From 9600f7a37087df3b68b0461ef2d19e4621eab04e Mon Sep 17 00:00:00 2001
From: soraefir
Date: Wed, 6 May 2026 02:54:12 +0200
Subject: [PATCH] postgres ip allow
---
 modules/server/database/default.nix | 61 ++++++++++++++---------------
 1 file changed, 29 insertions(+), 32 deletions(-)
diff --git a/modules/server/database/default.nix b/modules/server/database/default.nix
index 4c22053..2337aa0 100644
--- a/modules/server/database/default.nix
+++ b/modules/server/database/default.nix
@@ -13,6 +13,14 @@ in {
 config = lib.mkIf ( builtins.length allApps > 0) {
 services.postgresql = {
 enable = true;
+ enableTCPIP = true; # Required to listen on network interfaces
+ authentication = pkgs.lib.mkOverride 10 ''
+ # TYPE DATABASE USER ADDRESS METHOD
+ local all all trust
+ host all all 127.0.0.1/32 trust
+ host all all 10.0.0.0/8 scram-sha-256
+ host all all ::1/128 trust
+ '';
 ensureDatabases = map (name: "${name}_db") allApps;
 ensureUsers = map (name: { name = "${name}_user"; }) allApps;
 };
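Review bot: `local all all trust`, `host all all 127.0.0.1/32 trust` and `host all all ::1/128 trust` in the new authentication block let any local process connect as any role, including the `postgres` superuser, with no credential at all, and because the block is applied with `mkOverride 10` it replaces the module's default rules instead of extending them. The postStart script later in this file (outside this hunk) presumably runs as the postgres OS user, so `local all all peer` would keep it working while tying socket logins to OS identity, and loopback TCP can use `scram-sha-256` exactly like the `10.0.0.0/8` line does. `enableTCPIP` also makes the server listen on every interface (as far as I recall it sets `listen_addresses = '*'`), so this file becomes the only gate for every other address; restricting `settings.listen_addresses` to the address on the 10/8 network would narrow that exposure. If only a few hosts need network access, listing them as /32 entries is tighter than granting the whole private range.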
@@ -23,35 +31,7 @@ in {
 backupAll = true; # Backs up all databases and roles
 };
 
- # systemd.services.postgresql.postStart = lib.mkAfter ''
- # PSQL="${pkgs.postgresql}/bin/psql"
- # ${lib.concatMapStringsSep "\n" (name: ''
- # $PSQL -tAc "SELECT 1 FROM pg_roles WHERE rolname = '${name}_user'" | grep -q 1 || \
- # $PSQL -tAc "CREATE ROLE ${name}_user WITH LOGIN;"
-
- # $PSQL -tAc "ALTER DATABASE ${name}_db OWNER TO ${name}_user;"
-
- # if [ -f "${config.sops.secrets."${name}_pass".path}" ]; then
- # PASS=$(cat "${config.sops.secrets."${name}_pass".path}")
- # $PSQL -tAc "ALTER USER ${name}_user WITH PASSWORD '$PASS';"
- # fi
- # '') allApps}
- # '';
- systemd.services.init-db-permissions = {
- description = "Set DB passwords and ownership after Postgres is ready";
- after = [ "postgresql.service" ];
- requires = [ "postgresql.service" ];
- partOf = [ "postgresql.service" ];
- wantedBy = [ "multi-user.target" ];
-
- serviceConfig = {
- Type = "oneshot";
- User = "postgres"; # Runs as postgres user directly
- RemainAfterExit = true;
- ExecStartPre = "${pkgs.coreutils}/bin/sleep 2";
- };
-
- script = ''
+ systemd.services.postgresql.postStart = lib.mkAfter ''
 PSQL="${pkgs.postgresql}/bin/psql"
 ${lib.concatMapStringsSep "\n" (name: ''
 until $PSQL -tAc "SELECT 1 FROM pg_roles WHERE rolname = '${name}_user'" | grep -q 1; do
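Review bot: The `until … | grep -q 1; do` wait that now runs inside the new `postStart` has no retry bound, so a role that never appears (an `ensureUsers` entry that fails, for instance) keeps postgresql.service in its start phase until a unit start timeout fires, if one is configured, instead of failing with a clear message; the loop body and the rest of the script continue outside this hunk. A counter in the loop, e.g. `n=0; until …; do n=$((n+1)); [ "$n" -lt 30 ] || { echo "role ${name}_user not found" >&2; exit 1; }; sleep 1; done`, would bound it. Separately, `PSQL` points at `pkgs.postgresql` rather than `config.services.postgresql.package`, so the client and the running server can diverge if the package option is changed elsewhere.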
@@ -61,11 +41,28 @@ in {
 $PSQL -tAc "ALTER DATABASE ${name}_db OWNER TO ${name}_user;"
 
 if [ -f "${config.sops.secrets."${lib.toUpper name}".path}" ]; then
- PASS=$(grep "^DB_PASSWORD=" "${config.sops.secrets."${lib.toUpper name}".path}" | cut -d'=' -f2- | sed "s/^['\"]//; s/['\"]$//")
+ PASS=$(grep "^DB_PASSWORD=" ... | cut -d'=' -f2- | tr -d '"' | tr -d "'")
 $PSQL -tAc "ALTER USER ${name}_user WITH PASSWORD '$PASS';"
 fi
 '') allApps}
- '';
- };
+ '';
+ # systemd.services.init-db-permissions = {
+ # description = "Set DB passwords and ownership after Postgres is ready";
+ # after = [ "postgresql.service" ];
+ # requires = [ "postgresql.service" ];
+ # partOf = [ "postgresql.service" ];
+ # wantedBy = [ "multi-user.target" ];
+
+ # serviceConfig = {
+ # Type = "oneshot";
+ # User = "postgres"; # Runs as postgres user directly
+ # RemainAfterExit = true;
+ # ExecStartPre = "${pkgs.coreutils}/bin/sleep 2";
+ # };
+
+ # script = ''
+
+ # '';
+ # };
 };
 }
\ No newline at end of file
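Review bot: The new `PASS=` line greps a literal `...` instead of the secret's path; unless that is a rendering artifact of the patch, `grep` fails on a missing file, `PASS` is empty, and the following `ALTER USER … WITH PASSWORD ''` clears the role's password (PostgreSQL treats an empty password as none), so the scram-sha-256 logins this patch opens for 10.0.0.0/8 will not work — and since the pipeline's status comes from the trailing `tr`, nothing aborts the script. Restoring the path, `PASS=$(grep "^DB_PASSWORD=" "${config.sops.secrets."${lib.toUpper name}".path}" | cut -d'=' -f2- | sed "s/^['\"]//; s/['\"]$//")`, also keeps the removed line's behaviour of stripping only a surrounding quote pair, whereas `tr -d '"' | tr -d "'"` deletes every quote character anywhere in the value and silently changes any password that contains one. The value still reaches psql as a command-line argument inside `'$PASS'`, where it is readable in the process table and subject to SQL quoting; feeding the statement on stdin with the password bound as a psql variable and interpolated as `:'pw'` would avoid the quoting problem. The re-added commented-out `init-db-permissions` block is dead code and could be dropped rather than carried along as comments.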