nix-dotfiles/hosts/tsuki/services/postgres.nix
h7x4 20de3c260f
tsuki/postgres: misc:
- add postgresql backup service
- harden systemd unit
- increase max_connections
2023-07-12 02:06:40 +02:00

60 lines
1.7 KiB
Nix

{ config, pkgs, lib, secrets, ... }: let
cfg = config.services.postgresql;
in {
services.postgresql = {
enable = true;
enableTCPIP = true;
authentication = pkgs.lib.mkOverride 10 ''
local all all trust
local hydra all ident map=hydra-users
host all all 127.0.0.1/32 trust
host all all ::1/128 trust
'';
port = secrets.ports.postgres;
dataDir = "${config.machineVars.dataDrives.drives.postgres}/${config.services.postgresql.package.psqlSchema}";
settings = {
max_connections = 150;
};
};
services.postgresqlBackup = {
enable = true;
location = "${config.machineVars.dataDrives.drives.backup}/postgres";
backupAll = true;
};
systemd.services.postgresqlBackup = {
requires = [ "postgresql.service" "data2-backup.mount" ];
};
systemd.services.postgresql = {
requires = [ "data2-postgres.mount" ];
serviceConfig = {
Restart = "always";
RestartSec = 3;
ReadWritePaths = [ cfg.dataDir ];
NoNewPrivileges = true;
PrivateDevices = true;
ProtectClock = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
# PrivateMounts = true;
RestrictSUIDSGID = true;
ProtectHostname = true;
LockPersonality = true;
ProtectKernelTunables = true;
ProtectSystem = "strict";
ProtectProc = "invisible";
ProtectHome = true;
# PrivateNetwork = true;
PrivateUsers = true;
PrivateTmp = true;
UMask = "0077";
# RestrictAddressFamilies = [ "AF_UNIX AF_INET AF_INET6" ];
SystemCallArchitectures = "native";
};
};
environment.systemPackages = [ config.services.postgresql.package ];
}