Start migration to NixOS for storage1

2025-12-25 13:46:59 +01:00 · 2021-11-29 02:04:29 +01:00 · 2021-11-29 02:04:29 +01:00 · 86124dcd4a
commit 86124dcd4a
parent 09d2ac3f05
19 changed files with 589 additions and 173 deletions
--- a/modules/postgresql.nix
+++ b/modules/postgresql.nix
@ -1,9 +1,13 @@
 { config, lib, pkgs, ... }:
 {
+
  services.postgresql = {
    enable = true;
    package = pkgs.postgresql_12;
-    initialScript = "/var/keys/postgres-init.sql";
+    initialScript = pkgs.writeText "postgres-init.sql" ''
+      CREATE ROLE "synapse";
+      CREATE ROLE "nextcloud";
+    '';
    enableTCPIP = true;
    identMap = ''
      root_as_others         root                  postgres
@ -16,5 +20,47 @@
      host   all     all     10.0.1.0/24    md5
    '';
  };
-  users.users.postgres.extraGroups = [ "keys" ];
+
+  sops.secrets = {
+    synapseDbPassword = {
+      owner = config.services.postgresql.superUser;
+      key = "synapse/db_password";
+      restartUnits = [ "postgresql-setup.service" ];
+    };
+    nextcloudDbPassword = {
+      owner = config.services.postgresql.superUser;
+      key = "nextcloud/db_password";
+      restartUnits = [ "postgresql-setup.service" ];
+    };
+  };
+
+  systemd.services.postgresql-setup = let pgsql = config.services.postgresql; in
+    {
+      after = [ "postgresql.service" ];
+      bindsTo = [ "postgresql.service" ];
+      wantedBy = [ "postgresql.service" ];
+      path = [
+        pgsql.package
+        pkgs.util-linux
+      ];
+      script = ''
+        set -eu
+        PSQL() {
+            psql --port=${toString pgsql.port} "$@"
+        }
+        PSQL -tAc "SELECT 1 FROM pg_database WHERE datname = 'synapse'" | grep -q 1 || PSQL -tAc 'CREATE DATABASE "synapse" OWNER "synapse" TEMPLATE template0 LC_COLLATE = "C" LC_CTYPE = "C"'
+        PSQL -tAc "SELECT 1 FROM pg_database WHERE datname = 'nextcloud'" | grep -q 1 || PSQL -tAc 'CREATE DATABASE "nextcloud" OWNER "nextcloud"'
+
+        synapse_password="$(<'${config.sops.secrets.synapseDbPassword.path}')"
+        PSQL -tAc  "ALTER ROLE synapse WITH PASSWORD '$synapse_password'"
+        nextcloud_password="$(<'${config.sops.secrets.nextcloudDbPassword.path}')"
+        PSQL -tAc  "ALTER ROLE nextcloud WITH PASSWORD '$nextcloud_password'"
+      '';
+
+      serviceConfig = {
+        User = pgsql.superUser;
+        Type = "oneshot";
+        RemainAfterExit = true;
+      };
+    };
 }