13   ];
  14 networking.nftables.ruleset = ''
  15   add rule inet filter net2fw tcp dport 5432 counter accept comment "PostgreSQL"
  16 '';
  17 users.groups.acme.members = [ users."postgres".name ];
  18 security.acme.certs."${networking.domain}" = {
  19   postRun = "systemctl try-reload postgresql";
  20 };
  21 systemd.services.postgresql = {
  22   wants = [ "acme-selfsigned-${networking.domain}.service" "acme-${networking.domain}.service"];
  23   after = [ "acme-selfsigned-${networking.domain}.service" ];
  24 };
  25 services.postgresql = {
  26   enable = true;
  27   package = pkgs.postgresql_9_6;
  28   enableTCPIP = true;
  29   extraConfig = ''
  30     log_connections = true
  31     log_disconnections = true
  32     log_hostname = false
  33     max_connections = 25
  34     max_locks_per_transaction = 256
  35     password_encryption = on # FIXME: replace md5 by scram-sha-256, which requires postfix >= 11
  36     ssl = on
  37     ssl_cert_file = '/var/lib/acme/${networking.domain}/fullchain.pem'
  38     ssl_key_file = '/var/lib/acme/${networking.domain}/key.pem'
  39     unix_socket_permissions = 0770
  40   '';
  41   authentication = lib.mkForce ''
  42     # CONNECTION  DATABASE USER      AUTH  OPTIONS
  43     local         all      postgres  peer  map=admin
  44     local         samerole all       peer  map=user
  45     #local         all      backup    peer
  46   '';
  47   identMap = ''
  48     # MAPNAME  SYSTEM-USERNAME  PG-USERNAME
  49     admin      postgres         postgres
  50     admin      root             postgres
  51     user       /^(.*)$          \1
  52   '';
  53 };
  54 systemd.services.postgresql = {
  55   # DOC: https://wiki.postgresql.org/wiki/Shared_Database_Hosting
  56   postStart = ''
  57     set -eux
  58     # DOC: https://wiki.postgresql.org/wiki/Shared_Database_Hosting#Defining_shared_hosting
  59     $PSQL -d template1 --set ON_ERROR_STOP=1 -f - <<EOF
  60       -- Disallow access to the public schema
  61       -- of individual users' databases by other users
  62       REVOKE ALL ON DATABASE template0 FROM public;
  63       REVOKE ALL ON DATABASE template1 FROM public;
  64       REVOKE ALL ON SCHEMA public FROM public;
  65       GRANT  ALL ON SCHEMA public TO ${postgresql.superUser};
  66       REVOKE ALL ON ALL TABLES IN SCHEMA public FROM public;
  67       GRANT  ALL ON ALL TABLES IN SCHEMA public TO ${postgresql.superUser};
  68
  69       -- Disallow access to database and user names for everyone
  70       REVOKE ALL ON pg_catalog.pg_user         FROM public;
  71       REVOKE ALL ON pg_catalog.pg_roles        FROM public;
  72       REVOKE ALL ON pg_catalog.pg_group        FROM public;
  73       REVOKE ALL ON pg_catalog.pg_authid       FROM public;
  74       REVOKE ALL ON pg_catalog.pg_auth_members FROM public;
  75       REVOKE ALL ON pg_catalog.pg_database     FROM public;
  76       REVOKE ALL ON pg_catalog.pg_tablespace   FROM public;
  77       REVOKE ALL ON pg_catalog.pg_settings     FROM public;
  78     EOF
  79
  80     pg_createdb () {
  81       local db=$1
  82       local owner=''${owner:-$db}
  83       local template=''${template:-template1}
  84       $PSQL -tAc "SELECT 1 FROM pg_catalog.pg_database WHERE datname = '$db'" | grep -q 1 || {
  85         $PSQL -d "$template" -AqtX --set ON_ERROR_STOP=1 -f - <<EOF
  86           CREATE ROLE $owner NOSUPERUSER NOCREATEDB NOCREATEROLE NOINHERIT LOGIN PASSWORD '$pass';
  87           CREATE DATABASE $db WITH OWNER=$owner
  88            ''${encoding:+ENCODING='$encoding'}
  89            ''${lc_collate:+LC_COLLATE='$lc_collate'}
  90            ''${lc_ctype:+LC_CTYPE='$lc_ctype'}
  91            ''${tablespace:+TABLESPACE='$tablespace'}
  92            ''${connection_limit:+CONNECTION LIMIT=$connection_limit}
  93           ;
  94           REVOKE ALL ON DATABASE $db FROM public;
  95     EOF
  96         $PSQL -d $db -AqtX --set ON_ERROR_STOP=1 -f - <<EOF
  97           -- Grant all rights to the public schema in the new database to the main user
  98           GRANT ALL ON SCHEMA public TO $owner WITH GRANT OPTION;
  99     EOF
 100         $PSQL -d "$db" -AqtX --set ON_ERROR_STOP=1 -f -
 101       }
 102     }
 103
 104     pg_adduser () {
 105       local db=$1
 106       local user=$2
 107       $PSQL -tAc "SELECT 1 FROM pg_catalog.pg_roles WHERE rolname='$user'" | grep -q 1 ||
 108       $PSQL -d $db -AqtX --set ON_ERROR_STOP=1 -f - <<EOF
 109         CREATE ROLE $user NOSUPERUSER NOCREATEDB NOCREATEROLE NOINHERIT LOGIN ENCRYPTED PASSWORD '$pass';
 110         GRANT USAGE ON SCHEMA public TO $user;
 111         GRANT CONNECT,TEMPORARY ON DATABASE $db TO $user;
 112     EOF
 113     }
 114   '';
 115 };
 116 }