foodogsquared/nixos-config
1
0
Fork 0
mirror of https://github.com/foo-dogsquared/nixos-config.git synced 2025-02-25 06:19:00 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

hosts/plover: comply services to PostgreSQL secure schema usage

Browse Source
This commit is contained in:
Gabriel Arazas 2023-02-07 09:45:37 +08:00
parent 27ee3feee6
commit 46dac540c1
No known key found for this signature in database
GPG Key ID: ADE0C41DAB221FCC
3 changed files with 29 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
hosts/plover/modules/services/gitea.nix
View File

@ -6,6 +6,8 @@
let let
codeForgeDomain = "code.${config.networking.domain}"; codeForgeDomain = "code.${config.networking.domain}";
giteaDatabaseUser = config.services.gitea.user;
in in
{ {
services.gitea = { services.gitea = {
@ -123,6 +125,15 @@ in
}]; }];
}; };
# Setting up Gitea for PostgreSQL secure schema usage.
systemd.services.gitea = {
path = [ config.services.postgresql.package ];
preStart = lib.mkAfter ''
psql -tAc "SELECT 1 FROM information_schema.schemata WHERE schema_name='${giteaDatabaseUser}';" \
grep -q 1 || psql -tAc "CREATE SCHEMA IF NOT EXISTS AUTHORIZATION ${giteaDatabaseUser};"
'';
};
# Attaching it altogether with the reverse proxy of choice. # Attaching it altogether with the reverse proxy of choice.
services.nginx.virtualHosts."${codeForgeDomain}" = { services.nginx.virtualHosts."${codeForgeDomain}" = {
forceSSL = true; forceSSL = true;

18
hosts/plover/modules/services/keycloak.nix
View File

@ -46,15 +46,6 @@ in
sslCertificateKey = "${certs."${authDomain}".directory}/key.pem"; sslCertificateKey = "${certs."${authDomain}".directory}/key.pem";
}; };
# Modifying it a little bit for per-user schema.
systemd.services.keycloak = {
path = [ config.services.postgresql.package ];
preStart = ''
psql -tAc "SELECT 1 FROM information_schema.schemata WHERE schema_name='${keycloakDbName}';" \
grep -q 1 || psql -tAc "CREATE SCHEMA IF NOT EXISTS keycloak;"
'';
};
# Configuring the database of choice to play nicely with the service. # Configuring the database of choice to play nicely with the service.
services.postgresql = { services.postgresql = {
ensureDatabases = [ keycloakDbName ]; ensureDatabases = [ keycloakDbName ];
@ -69,6 +60,15 @@ in
]; ];
}; };
# Modifying it a little bit for per-user schema.
systemd.services.keycloak = {
path = [ config.services.postgresql.package ];
preStart = lib.mkAfter ''
psql -tAc "SELECT 1 FROM information_schema.schemata WHERE schema_name='${keycloakUser}';" \
| grep -q 1 || psql -tAc "CREATE SCHEMA IF NOT EXISTS AUTHORIZATION ${keycloakUser};"
'';
};
# Attach an domain name to the DNS server. # Attach an domain name to the DNS server.
services.dnsmasq.settings.address = [ "/${authInternalDomain}/${host}" ]; services.dnsmasq.settings.address = [ "/${authInternalDomain}/${host}" ];

9
hosts/plover/modules/services/vaultwarden.nix
View File

@ -67,6 +67,15 @@ in
}]; }];
}; };
# Making it comply with PostgreSQL secure schema usage pattern.
systemd.services.vaultwarden = {
path = [ config.services.postgresql.package ];
preStart = lib.mkAfter ''
psql -tAc "SELECT 1 FROM information_schema.schemata WHERE schema_name='${vaultwardenUser}';" \
| grep -q 1 || psql -tAc "CREATE SCHEMA IF NOT EXISTS AUTHORIZATION ${vaultwardenUser};"
'';
};
# Attaching it to our reverse proxy of choice. # Attaching it to our reverse proxy of choice.
services.nginx.virtualHosts."${passwordManagerDomain}" = { services.nginx.virtualHosts."${passwordManagerDomain}" = {
forceSSL = true; forceSSL = true;