services.postgresql: fix
This commit is contained in:
parent
8115d2a0c6
commit
f97fad608d
@ -139,9 +139,9 @@ inputs:
|
||||
redis = mkIf (misskey.instances != {}) { instances = listToAttrs (map
|
||||
(instance: { name = "misskey-${instance.name}"; value.port = instance.value.redis.port; })
|
||||
(attrsToList misskey.instances)); };
|
||||
postgresql = mkIf (misskey.instances != {}) { instances = listToAttrs (map
|
||||
postgresql.instances = listToAttrs (map
|
||||
(instance: { name = "misskey_${replaceStrings [ "-" ] [ "_" ] instance.name}"; value = {}; })
|
||||
(attrsToList misskey.instances)); };
|
||||
(attrsToList misskey.instances));
|
||||
meilisearch =
|
||||
let instances = filter (instance: instance.value.meilisearch.enable) (attrsToList misskey.instances);
|
||||
in mkIf (instances != []) { instances = listToAttrs (map
|
||||
|
@ -1,105 +1,96 @@
|
||||
inputs:
|
||||
{
|
||||
options.nixos.services.postgresql = let inherit (inputs.lib) mkOption types; in mkOption
|
||||
options.nixos.services.postgresql = let inherit (inputs.lib) mkOption types; in
|
||||
{
|
||||
type = types.nullOr (types.submodule { options =
|
||||
enable = mkOption { type = types.bool; default = inputs.config.nixos.services.postgresql.instances != {}; };
|
||||
instances = mkOption
|
||||
{
|
||||
instances = mkOption
|
||||
type = types.attrsOf (types.submodule (submoduleInputs: { options =
|
||||
{
|
||||
type = types.attrsOf (types.submodule (submoduleInputs: { options =
|
||||
{
|
||||
database = mkOption { type = types.nonEmptyStr; default = submoduleInputs.config._module.args.name; };
|
||||
user = mkOption { type = types.nonEmptyStr; default = submoduleInputs.config._module.args.name; };
|
||||
passwordFile = mkOption { type = types.nullOr types.nonEmptyStr; default = null; };
|
||||
initializeFlags = mkOption { type = types.attrsOf types.nonEmptyStr; default = {}; };
|
||||
};}));
|
||||
default = {};
|
||||
};
|
||||
};});
|
||||
default = null;
|
||||
};
|
||||
config =
|
||||
let
|
||||
inherit (inputs.config.nixos.services) postgresql;
|
||||
inherit (inputs.lib) mkAfter concatStringsSep mkIf;
|
||||
inherit (inputs.localLib) attrsToList;
|
||||
inherit (builtins) map listToAttrs filter;
|
||||
in mkIf (postgresql != null)
|
||||
{
|
||||
services =
|
||||
{
|
||||
postgresql =
|
||||
{
|
||||
enable = true;
|
||||
package = inputs.pkgs.postgresql_15;
|
||||
enableTCPIP = true;
|
||||
authentication = "host all all 0.0.0.0/0 md5";
|
||||
settings =
|
||||
{
|
||||
unix_socket_permissions = "0700";
|
||||
shared_buffers = "8192MB";
|
||||
work_mem = "512MB";
|
||||
autovacuum = "on";
|
||||
};
|
||||
# log_timezone = 'Asia/Shanghai'
|
||||
# datestyle = 'iso, mdy'
|
||||
# timezone = 'Asia/Shanghai'
|
||||
# lc_messages = 'en_US.utf8'
|
||||
# lc_monetary = 'en_US.utf8'
|
||||
# lc_numeric = 'en_US.utf8'
|
||||
# lc_time = 'en_US.utf8'
|
||||
# default_text_search_config = 'pg_catalog.english'
|
||||
# plperl.on_init = 'use utf8; use re; package utf8; require "utf8_heavy.pl";'
|
||||
# mv /path/to/dir /path/to/dir_old
|
||||
# mkdir /path/to/dir
|
||||
# chattr +C /path/to/dir
|
||||
# cp -a --reflink=never /path/to/dir_old/. /path/to/dir
|
||||
# rm -rf /path/to/dir_old
|
||||
ensureUsers = map (db: { name = db.value.user; }) (attrsToList postgresql.instances);
|
||||
};
|
||||
postgresqlBackup =
|
||||
{
|
||||
enable = true;
|
||||
pgdumpOptions = "-Fc";
|
||||
compression = "none";
|
||||
databases = map (db: db.value.database) (attrsToList postgresql.instances);
|
||||
};
|
||||
};
|
||||
systemd.services.postgresql.postStart = mkAfter (concatStringsSep "\n" (map
|
||||
(db:
|
||||
let
|
||||
passwordFile =
|
||||
if db.value.passwordFile or null != null then db.value.passwordFile
|
||||
else inputs.config.sops.secrets."postgresql/${db.value.user}".path;
|
||||
initializeFlag =
|
||||
if db.value.initializeFlags != {} then
|
||||
" WITH "
|
||||
+ (concatStringsSep " " (map
|
||||
(flag: ''${flag.name} = "${flag.value}"'')
|
||||
(attrsToList db.value.initializeFlags)))
|
||||
else "";
|
||||
in
|
||||
# create database if not exist
|
||||
"$PSQL -tAc \"SELECT 1 FROM pg_database WHERE datname = '${db.value.database}'\" | grep -q 1"
|
||||
+ " || $PSQL -tAc 'CREATE DATABASE \"${db.value.database}\"${initializeFlag}'"
|
||||
# set user password
|
||||
+ "\n"
|
||||
+ "$PSQL -tAc \"ALTER USER ${db.value.user} with encrypted password '$(cat ${passwordFile})'\""
|
||||
# set db owner
|
||||
+ "\n"
|
||||
+ "$PSQL -tAc \"select pg_catalog.pg_get_userbyid(d.datdba) FROM pg_catalog.pg_database d"
|
||||
+ " WHERE d.datname = '${db.value.database}' ORDER BY 1\""
|
||||
+ " | grep -E '^${db.value.user}$' -q"
|
||||
+ " || $PSQL -tAc \"ALTER DATABASE ${db.value.database} OWNER TO ${db.value.user}\"")
|
||||
(attrsToList postgresql.instances)));
|
||||
sops.secrets = listToAttrs (map
|
||||
(db: { name = "postgresql/${db.value.user}"; value.owner = inputs.config.users.users.postgres.name; })
|
||||
(filter (db: db.value.passwordFile == null) (attrsToList postgresql.instances)));
|
||||
database = mkOption { type = types.nonEmptyStr; default = submoduleInputs.config._module.args.name; };
|
||||
user = mkOption { type = types.nonEmptyStr; default = submoduleInputs.config._module.args.name; };
|
||||
passwordFile = mkOption { type = types.nullOr types.nonEmptyStr; default = null; };
|
||||
initializeFlags = mkOption { type = types.attrsOf types.nonEmptyStr; default = {}; };
|
||||
};}));
|
||||
default = {};
|
||||
};
|
||||
};
|
||||
config = let inherit (inputs.config.nixos.services) postgresql; in inputs.lib.mkIf postgresql.enable
|
||||
{
|
||||
services =
|
||||
{
|
||||
postgresql =
|
||||
{
|
||||
enable = true;
|
||||
package = inputs.pkgs.postgresql_15;
|
||||
enableTCPIP = true;
|
||||
authentication = "host all all 0.0.0.0/0 md5";
|
||||
settings =
|
||||
{
|
||||
unix_socket_permissions = "0700";
|
||||
shared_buffers = "8192MB";
|
||||
work_mem = "512MB";
|
||||
autovacuum = "on";
|
||||
};
|
||||
# log_timezone = 'Asia/Shanghai'
|
||||
# datestyle = 'iso, mdy'
|
||||
# timezone = 'Asia/Shanghai'
|
||||
# lc_messages = 'en_US.utf8'
|
||||
# lc_monetary = 'en_US.utf8'
|
||||
# lc_numeric = 'en_US.utf8'
|
||||
# lc_time = 'en_US.utf8'
|
||||
# default_text_search_config = 'pg_catalog.english'
|
||||
# plperl.on_init = 'use utf8; use re; package utf8; require "utf8_heavy.pl";'
|
||||
# mv /path/to/dir /path/to/dir_old
|
||||
# mkdir /path/to/dir
|
||||
# chattr +C /path/to/dir
|
||||
# cp -a --reflink=never /path/to/dir_old/. /path/to/dir
|
||||
# rm -rf /path/to/dir_old
|
||||
ensureUsers = builtins.map (db: { name = db.value.user; }) (builtins.attrsToList postgresql.instances);
|
||||
};
|
||||
postgresqlBackup =
|
||||
{
|
||||
enable = true;
|
||||
pgdumpOptions = "-Fc";
|
||||
compression = "none";
|
||||
databases = builtins.map (db: db.value.database) (builtins.attrsToList postgresql.instances);
|
||||
};
|
||||
};
|
||||
systemd.services.postgresql.postStart = inputs.lib.mkAfter (builtins.concatStringsSep "\n" (builtins.map
|
||||
(db:
|
||||
let
|
||||
passwordFile =
|
||||
if db.value.passwordFile or null != null then db.value.passwordFile
|
||||
else inputs.config.sops.secrets."postgresql/${db.value.user}".path;
|
||||
initializeFlag =
|
||||
if db.value.initializeFlags != {} then
|
||||
" WITH "
|
||||
+ (builtins.concatStringsSep " " (map
|
||||
(flag: ''${flag.name} = "${flag.value}"'')
|
||||
(builtins.attrsToList db.value.initializeFlags)))
|
||||
else "";
|
||||
in
|
||||
# create database if not exist
|
||||
"$PSQL -tAc \"SELECT 1 FROM pg_database WHERE datname = '${db.value.database}'\" | grep -q 1"
|
||||
+ " || $PSQL -tAc 'CREATE DATABASE \"${db.value.database}\"${initializeFlag}'"
|
||||
# set user password
|
||||
+ "\n"
|
||||
+ "$PSQL -tAc \"ALTER USER ${db.value.user} with encrypted password '$(cat ${passwordFile})'\""
|
||||
# set db owner
|
||||
+ "\n"
|
||||
+ "$PSQL -tAc \"select pg_catalog.pg_get_userbyid(d.datdba) FROM pg_catalog.pg_database d"
|
||||
+ " WHERE d.datname = '${db.value.database}' ORDER BY 1\""
|
||||
+ " | grep -E '^${db.value.user}$' -q"
|
||||
+ " || $PSQL -tAc \"ALTER DATABASE ${db.value.database} OWNER TO ${db.value.user}\"")
|
||||
(builtins.attrsToList postgresql.instances)));
|
||||
sops.secrets = inputs.localLib.listToAttrs (builtins.map
|
||||
(db: { name = "postgresql/${db.value.user}"; value.owner = inputs.config.users.users.postgres.name; })
|
||||
(builtins.filter (db: db.value.passwordFile == null) (builtins.attrsToList postgresql.instances)));
|
||||
environment.persistence =
|
||||
let inherit (inputs.config.nixos.system) impermanence; in inputs.lib.mkIf impermanence.enable
|
||||
{
|
||||
"${impermanence.nodatacow}" = let user = inputs.config.users.users.postgres; in
|
||||
[{ directory = "/var/lib/postgresql"; user = user.name; group = user.group; mode = "0750"; }];
|
||||
};
|
||||
};
|
||||
}
|
||||
# sops.secrets.drone-agent = {
|
||||
# owner = config.systemd.services.drone-agent.serviceConfig.User;
|
||||
# key = "drone";
|
||||
# };
|
||||
# pg_dump -h 127.0.0.1 -U synapse -Fc -f synaps.dump synapse
|
||||
# pg_restore -h 127.0.0.1 -U misskey -d misskey --data-only --jobs=4 misskey.dump
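Review bot: The `ALTER USER ${db.value.user} with encrypted password '$(cat ${passwordFile})'` line in the new postStart splices the secret into a single-quoted SQL literal inside a psql command-line argument, so any `'` or `\` in the sops secret breaks the statement (and a failing statement is written to the server log in plaintext under the default `log_min_error_statement`), while the plaintext is briefly readable by every local user via `/proc/<pid>/cmdline`. Reading the secret from inside psql and binding it as a psql variable, as sketched below, fixes both the quoting and the argv exposure; the statement text still reaches the server, so this does not protect against `log_statement = 'all'`. Separately, `authentication = "host all all 0.0.0.0/0 md5"` together with `enableTCPIP = true` (which, if this is the stock NixOS option, sets `listen_addresses = '*'`) accepts password authentication from any IPv4 source for every role and database and relies entirely on an external firewall; `scram-sha-256` and a CIDR limited to the clients that actually need TCP would be the expected setting for a PostgreSQL 15 deployment. The new code also calls `builtins.attrsToList` where the old side used `inputs.localLib.attrsToList`; unless this repository ships a patched Nix that provides it, that name is not an upstream builtin and evaluation fails at the first `ensureUsers`, and `sops.secrets` uses `inputs.localLib.listToAttrs` while every other site uses `builtins.listToAttrs`.
```nix
      # set user password: the secret is read by psql itself and bound as a
      # psql variable, so it is never a shell/argv token or an unescaped SQL literal
      + "\n"
      + "$PSQL <<'EOF'\n"
      + "\\set pw `cat ${passwordFile}`\n"
      + "ALTER USER \"${db.value.user}\" WITH ENCRYPTED PASSWORD :'pw';\n"
      + "EOF"
      # … unchanged: set db owner …
```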
|
@ -258,7 +258,7 @@ inputs:
|
||||
(attrsToList synapse.instances));
|
||||
nixos.services =
|
||||
{
|
||||
postgresql = mkIf (synapse.instances != {}) { instances = listToAttrs (concatLists (map
|
||||
postgresql.instances = listToAttrs (concatLists (map
|
||||
(instance:
|
||||
[
|
||||
{
|
||||
@ -270,7 +270,7 @@ inputs:
|
||||
value.user = "synapse_${replaceStrings [ "-" ] [ "_" ] instance.name}";
|
||||
}
|
||||
])
|
||||
(attrsToList synapse.instances)));};
|
||||
(attrsToList synapse.instances)));
|
||||
redis = mkIf (synapse.instances != {}) { instances = listToAttrs (map
|
||||
(instance: { name = "synapse-${instance.name}"; value.port = instance.value.redisPort; })
|
||||
(attrsToList synapse.instances));};
|
||||
|
@ -64,11 +64,6 @@ inputs:
|
||||
hideMounts = true;
|
||||
directories =
|
||||
[{ directory = "/var/log/journal"; user = "root"; group = "systemd-journal"; mode = "u=rwx,g=rx+s,o=rx"; }]
|
||||
++ (
|
||||
if inputs.config.nixos.services.postgresql != null then let user = inputs.config.users.users.postgres; in
|
||||
[{ directory = "/var/lib/postgresql"; user = user.name; group = user.group; mode = "0750"; }]
|
||||
else []
|
||||
)
|
||||
++ (if inputs.config.nixos.services.meilisearch.instances != {} then [ "/var/lib/meilisearch" ] else [])
|
||||
++ (
|
||||
if inputs.config.nixos.virtualization.kvmHost.enable then
|
||||
|
2
setup.md
2
setup.md
@ -19,4 +19,6 @@ systemd-cryptsetup attach root /dev/vda2
|
||||
ssh-keygen -t rsa -C root@pe -f /mnt/nix/persistent/etc/ssh/ssh_host_rsa_key
|
||||
ssh-keygen -t ed25519 -C root@pe -f /mnt/nix/persistent/etc/ssh/ssh_host_ed25519_key
|
||||
systemd-machine-id-setup --root=/mnt/nix/persistent
|
||||
pg_dump -h 127.0.0.1 -U synapse -Fc -f synaps.dump synapse
|
||||
pg_restore -h 127.0.0.1 -U misskey -d misskey --data-only --jobs=4 misskey.dump
|
||||
```
|
||||
|