apparmor: remove references to Subdomain

[sourcephile-nix.git] / servers / losurdo / postgresql / openconcerto.nix
diff --git a/servers/losurdo/postgresql/openconcerto.nix b/servers/losurdo/postgresql/openconcerto.nix

index d4a9e041c880a0628c6535250cfb8958e30483e6..1da4bea099f4d8988c16c9b48241c6e32e780566 100644 (file)
--- a/servers/losurdo/postgresql/openconcerto.nix
+++ b/servers/losurdo/postgresql/openconcerto.nix
@@ -5,6 +5,8 @@ let
      url = "https://www.openconcerto.org/fr/telechargement/1.6/OpenConcerto-1.6.3.sql.zip";
      sha256 = "02h35ni9xknzrjsra56c3zhlhs0ji9qc61kcgi7vgcpylqjw0s6n";
    };
+  inherit (config.security) pass;
+  inherit (config.users) users groups;
    inherit (config) networking;
    # Example of ~/.config/OpenConcerto/main.properties
    # DOC: https://code.openconcerto.org/filedetails.php?repname=OpenConcerto&path=%2Ftrunk%2FOpenConcerto%2Fsrc%2Forg%2Fopenconcerto%2Fsql%2FPropsConfiguration.java
@@ -30,7 +32,22 @@ let
    '';
  in
  {
+services.postgresql = {
+  authentication = lib.mkForce ''
+    # CONNECTION  DATABASE USER      AUTH  OPTIONS
+    # FIXME: using scram-sha-256 instead of md5 requires postfix >= 11
+    hostssl       ${db}    ${owner}  all   md5
+  '';
+  identMap = ''
+    # MAPNAME  SYSTEM-USERNAME  PG-USERNAME
+    user       root             ${owner}
+    user       ${owner}         ${db}
+  '';
+};
+security.pass.secrets."postgresql/pass/${owner}" = {};
  systemd.services.postgresql = {
+  after = [ pass.secrets."postgresql/pass/${owner}".service ];
+  wants = [ pass.secrets."postgresql/pass/${owner}".service ];
    postStart = lib.mkAfter ''
      sed -e 's/ \(TO\|FROM\) \+openconcerto/ \1 ${owner}/g' \
       ${sql}/OpenConcerto-1.6.3.sql |
@@ -39,7 +56,7 @@ systemd.services.postgresql = {
      lc_collate=fr_FR.UTF-8 \
      lc_type=fr_FR.UTF-8 \
      owner=${owner} \
-    pass=$(cat /run/keys/postgresql_pass_${owner}) \
+    pass=$(cat ${pass.secrets."postgresql/pass/${owner}".path}) \
      pg_createdb ${db} >/dev/null
      
      $PSQL -d "${db}" -AqtX --set ON_ERROR_STOP=1 -f - <<EOF
@@ -48,26 +65,16 @@ systemd.services.postgresql = {
        -- when testing the connexion to the database
        -- in OpenConcerto-Configuration.sh
        GRANT SELECT ON pg_catalog.pg_settings TO ${owner};
+      -- Reallow this to allow pg_dump
+      GRANT SELECT ON pg_catalog.pg_database   TO ${owner};
+      GRANT SELECT ON pg_catalog.pg_roles      TO ${owner};
+      GRANT SELECT ON pg_catalog.pg_tablespace TO ${owner};
+      -- Reallow this to allow pgadmin3
+      GRANT SELECT ON pg_catalog.pg_user       TO ${owner};
        
        -- Enable PL/PGSQL
        CREATE OR REPLACE LANGUAGE plpgsql;
      EOF
    '';
  };
-services.postgresql = {
-  authentication = lib.mkForce ''
-    # CONNECTION  DATABASE USER      AUTH  OPTIONS
-    # FIXME: using scram-sha-256 instead of md5 requires postfix >= 11
-    hostssl       ${db}    ${owner}  all   md5
-  '';
-  identMap = ''
-    # MAPNAME  SYSTEM-USERNAME  PG-USERNAME
-    user       root             ${owner}
-  '';
-};
-security.install.shellHook = ''
-  pass "servers/losurdo/postgresql/pass/${owner}" |
-  ssh "$target" install -D -m 0400 -o root -g root /dev/stdin \
-   /run/keys/postgresql_pass_${owner}
-'';
  }