1
0
Fork 0
selfhostblocks/modules/blocks/postgresql.nix

121 lines
3.6 KiB
Nix
Raw Normal View History

2023-11-05 04:30:17 +01:00
{ config, lib, ... }:
let
cfg = config.shb.postgresql;
in
{
options.shb.postgresql = {
2023-11-14 09:16:29 +01:00
debug = lib.mkOption {
type = lib.types.bool;
description = lib.mdDocs ''
Enable debugging options.
Currently enables shared_preload_libraries = "auto_explain, pg_stat_statements"
See https://www.postgresql.org/docs/current/pgstatstatements.html'';
default = false;
};
enableTCPIP = lib.mkOption {
type = lib.types.bool;
2023-11-05 04:30:17 +01:00
description = "Enable TCP/IP connection on given port.";
default = false;
2023-11-05 04:30:17 +01:00
};
ensures = lib.mkOption {
2023-11-05 04:30:17 +01:00
type = lib.types.listOf (lib.types.submodule {
options = {
username = lib.mkOption {
type = lib.types.str;
description = "Postgres user name.";
};
database = lib.mkOption {
type = lib.types.str;
description = "Postgres database.";
};
passwordFile = lib.mkOption {
2023-11-05 04:59:55 +01:00
type = lib.types.nullOr lib.types.str;
description = "Optional password file for the postgres user. If not given, only peer auth is accepted for this user, otherwise password auth is allowed.";
2023-11-05 04:59:55 +01:00
default = null;
example = "/run/secrets/postgresql/password";
2023-11-05 04:30:17 +01:00
};
};
});
default = [];
};
};
config =
let
commonConfig = {
services.postgresql.settings = {
idle_in_transaction_session_timeout = "30s";
idle_session_timeout = "30s";
track_io_timing = "true";
};
};
tcpConfig = {
2023-11-05 04:30:17 +01:00
services.postgresql.enableTCPIP = true;
services.postgresql.authentication = lib.mkOverride 10 ''
#type database DBuser origin-address auth-method
local all all peer
2023-11-05 04:30:17 +01:00
# ipv4
host all all 127.0.0.1/32 password
2023-11-05 04:30:17 +01:00
# ipv6
host all all ::1/128 password
2023-11-05 04:30:17 +01:00
'';
};
dbConfig = ensureCfgs: {
services.postgresql.enable = lib.mkDefault ((builtins.length ensureCfgs) > 0);
services.postgresql.ensureDatabases = map ({ database, ... }: database) ensureCfgs;
2023-11-05 13:48:39 +01:00
services.postgresql.ensureUsers = map ({ username, database, ... }: {
2023-11-05 04:30:17 +01:00
name = username;
ensurePermissions = {
"DATABASE ${database}" = "ALL PRIVILEGES";
};
ensureClauses = {
"login" = true;
};
}) ensureCfgs;
2023-11-05 04:30:17 +01:00
};
pwdConfig = ensureCfgs: {
2023-11-05 04:30:17 +01:00
systemd.services.postgresql.postStart =
let
prefix = ''
$PSQL -tA <<'EOF'
DO $$
DECLARE password TEXT;
BEGIN
'';
suffix = ''
END $$;
EOF
'';
exec = { username, passwordFile, ... }: ''
password := trim(both from replace(pg_read_file('${passwordFile}'), E'\n', '''));
EXECUTE format('ALTER ROLE ${username} WITH PASSWORD '''%s''';', password);
'';
cfgsWithPasswords = builtins.filter (cfg: cfg.passwordFile != null) ensureCfgs;
2023-11-05 04:30:17 +01:00
in
if (builtins.length cfgsWithPasswords) == 0 then "" else
prefix + (lib.concatStrings (map exec cfgsWithPasswords)) + suffix;
2023-11-05 04:30:17 +01:00
};
2023-11-14 09:16:29 +01:00
debugConfig = enableDebug: lib.mkIf enableDebug {
services.postgresql.settings.shared_preload_libraries = "auto_explain, pg_stat_statements";
};
2023-11-05 04:30:17 +01:00
in
lib.mkMerge (
[
commonConfig
(dbConfig cfg.ensures)
(pwdConfig cfg.ensures)
(lib.mkIf cfg.enableTCPIP tcpConfig)
2023-11-14 09:16:29 +01:00
(debugConfig cfg.debug)
2023-11-05 04:30:17 +01:00
]
);
}