
Commit ab5a5f8

Merge pull request #199 from NuschtOS/configurePostgres
Add more configurePostgres options
2 parents 94fb5e3 + 6e0b3be commit ab5a5f8

4 files changed

+100
-20
lines changed


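--- a/modules/grafana.nix
+++ b/modules/grafana.nix
@@ -12,6 +12,13 @@ in
 description = "Whether to configure Nginx.";
 };
 
+configurePostgres = lib.mkOption {
+type = lib.types.bool;
+default = false;
+example = true;
+description = "Whether to configure and create a local PostgreSQL database.";
+};
+
 oauth = {
 enable = lib.mkEnableOption "login only via OAuth2";
 enableViewerRole = lib.mkOption {
@@ -79,6 +86,14 @@ in
 };
 })
 
+(lib.mkIf (cfg.enable && cfg.configurePostgres) {
+database = {
+host = "/run/postgresql";
+type = "postgres";
+user = "grafana";
+};
+})
+
 (lib.mkIf (cfg.enable && cfg.oauth.enable) {
 "auth.generic_oauth" = let
 inherit (config.services.dex.settings) issuer;
@@ -138,6 +153,14 @@ in
 };
 };
 
+config.services.postgresql = lib.mkIf cfg.configurePostgres {
+ensureDatabases = [ "grafana" ];
+ensureUsers = [ {
+name = "grafana";
+ensureDBOwnership = true;
+} ];
+};
+
 config.users.users = lib.mkIf (cfg.enable && cfg.configureNginx) {
 grafana.extraGroups = [ "nginx" ];
 };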
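Review bot: The new `config.services.postgresql` block at the end of the section is gated only on `cfg.configurePostgres`, while the matching Grafana `database` settings in the second hunk are gated on `cfg.enable && cfg.configurePostgres`, and nothing here turns the PostgreSQL service on. In nixpkgs the `ensureDatabases`/`ensureUsers` entries are applied by the postgresql unit's post-start script, so unless `services.postgresql.enable` is set elsewhere this option creates nothing despite its description promising to "configure and create a local PostgreSQL database". I would align the condition and make the dependency explicit, e.g. `config.services.postgresql = lib.mkIf (cfg.enable && cfg.configurePostgres) { enable = true; ensureDatabases = [ "grafana" ]; ... }`, or add an assertion that `config.services.postgresql.enable` holds when the option is set. The socket-based `host = "/run/postgresql"` with `user = "grafana"` and no password is the right choice — it relies on PostgreSQL peer authentication mapping the `grafana` system user to the `grafana` role created by `ensureUsers` — and a one-line comment on the `database` block saying `# no password: peer auth over the unix socket maps the grafana system user to the grafana role` would save the next reader the lookup.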

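--- a/modules/home-assistant.nix
+++ b/modules/home-assistant.nix
@@ -7,6 +7,13 @@ in
 {
 options = {
 services.home-assistant = {
+configurePostgres = lib.mkOption {
+type = lib.types.bool;
+default = false;
+example = true;
+description = "Whether to configure and create a local PostgreSQL database.";
+};
+
 ldap = {
 enable = lib.mkEnableOption ''login only via LDAP
 
@@ -147,6 +154,10 @@ in
 meta = true;
 }];
 })
+
+(lib.mkIf cfg.configurePostgres {
+config.recorder.db_url = "postgresql://@/hass";
+})
 ];
 
 config.services.portunus.seedSettings.groups = lib.optional (cfg.ldap.userGroup != null) {
@@ -159,6 +170,14 @@ in
 permissions = { };
 };
 
+config.services.postgresql = lib.mkIf cfg.configurePostgres {
+ensureDatabases = [ "hass" ];
+ensureUsers = [ {
+name = "hass";
+ensureDBOwnership = true;
+} ];
+};
+
 config.systemd.tmpfiles.rules = lib.mkIf (cfg.enable && cfg.recommendedDefaults) [
 "f ${cfg.configDir}/automations.yaml 0444 hass hass"
 "f ${cfg.configDir}/scenes.yaml 0444 hass hass"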
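Review bot: The recorder is pointed at PostgreSQL via `config.recorder.db_url = "postgresql://@/hass"`, but nothing in this section adds a PostgreSQL driver to the Home Assistant Python environment; with the nixpkgs module the recorder needs `psycopg2` in `services.home-assistant.extraPackages`, so unless that is set elsewhere the recorder fails to start as soon as this option is enabled. I would add `extraPackages = ps: [ ps.psycopg2 ];` next to `config.recorder.db_url` in the same `lib.mkIf cfg.configurePostgres` branch (the enclosing list that branch lives in starts outside the hunk, so confirm it merges into `services.home-assistant` and not only into `.config`). As in the other modules, the `config.services.postgresql` block is gated only on `cfg.configurePostgres` and does not set `services.postgresql.enable`, so the `ensure*` entries take effect only if the service is enabled elsewhere; gating on `cfg.enable && cfg.configurePostgres` and asserting `config.services.postgresql.enable` would make the option self-contained. The empty user in the URL is fine from a security standpoint: it resolves to peer authentication on the local socket, mapping the `hass` system user to the `hass` role that `ensureUsers` creates, so no credential has to be stored.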

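--- a/modules/hydra.nix
+++ b/modules/hydra.nix
@@ -1,30 +1,41 @@
 { config, lib, libS, ... }:
 
 let
-cfg = config.services.hydra.ldap;
+cfg = config.services.hydra;
+cfgl = cfg.ldap;
 inherit (config.security) ldap;
 in
 {
 options = {
-services.hydra.ldap = {
-enable = lib.mkEnableOption ''
-login only via LDAP.
-The bind user password must be placed at `/var/lib/hydra/ldap-password.conf` in the format `bindpw = "PASSWORD"
-It is recommended to use a password without special characters because the perl config parser has weird escaping rule like that comment characters `#` must be escape with backslash
-'';
-
-roleMappings = lib.mkOption {
-type = with lib.types; listOf (attrsOf str);
-example = [{ hydra-admins = "admins"; }];
-default = [ ];
-description = "Map LDAP groups to hydra permissions. See upstream doc, especially role_mapping.";
+services.hydra = {
+configurePostgres = lib.mkOption {
+type = lib.types.bool;
+default = false;
+example = true;
+description = "Whether to configure and create a local PostgreSQL database.";
 };
 
-userGroup = libS.ldap.mkUserGroupOption;
+ldap = {
+enable = lib.mkEnableOption ''
+login only via LDAP.
+The bind user password must be placed at `/var/lib/hydra/ldap-password.conf` in the format `bindpw = "PASSWORD"
+It is recommended to use a password without special characters because the perl config parser has weird escaping rule
+like that comment characters `#` must be escape with backslash
+'';
+
+roleMappings = lib.mkOption {
+type = with lib.types; listOf (attrsOf str);
+example = [{ hydra-admins = "admins"; }];
+default = [ ];
+description = "Map LDAP groups to hydra permissions. See upstream doc, especially role_mapping.";
+};
+
+userGroup = libS.ldap.mkUserGroupOption;
+};
 };
 };
 
-config.services.hydra.extraConfig = lib.mkIf cfg.enable /* xml */ ''
+config.services.hydra.extraConfig = lib.mkIf cfgl.enable /* xml */ ''
 # https://hydra.nixos.org/build/196107287/download/1/hydra/configuration.html#using-ldap-as-authentication-backend-optional
 <ldap>
 <config>
@@ -48,7 +59,7 @@ in
 sslversion = tlsv1_3
 </start_tls_options>
 user_basedn = "${ldap.userBaseDN}"
-user_filter = "${ldap.searchFilterWithGroupFilter cfg.userGroup (ldap.userFilter "%s")}"
+user_filter = "${ldap.searchFilterWithGroupFilter cfgl.userGroup (ldap.userFilter "%s")}"
 user_scope = one
 user_field = ${ldap.userField}
 <user_search_options>
@@ -72,15 +83,15 @@ in
 # Allow all users in the dev group to restart jobs and cancel builds
 # dev = restart-jobs
 # dev = cancel-build
-${lib.concatStringsSep "\n" (lib.concatMap (lib.mapAttrsToList (name: value: "${name} = ${value}")) cfg.roleMappings)}
+${lib.concatStringsSep "\n" (lib.concatMap (lib.mapAttrsToList (name: value: "${name} = ${value}")) cfgl.roleMappings)}
 </role_mapping>
 </ldap>
 '';
 
 config.services.portunus.seedSettings.groups = [
-(lib.mkIf (cfg.userGroup != null) {
+(lib.mkIf (cfgl.userGroup != null) {
 long_name = "Hydra Users";
-name = cfg.userGroup;
+name = cfgl.userGroup;
 permissions = { };
 })
 ] ++ lib.flatten (map lib.attrValues (map
@@ -89,5 +100,13 @@ in
 name = ldapGroup;
 permissions = { };
 }))
-cfg.roleMappings));
+cfgl.roleMappings));
+
+config.services.postgresql = lib.mkIf cfg.configurePostgres {
+ensureDatabases = [ "hydra" ];
+ensureUsers = [ {
+name = "hydra";
+ensureDBOwnership = true;
+} ];
+};
 }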
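Review bot: The new `config.services.postgresql` block in the last hunk with `ensureUsers`/`ensureDBOwnership` for `hydra` likely duplicates what the nixpkgs hydra module already does: when `services.hydra.dbi` points at the local socket, that module enables PostgreSQL, installs an ident map so the `hydra`, `hydra-queue-runner` and `hydra-www` system users all connect as the `hydra` role, and creates the role and database in `hydra-init`'s pre-start — so confirm against the nixpkgs module before keeping two creators of the same role and database, since the interaction (an `ALTER DATABASE OWNER` racing `createdb`) gives confusing first-boot failures. Unlike the settings blocks in the other modules of this PR, this one is also not gated on `cfg.enable`, so `configurePostgres = true` on a host without Hydra still provisions a `hydra` role; `lib.mkIf (cfg.enable && cfg.configurePostgres)` matches the convention used elsewhere. Given that nothing here sets `services.postgresql.enable`, the description `Whether to configure and create a local PostgreSQL database.` overstates what the option does; `Whether to create the hydra role and database in the local PostgreSQL instance (PostgreSQL itself must be enabled separately).` would be accurate unless the block also sets `enable = true`. The `ldap.enable` description carried into the first hunk still has an unclosed backtick around `bindpw = "PASSWORD"`, which renders oddly in generated option docs.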

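--- a/modules/matrix.nix
+++ b/modules/matrix.nix
@@ -11,6 +11,13 @@ in
 services.matrix-synapse = {
 addAdditionalOembedProvider = libS.mkOpinionatedOption "add additional oembed providers from oembed.com";
 
+configurePostgres = lib.mkOption {
+type = lib.types.bool;
+default = false;
+example = true;
+description = "Whether to configure and create a local PostgreSQL database.";
+};
+
 domain = lib.mkOption {
 type = lib.types.str;
 example = "matrix.example.com";
@@ -198,12 +205,24 @@ in
 ];
 };
 
+services.postgresql = lib.mkIf cfg.configurePostgres {
+databases = [ "matrix-synapse" ]; # some parts of nixos-modules read this field to know all databases
+};
+
 services.portunus.seedSettings.groups = lib.mkIf (cfgl.userGroup != null) [ {
 long_name = "Matrix Users";
 name = cfgl.userGroup;
 permissions = { };
 } ];
 
+systemd.services = lib.mkIf cfg.configurePostgres {
+# https://element-hq.github.io/synapse/latest/postgres.html#set-up-database
+# https://github.com/NixOS/nixpkgs/blob/nixos-unstable/nixos/modules/services/databases/postgresql.nix#L655
+postgresql.postStart = ''
+$PSQL -tAc "SELECT 1 FROM pg_database WHERE datname = 'matrix-synapse'" | grep -q 1 || $PSQL -tAc 'CREATE DATABASE "matrix-synapse" ENCODING="UTF8" LOCALE="C" TEMPLATE="template0" OWNER="matrix-synapse"'
+'';
+};
+
 users.users = lib.mkIf cfg.listenOnSocket {
 nginx.extraGroups = [ "matrix-synapse" ];
 };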
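Review bot: The `postStart` snippet in the second hunk runs `CREATE DATABASE "matrix-synapse" ... OWNER="matrix-synapse"`, but nothing in this section creates the `matrix-synapse` role (there is no `ensureUsers` entry, only the custom `databases` list), so unless the role is provisioned elsewhere the statement fails with a missing-role error and takes the postgresql unit's start down with it. Even if the role does come from `ensureUsers` in another module, the ordering is not guaranteed: `postStart` is a concatenated string merged in module evaluation order, and `$PSQL` is a shell variable that nixpkgs' own post-start fragment defines, so if this fragment lands first the command runs as an empty string and the role may not exist yet; wrapping it as `postgresql.postStart = lib.mkAfter ''…'';` pins it after the nixpkgs script. The SQL itself is sound from an injection standpoint (literal identifiers only, executed as the postgres superuser inside the unit), and the `LOCALE="C" TEMPLATE="template0"` choice matches the linked Synapse requirement, which is worth stating in the comment above it: `# Synapse requires C collation, which ensureDatabases cannot set, hence the manual CREATE DATABASE`. As with the other modules in this PR, both blocks should probably be gated on `cfg.enable && cfg.configurePostgres`, and defining `systemd.services.postgresql.postStart` on a host where `services.postgresql.enable` is not set elsewhere yields a partial unit with no `ExecStart` — confirm how the rest of the file or the custom `databases` option handles that.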
