postgres ip allow

2026-05-06 02:54:12 +02:00
parent 83b921afcc
commit 9600f7a370
1 changed files with 29 additions and 32 deletions
--- a/modules/server/database/default.nix
+++ b/modules/server/database/default.nix
@@ -13,6 +13,14 @@ in {
  config = lib.mkIf ( builtins.length allApps > 0) {
    services.postgresql = {
      enable = true;
+      enableTCPIP = true; # Required to listen on network interfaces
+      authentication = pkgs.lib.mkOverride 10 ''
+        # TYPE  DATABASE        USER            ADDRESS                 METHOD
+        local   all             all                                     trust
+        host    all             all             127.0.0.1/32            trust
+        host    all             all             10.0.0.0/8              scram-sha-256
+        host    all             all             ::1/128                 trust
+      '';
      ensureDatabases = map (name: "${name}_db") allApps;
      ensureUsers = map (name: { name = "${name}_user"; }) allApps;
    };
@@ -23,35 +31,7 @@ in {
      backupAll = true; # Backs up all databases and roles
    };

-    # systemd.services.postgresql.postStart = lib.mkAfter ''
-    #   PSQL="${pkgs.postgresql}/bin/psql"
-    #   ${lib.concatMapStringsSep "\n" (name: ''
-    #     $PSQL -tAc "SELECT 1 FROM pg_roles WHERE rolname = '${name}_user'" | grep -q 1 || \
-    #     $PSQL -tAc "CREATE ROLE ${name}_user WITH LOGIN;"
-
-    #     $PSQL -tAc "ALTER DATABASE ${name}_db OWNER TO ${name}_user;"
-        
-    #     if [ -f "${config.sops.secrets."${name}_pass".path}" ]; then
-    #       PASS=$(cat "${config.sops.secrets."${name}_pass".path}")
-    #       $PSQL -tAc "ALTER USER ${name}_user WITH PASSWORD '$PASS';"
-    #     fi
-    #   '') allApps}
-    # '';
-    systemd.services.init-db-permissions = {
-      description = "Set DB passwords and ownership after Postgres is ready";
-      after = [ "postgresql.service" ];
-      requires = [ "postgresql.service" ];
-      partOf = [ "postgresql.service" ];
-      wantedBy = [ "multi-user.target" ];
-      
-      serviceConfig = {
-        Type = "oneshot";
-        User = "postgres"; # Runs as postgres user directly
-        RemainAfterExit = true;
-        ExecStartPre = "${pkgs.coreutils}/bin/sleep 2"; 
-      };
-
-      script = ''
+    systemd.services.postgresql.postStart = lib.mkAfter ''
        PSQL="${pkgs.postgresql}/bin/psql"
        ${lib.concatMapStringsSep "\n" (name: ''
          until $PSQL -tAc "SELECT 1 FROM pg_roles WHERE rolname = '${name}_user'" | grep -q 1; do
@@ -61,11 +41,28 @@ in {
          $PSQL -tAc "ALTER DATABASE ${name}_db OWNER TO ${name}_user;"
          
          if [ -f "${config.sops.secrets."${lib.toUpper name}".path}" ]; then
-            PASS=$(grep "^DB_PASSWORD=" "${config.sops.secrets."${lib.toUpper name}".path}" | cut -d'=' -f2- | sed "s/^['\"]//; s/['\"]$//")
+            PASS=$(grep "^DB_PASSWORD=" ... | cut -d'=' -f2- | tr -d '"' | tr -d "'")
            $PSQL -tAc "ALTER USER ${name}_user WITH PASSWORD '$PASS';"
          fi
        '') allApps}
-      '';
-    };
+    '';
+    # systemd.services.init-db-permissions = {
+    #   description = "Set DB passwords and ownership after Postgres is ready";
+    #   after = [ "postgresql.service" ];
+    #   requires = [ "postgresql.service" ];
+    #   partOf = [ "postgresql.service" ];
+    #   wantedBy = [ "multi-user.target" ];
+      
+    #   serviceConfig = {
+    #     Type = "oneshot";
+    #     User = "postgres"; # Runs as postgres user directly
+    #     RemainAfterExit = true;
+    #     ExecStartPre = "${pkgs.coreutils}/bin/sleep 2"; 
+    #   };
+
+    #   script = ''
+
+    #   '';
+    # };
  };
 }