hosting/selfhostblocks
1
0
Fork 0
Code Issues Activity
selfhostblocks/modules/blocks/postgresql.nix
ibizaman 845017103f automatically cleanup idle connections 
This is to fix a nextcloud bug that leaves idle connections open which eats into the available
postgres connection pool.
2023-11-24 02:16:49 -08:00

120 lines
3.6 KiB
Nix
Raw Blame History

{ config, lib, ... }:
let
cfg = config.shb.postgresql;
in
{
options.shb.postgresql = {
debug = lib.mkOption {
type = lib.types.bool;
description = lib.mdDocs ''
Enable debugging options.
Currently enables shared_preload_libraries = "auto_explain, pg_stat_statements"
See https://www.postgresql.org/docs/current/pgstatstatements.html'';
default = false;
};
enableTCPIP = lib.mkOption {
type = lib.types.bool;
description = "Enable TCP/IP connection on given port.";
default = false;
};
ensures = lib.mkOption {
type = lib.types.listOf (lib.types.submodule {
options = {
username = lib.mkOption {
type = lib.types.str;
description = "Postgres user name.";
};
database = lib.mkOption {
type = lib.types.str;
description = "Postgres database.";
};
passwordFile = lib.mkOption {
type = lib.types.nullOr lib.types.str;
description = "Optional password file for the postgres user. If not given, only peer auth is accepted for this user, otherwise password auth is allowed.";
default = null;
example = "/run/secrets/postgresql/password";
};
};
});
default = [];
};
};
config =
let
commonConfig = {
services.postgresql.settings = {
idle_in_transaction_session_timeout = "30s";
idle_session_timeout = "30s";
track_io_timing = "true";
};
};
tcpConfig = {
services.postgresql.enableTCPIP = true;
services.postgresql.authentication = lib.mkOverride 10 ''
#type database DBuser origin-address auth-method
local all all peer
# ipv4
host all all 127.0.0.1/32 password
# ipv6
host all all ::1/128 password
'';
};
dbConfig = ensureCfgs: {
services.postgresql.enable = lib.mkDefault ((builtins.length ensureCfgs) > 0);
services.postgresql.ensureDatabases = map ({ database, ... }: database) ensureCfgs;
services.postgresql.ensureUsers = map ({ username, database, ... }: {
name = username;
ensurePermissions = {
"DATABASE ${database}" = "ALL PRIVILEGES";
};
ensureClauses = {
"login" = true;
};
}) ensureCfgs;
};
pwdConfig = ensureCfgs: {
systemd.services.postgresql.postStart =
let
prefix = ''
$PSQL -tA <<'EOF'
DO $$
DECLARE password TEXT;
BEGIN
'';
suffix = ''
END $$;
EOF
'';
exec = { username, passwordFile, ... }: ''
password := trim(both from replace(pg_read_file('${passwordFile}'), E'\n', '''));
EXECUTE format('ALTER ROLE ${username} WITH PASSWORD '''%s''';', password);
'';
cfgsWithPasswords = builtins.filter (cfg: cfg.passwordFile != null) ensureCfgs;
in
if (builtins.length cfgsWithPasswords) == 0 then "" else
prefix + (lib.concatStrings (map exec cfgsWithPasswords)) + suffix;
};
debugConfig = enableDebug: lib.mkIf enableDebug {
services.postgresql.settings.shared_preload_libraries = "auto_explain, pg_stat_statements";
};
in
lib.mkMerge (
[
commonConfig
(dbConfig cfg.ensures)
(pwdConfig cfg.ensures)
(lib.mkIf cfg.enableTCPIP tcpConfig)
(debugConfig cfg.debug)
]
);
}
View git blame Copy permalink