diff --git a/modules/postgresql.nix b/modules/postgresql.nix index f268a67..eb06fc2 100644 --- a/modules/postgresql.nix +++ b/modules/postgresql.nix @@ -1,6 +1,13 @@ -{ config, lib, pkgs, ... }: -let cfg = config.custom.services.postgresql; -in { +{ + config, + lib, + pkgs, + ... +}: +let + cfg = config.custom.services.postgresql; +in +{ options.custom.services.postgresql = { enable = lib.mkEnableOption "postgresql"; }; @@ -16,6 +23,7 @@ in { root_as_others root nextcloud root_as_others root roundcube root_as_others root mastodon + root_as_others root dolibarr ''; authentication = '' local all postgres peer 
@@ -45,50 +53,66 @@ in { key = "mastodon/db_password"; restartUnits = [ "postgresql-setup.service" ]; }; - }; - - systemd.services.postgresql-setup = let pgsql = config.services.postgresql; - in { - after = [ "postgresql.service" ]; - bindsTo = [ "postgresql.service" ]; - wantedBy = [ "postgresql.service" ]; - path = [ pgsql.package pkgs.util-linux ]; - script = '' - set -u - PSQL() { - psql --port=${toString pgsql.settings.port} "$@" - } - - PSQL -tAc "SELECT 1 FROM pg_roles WHERE rolname = 'synapse'" | grep -q 1 || PSQL -tAc 'CREATE ROLE "synapse"' - PSQL -tAc "SELECT 1 FROM pg_roles WHERE rolname = 'nextcloud'" | grep -q 1 || PSQL -tAc 'CREATE ROLE "nextcloud"' - PSQL -tAc "SELECT 1 FROM pg_roles WHERE rolname = 'roundcube'" | grep -q 1 || PSQL -tAc 'CREATE ROLE "roundcube"' - PSQL -tAc "SELECT 1 FROM pg_roles WHERE rolname = 'mastodon'" | grep -q 1 || PSQL -tAc 'CREATE ROLE "mastodon"' - - PSQL -tAc "SELECT 1 FROM pg_database WHERE datname = 'synapse'" | grep -q 1 || PSQL -tAc 'CREATE DATABASE "synapse" OWNER "synapse" TEMPLATE template0 LC_COLLATE = "C" LC_CTYPE = "C"' - PSQL -tAc "SELECT 1 FROM pg_database WHERE datname = 'nextcloud'" | grep -q 1 || PSQL -tAc 'CREATE DATABASE "nextcloud" OWNER "nextcloud"' - PSQL -tAc "SELECT 1 FROM pg_database WHERE datname = 'roundcube'" | grep -q 1 || PSQL -tAc 'CREATE DATABASE "roundcube" OWNER "roundcube"' - PSQL -tAc "SELECT 1 FROM pg_database WHERE datname = 'mastodon'" | grep -q 1 || PSQL -tAc 'CREATE DATABASE "mastodon" OWNER "mastodon"' - - PSQL -tAc "ALTER ROLE synapse LOGIN" - PSQL -tAc "ALTER ROLE nextcloud LOGIN" - PSQL -tAc "ALTER ROLE roundcube LOGIN" - PSQL -tAc "ALTER ROLE mastodon LOGIN" - - synapse_password="$(<'${config.sops.secrets.synapseDbPassword.path}')" - PSQL -tAc "ALTER ROLE synapse WITH PASSWORD '$synapse_password'" - nextcloud_password="$(<'${config.sops.secrets.nextcloudDbPassword.path}')" - PSQL -tAc "ALTER ROLE nextcloud WITH PASSWORD '$nextcloud_password'" - 
roundcube_password="$(<'${config.sops.secrets.roundcubeDbPassword.path}')" - PSQL -tAc "ALTER ROLE roundcube WITH PASSWORD '$roundcube_password'" - mastodon_password="$(<'${config.sops.secrets.mastodonDbPassword.path}')" - PSQL -tAc "ALTER ROLE mastodon WITH PASSWORD '$mastodon_password'" - ''; - - serviceConfig = { - User = pgsql.superUser; - Type = "oneshot"; - RemainAfterExit = true; + dolibarrDbPassword = { + owner = config.services.postgresql.superUser; + key = "dolibarr/db_password"; + restartUnits = [ "postgresql-setup.service" ]; }; }; + + systemd.services.postgresql-setup = + let + pgsql = config.services.postgresql; + in + { + after = [ "postgresql.service" ]; + bindsTo = [ "postgresql.service" ]; + wantedBy = [ "postgresql.service" ]; + path = [ + pgsql.package + pkgs.util-linux + ]; + script = '' + set -u + PSQL() { + psql --port=${toString pgsql.settings.port} "$@" + } + + PSQL -tAc "SELECT 1 FROM pg_roles WHERE rolname = 'synapse'" | grep -q 1 || PSQL -tAc 'CREATE ROLE "synapse"' + PSQL -tAc "SELECT 1 FROM pg_roles WHERE rolname = 'nextcloud'" | grep -q 1 || PSQL -tAc 'CREATE ROLE "nextcloud"' + PSQL -tAc "SELECT 1 FROM pg_roles WHERE rolname = 'roundcube'" | grep -q 1 || PSQL -tAc 'CREATE ROLE "roundcube"' + PSQL -tAc "SELECT 1 FROM pg_roles WHERE rolname = 'mastodon'" | grep -q 1 || PSQL -tAc 'CREATE ROLE "mastodon"' + PSQL -tAc "SELECT 1 FROM pg_roles WHERE rolname = 'dolibarr'" | grep -q 1 || PSQL -tAc 'CREATE ROLE "dolibarr"' + + PSQL -tAc "SELECT 1 FROM pg_database WHERE datname = 'synapse'" | grep -q 1 || PSQL -tAc 'CREATE DATABASE "synapse" OWNER "synapse" TEMPLATE template0 LC_COLLATE = "C" LC_CTYPE = "C"' + PSQL -tAc "SELECT 1 FROM pg_database WHERE datname = 'nextcloud'" | grep -q 1 || PSQL -tAc 'CREATE DATABASE "nextcloud" OWNER "nextcloud"' + PSQL -tAc "SELECT 1 FROM pg_database WHERE datname = 'roundcube'" | grep -q 1 || PSQL -tAc 'CREATE DATABASE "roundcube" OWNER "roundcube"' + PSQL -tAc "SELECT 1 FROM pg_database WHERE datname = 
'mastodon'" | grep -q 1 || PSQL -tAc 'CREATE DATABASE "mastodon" OWNER "mastodon"' + PSQL -tAc "SELECT 1 FROM pg_database WHERE datname = 'dolibarr'" | grep -q 1 || PSQL -tAc 'CREATE DATABASE "dolibarr" OWNER "dolibarr"' + + PSQL -tAc "ALTER ROLE synapse LOGIN" + PSQL -tAc "ALTER ROLE nextcloud LOGIN" + PSQL -tAc "ALTER ROLE roundcube LOGIN" + PSQL -tAc "ALTER ROLE mastodon LOGIN" + PSQL -tAc "ALTER ROLE dolibarr LOGIN" + + synapse_password="$(<'${config.sops.secrets.synapseDbPassword.path}')" + PSQL -tAc "ALTER ROLE synapse WITH PASSWORD '$synapse_password'" + nextcloud_password="$(<'${config.sops.secrets.nextcloudDbPassword.path}')" + PSQL -tAc "ALTER ROLE nextcloud WITH PASSWORD '$nextcloud_password'" + roundcube_password="$(<'${config.sops.secrets.roundcubeDbPassword.path}')" + PSQL -tAc "ALTER ROLE roundcube WITH PASSWORD '$roundcube_password'" + mastodon_password="$(<'${config.sops.secrets.mastodonDbPassword.path}')" + PSQL -tAc "ALTER ROLE mastodon WITH PASSWORD '$mastodon_password'" + dolibarr_password="$(<'${config.sops.secrets.dolibarrDbPassword.path}')" + PSQL -tAc "ALTER ROLE dolibarr WITH PASSWORD '$dolibarr_password'" + ''; + + serviceConfig = { + User = pgsql.superUser; + Type = "oneshot"; + RemainAfterExit = true; + }; + }; }; } diff --git a/profiles/backend.nix b/profiles/backend.nix index 6f8b785..e55151c 100644 --- a/profiles/backend.nix +++ b/profiles/backend.nix @@ -16,6 +16,11 @@ owner = config.services.borgbackup.jobs.data.user; key = "borg/client_keys/backend1/private"; }; + dolibarrDbPassword = { + owner = config.users.users.dolibarr.name; + key = "dolibarr/db_password"; + restartUnits = [ "phpfpm-dolibarr.service" ]; + }; }; custom = { 
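Review bot: The new `PSQL -tAc "ALTER ROLE dolibarr WITH PASSWORD '$dolibarr_password'"` line puts the secret into psql's argument vector, where it is typically readable from /proc/<pid>/cmdline by other local users while the call runs, and it is also what the server writes to its log if `log_statement` covers DDL; the four existing roles above it have the same shape, and a quote character in the secret would break the SQL string. Passing it as a psql variable keeps it out of argv and lets psql do the quoting, `printf '%s\n' "ALTER ROLE dolibarr WITH PASSWORD :'pw'" | PSQL -tA -v pw="$dolibarr_password"` (psql does not interpolate `:'pw'` in a `-c` string, so the statement has to arrive on stdin). Separately, the script only sets `set -u`, so a failed ALTER ROLE does not fail the oneshot unit and a role could silently keep a stale password; `set -eu` would surface that, since the existence checks are already guarded with `||`. The enclosing attribute set begins before the hunk.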
@@ -124,6 +129,24 @@ }; }; + services.dolibarr = { + enable = true; + domain = "dolibarr.froidmont.solutions"; + stateDir = "/nix/var/data/dolibarr"; + database = { + createLocally = false; + host = "10.0.1.11"; + port = 5432; + name = "dolibarr"; + user = "dolibarr"; + passwordFile = config.sops.secrets.dolibarrDbPassword.path; + }; + settings = { + dolibarr_main_db_type = lib.mkForce "pgsql"; + }; + nginx = { }; + }; + networking.firewall.allowedTCPPorts = [ 80 443 diff --git a/profiles/db.nix b/profiles/db.nix index b27d8c3..6d97a1a 100644 --- a/profiles/db.nix +++ b/profiles/db.nix @@ -1,5 +1,15 @@ -{ config, lib, pkgs, ... }: { - imports = [ ../environment.nix ../hardware/hcloud.nix ../modules ]; +{ + config, + lib, + pkgs, + ... +}: +{ + imports = [ + ../environment.nix + ../hardware/hcloud.nix + ../modules + ]; networking.firewall.interfaces."eth1".allowedTCPPorts = [ config.services.prometheus.exporters.node.port @@ -17,12 +27,16 @@ services.backup-job = { enable = true; repoName = "db1"; - readWritePaths = [ "/nix/var/data/postgresql" "/nix/var/data/backup/" ]; + readWritePaths = [ + "/nix/var/data/postgresql" + "/nix/var/data/backup/" + ]; preHook = '' ${config.services.postgresql.package}/bin/pg_dump -U synapse synapse > /nix/var/data/postgresql/synapse.dmp ${config.services.postgresql.package}/bin/pg_dump -U nextcloud nextcloud > /nix/var/data/postgresql/nextcloud.dmp ${config.services.postgresql.package}/bin/pg_dump -U roundcube roundcube > /nix/var/data/postgresql/roundcube.dmp ${config.services.postgresql.package}/bin/pg_dump -U mastodon mastodon > /nix/var/data/postgresql/mastodon.dmp + ${config.services.postgresql.package}/bin/pg_dump -U dolibarr dolibarr > /nix/var/data/postgresql/dolibarr.dmp ''; startAt = "03:00"; sshKey = config.sops.secrets.borgSshKey.path; diff --git a/secrets.enc.yml b/secrets.enc.yml index 712c4b0..c66a48e 100644 --- a/secrets.enc.yml +++ b/secrets.enc.yml 
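Review bot: `nginx = { };` leaves the Dolibarr virtual host for `dolibarr.froidmont.solutions` with the module's defaults and no `forceSSL`/`enableACME`, and the firewall list just below opens 80 as well as 443, so unless TLS is forced elsewhere in the host config the login form would be served over plain HTTP on the public address that the dns.tf change points at; `nginx = { forceSSL = true; enableACME = true; };` (or a host-wide default) would close that. The database block also reaches `10.0.1.11:5432` across the network with only a password; whether the db host's `pg_hba` requires scram and TLS for that client is not visible here, as the postgresql.nix `authentication` text in this commit is cut off after the `local` line, so that is worth confirming. With `createLocally = false` the module creates neither role nor database; that happens in `postgresql-setup` on the db host, so both hosts must be deployed together for the first start to succeed.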
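Review bot: The added `pg_dump -U dolibarr dolibarr > /nix/var/data/postgresql/dolibarr.dmp` redirects straight into the final file, so a dump that fails partway (role not yet created on first deploy, connection refused) leaves a truncated `dolibarr.dmp` that the borg job then archives as if it were complete; the four existing lines behave the same, and whether `preHook` runs under `set -e` is not visible here. Writing to a temporary name and renaming only on success keeps the last good dump in place, e.g. `pg_dump -U dolibarr dolibarr > /nix/var/data/postgresql/dolibarr.dmp.tmp && mv /nix/var/data/postgresql/dolibarr.dmp.tmp /nix/var/data/postgresql/dolibarr.dmp`; `-Fc` would additionally give a compressed, selectively restorable format. The dumps rest unencrypted under `/nix/var/data/postgresql`, so read access to that directory is equivalent to read access to every application's database.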
@@ -6,7 +6,7 @@ grafana: nix: cache_secret_key: ENC[AES256_GCM,data:Q2mRU+EuTyqjYNvbuyGLqoDSqa/7EPlzNuCJU7QUBRSozf1D4dDzAPNU47xZ2rKcjz6Eg4OhAZLlGeFw9le8SzHOSJ65UYHoMMc6Rpvv/fPhgg2s2UMArrqyO3ultj1pVe3eIIRzBQcdoFqVDg==,iv:jhMTWEO6ahcZl+Dq6mA+mWIie8T0Dq1ZYe/HHYAD5ss=,tag:2GRmd2z96+TGI7MdvOBEdA==,type:str] gitlab: - password: ENC[AES256_GCM,data:+DptcLNXBmI7c8TrlF2U3+4FAeg=,iv:POtL7Cu6KvgEs9SFokR1G9yviqvqUcy8KNlB42FU9PQ=,tag:yWgsuDou+R05EEe7j8r7WA==,type:str] + password: ENC[AES256_GCM,data:ellmwJv7zasbAD3hzAkSSJ4Z9qHqmlernG0=,iv:czXgy9wnDHLSrzefL+nKfbPm6DhZwpNARkUxNsBDHzM=,tag:NYXTjgaUAvOOeJlGe5fchQ==,type:str] runner_registration_config: ENC[AES256_GCM,data:R+9UIDgrTx8xiz4DRRjB4ocyib43lIfQyxWTW+d8/UzkA87GFIraSLIjhnoDFhk57s3jQGUtmudl709z410V8+EXbLB81gl1mJqaXQ==,iv:qckhsamd24VVTB7glMcVyMsLJo9jON3Nc9JfeGOM0xI=,tag:/DOmtSrQOoIzpMHH/oBnFQ==,type:str] synapse: db_password: ENC[AES256_GCM,data:hy2BgTsRaZDQZULTW/csmnRy5ZjDEuPqxyuINv0ov5pFzDkozJVL1wut3HgBXjYZ8bqNjS5pCPQtkznw,iv:i41zKGwvPGIEZP0ZjhRaY4UMeOXBovQmLr1e1ewZhV4=,tag:3kKKYouH+lOrNxPJE5ul/Q==,type:str] 
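Review bot: The `gitlab.password` ciphertext changes in this hunk although nothing else in the commit touches GitLab, so what looks like a credential rotation is bundled into the Dolibarr feature change. Because the plaintext cannot be reviewed, a separate commit, or at least a line in the description stating that the value was rotated, is what lets a reviewer distinguish a deliberate rotation from an accidental edit. The `dolibarr.db_password` addition and the `mac`/`lastmodified` update further down are the expected parts of this change.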
@@ -18,6 +18,8 @@ nextcloud: mastodon: db_password: ENC[AES256_GCM,data:XY/C6n3T7iINN1Sk2GdhQgHK0+vltLssOVfRLA2rFmqdxLHjvpKQTPHWxDbzELVcGqgGyiMH4AG240lo,iv:8M/fLo1MjIpUIW54WgddILmcgtofeh0rIBvKQaX/Csw=,tag:Al6LjmcPOlza5iJivf0agg==,type:str] smtp_password: ENC[AES256_GCM,data:uhtPw/1uuKsDifdPzaczWFdZm3TP3e25U69bGysJdudnjY9rjf8HrDJ1/wqXR4hbLMaJP41fVN9WXYSE,iv:VjIQCBx6BFzATuALewU6Dc7Ti+uekmAUIJ+r2iOcFHg=,tag:vhCvRbkRxuYyf/qLeoaFzA==,type:str] +dolibarr: + db_password: ENC[AES256_GCM,data:1aDUyV+JLklbbP5dJBmviPWKKxQF7xAuQ/lKIZ5M4TtHbeH9PDuEoyxJJ08k7RtJyLrBRCwBd2pgLyYs,iv:rn6aGEPG9i3Uu4xlMIDIdK8T8bPt8t1pRl4SUsgK8nI=,tag:qacpyDDsj0pYWO1Kur9Ugw==,type:str] roundcube: db_password: ENC[AES256_GCM,data:t2/gRhkkwd7eXKvRowNnBfOiJS4nWZlZpjtmmw+XcARbcYyf4Z3+jG6anzqxYjHHGzza23qcpfiSB4t7,iv:H7vdeBgVY3aSsMCyBBbCb0qqbDHTA/S3fwK1lDBebDI=,tag:LbeMqj3xdWz8e6XSEV+jtw==,type:str] pg_pass_file: ENC[AES256_GCM,data:pXWi2lC3Na8K/P+F0nUW00mq2vApw/pf5stJvlfuwEdan1GKBa9jSqJE17mq7weaMkhI1vBwDdfu/P1y7hEBzRNU3CA=,iv:3bC2mKUt8jI+Avm8UQq6b15JA2F7/usfDEh6XYJ9OZA=,tag:0pYQyWDh3w00XRQe13IrCw==,type:str] @@ -69,8 +71,8 @@ sops: azure_kv: [] hc_vault: [] age: [] - lastmodified: "2024-07-08T16:25:47Z" - mac: ENC[AES256_GCM,data:xQS7zypupl05ohpgmLycHFMAH46fStNk9cAV0bW7RBTdpXyO+/Crit9D+/mbMdRxbMXy1xywi65YKq8BJpg2o2ReH0tIHdN1IZIyqHtPSyUJ5IM6D9dWZBBiSLuYM8eU0jloORqTkRLUUqIHM6nuOoDdfE+SaNFhDhIQd+j+6ZI=,iv:j3ezzOn03fS4NaAUkngQnwFzDvrg4BwUAVdkYXnwIAI=,tag:FA6LeG6PfkufRtJCdl3iTg==,type:str] + lastmodified: "2024-09-11T18:58:46Z" + mac: ENC[AES256_GCM,data:NeD6/1DBlvW9vyReJJVBb8YY8qnMPZE0pobvNNdq/0dJKQfnAEndEokqWrRCuzd8oFuMbSmb4CDMX3N6r6nypGi4MMeeBAxPqlHO8aHAZ+XSrAh0XPNmcUnTYUP/zhJA9mp2fyWWgQT4gMEQslKVHDiCd68yOrj2wOr9Nx4CW8Y=,iv:eUyv6w/hXdxGg/1y2CU/WjEivzctCKO3Yw66ToEolH0=,tag:nFh240Xx1+dtLpz9P4U6gA==,type:str] pgp: - created_at: "2023-10-17T21:02:13Z" enc: | diff --git a/terraform/dns.tf b/terraform/dns.tf index 624b182..955a178 100644 --- a/terraform/dns.tf +++ b/terraform/dns.tf 
@@ -8,6 +8,10 @@ data "hetznerdns_zone" "banditlair_zone" { name = "banditlair.com" } +data "hetznerdns_zone" "froidmont_solutions_zone" { + name = "froidmont.solutions" +} + resource "hetznerdns_record" "banditlair_hcloud_a" { zone_id = data.hetznerdns_zone.banditlair_zone.id name = "@" @@ -88,6 +92,14 @@ resource "hetznerdns_record" "status_banditlair_a" { ttl = 600 } +resource "hetznerdns_record" "dolibarr_a" { + zone_id = data.hetznerdns_zone.froidmont_solutions_zone.id + name = "dolibarr" + value = hcloud_server.backend1.ipv4_address + type = "A" + ttl = 600 +} + resource "hetznerdns_record" "jitsi_a" { zone_id = data.hetznerdns_zone.froidmont_zone.id name = "jitsi"