chore(postgres): add dex
This commit is contained in:
parent
48e2a21425
commit
59a4ed49b5
3 changed files with 53 additions and 20 deletions
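--- a/PATH-NOT-SHOWN-file-1
+++ b/PATH-NOT-SHOWN-file-1
@@ -9,15 +9,51 @@
 cfg = config.services.postgresql;
 ensureUserModule = { config, ... }: {
 options = with lib.types; {
-tailscale = {
-allow = mkEnableOption "tailscale TCP connections";
+authentication = {
+enable = mkEnableOption "TCP connections" // {
+default = config.authentication.hosts != [ ];
+};
+hosts = mkOption {
+type = listOf str;
+default = [ ];
+};
+method = mkOption {
+type = str;
+default = "md5";
+};
 database = mkOption {
 type = str;
 };
+tailscale = {
+allow = mkEnableOption "tailscale TCP connections";
+};
+local = {
+allow = mkEnableOption "local TCP connections";
+};
+authentication = mkOption {
+type = lines;
+default = "";
+};
 };
 };
 config = {
-tailscale.database = mkIf (config.ensureDBOwnership) (
+authentication = {
+hosts = mkMerge [
+(mkIf config.authentication.tailscale.allow [
+"fd7a:115c:a1e0::/96"
+"fd7a:115c:a1e0:ab12::/64"
+"100.64.0.0/10"
+])
+(mkIf config.authentication.local.allow [
+"10.1.1.0/24"
+"fd0a::/64"
+])
+];
+authentication = mkMerge (map (host: ''
+host ${config.authentication.database} ${config.name} ${host} ${config.authentication.method}
+'') config.authentication.hosts);
+};
+authentication.database = mkIf (config.ensureDBOwnership) (
 mkOptionDefault config.name
 );
 };
@@ -29,19 +65,11 @@ in {
 };
 };
 config.services.postgresql = {
-enableTCPIP = mkIf (any (user: user.tailscale.allow) cfg.ensureUsers) (
+enableTCPIP = mkIf (any (user: user.authentication.enable) cfg.ensureUsers) (
 mkDefault true
 );
-authentication = let
-allowTail = { database, user }: ''
-host ${database} ${user} fd7a:115c:a1e0::/96 md5
-host ${database} ${user} fd7a:115c:a1e0:ab12::/64 md5
-host ${database} ${user} 100.64.0.0/10 md5
-'';
-in mkMerge (map
-(user: mkIf user.tailscale.allow (
-allowTail { inherit (user.tailscale) database; user = user.name; }
-)) cfg.ensureUsers
-);
+authentication = mkMerge (map (user:
+mkIf user.authentication.enable user.authentication.authentication
+) cfg.ensureUsers);
 };
 }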
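Review bot: The new `method` option defaults to `"md5"` (`default = "md5";` in the first hunk), so every generated `host` rule still accepts legacy MD5 password authentication for the user. Since PostgreSQL 14 the server-side `password_encryption` default is SCRAM, and an `md5` rule only negotiates SCRAM when the stored verifier already is one, so `default = "scram-sha-256";` would be the stronger default once the credentials provisioned by `postgresql-init` are confirmed to be SCRAM hashes (not visible here); otherwise a comment on that line recording why md5 is kept would help. The rules are emitted as `host`, which also matches non-TLS connections; for the `local.allow` ranges (`10.1.1.0/24`, `fd0a::/64`) that relies on TLS policy configured outside this hunk, so `hostssl` or a comment there may be warranted. None of the new `mkOption`s (`hosts`, `method`, `database`, `authentication`) carries a `description`; something like `description = "Address ranges allowed to connect over TCP as this user.";` on `hosts` would document the contract. The inner `authentication` option, reached as `config.authentication.authentication`, would read more clearly under a name such as `rules`.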
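--- a/PATH-NOT-SHOWN-file-2
+++ b/PATH-NOT-SHOWN-file-2
@@ -8,12 +8,17 @@
 in {
 services.postgresql = {
 enable = mkDefault true;
-ensureDatabases = ["hass"];
+ensureDatabases = ["hass" "dex"];
 ensureUsers = [
 {
 name = "hass";
 ensureDBOwnership = true;
-tailscale.allow = !config.services.home-assistant.enable;
+authentication.tailscale.allow = !config.services.home-assistant.enable;
+}
+{
+name = "dex";
+ensureDBOwnership = true;
+authentication.local.allow = true;
 }
 ];
 };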
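Review bot: The new `dex` entry sets `authentication.local.allow = true;` unconditionally, whereas the `hass` entry a few lines above gates its TCP access on `!config.services.home-assistant.enable`, i.e. the rule exists only when the service runs elsewhere. If dex is meant to follow the same pattern, `authentication.local.allow = !config.services.dex.enable;` would match it; confirm where dex is deployed before changing, since the two entries may intentionally differ. Either way a short comment naming the peer that connects, e.g. `# dex connects over TCP from the LAN ranges the postgres module maps local.allow to`, would help, because `local` here selects a fixed CIDR list in the module rather than the Unix socket.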
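--- a/PATH-NOT-SHOWN-file-3
+++ b/PATH-NOT-SHOWN-file-3
@@ -1,4 +1,4 @@
-postgresql-init: ENC[AES256_GCM,data:TUoqSxYsydMShNZXjx5Xee4P4Lsar746UOs/H4xQ3yk1xxHejpANo39uhQQdqVXOTQ17JXKOAHjUmFJyIq8BotEFWgQ=,iv:13yUHxGZ+dc8LtHF8NPXIqaMatVoop4TA5cHr87UXQA=,tag:IEF32Ct8+IRC9VoUBlWQbw==,type:str]
+postgresql-init: ENC[AES256_GCM,data:qIZZDcUb4eva7lZ4VCUu+Jl8K37KN37+HQ+6/WisZkDrxshUI5hhrYM0ypGFW0L/W9K9hRHaKGuBqYSeLoXwObT+K4J5VshO+H6PNDjuWkmho5Q/dVENs6AOLcLtxWC3Uz/kcH368yR13F64dCGAzlbSLxcP2bxgfdMbOhQvar9OD602i7TW,iv:BJvjQUcohdBLYxuz+rUsulMbGBwH6axuxOIDhVZET3Y=,tag:yDUwUS6DmiQV7FHtWmRVIg==,type:str]
 sops:
 shamir_threshold: 1
 kms: []
@@ -33,8 +33,8 @@ sops:
 a3l3bUx5NzdqUGd1TEpGY3UvQWt4TU0KB4MAjvI43FaOiGhWTkwPpeMMiAnX4v3L
 rLZDdc/vegF10FKTNJdxdq1E7ccMaV1KwjQkJoOJnWe6teKLjGOFkA==
 -----END AGE ENCRYPTED FILE-----
-lastmodified: "2024-01-16T19:12:12Z"
-mac: ENC[AES256_GCM,data:xT5guyOuwPe4BH24aIUfpG95Gu6o9Df3oGeA8HFJ6dtHuWXrf2xba9rn4tXDHkIxDm/18Z8v6nX4OFoiEgkwWGsg/RXqG1Rs1/+fhWHe4UOUU675bn8zJiFgBKEtr1e0Q1THSPlgfM8L/qgJhEJSYoPcNArbxkfOgXlKJFyH8ro=,iv:kw+IR4Xh77kkHixfWKlX0+mqS3Sq2E+h8NSryrwYchI=,tag:N7yiMKagn4y5j9iOrh93fA==,type:str]
+lastmodified: "2024-01-21T18:25:21Z"
+mac: ENC[AES256_GCM,data:b9eqSdZYccvK5WPQmP6/5X5raNFkqSu4sCOJZhL8OOSIfrvdbbJ9xJ7hZ2rsGp8XNxMPcofvLFb/JVwWIZOw1TOIiiyCwK+XfaRA7lcyTi3Kd9P8OADejo222ek/QgaAUzE7D8+q9PTSbLLgrfbvFCuwXJoEEslbjIh6UToziPY=,iv:0yK0y/QhYz8jAJqtMMkNmTPY0rTeonOhneyfdFJRoVw=,tag:e85Y3S7YgfB8EAb1TZSPYg==,type:str]
 pgp:
 - created_at: "2024-01-19T19:08:55Z"
 enc: |-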