tbarnouin/nixos-hypervisor
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Fix pgsql init script

Browse source
This commit is contained in:
Théo Barnouin 2025-01-28 11:22:37 +01:00
parent 8a593936de
commit e1ac22b278
8 changed files with 54 additions and 315 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

252
flake.lock generated
View file

@ -46,48 +46,6 @@
"type": "github"
}
},
"authentik-nix": {
"inputs": {
"authentik-src": "authentik-src",
"flake-compat": "flake-compat",
"flake-parts": "flake-parts",
"flake-utils": "flake-utils_2",
"napalm": "napalm",
"nixpkgs": "nixpkgs_2",
"poetry2nix": "poetry2nix",
"systems": "systems_3"
},
"locked": {
"lastModified": 1737810234,
"narHash": "sha256-zTS99/ZE8khNnIWFEsF21E6seR9IizGYkY19t6iK7z4=",
"owner": "nix-community",
"repo": "authentik-nix",
"rev": "1fa3cbed36fb03d2f6ceab981d083af98b5c7d0f",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "authentik-nix",
"type": "github"
}
},
"authentik-src": {
"flake": false,
"locked": {
"lastModified": 1736440980,
"narHash": "sha256-Z3rFFrXrOKaF9NpY/fInsEbzdOWnWqLfEYl7YX9hFEU=",
"owner": "goauthentik",
"repo": "authentik",
"rev": "9d81f0598c7735e2b4616ee865ab896056a67408",
"type": "github"
},
"original": {
"owner": "goauthentik",
"ref": "version/2024.12.2",
"repo": "authentik",
"type": "github"
}
},
"crane": {
"locked": {
"lastModified": 1725409566,
@ -126,40 +84,6 @@
"type": "github"
}
},
"flake-compat": {
"flake": false,
"locked": {
"lastModified": 1733328505,
"narHash": "sha256-NeCCThCEP3eCl2l/+27kNNK7QrwZB1IJCrXfrbv5oqU=",
"owner": "edolstra",
"repo": "flake-compat",
"rev": "ff81ac966bb2cae68946d5ed5fc4994f96d0ffec",
"type": "github"
},
"original": {
"owner": "edolstra",
"repo": "flake-compat",
"type": "github"
}
},
"flake-parts": {
"inputs": {
"nixpkgs-lib": "nixpkgs-lib"
},
"locked": {
"lastModified": 1736143030,
"narHash": "sha256-+hu54pAoLDEZT9pjHlqL9DNzWz0NbUn8NEAHP7PQPzU=",
"owner": "hercules-ci",
"repo": "flake-parts",
"rev": "b905f6fc23a9051a6e1b741e1438dbfc0634c6de",
"type": "github"
},
"original": {
"owner": "hercules-ci",
"repo": "flake-parts",
"type": "github"
}
},
"flake-utils": {
"inputs": {
"systems": "systems_2"
@ -180,28 +104,7 @@
},
"flake-utils_2": {
"inputs": {
"systems": [
"authentik-nix",
"systems"
]
},
"locked": {
"lastModified": 1731533236,
"narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"flake-utils_3": {
"inputs": {
"systems": "systems_4"
"systems": "systems_3"
},
"locked": {
"lastModified": 1731533236,
@ -262,7 +165,7 @@
},
"microvm": {
"inputs": {
"flake-utils": "flake-utils_3",
"flake-utils": "flake-utils_2",
"nixpkgs": [
"nixpkgs"
],
@ -282,54 +185,6 @@
"type": "github"
}
},
"napalm": {
"inputs": {
"flake-utils": [
"authentik-nix",
"flake-utils"
],
"nixpkgs": [
"authentik-nix",
"nixpkgs"
]
},
"locked": {
"lastModified": 1725806412,
"narHash": "sha256-lGZjkjds0p924QEhm/r0BhAxbHBJE1xMOldB/HmQH04=",
"owner": "willibutz",
"repo": "napalm",
"rev": "b492440d9e64ae20736d3bec5c7715ffcbde83f5",
"type": "github"
},
"original": {
"owner": "willibutz",
"ref": "avoid-foldl-stack-overflow",
"repo": "napalm",
"type": "github"
}
},
"nix-github-actions": {
"inputs": {
"nixpkgs": [
"authentik-nix",
"poetry2nix",
"nixpkgs"
]
},
"locked": {
"lastModified": 1729742964,
"narHash": "sha256-B4mzTcQ0FZHdpeWcpDYPERtyjJd/NIuaQ9+BV1h+MpA=",
"owner": "nix-community",
"repo": "nix-github-actions",
"rev": "e04df33f62cdcf93d73e9a04142464753a16db67",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "nix-github-actions",
"type": "github"
}
},
"nixpkgs": {
"locked": {
"lastModified": 1725634671,
@ -346,38 +201,10 @@
"type": "github"
}
},
"nixpkgs-lib": {
"locked": {
"lastModified": 1735774519,
"narHash": "sha256-CewEm1o2eVAnoqb6Ml+Qi9Gg/EfNAxbRx1lANGVyoLI=",
"type": "tarball",
"url": "https://github.com/NixOS/nixpkgs/archive/e9b51731911566bbf7e4895475a87fe06961de0b.tar.gz"
},
"original": {
"type": "tarball",
"url": "https://github.com/NixOS/nixpkgs/archive/e9b51731911566bbf7e4895475a87fe06961de0b.tar.gz"
}
},
"nixpkgs_2": {
"locked": {
"lastModified": 1737632463,
"narHash": "sha256-38J9QfeGSej341ouwzqf77WIHAScihAKCt8PQJ+NH28=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "0aa475546ed21629c4f5bbf90e38c846a99ec9e9",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs_3": {
"locked": {
"lastModified": 1737885640,
"narHash": "sha256-GFzPxJzTd1rPIVD4IW+GwJlyGwBDV1Tj5FLYwDQQ9sM=",
"lastModified": 1736200483,
"narHash": "sha256-JO+lFN2HsCwSLMUWXHeOad6QUxOuwe9UOAF/iSl1J4I=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "4e96537f163fad24ed9eb317798a79afc85b51b7",
@ -390,44 +217,12 @@
"type": "github"
}
},
"poetry2nix": {
"inputs": {
"flake-utils": [
"authentik-nix",
"flake-utils"
],
"nix-github-actions": "nix-github-actions",
"nixpkgs": [
"authentik-nix",
"nixpkgs"
],
"systems": [
"authentik-nix",
"systems"
],
"treefmt-nix": "treefmt-nix"
},
"locked": {
"lastModified": 1736884309,
"narHash": "sha256-eiCqmKl0BIRiYk5/ZhZozwn4/7Km9CWTbc15Cv+VX5k=",
"owner": "nix-community",
"repo": "poetry2nix",
"rev": "75d0515332b7ca269f6d7abfd2c44c47a7cbca7b",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "poetry2nix",
"type": "github"
}
},
"root": {
"inputs": {
"agenix": "agenix",
"authentik-nix": "authentik-nix",
"home-manager": "home-manager_2",
"microvm": "microvm",
"nixpkgs": "nixpkgs_3"
"nixpkgs": "nixpkgs_2"
}
},
"rust-overlay": {
@ -498,21 +293,6 @@
}
},
"systems_3": {
"locked": {
"lastModified": 1689347949,
"narHash": "sha256-12tWmuL2zgBgZkdoB6qXZsgJEH9LR3oUgpaQq2RbI80=",
"owner": "nix-systems",
"repo": "default-linux",
"rev": "31732fcf5e8fea42e59c2488ad31a0e651500f68",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default-linux",
"type": "github"
}
},
"systems_4": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
@ -526,28 +306,6 @@
"repo": "default",
"type": "github"
}
},
"treefmt-nix": {
"inputs": {
"nixpkgs": [
"authentik-nix",
"poetry2nix",
"nixpkgs"
]
},
"locked": {
"lastModified": 1730120726,
"narHash": "sha256-LqHYIxMrl/1p3/kvm2ir925tZ8DkI0KA10djk8wecSk=",
"owner": "numtide",
"repo": "treefmt-nix",
"rev": "9ef337e492a5555d8e17a51c911ff1f02635be15",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "treefmt-nix",
"type": "github"
}
}
},
"root": "root",

64
flake.nix
View file

@ -7,9 +7,10 @@
url = "github:nix-community/home-manager/release-24.11";
inputs.nixpkgs.follows = "nixpkgs";
};
microvm.url = "github:astro/microvm.nix";
microvm.inputs.nixpkgs.follows = "nixpkgs";
authentik-nix.url = "github:nix-community/authentik-nix";
microvm = {
url = "github:astro/microvm.nix";
inputs.nixpkgs.follows = "nixpkgs";
};
agenix.url = "github:yaxitech/ragenix";
};
@ -73,6 +74,21 @@
}
];
};
pgsql = nixpkgs.lib.nixosSystem {
inherit system;
modules = [
agenix.nixosModules.default
"${inputs.nixpkgs}/nixos/modules/virtualisation/proxmox-lxc.nix"
"${inputs.self}/systems/minimalLXCConfig.nix"
"${inputs.self}/services"
{
networking.hostName = "pgsql";
services.vm_postgresql = {
enable = true;
};
}
];
};
onlyoffice = nixpkgs.lib.nixosSystem {
inherit system;
modules = [
@ -170,48 +186,6 @@
}
];
};
authentik = nixpkgs.lib.nixosSystem {
inherit system;
modules = [
agenix.nixosModules.default
inputs.authentik-nix.nixosModules.default
{
services.authentik = {
enable = true;
environmentFile = "/run/secrets/authentik/authentik-env";
settings = {
disable_startup_analytics = true;
avatars = "initials";
};
};
services.vm_authentik = {
enable = true;
};
}
microvm.nixosModules.microvm
"${inputs.self}/systems/minimalMicrovmConfig.nix"
"${inputs.self}/services"
{
microvm = {
volumes = [
{
mountPoint = "/media";
image = "/var/lib/microvms/authentik/media.img";
size = 2048;
}
];
};
services.micro_vm = {
enable = true;
hostname = "authentik";
vm_ip = "192.168.1.25";
vm_cpu = 2;
vm_mem = 2048;
macAddr = "02:00:00:00:00:25";
};
}
];
};
};
};
}

5
secrets.nix
View file

@ -5,6 +5,7 @@ let
forgejo = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF2NAam+nseSCzJV/1UTyO2LgMjx0xT7/vTOOi5EG9HV root@forgejo-runner";
grafana = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDQxvO9vdd2f9aV4F3LEQrrTJaLwLvSLbLtjB9qNxc4z root@grafana";
onlyoffice = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGbnzv2/Or4XdQXLDjIbr7oIDTQEvgSMTX4aiNCQk4tC root@onlyoffice";
postgresql = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN+Ol11EWgsAMB3OmwTWdBbhPBgtgWHR5h0lCAJDCgCX root@pgsql";
systems = [forgejo grafana];
in {
@ -14,4 +15,8 @@ in {
"services/grafana/secrets/kuma-token.age".publicKeys = [tbarnouin grafana];
"services/onlyoffice/secrets/office-dbpass.age".publicKeys = [tbarnouin onlyoffice];
"services/onlyoffice/secrets/office-jwtpass.age".publicKeys = [tbarnouin onlyoffice];
"services/postgresql/secrets/nextcloudDBPass.age".publicKeys = [ tbarnouin postgresql ];
"services/postgresql/secrets/giteaDBPass.age".publicKeys = [ tbarnouin postgresql ];
"services/postgresql/secrets/authentikDBPass.age".publicKeys = [ tbarnouin postgresql ];
"services/postgresql/secrets/grafanaDBPass.age".publicKeys = [ tbarnouin postgresql ];
}

48
services/postgresql/default.nix
View file

@ -10,41 +10,43 @@ in {
enable = lib.mkEnableOption "Enable minimal config";
};
config = lib.mkIf cfg.enable {
age.secrets = {
nextcloudDBPass.file = ./secrets/nextcloudDBPass.age;
giteaDBPass.file = ./secrets/giteaDBPass.age;
authentikDBPass.file = ./secrets/authentikDBPass.age;
grafanaDBPass.file = ./secrets/grafanaDBPass.age;
};
services.postgresql = {
enable = true;
package = pkgs.postgresql_16;
enableTCPIP = true;
settings.port = 5432;
ensureDatabases = [
"gitea"
"nextcloud"
"netbox"
"authentik"
"grafana"
];
ensureUsers = [
{
name = "gitea";
ensureDBOwnership = true;
}
{
name = "nextcloud";
ensureDBOwnership = true;
}
];
authentication = "
host nextcloud nextcloud 192.168.1.44/32 md5
host gitea gitea 192.168.1.14/32 md5
host netbox netbox 192.168.1.45/32 md5
host authentik authentik 192.168.1.125/32 md5
host grafana grafana 192.168.1.27/32 md5
";
# Not great, not in prod, cleartext pass
# waiting for ensureUsers.*.passwordFile option
# https://github.com/NixOS/nixpkgs/pull/326306
initialScript = pkgs.writeText "init-sql-script" ''
alter user gitea with password 'password';
alter user nextcloud with password 'password';
nextcloudSecret = $(echo ${config.age.secrets.nextcloudDBPass.path})
CREATE ROLE nextcloud WITH LOGIN PASSWORD $nextcloudSecret CREATEDB;
CREATE DATABASE nextcloud;
GRANT ALL PRIVILEGES ON DATABASE nextcloud TO nextcloud;
giteaSecret = $(echo ${config.age.secrets.giteaDBPass.path})
CREATE ROLE gitea WITH LOGIN PASSWORD $giteaSecret CREATEDB;
CREATE DATABASE gitea;
GRANT ALL PRIVILEGES ON DATABASE gitea TO gitea;
authentikSecret = $(echo ${config.age.secrets.authentikDBPass.path})
CREATE ROLE authentik WITH LOGIN PASSWORD $authentikSecret CREATEDB;
CREATE DATABASE authentik;
GRANT ALL PRIVILEGES ON DATABASE authentik TO authentik;
grafanaSecret = $(echo ${config.age.secrets.grafanaDBPass.path})
CREATE ROLE grafana WITH LOGIN PASSWORD $grafanaSecret CREATEDB;
CREATE DATABASE grafana;
GRANT ALL PRIVILEGES ON DATABASE grafana TO grafana;
'';
};
networking.firewall.allowedTCPPorts = [5432];

0
services/postgresql/secrets/authentikDBPass.age Normal file
View file

0
services/postgresql/secrets/giteaDBPass.age Normal file
View file

0
services/postgresql/secrets/grafanaDBPass.age Normal file
View file

0
services/postgresql/secrets/nextcloudDBPass.age Normal file
View file