nixos/shill: Add postgres container

2022-06-06 17:52:36 +01:00 · 2022-06-06 17:52:36 +01:00 · 646b582984
commit 646b582984
parent 3ec00b60f5
9 changed files with 121 additions and 36 deletions
--- a/nixos/boxes/colony/vms/shill/containers/colony-psql.nix
+++ b/nixos/boxes/colony/vms/shill/containers/colony-psql.nix
@ -0,0 +1,69 @@
+{ lib, ... }: {
+  nixos.systems.colony-psql = {
+    system = "x86_64-linux";
+    nixpkgs = "mine";
+
+    assignments = {
+      internal = {
+        name = "colony-psql-ctr";
+        domain = lib.my.colony.domain;
+        ipv4.address = "${lib.my.colony.start.ctrs.v4}4";
+        ipv6 = {
+          iid = "::4";
+          address = "${lib.my.colony.start.ctrs.v6}4";
+        };
+      };
+    };
+
+    configuration = { lib, pkgs, config, assignments, ... }:
+    let
+      inherit (lib) mkMerge mkIf;
+      inherit (lib.my) networkdAssignment;
+    in
+    {
+      config = mkMerge [
+        {
+          my = {
+            deploy.enable = false;
+            server.enable = true;
+
+            secrets = {
+              key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICkly/tnPmoX05lDjEpQOkllPqYA0PY92pOKqvx8Po02";
+            };
+
+            firewall = {
+              tcp.allowed = [ 5432 ];
+            };
+          };
+
+          systemd = {
+            network.networks."80-container-host0" = networkdAssignment "host0" assignments.internal;
+          };
+
+          services = {
+            postgresql = {
+              package = pkgs.postgresql_14;
+              enable = true;
+              enableTCPIP = true;
+              ensureUsers = [
+                {
+                  name = "root";
+                  ensurePermissions = {
+                    "ALL TABLES IN SCHEMA public" = "ALL PRIVILEGES";
+                  };
+                }
+              ];
+            };
+          };
+        }
+        (mkIf config.my.build.isDevVM {
+          virtualisation = {
+            forwardPorts = [
+              { from = "host"; host.port = 55432; guest.port = 5432; }
+            ];
+          };
+        })
+      ];
+    };
+  };
+}
--- a/nixos/boxes/colony/vms/shill/containers/default.nix
+++ b/nixos/boxes/colony/vms/shill/containers/default.nix
@ -2,5 +2,6 @@
  imports = [
    ./middleman
    ./vaultwarden.nix
+    ./colony-psql.nix
  ];
 }
--- a/nixos/boxes/colony/vms/shill/default.nix
+++ b/nixos/boxes/colony/vms/shill/default.nix
@ -101,6 +101,7 @@
              }) {
                middleman = {};
                vaultwarden = {};
+                colony-psql = {};
              };
            };
          }
--- a/nixos/modules/tmproot.nix
+++ b/nixos/modules/tmproot.nix
@ -235,6 +235,16 @@ in
          }
        ];
      })
+      (mkIf config.services.postgresql.enable {
+        my.tmproot.persistence.config.directories = [
+          {
+            directory = "/var/lib/postgresql";
+            mode = "0750";
+            user = "postgres";
+            group = "postgres";
+          }
+        ];
+      })
      (mkIf config.my.build.isDevVM {
        fileSystems = mkVMOverride {
          # Hijack the "root" device for persistence in the VM
--- a/secrets/cloudflare-credentials.conf.age
+++ b/secrets/cloudflare-credentials.conf.age
@ -1,10 +1,10 @@
 age-encryption.org/v1
-> ssh-ed25519 H162lQ a/oJHGIB43DHpX/EUdal2ZyOlf+zYUbNwztGSP1iuGE
-W8bd1I0rgDMEc18zjpP0d4dyp4PGd19/8vJFlVOsGSs
-> X25519 cjqYOE0e9IHvWvcGyOPDNTcNR6Ynv8TdRCoHiBx4UzI
-/EzNz/SSzvs9DbCGr28B4/jwZMnpUxoBtDOt9Ombv4Y
-> x]-grease
-fRt2HHsTmZbotWaLfgPZ4PT76A
--- M2/lLzEUiSmSuoPhtO/QAg+CPPvnBBMQhisX66A/aKE
-ŸbDœýl¨‹Òð÷	<09>½·Î“»€
-ˆG¸¤g”-˜2“êðJbç†àt‹IÕ:B·Ù1õ?»VëÛ—óz÷Á™}ù3õqÒIÇü¾þ’>Å
{ÌâæÖ=œÁHê')UŠ"°)HS¢Éæ1-Ö-–pêåêYÆ…½HÖtn<74>ìà[ÐÝŸ-¬òl™Ö|Uolgç¨Ó
+-> ssh-ed25519 H162lQ /adzwW9x7USsH5CdsioRijyAty8oWd/+cAMwUjIUlFc
+wZ37SG3kMPAFv6b7XUsQODXJyf0+2UGYO4W4ZYITIx4
+-> X25519 hgS0FxBoQ+aE8XPP9C+py9MG6olCCX2MNo8ySfdI3S4
+0MFoKWao1FSvPSSbvgPvoW/9IhenHbcFfRdF8QCiX6Y
+-> W-r]SXB-grease #sr)tHY s)\!y phJi@.
+i9yJp2IczY7G/4sEX5Lmzyn3KOxca7/pDQ
+--- UAo0KfTO0IzWS7mj5vWRzMLT3wrrgIpr2PYUYKSDSIQ
+ÇòD%IÉ5·»ba›ÉÃø¿†wËq<C38B>–èS(Vj_]ðíý§Î=šDŒó‚»±
+ßY2è¸_Í	uñz>Û6îŸ®by‘wØa½O¨B—Õ>fÎÞ$§X¤ß®Ÿ•›íq%º_§ºc®Ñ¬«V‚e[ÈÎ0ŸpbÙŽnÎo}ãÁ`0|0<>ÓŒ’ôk©ÈŸâ
--- a/secrets/dhparams.pem.age
+++ b/secrets/dhparams.pem.age
--- a/secrets/pdns-file-records.key.age
+++ b/secrets/pdns-file-records.key.age
--- a/secrets/user-passwd.txt.age
+++ b/secrets/user-passwd.txt.age
@ -1,17 +1,21 @@
 age-encryption.org/v1
-> ssh-ed25519 SKXJUw fW7jrhrKwP6iyzZmVgb7vJ2UcNJF/5WD4yMdIAHkmjY
-2oxq2j4imOCs+SS7X8B6l+lfyxS1oc2pP9Yn5xH2TYg
-> ssh-ed25519 B9K/XQ k2wmCaqbN607JztgylqS0HnB0VDDirJdTT0A/YcWmDc
-p50mr15TcNSosXhqOp1piJ4zovntXupDN0wKyuQcLOI
-> ssh-ed25519 H162lQ gB7vN1QOBBwgGnQm01/Qgi5BOKROqiGUeRhl5o0Fshs
-RahbmvQtsVZqWp0Aw+p5nNPiiLy9Bx5CIUlNBDUHqvk
-> ssh-ed25519 b6YMqg GRHZS+hPYYtvmdWjubBWHWRcW6tN1CH8ad/uQIy94UY
-YoW/7nXuDsFRpHfz0gxHcq86yp28k36jeDeE5rgWbu0
-> ssh-ed25519 Lqn0Yw QMRSGRz5JwLBxTHP2rcG13IUvQzB+0hlWDqYZFvC1n4
-Nn/4hg59WRT6/89nS7i+gQ8lH/xnPV5U8tVL7jzqrQU
-> X25519 GStCgfxXuAFeZEZi0REzF57PASJgsUjJKqhbxOWGMG4
-P13cOlKyoec4dxraCm/FYNbkSQiG13X2qqLeYJNxb8w
-> o-grease
-9eVgGIr20m1qCUJk3smZBflaLXQrMcMM
--- 2Z86MUDSQR+ZsPLWzR8zO74BFfmy9C5HDd6mabW7fuY
-TH°ÛŒ›Ðá‰<C3A1>î—;ÏVÀjD?€<`:Æ¨×*yAùÓ<C3B9><C393>s„Ÿ/àZËféÿ¨?Œ—ªÁ¡¤´æ;QhÇwY†	NÝ9U„/Û0wBq.O¶€þÄÇÿ8ä,² U…/ò7T_ÎýŒNËö‘ÅVzyUâæ/ŒöF:HuÅ5
+-> ssh-ed25519 SKXJUw CsKtHFHS/9MNiNGT/O+bxx+btotr9riXwJWgHAplcXQ
+W6kL/S4y1aFstYGOIhrwJfXx2uhswH3uSdyJzRCAtHM
+-> ssh-ed25519 wbGjmA 7em05wqUq9PA9CZ9MlnNSxdeknvN0lrS0yYxUTtGawE
+TyAI9Pu0DJodhdT5sBodIaBxPg3VBmXcq18IIHtFs3I
+-> ssh-ed25519 B9K/XQ ZAVd8XBFPOJ6hC2WunnkGmEifYOHcUhYQIi4gvsLajc
+5hPdqVBWi9OtqQPyq4gz4CX6vVpuLGQURufTCnDNYgM
+-> ssh-ed25519 H162lQ wKj8wzesVAOzm5o4VB9NEBSr+xlr0VjR/A48NL+6uls
+lpmijvrflnMeVT6R2YcUmLFljFxZsTeVziErcQ7GKuk
+-> ssh-ed25519 b6YMqg ykVDRMnyBsh6+HN/A/5lT3K36wgJZggIcjlsPSc3byM
+HF5qzv2Lf2s87OHi/0++shAjF4+xr5NAHL/9lncMHRU
+-> ssh-ed25519 Lqn0Yw 4+F3gxpsI9QnbCHWpLz29CUj3RAeXSH7PHkuFw3E7T8
+yzZAylZ7QAV7ufljd4VEBys8sNd8JodWqN5f0JzRI/g
+-> X25519 YMeCBP/yDOGPs04ihx7NkZSpqEotUHKs3yMRkg9JWAI
+Li1FOGm6NIAPGVQRj3HYiyKiR/ZSk35vnOK/ia59IQU
+-> tjxC(g-grease
+817wn107V7X7yjCXvKBMt/55PWcEYdm6ZDOdoZC5A3s+iRFVpLvGmxlkEVxQCqsA
+K4WG/Ye5PC/raEjsS8/6AqHs4E+JSfuZjm47fVclbu3kp8Yu3BaLEa9glucxBQbc
+X0A
+--- C/lfT3RLOrCR2mOv6Q0aDyEVUrq4GzdVpHhj7Ly2ov4
+§&„Ç¨<C387>äò<C3A4><C3B2>q)È	Whº<68>ÀŠŸ&3œ‚M}]R§E<C2A7>e%ÝtXýˆˆŒ*X˜l
ï¹0hûl[@ö]8'G><3E>ÊpþeSf°Ý™™®ÀóPËÃÛJYÛ”Fª¸Lz¿¨1ñ¨?<3F>ƒ»¬"Ý²ÜÿÎµ•)àœG¡ÀËêª_ºÐÜõí
--- a/secrets/vaultwarden.env.age
+++ b/secrets/vaultwarden.env.age
@ -1,12 +1,12 @@
 age-encryption.org/v1
-> ssh-ed25519 Lqn0Yw ybVbnUjgm3QGOZPv9A/q6zPXjZbuYe4krqe+qjrkziw
-SIEEGlziouUT3pzxw+C7p2IO2sDJ3xmaTrHaDGFgLOs
-> X25519 bq/2lRh9a3BwhwR6o9TXeuXA5AGdtlrQm8/JOyAzUEU
-I5xRPDb6rUcNBXqOXefFkO2HvlYIJAG+OFkZygywkqg
-> 0g#WDK-grease .DWBEk*
-Vf8DHmVCY3bfTT+CPPm5dELSid+aZJquOxjEccmkZXVKtefHlwLRx6Dh3HT5IZqR
-Pl2j/4SQvVf1MrPjtbkMwBhxh9zPZa7WQIBGeF6oB2kl9vyc65lXpaxRSMs2eVsv
-
--- /eCT0Rqu+we6CXUSP3dpd+blpQxwOG0t5rDiGfffXPs
-F‚Õ
-ðf<EFBFBD>§¯<19>~"[®ù%?—}Âí1ÿP~½äÒ‹$ÑNrnh*y¢ _É…÷ùï!ë¨*™©h\Ž‡è…ÀMÖú¶ õß‘…x•sÞ”ëFdÀ3¯u/$9ô½ þ¢ÜâŠºÖ	Ð §è&ði¥v
+-> ssh-ed25519 Lqn0Yw 527NE0GoR6SQTwb1hmgpxn4APXMb2oW3/VNjjbwtnx8
+9jWxt9FYx8G4pyPVtU8mp33QuurzQHI4Npt+79ej2qU
+-> X25519 wW5ClCuDyZvFJOA/aeitGr5yr29DOdULnUlPRz1sDk0
+db70JP2sIH3T8NsMHqnTCGNE1tY7PyjGKOKmzNE632Q
+-> zGd-grease * _!K!a] 3C\vn
+sOkK0VjY4v3j6XcG
+--- CHljgmb9kcrECrIM2Ve+Wp5AkGWeIQb0Bhh9sgEtD5U
+K=ÖX÷K9	¸,¬q†ËjžŸÚ)=G›¹au{N
VœÐé‰,<2C>«2N$€wþ‡
+×kzO¸@‡‘¸#ÉFµøÇ<C3B8>
+ ¾ÕÛÌ»CFÅâ3ã³PzNG,3Pw]-VÊžo«Ôžm„zÉ
+ó¯<EFBFBD>ð²e