hosts/plover: comply services to PostgreSQL secure schema usage

2025-02-25 00:19:00 +00:00 · 2023-02-07 09:45:37 +08:00 · 2023-02-07 09:45:37 +08:00 · 46dac540c1
commit 46dac540c1
parent 27ee3feee6
3 changed files with 29 additions and 9 deletions
--- a/hosts/plover/modules/services/gitea.nix
+++ b/hosts/plover/modules/services/gitea.nix
@ -6,6 +6,8 @@

 let
  codeForgeDomain = "code.${config.networking.domain}";
+
+  giteaDatabaseUser = config.services.gitea.user;
 in
 {
  services.gitea = {
@ -123,6 +125,15 @@ in
    }];
  };

+  # Setting up Gitea for PostgreSQL secure schema usage.
+  systemd.services.gitea = {
+    path = [ config.services.postgresql.package ];
+    preStart = lib.mkAfter ''
+      psql -tAc "SELECT 1 FROM information_schema.schemata WHERE schema_name='${giteaDatabaseUser}';" \
+        grep -q 1 || psql -tAc "CREATE SCHEMA IF NOT EXISTS AUTHORIZATION ${giteaDatabaseUser};"
+    '';
+  };
+
  # Attaching it altogether with the reverse proxy of choice.
  services.nginx.virtualHosts."${codeForgeDomain}" = {
    forceSSL = true;
--- a/hosts/plover/modules/services/keycloak.nix
+++ b/hosts/plover/modules/services/keycloak.nix
@ -46,15 +46,6 @@ in
    sslCertificateKey = "${certs."${authDomain}".directory}/key.pem";
  };

-  # Modifying it a little bit for per-user schema.
-  systemd.services.keycloak = {
-    path = [ config.services.postgresql.package ];
-    preStart = ''
-      psql -tAc "SELECT 1 FROM information_schema.schemata WHERE schema_name='${keycloakDbName}';" \
-        grep -q 1 || psql -tAc "CREATE SCHEMA IF NOT EXISTS keycloak;"
-    '';
-  };
-
  # Configuring the database of choice to play nicely with the service.
  services.postgresql = {
    ensureDatabases = [ keycloakDbName ];
@ -69,6 +60,15 @@ in
    ];
  };

+  # Modifying it a little bit for per-user schema.
+  systemd.services.keycloak = {
+    path = [ config.services.postgresql.package ];
+    preStart = lib.mkAfter ''
+      psql -tAc "SELECT 1 FROM information_schema.schemata WHERE schema_name='${keycloakUser}';" \
+        | grep -q 1 || psql -tAc "CREATE SCHEMA IF NOT EXISTS AUTHORIZATION ${keycloakUser};"
+    '';
+  };
+
  # Attach an domain name to the DNS server.
  services.dnsmasq.settings.address = [ "/${authInternalDomain}/${host}" ];

--- a/hosts/plover/modules/services/vaultwarden.nix
+++ b/hosts/plover/modules/services/vaultwarden.nix
@ -67,6 +67,15 @@ in
    }];
  };

+  # Making it comply with PostgreSQL secure schema usage pattern.
+  systemd.services.vaultwarden = {
+    path = [ config.services.postgresql.package ];
+    preStart = lib.mkAfter ''
+      psql -tAc "SELECT 1 FROM information_schema.schemata WHERE schema_name='${vaultwardenUser}';" \
+        | grep -q 1 || psql -tAc "CREATE SCHEMA IF NOT EXISTS AUTHORIZATION ${vaultwardenUser};"
+    '';
+  };
+
  # Attaching it to our reverse proxy of choice.
  services.nginx.virtualHosts."${passwordManagerDomain}" = {
    forceSSL = true;