From 46dac540c189680e63efe917a8249aef3886a1c0 Mon Sep 17 00:00:00 2001
From: Gabriel Arazas
Date: Tue, 7 Feb 2023 09:45:37 +0800
Subject: [PATCH] hosts/plover: comply services to PostgreSQL secure schema usage

---
 hosts/plover/modules/services/gitea.nix | 11 +++++++++++
 hosts/plover/modules/services/keycloak.nix | 18 +++++++++---------
 hosts/plover/modules/services/vaultwarden.nix | 9 +++++++++
 3 files changed, 29 insertions(+), 9 deletions(-)

diff --git a/hosts/plover/modules/services/gitea.nix b/hosts/plover/modules/services/gitea.nix
index fa25d131..9708143b 100644
--- a/hosts/plover/modules/services/gitea.nix
+++ b/hosts/plover/modules/services/gitea.nix
@@ -6,6 +6,8 @@ let
 codeForgeDomain = "code.${config.networking.domain}";
+
+ giteaDatabaseUser = config.services.gitea.user;
 in
 {
 services.gitea = {
@@ -123,6 +125,15 @@ in
 }];
 };
+ # Setting up Gitea for PostgreSQL secure schema usage.
+ systemd.services.gitea = {
+ path = [ config.services.postgresql.package ];
+ preStart = lib.mkAfter ''
+ psql -tAc "SELECT 1 FROM information_schema.schemata WHERE schema_name='${giteaDatabaseUser}';" \
+ grep -q 1 || psql -tAc "CREATE SCHEMA IF NOT EXISTS AUTHORIZATION ${giteaDatabaseUser};"
+ '';
+ };
+
 # Attaching it altogether with the reverse proxy of choice.
 services.nginx.virtualHosts."${codeForgeDomain}" = {
 forceSSL = true;
diff --git a/hosts/plover/modules/services/keycloak.nix b/hosts/plover/modules/services/keycloak.nix
index 9aff1924..0f257b3c 100644
--- a/hosts/plover/modules/services/keycloak.nix
+++ b/hosts/plover/modules/services/keycloak.nix
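Review bot: The schema-existence check in the new gitea preStart is missing the pipe before grep: because the previous line ends in a `\` continuation, `grep -q 1` becomes positional arguments to the first psql call (taken as a database name and user) rather than a filter on its output, so the SELECT result is never inspected and the `||` branch runs on every start. The keycloak and vaultwarden hunks in this same commit write it as `| grep -q 1 || ...`; this line should match them: `| grep -q 1 || psql -tAc "CREATE SCHEMA IF NOT EXISTS AUTHORIZATION ${giteaDatabaseUser};"`. Since `CREATE SCHEMA IF NOT EXISTS` is idempotent on its own, the pre-check is only an optimisation, but as written it misleads a reader into thinking the existence test works. Nothing in the hunk says which database and role psql connects to, so a comment such as `# Both psql calls rely on the unit's default connection (service user, its own database) — confirm` would help the next maintainer.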
@@ -46,15 +46,6 @@ in
 sslCertificateKey = "${certs."${authDomain}".directory}/key.pem";
 };
- # Modifying it a little bit for per-user schema.
- systemd.services.keycloak = {
- path = [ config.services.postgresql.package ];
- preStart = ''
- psql -tAc "SELECT 1 FROM information_schema.schemata WHERE schema_name='${keycloakDbName}';" \
- grep -q 1 || psql -tAc "CREATE SCHEMA IF NOT EXISTS keycloak;"
- '';
- };
-
 # Configuring the database of choice to play nicely with the service.
 services.postgresql = {
 ensureDatabases = [ keycloakDbName ];
@@ -69,6 +60,15 @@ in
 ];
 };
+ # Modifying it a little bit for per-user schema.
+ systemd.services.keycloak = {
+ path = [ config.services.postgresql.package ];
+ preStart = lib.mkAfter ''
+ psql -tAc "SELECT 1 FROM information_schema.schemata WHERE schema_name='${keycloakUser}';" \
+ | grep -q 1 || psql -tAc "CREATE SCHEMA IF NOT EXISTS AUTHORIZATION ${keycloakUser};"
+ '';
+ };
+
 # Attach an domain name to the DNS server.
 services.dnsmasq.settings.address = [
 "/${authInternalDomain}/${host}"
diff --git a/hosts/plover/modules/services/vaultwarden.nix b/hosts/plover/modules/services/vaultwarden.nix
index 4d2c2f20..f2126057 100644
--- a/hosts/plover/modules/services/vaultwarden.nix
+++ b/hosts/plover/modules/services/vaultwarden.nix
@@ -67,6 +67,15 @@ in
 }];
 };
+ # Making it comply with PostgreSQL secure schema usage pattern.
+ systemd.services.vaultwarden = {
+ path = [ config.services.postgresql.package ];
+ preStart = lib.mkAfter ''
+ psql -tAc "SELECT 1 FROM information_schema.schemata WHERE schema_name='${vaultwardenUser}';" \
+ | grep -q 1 || psql -tAc "CREATE SCHEMA IF NOT EXISTS AUTHORIZATION ${vaultwardenUser};"
+ '';
+ };
+
 # Attaching it to our reverse proxy of choice.
 services.nginx.virtualHosts."${passwordManagerDomain}" = {
 forceSSL = true;
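Review bot: Neither psql call in the new keycloak preStart names a database or role, so which database the schema lands in and which role it is authorized to depend entirely on the connection defaults the unit inherits (presumably peer auth as the service user against a database named after it, but that is configured outside this hunk); a comment making the dependency explicit would help, e.g. `# Both psql calls rely on the unit's default connection (service user, its own database) — confirm`. The SELECT-then-grep guard is redundant in front of `CREATE SCHEMA IF NOT EXISTS` and cannot tell "schema absent" from "query failed", so a connection error silently falls through to the CREATE, whose own failure is what finally stops the unit; keeping only the idempotent CREATE would be simpler and surface the real error. The same two points apply to the vaultwarden hunk. Whether the rest of the secure-schema pattern (restricting CREATE on the public schema) is applied elsewhere is outside this diff, so the commit message's claim of compliance rests on configuration not visible here.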