
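{ lib, pkgs, config, inputs, self, ... }: {
  # Role passwords are delivered by sops-nix and read back by the postStart
  # hook below. The borzoi secret is additionally group-readable (0440) for the
  # borzoi group; the grafana secret is readable by the postgres user only.
  sops.secrets.postgres-borzoi-pw = {
    owner = config.users.users.postgres.name;
    group = config.users.groups.borzoi.name;
    mode = "0440";
  };
  sops.secrets.postgres-borzoi-grafana-pw = {
    owner = config.users.users.postgres.name;
  };

  services.postgresql = {
    enable = true;
    enableTCPIP = true;
    port = 5432;
    package = pkgs.postgresql_14;

    # pg_hba.conf. The loopback entries are `trust`: any local OS user can
    # connect as any role, the superuser included, without a password. The
    # postStart hook below depends on password-less local access, so this is
    # kept as is; tightening `local` to `peer` and the 127.0.0.1/::1 lines to
    # scram-sha-256 requires checking every local client first.
    # Remote access is limited to the grafana role, password-authenticated and
    # pinned to two /32 addresses.
    authentication =
      let
        senpai-ip = self.unevaluatedNixosConfigurations.notice-me-senpai.specialArgs.registry.wgAddr4;
        # TODO: fixme
        uranus-ip = "10.13.37.9";
      in
      pkgs.lib.mkOverride 10 ''
        local all all trust
        host all all 127.0.0.1/32 trust
        host all all ::1/128 trust
        host tlms grafana ${senpai-ip}/32 scram-sha-256
        host borzoi grafana ${senpai-ip}/32 scram-sha-256
        host borzoi grafana ${uranus-ip}/32 scram-sha-256
      '';

    ensureDatabases = [ "borzoi" ];
    ensureUsers = [
      {
        name = "grafana";
      }
      {
        name = "borzoi";
        ensurePermissions = {
          "DATABASE borzoi" = "ALL PRIVILEGES";
          "ALL TABLES IN SCHEMA public" = "ALL";
        };
      }
    ];
  };

  systemd.services.postgresql = {
    unitConfig = {
      TimeoutStartSec = 3000;
    };
    serviceConfig = {
      TimeoutSec = lib.mkForce 3000;
    };
    postStart = lib.mkAfter ''
      # Set the role passwords. psql reads each secret itself (backquote
      # expansion in \set) and binds it as a quoted literal via :'pw', so the
      # password never appears on a psql command line (argv is visible to every
      # local user through /proc) and a quote character inside the secret
      # cannot break the statement. ON_ERROR_STOP makes psql exit non-zero on
      # the first failing statement, like the former one-statement -c calls.
      $PSQL -v ON_ERROR_STOP=1 <<'EOF'
      \set pw `cat ${config.sops.secrets.postgres-borzoi-grafana-pw.path}`
      ALTER ROLE grafana WITH PASSWORD :'pw';
      \set pw `cat ${config.sops.secrets.postgres-borzoi-pw.path}`
      ALTER ROLE borzoi WITH PASSWORD :'pw';
      \unset pw
      EOF
      # fixup permissions
      # tlms is practically root, we need to FIXME something about it
      $PSQL -c "GRANT ALL ON DATABASE borzoi TO borzoi;"
      $PSQL -d borzoi -c "GRANT ALL ON ALL TABLES IN SCHEMA public TO borzoi;"
      $PSQL -d borzoi -c "GRANT ALL ON ALL SEQUENCES IN SCHEMA public TO borzoi;"
      # Get grafana to SELECT from tables that might be interesting for it
      $PSQL -c "GRANT CONNECT ON DATABASE borzoi TO grafana;"
      $PSQL -d borzoi -c "GRANT SELECT ON ALL TABLES IN SCHEMA public TO grafana;"
      unset DATABASE_URL
      # borzoi setup
      export DATABASE_URL=postgres:///borzoi
      ${inputs.borzoi.packages.x86_64-linux.run-migration-borzoi}/bin/run-migration
      # The migration may have created tables/sequences owned by postgres after
      # the grants above ran; GRANT ... ON DATABASE alone does not cover objects
      # inside the database, so the object-level grants are re-applied here.
      # All of these are idempotent.
      $PSQL -c "GRANT ALL ON DATABASE borzoi TO borzoi;"
      $PSQL -d borzoi -c "GRANT ALL ON ALL TABLES IN SCHEMA public TO borzoi;"
      $PSQL -d borzoi -c "GRANT ALL ON ALL SEQUENCES IN SCHEMA public TO borzoi;"
      $PSQL -d borzoi -c "GRANT SELECT ON ALL TABLES IN SCHEMA public TO grafana;"
      unset DATABASE_URL
    '';
  };
}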