open nftables & fixes

2025-08-02 01:05:50 +02:00 · 2025-08-02 01:05:50 +02:00 · 41a6ed984a
commit 41a6ed984a
parent f05ce3bca5
2 changed files with 20 additions and 13 deletions
--- a/shared/commons/nftables.nix
+++ b/shared/commons/nftables.nix
@ -73,6 +73,11 @@ in
                                tcp dport 587 accept
                            '' else ""}

+                            ${if lib.elem myName mapping.db.hosts then ''
+                                # DNS Secondary
+                                iifname mesh tcp dport 5432 accept
+                            '' else ""}
+
                            # Log anything else
                            ip protocol tcp counter log prefix "tcp.in.dropped: "
                            ip protocol udp counter log prefix "udp.in.dropped: "
--- a/shared/db/postgres.nix
+++ b/shared/db/postgres.nix
@ -1,4 +1,4 @@
-{ config, lib, ... }:
+{ config, pkgs, lib, ... }:

 let
    # Import nodes
@ -21,7 +21,7 @@ in
        group = "postgres";
    };

-    systemd.services.postgresql.environment = mkIf builtins.elem myName mapping.db.slaves {
+    systemd.services.postgresql.environment = lib.mkIf (builtins.elem myName mapping.db.slaves) {
        PGPASSFILE = "${config.age.secrets.repli.path}";
    };
    services.postgresql = {
@ -34,41 +34,43 @@ in
            superuser_map      root       postgres
            superuser_map      postgres   postgres
        '';
-        authentication = lib.mkOverride 10 builtins.concatStringsSep "\n  " [''
+        authentication = lib.mkOverride 10 (builtins.concatStringsSep "\n  " ([''
            #type database    DBuser      auth-method optional_ident_map
            local all         all         peer        map=superuser_map
-        ''] ++ lib.optionalAttrs myName == mapping.db.master [
-            map (slaveName: let slaveNode = nodes.${slaveName}; in
+        '']
+        ++ lib.optionals (myName == mapping.db.master)
+            (map (slaveName: let slaveNode = nodes.${slaveName}; in
                "host  replication replication 172.19.${toString slaveNode.zone}.${toString slaveNode.id}/32 md5"
-            ) mapping.db.slaves
-        ] ++ lib.optionalAttrs builtins.elem myName mapping.db.slaves [''
+            ) mapping.db.slaves)
+        ++ lib.optionals (builtins.elem myName mapping.db.slaves) [''
            host  replication replication ${masterIP}/32 md5
-        ''];
+        '']));
        ensureUsers = [{
            name = "replication";
            ensureClauses.replication = true;
        }];
        settings = {
-            listen_addresses = "localhost,172.19.${toString myNode.zone}.${toString myNode.id}";
+            listen_addresses = lib.mkForce "localhost,172.19.${toString myNode.zone}.${toString myNode.id}";
+            port = 5432;
            log_connections = true;
            log_statement = "none";
            logging_collector = true;
            log_disconnections = true;
-        } // lib.optionalAttrs myName == mapping.db.master {
+        } // lib.optionalAttrs (myName == mapping.db.master) {
            wal_level = "logical";
            wal_sender_timeout = 10;
            max_wal_senders = 16;
            wal_keep_size = 1000; # In MB
-        } // lib.optionalAttrs builtins.elem myName mapping.db.slaves {
+        } // lib.optionalAttrs (builtins.elem myName mapping.db.slaves) {
            wal_level = "logical";
            wal_receiver_timeout = 10;
-            primary_conninfo = "host=${masterIP} port=${cfg.settings.port} user=replication";
+            primary_conninfo = "host=${masterIP} port=5432 user=replication";
            hot_standby = "on";
        };
    };
    # The password looks like: "*:*:*:*:<password>"
    # Cf: https://www.postgresql.org/docs/current/libpq-pgpass.html
-    systemd.services.postgresql.postStart = mkIf myName == mapping.db.master ''
+    systemd.services.postgresql.postStart = lib.mkIf (myName == mapping.db.master) ''
        $PSQL -tA <<'EOF'
            DO $$
            DECLARE password TEXT;