sora/nixconfig
1
0
Fork 1
Code Issues 2 Pull Requests Actions Releases Activity

postgres ip allow

Browse Source
This commit is contained in:
soraefir
2026-05-06 02:54:12 +02:00
parent 83b921afcc
commit 9600f7a370
1 changed files with 29 additions and 32 deletions
Download Patch File Download Diff File Expand all files Collapse all files

59
modules/server/database/default.nix
View File

@@ -13,6 +13,14 @@ in {
config = lib.mkIf ( builtins.length allApps > 0) { config = lib.mkIf ( builtins.length allApps > 0) {
services.postgresql = { services.postgresql = {
enable = true; enable = true;
enableTCPIP = true; # Required to listen on network interfaces
authentication = pkgs.lib.mkOverride 10 ''
# TYPE DATABASE USER ADDRESS METHOD
local all all trust
host all all 127.0.0.1/32 trust
host all all 10.0.0.0/8 scram-sha-256
host all all ::1/128 trust
'';
ensureDatabases = map (name: "${name}_db") allApps; ensureDatabases = map (name: "${name}_db") allApps;
ensureUsers = map (name: { name = "${name}_user"; }) allApps; ensureUsers = map (name: { name = "${name}_user"; }) allApps;
}; };
@@ -23,35 +31,7 @@ in {
backupAll = true; # Backs up all databases and roles backupAll = true; # Backs up all databases and roles
}; };
# systemd.services.postgresql.postStart = lib.mkAfter '' systemd.services.postgresql.postStart = lib.mkAfter ''
# PSQL="${pkgs.postgresql}/bin/psql"
# ${lib.concatMapStringsSep "\n" (name: ''
# $PSQL -tAc "SELECT 1 FROM pg_roles WHERE rolname = '${name}_user'" | grep -q 1 || \
# $PSQL -tAc "CREATE ROLE ${name}_user WITH LOGIN;"
# $PSQL -tAc "ALTER DATABASE ${name}_db OWNER TO ${name}_user;"
# if [ -f "${config.sops.secrets."${name}_pass".path}" ]; then
# PASS=$(cat "${config.sops.secrets."${name}_pass".path}")
# $PSQL -tAc "ALTER USER ${name}_user WITH PASSWORD '$PASS';"
# fi
# '') allApps}
# '';
systemd.services.init-db-permissions = {
description = "Set DB passwords and ownership after Postgres is ready";
after = [ "postgresql.service" ];
requires = [ "postgresql.service" ];
partOf = [ "postgresql.service" ];
wantedBy = [ "multi-user.target" ];
serviceConfig = {
Type = "oneshot";
User = "postgres"; # Runs as postgres user directly
RemainAfterExit = true;
ExecStartPre = "${pkgs.coreutils}/bin/sleep 2";
};
script = ''
PSQL="${pkgs.postgresql}/bin/psql" PSQL="${pkgs.postgresql}/bin/psql"
${lib.concatMapStringsSep "\n" (name: '' ${lib.concatMapStringsSep "\n" (name: ''
until $PSQL -tAc "SELECT 1 FROM pg_roles WHERE rolname = '${name}_user'" | grep -q 1; do until $PSQL -tAc "SELECT 1 FROM pg_roles WHERE rolname = '${name}_user'" | grep -q 1; do
@@ -61,11 +41,28 @@ in {
$PSQL -tAc "ALTER DATABASE ${name}_db OWNER TO ${name}_user;" $PSQL -tAc "ALTER DATABASE ${name}_db OWNER TO ${name}_user;"
if [ -f "${config.sops.secrets."${lib.toUpper name}".path}" ]; then if [ -f "${config.sops.secrets."${lib.toUpper name}".path}" ]; then
PASS=$(grep "^DB_PASSWORD=" "${config.sops.secrets."${lib.toUpper name}".path}" | cut -d'=' -f2- | sed "s/^['\"]//; s/['\"]$//") PASS=$(grep "^DB_PASSWORD=" ... | cut -d'=' -f2- | tr -d '"' | tr -d "'")
$PSQL -tAc "ALTER USER ${name}_user WITH PASSWORD '$PASS';" $PSQL -tAc "ALTER USER ${name}_user WITH PASSWORD '$PASS';"
fi fi
'') allApps} '') allApps}
''; '';
}; # systemd.services.init-db-permissions = {
# description = "Set DB passwords and ownership after Postgres is ready";
# after = [ "postgresql.service" ];
# requires = [ "postgresql.service" ];
# partOf = [ "postgresql.service" ];
# wantedBy = [ "multi-user.target" ];
# serviceConfig = {
# Type = "oneshot";
# User = "postgres"; # Runs as postgres user directly
# RemainAfterExit = true;
# ExecStartPre = "${pkgs.coreutils}/bin/sleep 2";
# };
# script = ''
# '';
# };
}; };
} }