Fix pgsql init script

2025-01-28 11:22:37 +01:00 · 2025-01-28 11:22:37 +01:00 · e1ac22b278
commit e1ac22b278
parent 8a593936de
8 changed files with 54 additions and 315 deletions
--- a/flake.lock
+++ b/flake.lock
@ -46,48 +46,6 @@
        "type": "github"
      }
    },
-    "authentik-nix": {
-      "inputs": {
-        "authentik-src": "authentik-src",
-        "flake-compat": "flake-compat",
-        "flake-parts": "flake-parts",
-        "flake-utils": "flake-utils_2",
-        "napalm": "napalm",
-        "nixpkgs": "nixpkgs_2",
-        "poetry2nix": "poetry2nix",
-        "systems": "systems_3"
-      },
-      "locked": {
-        "lastModified": 1737810234,
-        "narHash": "sha256-zTS99/ZE8khNnIWFEsF21E6seR9IizGYkY19t6iK7z4=",
-        "owner": "nix-community",
-        "repo": "authentik-nix",
-        "rev": "1fa3cbed36fb03d2f6ceab981d083af98b5c7d0f",
-        "type": "github"
-      },
-      "original": {
-        "owner": "nix-community",
-        "repo": "authentik-nix",
-        "type": "github"
-      }
-    },
-    "authentik-src": {
-      "flake": false,
-      "locked": {
-        "lastModified": 1736440980,
-        "narHash": "sha256-Z3rFFrXrOKaF9NpY/fInsEbzdOWnWqLfEYl7YX9hFEU=",
-        "owner": "goauthentik",
-        "repo": "authentik",
-        "rev": "9d81f0598c7735e2b4616ee865ab896056a67408",
-        "type": "github"
-      },
-      "original": {
-        "owner": "goauthentik",
-        "ref": "version/2024.12.2",
-        "repo": "authentik",
-        "type": "github"
-      }
-    },
    "crane": {
      "locked": {
        "lastModified": 1725409566,
@ -126,40 +84,6 @@
        "type": "github"
      }
    },
-    "flake-compat": {
-      "flake": false,
-      "locked": {
-        "lastModified": 1733328505,
-        "narHash": "sha256-NeCCThCEP3eCl2l/+27kNNK7QrwZB1IJCrXfrbv5oqU=",
-        "owner": "edolstra",
-        "repo": "flake-compat",
-        "rev": "ff81ac966bb2cae68946d5ed5fc4994f96d0ffec",
-        "type": "github"
-      },
-      "original": {
-        "owner": "edolstra",
-        "repo": "flake-compat",
-        "type": "github"
-      }
-    },
-    "flake-parts": {
-      "inputs": {
-        "nixpkgs-lib": "nixpkgs-lib"
-      },
-      "locked": {
-        "lastModified": 1736143030,
-        "narHash": "sha256-+hu54pAoLDEZT9pjHlqL9DNzWz0NbUn8NEAHP7PQPzU=",
-        "owner": "hercules-ci",
-        "repo": "flake-parts",
-        "rev": "b905f6fc23a9051a6e1b741e1438dbfc0634c6de",
-        "type": "github"
-      },
-      "original": {
-        "owner": "hercules-ci",
-        "repo": "flake-parts",
-        "type": "github"
-      }
-    },
    "flake-utils": {
      "inputs": {
        "systems": "systems_2"
@ -180,28 +104,7 @@
    },
    "flake-utils_2": {
      "inputs": {
-        "systems": [
-          "authentik-nix",
-          "systems"
-        ]
-      },
-      "locked": {
-        "lastModified": 1731533236,
-        "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
-        "owner": "numtide",
-        "repo": "flake-utils",
-        "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
-        "type": "github"
-      },
-      "original": {
-        "owner": "numtide",
-        "repo": "flake-utils",
-        "type": "github"
-      }
-    },
-    "flake-utils_3": {
-      "inputs": {
-        "systems": "systems_4"
+        "systems": "systems_3"
      },
      "locked": {
        "lastModified": 1731533236,
@ -262,7 +165,7 @@
    },
    "microvm": {
      "inputs": {
-        "flake-utils": "flake-utils_3",
+        "flake-utils": "flake-utils_2",
        "nixpkgs": [
          "nixpkgs"
        ],
@ -282,54 +185,6 @@
        "type": "github"
      }
    },
-    "napalm": {
-      "inputs": {
-        "flake-utils": [
-          "authentik-nix",
-          "flake-utils"
-        ],
-        "nixpkgs": [
-          "authentik-nix",
-          "nixpkgs"
-        ]
-      },
-      "locked": {
-        "lastModified": 1725806412,
-        "narHash": "sha256-lGZjkjds0p924QEhm/r0BhAxbHBJE1xMOldB/HmQH04=",
-        "owner": "willibutz",
-        "repo": "napalm",
-        "rev": "b492440d9e64ae20736d3bec5c7715ffcbde83f5",
-        "type": "github"
-      },
-      "original": {
-        "owner": "willibutz",
-        "ref": "avoid-foldl-stack-overflow",
-        "repo": "napalm",
-        "type": "github"
-      }
-    },
-    "nix-github-actions": {
-      "inputs": {
-        "nixpkgs": [
-          "authentik-nix",
-          "poetry2nix",
-          "nixpkgs"
-        ]
-      },
-      "locked": {
-        "lastModified": 1729742964,
-        "narHash": "sha256-B4mzTcQ0FZHdpeWcpDYPERtyjJd/NIuaQ9+BV1h+MpA=",
-        "owner": "nix-community",
-        "repo": "nix-github-actions",
-        "rev": "e04df33f62cdcf93d73e9a04142464753a16db67",
-        "type": "github"
-      },
-      "original": {
-        "owner": "nix-community",
-        "repo": "nix-github-actions",
-        "type": "github"
-      }
-    },
    "nixpkgs": {
      "locked": {
        "lastModified": 1725634671,
@ -346,38 +201,10 @@
        "type": "github"
      }
    },
-    "nixpkgs-lib": {
-      "locked": {
-        "lastModified": 1735774519,
-        "narHash": "sha256-CewEm1o2eVAnoqb6Ml+Qi9Gg/EfNAxbRx1lANGVyoLI=",
-        "type": "tarball",
-        "url": "https://github.com/NixOS/nixpkgs/archive/e9b51731911566bbf7e4895475a87fe06961de0b.tar.gz"
-      },
-      "original": {
-        "type": "tarball",
-        "url": "https://github.com/NixOS/nixpkgs/archive/e9b51731911566bbf7e4895475a87fe06961de0b.tar.gz"
-      }
-    },
    "nixpkgs_2": {
      "locked": {
-        "lastModified": 1737632463,
-        "narHash": "sha256-38J9QfeGSej341ouwzqf77WIHAScihAKCt8PQJ+NH28=",
-        "owner": "NixOS",
-        "repo": "nixpkgs",
-        "rev": "0aa475546ed21629c4f5bbf90e38c846a99ec9e9",
-        "type": "github"
-      },
-      "original": {
-        "owner": "NixOS",
-        "ref": "nixos-unstable",
-        "repo": "nixpkgs",
-        "type": "github"
-      }
-    },
-    "nixpkgs_3": {
-      "locked": {
-        "lastModified": 1737885640,
-        "narHash": "sha256-GFzPxJzTd1rPIVD4IW+GwJlyGwBDV1Tj5FLYwDQQ9sM=",
+        "lastModified": 1736200483,
+        "narHash": "sha256-JO+lFN2HsCwSLMUWXHeOad6QUxOuwe9UOAF/iSl1J4I=",
        "owner": "NixOS",
        "repo": "nixpkgs",
        "rev": "4e96537f163fad24ed9eb317798a79afc85b51b7",
@ -390,44 +217,12 @@
        "type": "github"
      }
    },
-    "poetry2nix": {
-      "inputs": {
-        "flake-utils": [
-          "authentik-nix",
-          "flake-utils"
-        ],
-        "nix-github-actions": "nix-github-actions",
-        "nixpkgs": [
-          "authentik-nix",
-          "nixpkgs"
-        ],
-        "systems": [
-          "authentik-nix",
-          "systems"
-        ],
-        "treefmt-nix": "treefmt-nix"
-      },
-      "locked": {
-        "lastModified": 1736884309,
-        "narHash": "sha256-eiCqmKl0BIRiYk5/ZhZozwn4/7Km9CWTbc15Cv+VX5k=",
-        "owner": "nix-community",
-        "repo": "poetry2nix",
-        "rev": "75d0515332b7ca269f6d7abfd2c44c47a7cbca7b",
-        "type": "github"
-      },
-      "original": {
-        "owner": "nix-community",
-        "repo": "poetry2nix",
-        "type": "github"
-      }
-    },
    "root": {
      "inputs": {
        "agenix": "agenix",
-        "authentik-nix": "authentik-nix",
        "home-manager": "home-manager_2",
        "microvm": "microvm",
-        "nixpkgs": "nixpkgs_3"
+        "nixpkgs": "nixpkgs_2"
      }
    },
    "rust-overlay": {
@ -498,21 +293,6 @@
      }
    },
    "systems_3": {
-      "locked": {
-        "lastModified": 1689347949,
-        "narHash": "sha256-12tWmuL2zgBgZkdoB6qXZsgJEH9LR3oUgpaQq2RbI80=",
-        "owner": "nix-systems",
-        "repo": "default-linux",
-        "rev": "31732fcf5e8fea42e59c2488ad31a0e651500f68",
-        "type": "github"
-      },
-      "original": {
-        "owner": "nix-systems",
-        "repo": "default-linux",
-        "type": "github"
-      }
-    },
-    "systems_4": {
      "locked": {
        "lastModified": 1681028828,
        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
@ -526,28 +306,6 @@
        "repo": "default",
        "type": "github"
      }
-    },
-    "treefmt-nix": {
-      "inputs": {
-        "nixpkgs": [
-          "authentik-nix",
-          "poetry2nix",
-          "nixpkgs"
-        ]
-      },
-      "locked": {
-        "lastModified": 1730120726,
-        "narHash": "sha256-LqHYIxMrl/1p3/kvm2ir925tZ8DkI0KA10djk8wecSk=",
-        "owner": "numtide",
-        "repo": "treefmt-nix",
-        "rev": "9ef337e492a5555d8e17a51c911ff1f02635be15",
-        "type": "github"
-      },
-      "original": {
-        "owner": "numtide",
-        "repo": "treefmt-nix",
-        "type": "github"
-      }
    }
  },
  "root": "root",
--- a/flake.nix
+++ b/flake.nix
@ -7,9 +7,10 @@
      url = "github:nix-community/home-manager/release-24.11";
      inputs.nixpkgs.follows = "nixpkgs";
    };
-    microvm.url = "github:astro/microvm.nix";
-    microvm.inputs.nixpkgs.follows = "nixpkgs";
-    authentik-nix.url = "github:nix-community/authentik-nix";
+    microvm = {
+      url = "github:astro/microvm.nix";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
    agenix.url = "github:yaxitech/ragenix";
  };

@ -73,6 +74,21 @@
          }
        ];
      };
+      pgsql = nixpkgs.lib.nixosSystem {
+        inherit system;
+        modules = [
+          agenix.nixosModules.default
+          "${inputs.nixpkgs}/nixos/modules/virtualisation/proxmox-lxc.nix"
+          "${inputs.self}/systems/minimalLXCConfig.nix"
+          "${inputs.self}/services"
+          {
+            networking.hostName = "pgsql";
+            services.vm_postgresql = {
+              enable = true;
+            };
+          }
+        ];
+      };
      onlyoffice = nixpkgs.lib.nixosSystem {
        inherit system;
        modules = [
@ -170,48 +186,6 @@
          }
        ];
      };
-      authentik = nixpkgs.lib.nixosSystem {
-        inherit system;
-        modules = [
-          agenix.nixosModules.default
-          inputs.authentik-nix.nixosModules.default
-          {
-            services.authentik = {
-              enable = true;
-              environmentFile = "/run/secrets/authentik/authentik-env";
-              settings = {
-                disable_startup_analytics = true;
-                avatars = "initials";
-              };
-            };
-            services.vm_authentik = {
-              enable = true;
-            };
-          }
-          microvm.nixosModules.microvm
-          "${inputs.self}/systems/minimalMicrovmConfig.nix"
-          "${inputs.self}/services"
-          {
-            microvm = {
-              volumes = [
-                {
-                  mountPoint = "/media";
-                  image = "/var/lib/microvms/authentik/media.img";
-                  size = 2048;
-                }
-              ];
-            };
-            services.micro_vm = {
-              enable = true;
-              hostname = "authentik";
-              vm_ip = "192.168.1.25";
-              vm_cpu = 2;
-              vm_mem = 2048;
-              macAddr = "02:00:00:00:00:25";
-            };
-          }
-        ];
-      };
    };
  };
 }
--- a/secrets.nix
+++ b/secrets.nix
@ -5,6 +5,7 @@ let
  forgejo = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF2NAam+nseSCzJV/1UTyO2LgMjx0xT7/vTOOi5EG9HV root@forgejo-runner";
  grafana = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDQxvO9vdd2f9aV4F3LEQrrTJaLwLvSLbLtjB9qNxc4z root@grafana";
  onlyoffice = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGbnzv2/Or4XdQXLDjIbr7oIDTQEvgSMTX4aiNCQk4tC root@onlyoffice";
+  postgresql = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN+Ol11EWgsAMB3OmwTWdBbhPBgtgWHR5h0lCAJDCgCX root@pgsql";

  systems = [forgejo grafana];
 in {
@ -14,4 +15,8 @@ in {
  "services/grafana/secrets/kuma-token.age".publicKeys = [tbarnouin grafana];
  "services/onlyoffice/secrets/office-dbpass.age".publicKeys = [tbarnouin onlyoffice];
  "services/onlyoffice/secrets/office-jwtpass.age".publicKeys = [tbarnouin onlyoffice];
+  "services/postgresql/secrets/nextcloudDBPass.age".publicKeys = [ tbarnouin postgresql ];
+  "services/postgresql/secrets/giteaDBPass.age".publicKeys = [ tbarnouin postgresql ];
+  "services/postgresql/secrets/authentikDBPass.age".publicKeys = [ tbarnouin postgresql ];
+  "services/postgresql/secrets/grafanaDBPass.age".publicKeys = [ tbarnouin postgresql ];
 }
--- a/services/postgresql/default.nix
+++ b/services/postgresql/default.nix
@ -10,41 +10,43 @@ in {
    enable = lib.mkEnableOption "Enable minimal config";
  };
  config = lib.mkIf cfg.enable {
+    age.secrets = {
+      nextcloudDBPass.file = ./secrets/nextcloudDBPass.age;
+      giteaDBPass.file = ./secrets/giteaDBPass.age;
+      authentikDBPass.file = ./secrets/authentikDBPass.age;
+      grafanaDBPass.file = ./secrets/grafanaDBPass.age;
+    };
    services.postgresql = {
      enable = true;
      package = pkgs.postgresql_16;
      enableTCPIP = true;
      settings.port = 5432;
-      ensureDatabases = [
-        "gitea"
-        "nextcloud"
-        "netbox"
-        "authentik"
-        "grafana"
-      ];
-      ensureUsers = [
-        {
-          name = "gitea";
-          ensureDBOwnership = true;
-        }
-        {
-          name = "nextcloud";
-          ensureDBOwnership = true;
-        }
-      ];
      authentication = "
        host  nextcloud  nextcloud  192.168.1.44/32   md5
        host  gitea      gitea      192.168.1.14/32   md5
-        host  netbox     netbox     192.168.1.45/32   md5
        host  authentik  authentik  192.168.1.125/32  md5
        host  grafana    grafana    192.168.1.27/32   md5
        ";
-      # Not great, not in prod, cleartext pass
-      # waiting for ensureUsers.*.passwordFile option
-      # https://github.com/NixOS/nixpkgs/pull/326306
      initialScript = pkgs.writeText "init-sql-script" ''
-        alter user gitea with password 'password';
-        alter user nextcloud with password 'password';
+        nextcloudSecret = $(echo ${config.age.secrets.nextcloudDBPass.path})
+        CREATE ROLE nextcloud WITH LOGIN PASSWORD $nextcloudSecret CREATEDB;
+        CREATE DATABASE nextcloud;
+        GRANT ALL PRIVILEGES ON DATABASE nextcloud TO nextcloud;
+
+        giteaSecret = $(echo ${config.age.secrets.giteaDBPass.path})
+        CREATE ROLE gitea WITH LOGIN PASSWORD $giteaSecret CREATEDB;
+        CREATE DATABASE gitea;
+        GRANT ALL PRIVILEGES ON DATABASE gitea TO gitea;
+
+        authentikSecret = $(echo ${config.age.secrets.authentikDBPass.path})
+        CREATE ROLE authentik WITH LOGIN PASSWORD $authentikSecret CREATEDB;
+        CREATE DATABASE authentik;
+        GRANT ALL PRIVILEGES ON DATABASE authentik TO authentik;
+
+        grafanaSecret = $(echo ${config.age.secrets.grafanaDBPass.path})
+        CREATE ROLE grafana WITH LOGIN PASSWORD $grafanaSecret CREATEDB;
+        CREATE DATABASE grafana;
+        GRANT ALL PRIVILEGES ON DATABASE grafana TO grafana;
      '';
    };
    networking.firewall.allowedTCPPorts = [5432];
--- a/services/postgresql/secrets/authentikDBPass.age
+++ b/services/postgresql/secrets/authentikDBPass.age
--- a/services/postgresql/secrets/giteaDBPass.age
+++ b/services/postgresql/secrets/giteaDBPass.age
--- a/services/postgresql/secrets/grafanaDBPass.age
+++ b/services/postgresql/secrets/grafanaDBPass.age
--- a/services/postgresql/secrets/nextcloudDBPass.age
+++ b/services/postgresql/secrets/nextcloudDBPass.age