Fix pgsql init script

Théo Barnouin 2025-01-28 11:18:06 +01:00
parent e29eca289e
commit 51affbb4a3


@ -40,27 +40,49 @@ in {
host grafana grafana 192.168.1.27/32 md5
";
initialScript = pkgs.writeText "init-sql-script" ''
nextcloudSecret=$(echo ${config.age.secrets.nextcloudDBPass.path})
CREATE ROLE nextcloud WITH LOGIN PASSWORD $nextcloudSecret CREATEDB;
CREATE ROLE nextcloud WITH LOGIN CREATEDB;
CREATE DATABASE nextcloud;
GRANT ALL PRIVILEGES ON DATABASE nextcloud TO nextcloud;
giteaSecret=$(echo ${config.age.secrets.giteaDBPass.path})
CREATE ROLE gitea WITH LOGIN PASSWORD $giteaSecret CREATEDB;
CREATE ROLE gitea WITH LOGIN CREATEDB;
CREATE DATABASE gitea;
GRANT ALL PRIVILEGES ON DATABASE gitea TO gitea;
authentikSecret=$(echo ${config.age.secrets.authentikDBPass.path})
CREATE ROLE authentik WITH LOGIN PASSWORD $authentikSecret CREATEDB;
CREATE ROLE authentik WITH LOGIN CREATEDB;
CREATE DATABASE authentik;
GRANT ALL PRIVILEGES ON DATABASE authentik TO authentik;
grafanaSecret=$(echo ${config.age.secrets.grafanaDBPass.path})
CREATE ROLE grafana WITH LOGIN PASSWORD $grafanaSecret CREATEDB;
CREATE ROLE grafana WITH LOGIN CREATEDB;
CREATE DATABASE grafana;
GRANT ALL PRIVILEGES ON DATABASE grafana TO grafana;
'';
};
# Stolen from https://discourse.nixos.org/t/assign-password-to-postgres-user-declaratively/9726/3
# This is an awful situation
systemd.services.postgresql.postStart = let
nextcloudDBPass = config.age.secrets.nextcloudDBPass.path;
giteaDBPass = config.age.secrets.giteaDBPass.path;
authentikDBPass = config.age.secrets.authentikDBPass.path;
grafanaDBPass = config.age.secrets.grafanaDBPass.path;
in ''
$PSQL -tA <<'EOF'
DO $$
DECLARE password TEXT;
BEGIN
password := trim(both from replace(pg_read_file('${nextcloudDBPass}'), E'\n', '''));
EXECUTE format('ALTER ROLE nextcloud WITH PASSWORD '''%s''';', password);
password := trim(both from replace(pg_read_file('${giteaDBPass}'), E'\n', '''));
EXECUTE format('ALTER ROLE gitea WITH PASSWORD '''%s''';', password);
password := trim(both from replace(pg_read_file('${authentikDBPass}'), E'\n', '''));
EXECUTE format('ALTER ROLE authentik WITH PASSWORD '''%s''';', password);
password := trim(both from replace(pg_read_file('${grafanaDBPass}'), E'\n', '''));
EXECUTE format('ALTER ROLE grafana WITH PASSWORD '''%s''';', password);
END $$;
EOF
'';
networking.firewall.allowedTCPPorts = [5432];
};
}
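Review bot: The four `EXECUTE format('ALTER ROLE … WITH PASSWORD '''%s''';', password)` calls in the new postStart block splice the secret into the statement with `%s` and hand-written quotes, so a password containing a single quote ends the literal early and the rest is parsed as SQL in what is presumably a superuser session. `format()` provides `%L` to quote a value as a literal, which also removes the need for the Nix `'''` escapes: `EXECUTE format('ALTER ROLE nextcloud WITH PASSWORD %L', password);`, and likewise for gitea, authentik and grafana. `pg_read_file` reads as the server process, so each agenix secret must be readable by the postgres user; the secrets' owner and mode are not visible in this hunk and are worth confirming.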