nix/shared/db/postgres.nix

{ config, pkgs, lib, ... }:

let
    # Import nodes
    nodes = import ./../../nodes.nix;
    myName = config.hostName;
    myNode = nodes."${myName}";

    # And mapping
    mapping = import ./../../mapping.nix;

    cfg = config.services.postgresql;

    masterNode = nodes.${mapping.db.master};
    masterIP = "172.19.${toString masterNode.zone}.${toString masterNode.id}";
in
{
    age.secrets."repli" = {
        file = ./../../secrets/db/repli.age;
        owner = "postgres";
        group = "postgres";
    };

    systemd.services.postgresql.environment = lib.mkIf (builtins.elem myName mapping.db.slaves) {
        PGPASSFILE = "${config.age.secrets.repli.path}";
    };
    services.postgresql = {
        enable = true;
        # Force postgres package major version
        # to avoid any unwanted upgrades
        package = pkgs.postgresql_17;
        identMap = ''
            # ArbitraryMapName systemUser DBUser
            superuser_map      root       postgres
            superuser_map      postgres   postgres
        '';
        authentication = lib.mkOverride 10 (builtins.concatStringsSep "\n  " ([''
            #type database    DBuser      auth-method optional_ident_map
            local all         all         peer        map=superuser_map
        '']
        ++ lib.optionals (myName == mapping.db.master)
            (map (slaveName: let slaveNode = nodes.${slaveName}; in
                "host  replication replication 172.19.${toString slaveNode.zone}.${toString slaveNode.id}/32 md5"
            ) mapping.db.slaves)
        ++ lib.optionals (builtins.elem myName mapping.db.slaves) [''
            host  replication replication ${masterIP}/32 md5
        '']));
        ensureUsers = [{
            name = "replication";
            ensureClauses.replication = true;
        }];
        settings = {
            listen_addresses = lib.mkForce "localhost,172.19.${toString myNode.zone}.${toString myNode.id}";
            port = 5432;
            log_connections = true;
            log_statement = "none";
            logging_collector = true;
            log_disconnections = true;
        } // lib.optionalAttrs (myName == mapping.db.master) {
            wal_level = "logical";
            wal_sender_timeout = 10;
            max_wal_senders = 16;
            wal_keep_size = 1000; # In MB
        } // lib.optionalAttrs (builtins.elem myName mapping.db.slaves) {
            wal_level = "logical";
            wal_receiver_timeout = 10;
            primary_conninfo = "host=${masterIP} port=5432 user=replication";
            hot_standby = "on";
        };
    };
    # The password looks like: "*:*:*:*:<password>"
    # Cf: https://www.postgresql.org/docs/current/libpq-pgpass.html
    systemd.services.postgresql.postStart = lib.mkIf (myName == mapping.db.master) ''
        $PSQL -tA <<'EOF'
            DO $$
            DECLARE password TEXT;
            BEGIN
            password := trim(both from split_part(replace(pg_read_file('${config.age.secrets.repli.path}'), E'\n', '''), ':', 5));
            EXECUTE format('ALTER USER replication WITH PASSWORD '''%s''';', password);
            END $$;
        EOF
    '';
}