open nftables & fixes

shared/commons/nftables.nix

@@ -73,6 +73,11 @@ in
                                 tcp dport 587 accept
                             '' else ""}
 
+                            ${if lib.elem myName mapping.db.hosts then ''
+                                # DNS Secondary
+                                iifname mesh tcp dport 5432 accept
+                            '' else ""}
+
                             # Log anything else
                             ip protocol tcp counter log prefix "tcp.in.dropped: "
                             ip protocol udp counter log prefix "udp.in.dropped: "

shared/db/postgres.nix

@@ -1,4 +1,4 @@
-{ config, lib, ... }:
+{ config, pkgs, lib, ... }:
 
 let
     # Import nodes
@@ -21,7 +21,7 @@ in
         group = "postgres";
     };
 
-    systemd.services.postgresql.environment = mkIf builtins.elem myName mapping.db.slaves {
+    systemd.services.postgresql.environment = lib.mkIf (builtins.elem myName mapping.db.slaves) {
         PGPASSFILE = "${config.age.secrets.repli.path}";
     };
     services.postgresql = {
@@ -34,41 +34,43 @@ in
             superuser_map      root       postgres
             superuser_map      postgres   postgres
         '';
-        authentication = lib.mkOverride 10 builtins.concatStringsSep "\n  " [''
+        authentication = lib.mkOverride 10 (builtins.concatStringsSep "\n  " ([''
             #type database    DBuser      auth-method optional_ident_map
             local all         all         peer        map=superuser_map
-        ''] ++ lib.optionalAttrs myName == mapping.db.master [
+        '']
-            map (slaveName: let slaveNode = nodes.${slaveName}; in
+        ++ lib.optionals (myName == mapping.db.master)
+            (map (slaveName: let slaveNode = nodes.${slaveName}; in
                 "host  replication replication 172.19.${toString slaveNode.zone}.${toString slaveNode.id}/32 md5"
-            ) mapping.db.slaves
+            ) mapping.db.slaves)
-        ] ++ lib.optionalAttrs builtins.elem myName mapping.db.slaves [''
+        ++ lib.optionals (builtins.elem myName mapping.db.slaves) [''
             host  replication replication ${masterIP}/32 md5
-        ''];
+        '']));
         ensureUsers = [{
             name = "replication";
             ensureClauses.replication = true;
         }];
         settings = {
-            listen_addresses = "localhost,172.19.${toString myNode.zone}.${toString myNode.id}";
+            listen_addresses = lib.mkForce "localhost,172.19.${toString myNode.zone}.${toString myNode.id}";
+            port = 5432;
             log_connections = true;
             log_statement = "none";
             logging_collector = true;
             log_disconnections = true;
-        } // lib.optionalAttrs myName == mapping.db.master {
+        } // lib.optionalAttrs (myName == mapping.db.master) {
             wal_level = "logical";
             wal_sender_timeout = 10;
             max_wal_senders = 16;
             wal_keep_size = 1000; # In MB
-        } // lib.optionalAttrs builtins.elem myName mapping.db.slaves {
+        } // lib.optionalAttrs (builtins.elem myName mapping.db.slaves) {
             wal_level = "logical";
             wal_receiver_timeout = 10;
-            primary_conninfo = "host=${masterIP} port=${cfg.settings.port} user=replication";
+            primary_conninfo = "host=${masterIP} port=5432 user=replication";
             hot_standby = "on";
         };
     };
     # The password looks like: "*:*:*:*:<password>"
     # Cf: https://www.postgresql.org/docs/current/libpq-pgpass.html
-    systemd.services.postgresql.postStart = mkIf myName == mapping.db.master ''
+    systemd.services.postgresql.postStart = lib.mkIf (myName == mapping.db.master) ''
         $PSQL -tA <<'EOF'
             DO $$
             DECLARE password TEXT;