diff --git a/shared/commons/nftables.nix b/shared/commons/nftables.nix
index 52a0aa5..003a017 100644
--- a/shared/commons/nftables.nix
+++ b/shared/commons/nftables.nix
@@ -73,6 +73,11 @@ in
 tcp dport 587 accept
 '' else ""}
 
+ ${if lib.elem myName mapping.db.hosts then ''
+ # DNS Secondary
+ iifname mesh tcp dport 5432 accept
+ '' else ""}
+
 # Log anything else
 ip protocol tcp counter log prefix "tcp.in.dropped: "
 ip protocol udp counter log prefix "udp.in.dropped: "
diff --git a/shared/db/postgres.nix b/shared/db/postgres.nix
index b5bf9a6..b89f25f 100644
--- a/shared/db/postgres.nix
+++ b/shared/db/postgres.nix
@@ -1,4 +1,4 @@
-{ config, lib, ... }:
+{ config, pkgs, lib, ... }:
 let
 # Import nodes
@@ -21,7 +21,7 @@ in
 group = "postgres";
 };
 
- systemd.services.postgresql.environment = mkIf builtins.elem myName mapping.db.slaves {
+ systemd.services.postgresql.environment = lib.mkIf (builtins.elem myName mapping.db.slaves) {
 PGPASSFILE = "${config.age.secrets.repli.path}";
 };
 services.postgresql = {
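Review bot: The comment `# DNS Secondary` above the new accept rule does not describe it: 5432 is the PostgreSQL port (the postgres.nix part of this same commit sets `port = 5432;`), not DNS, so it should read something like `# PostgreSQL replication between db hosts`. The rule also admits port 5432 from any peer on `mesh` for every host in `mapping.db.hosts`, whereas the pg_hba entries in postgres.nix only admit the master and the listed replicas; if other hosts share the mesh, a source restriction such as `ip saddr { <master/replica addresses> }` would keep the firewall as narrow as pg_hba, assuming `nodes` is in scope here as it is in postgres.nix. `mapping.db.hosts` is not referenced by the other hunks, which use `mapping.db.master` and `mapping.db.slaves`, so confirm it is actually defined in the mapping.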
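Review bot: `PGPASSFILE` now hands the service `config.age.secrets.repli.path`, but libpq ignores a password file whose mode allows group or world access (it must be a regular file with mode 0600) and the postgres service user must be able to read it, and this hunk shows neither the secret's owner nor its mode. A comment on the `PGPASSFILE` line such as `# libpq only honours this file at mode 0600; age.secrets.repli must be readable by the postgres user` would make that dependency explicit, and the `age.secrets.repli` definition should be checked against it. The `"${...}"` wrapping is redundant: `PGPASSFILE = config.age.secrets.repli.path;` yields the same string.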
@@ -34,41 +34,43 @@ in
 superuser_map root postgres
 superuser_map postgres postgres
 '';
- authentication = lib.mkOverride 10 builtins.concatStringsSep "\n " [''
+ authentication = lib.mkOverride 10 (builtins.concatStringsSep "\n " ([''
 #type database DBuser auth-method optional_ident_map
 local all all peer map=superuser_map
- ''] ++ lib.optionalAttrs myName == mapping.db.master [
- map (slaveName: let slaveNode = nodes.${slaveName}; in
+ '']
+ ++ lib.optionals (myName == mapping.db.master)
+ (map (slaveName: let slaveNode = nodes.${slaveName}; in
 "host replication replication 172.19.${toString slaveNode.zone}.${toString slaveNode.id}/32 md5"
- ) mapping.db.slaves
- ] ++ lib.optionalAttrs builtins.elem myName mapping.db.slaves [''
+ ) mapping.db.slaves)
+ ++ lib.optionals (builtins.elem myName mapping.db.slaves) [''
 host replication replication ${masterIP}/32 md5
- ''];
+ '']));
 ensureUsers = [{
 name = "replication";
 ensureClauses.replication = true;
 }];
 settings = {
- listen_addresses = "localhost,172.19.${toString myNode.zone}.${toString myNode.id}";
+ listen_addresses = lib.mkForce "localhost,172.19.${toString myNode.zone}.${toString myNode.id}";
+ port = 5432;
 log_connections = true;
 log_statement = "none";
 logging_collector = true;
 log_disconnections = true;
- } // lib.optionalAttrs myName == mapping.db.master {
+ } // lib.optionalAttrs (myName == mapping.db.master) {
 wal_level = "logical";
 wal_sender_timeout = 10;
 max_wal_senders = 16;
 wal_keep_size = 1000; # In MB
- } // lib.optionalAttrs builtins.elem myName mapping.db.slaves {
+ } // lib.optionalAttrs (builtins.elem myName mapping.db.slaves) {
 wal_level = "logical";
 wal_receiver_timeout = 10;
- primary_conninfo = "host=${masterIP} port=${cfg.settings.port} user=replication";
+ primary_conninfo = "host=${masterIP} port=5432 user=replication";
 hot_standby = "on";
 };
 };
 # The password looks like: "*:*:*:*:"
 # Cf: https://www.postgresql.org/docs/current/libpq-pgpass.html
- systemd.services.postgresql.postStart = 
mkIf myName == mapping.db.master '' + systemd.services.postgresql.postStart = lib.mkIf (myName == mapping.db.master) '' $PSQL -tA <<'EOF' DO $$ DECLARE password TEXT;
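Review bot: `primary_conninfo` now hard-codes `port=5432` while the same value is added as `port = 5432;` in `settings` a few lines above, so the two constants can drift apart; the removed `${cfg.settings.port}` presumably failed because the port is an integer, and `primary_conninfo = "host=${masterIP} port=${toString cfg.settings.port} user=replication";` keeps a single source of truth (the hunk already uses `toString` the same way for the address, and `cfg` appears to be in scope from the old line). The replication entries in pg_hba keep `md5`; `scram-sha-256` is the stronger method and PostgreSQL's default `password_encryption` since version 14, so `host replication replication ${masterIP}/32 scram-sha-256` (and the same in the per-replica line) is preferable, provided the `replication` role's password is stored in SCRAM form, otherwise those connections will fail to authenticate. Note that the connection string still relies on `PGPASSFILE` from the earlier hunk for the password, so the two pieces need to be kept consistent. The `services.postgresql` attribute set begins before this hunk and the `postStart` script continues past the visible lines.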