add postgresql

2026-01-12 04:39:23 +08:00 · 2023-08-20 12:15:02 +08:00
parent b93c3736bb
commit b670b6bf4f
2 changed files with 86 additions and 33 deletions
--- a/modules/services/default.nix
+++ b/modules/services/default.nix
@@ -1,5 +1,9 @@
 inputs:
 {
+	imports = mkModules
+	[
+		./postgresql.nix
+	];
 	options.nixos.services = let inherit (inputs.lib) mkOption types; in
 	{
 		impermanence =
@@ -116,7 +120,6 @@ inputs:
 			};
 		};
 		fileshelter.enable = mkOption { type = types.bool; default = false; };
-		postgresql.enable = mkOption { type = types.bool; default = false; };
 		rsshub.enable = mkOption { type = types.bool; default = false; };
 		wallabag.enable = mkOption { type = types.bool; default = false; };
 		docker = mkOption
@@ -1139,38 +1142,6 @@ inputs:
 					)
 				])
 			)
-			(
-				mkIf services.postgresql.enable
-				{
-					services.postgresql =
-					{
-						enable = true;
-						package = inputs.pkgs.postgresql_15;
-						enableTCPIP = true;
-						authentication = "host all all 0.0.0.0/0 md5";
-						settings =
-						{
-							unix_socket_permissions = "0700";
-							shared_buffers = "2048MB";
-							work_mem = "128MB";
-						};
-						# log_timezone = 'Asia/Shanghai'
-						# datestyle = 'iso, mdy'
-						# timezone = 'Asia/Shanghai'
-						# lc_messages = 'en_US.utf8'
-						# lc_monetary = 'en_US.utf8'
-						# lc_numeric = 'en_US.utf8'
-						# lc_time = 'en_US.utf8'
-						# default_text_search_config = 'pg_catalog.english'
-						# plperl.on_init = 'use utf8; use re; package utf8; require "utf8_heavy.pl";'
-						# mv /path/to/dir /path/to/dir_old
-						# mkdir /path/to/dir
-						# chattr +C /path/to/dir
-						# cp -a --reflink=never /path/to/dir_old/. /path/to/dir
-						# rm -rf /path/to/dir_old
-					};
-				}
-			)
 			(
 				mkIf services.rsshub.enable
 				{
--- a/modules/services/postgresql.nix
+++ b/modules/services/postgresql.nix
@@ -0,0 +1,82 @@
+inputs:
+{
+	options.nixos.services.postgresql = let inherit (inputs.lib) mkOption types; in
+	{
+		enable = mkOption { type = types.bool; default = false; };
+		instances = mkOption
+		{
+			type = types.listOf (types.oneOf
+			[
+				types.nonEmptyStr
+				(types.submodule (submoduleInputs: { options =
+				{
+					database = mkOption { type = types.nonEmptyStr; };
+					user = mkOption { type = types.nonEmptyStr; default = submoduleInputs.config.database; };
+					passwordFile = mkOption { type = types.nullOr types.nonEmptyStr; default = null; };
+				};}))
+			]);
+			default = [];
+		};
+	};
+	config =
+		let
+			inherit (inputs.config.nixos.services) postgresql;
+			inherit (inputs.lib) mkMerge mkAfter concatStringsSep;
+			inherit (inputs.localLib) stripeTabs;
+			inherit (builtins) map listToAttrs;
+		in mkIf postgresql.enable
+		{
+			services.postgresql =
+			{
+				enable = true;
+				package = inputs.pkgs.postgresql_15;
+				enableTCPIP = true;
+				authentication = "host all all 0.0.0.0/0 md5";
+				settings =
+				{
+					unix_socket_permissions = "0700";
+					shared_buffers = "2048MB";
+					work_mem = "128MB";
+				};
+				# log_timezone = 'Asia/Shanghai'
+				# datestyle = 'iso, mdy'
+				# timezone = 'Asia/Shanghai'
+				# lc_messages = 'en_US.utf8'
+				# lc_monetary = 'en_US.utf8'
+				# lc_numeric = 'en_US.utf8'
+				# lc_time = 'en_US.utf8'
+				# default_text_search_config = 'pg_catalog.english'
+				# plperl.on_init = 'use utf8; use re; package utf8; require "utf8_heavy.pl";'
+				# mv /path/to/dir /path/to/dir_old
+				# mkdir /path/to/dir
+				# chattr +C /path/to/dir
+				# cp -a --reflink=never /path/to/dir_old/. /path/to/dir
+				# rm -rf /path/to/dir_old
+				ensureDatabases = map (db: db.database or db) postgresql;
+				ensureUsers = map (db: { name = db.user or db; }) postgresql;
+			};
+			systemd.services.postgresql.postStart = mkAfter (concatStringsSep "\n" (map
+				(db:
+					let
+						passwordFile =
+							if db.passwordFile or null != null then db.passwordFile
+							else inputs.config.sops.secrets."postgresql/${db.user or db}".path;
+						in
+						# set user password
+						''$PSQL -tAc "ALTER USER '${db.user or db}' with encrypted password '$(cat ${passwordFile})'"''
+						# set db owner
+							+ "\n"
+							+ ''$PSQL -tAc "select pg_catalog.pg_get_userbyid(d.datdba) FROM pg_catalog.pg_database d''
+							+ '' WHERE d.datname = '${db.database ? db}' ORDER BY 1"''
+							+ '' | grep -E '^${db.user or db}$' -q''
+							+ '' || $PSQL -tAc "ALTER DATABASE '${db.database or db}' OWNER TO '${db.user or db}'"'')
+				postgresql));
+			sops.secrets = listToAttrs (map
+				(db: { name = "postgresql/${db.user or db}"; value.owner = inputs.config.users.users.postgres.name; })
+				(filter (db: db.passwordFile or null == null) postgresql));
+		};
+}
+  # sops.secrets.drone-agent = {
+  #   owner = config.systemd.services.drone-agent.serviceConfig.User;
+  #   key = "drone";
+  # };