add db role

shared/db.nix

@@ -0,0 +1,7 @@
+{ ... }:
+{
+    # Import dependencies
+    imports = [
+        ./db/postgres.nix
+    ];
+}

shared/db/postgres.nix

@@ -0,0 +1,81 @@
+{ config, lib, ... }:
+
+let
+    # Import nodes
+    nodes = import ./../../nodes.nix;
+    myName = config.hostName;
+    myNode = nodes."${myName}";
+
+    # And mapping
+    mapping = import ./../../mapping.nix;
+
+    cfg = config.services.postgresql;
+
+    masterNode = nodes.${mapping.db.master};
+    masterIP = "172.19.${toString masterNode.zone}.${toString masterNode.id}";
+in
+{
+    age.secrets."repli" = {
+        file = ./../../secrets/db/repli.age;
+        owner = "postgres";
+        group = "postgres";
+    };
+
+    systemd.services.postgresql.environment = mkIf builtins.elem myName mapping.db.slaves {
+        PGPASSFILE = "${config.age.secrets.repli.path}";
+    };
+    services.postgresql = {
+        enable = true;
+        # Force postgres package major version
+        # to avoid any unwanted upgrades
+        package = pkgs.postgresql_17;
+        identMap = ''
+            # ArbitraryMapName systemUser DBUser
+            superuser_map      root       postgres
+            superuser_map      postgres   postgres
+        '';
+        authentication = lib.mkOverride 10 builtins.concatStringsSep "\n  " [''
+            #type database    DBuser      auth-method optional_ident_map
+            local all         all         peer        map=superuser_map
+        ''] ++ lib.optionalAttrs myName == mapping.db.master [
+            map (slaveName: let slaveNode = nodes.${slaveName}; in
+                "host  replication replication 172.19.${toString slaveNode.zone}.${toString slaveNode.id}/32 md5"
+            ) mapping.db.slaves
+        ] ++ lib.optionalAttrs builtins.elem myName mapping.db.slaves [''
+            host  replication replication ${masterIP}/32 md5
+        ''];
+        ensureUsers = [{
+            name = "replication";
+            ensureClauses.replication = true;
+        }];
+        settings = {
+            listen_addresses = "localhost,172.19.${toString myNode.zone}.${toString myNode.id}";
+            log_connections = true;
+            log_statement = "none";
+            logging_collector = true;
+            log_disconnections = true;
+        } // lib.optionalAttrs myName == mapping.db.master {
+            wal_level = "logical";
+            wal_sender_timeout = 10;
+            max_wal_senders = 16;
+            wal_keep_size = 1000; # In MB
+        } // lib.optionalAttrs builtins.elem myName mapping.db.slaves {
+            wal_level = "logical";
+            wal_receiver_timeout = 10;
+            primary_conninfo = "host=${masterIP} port=${cfg.settings.port} user=replication";
+            hot_standby = "on";
+        };
+    };
+    # The password looks like: "*:*:*:*:<password>"
+    # Cf: https://www.postgresql.org/docs/current/libpq-pgpass.html
+    systemd.services.postgresql.postStart = mkIf myName == mapping.db.master ''
+        $PSQL -tA <<'EOF'
+            DO $$
+            DECLARE password TEXT;
+            BEGIN
+            password := trim(both from split_part(replace(pg_read_file('${config.age.secrets.repli.path}'), E'\n', '''), ':', 5));
+            EXECUTE format('ALTER USER replication WITH PASSWORD '''%s''';', password);
+            END $$;
+        EOF
+    '';
+}