tlaternet-server/configuration/services/postgres.nix

{pkgs, ...}: {
  services.postgresql = {
    package = pkgs.postgresql_14;
    enable = true;

    # Only enable connections via the unix socket, and check with the
    # OS to make sure the user matches the database name.
    #
    # See https://www.postgresql.org/docs/current/auth-pg-hba-conf.html
    authentication = ''
      local sameuser all peer
    '';

    # Note: The following options with ensure.* are set-only; i.e.,
    # when permissions/users/databases are removed from these lists,
    # that operation needs to be performed manually on the system as
    # well.
    ensureUsers = [
      {
        name = "nextcloud";
        ensurePermissions = {
          "DATABASE nextcloud" = "ALL PRIVILEGES";
        };
      }
    ];

    ensureDatabases = [
      "nextcloud"
    ];
  };
}
nextcloud: Use a hardened systemd unit instead of a container 2022-10-12 18:04:06 +01:00			`{pkgs, ...}: {`
			`services.postgresql = {`
			`package = pkgs.postgresql_14;`
			`enable = true;`

			`# Only enable connections via the unix socket, and check with the`
			`# OS to make sure the user matches the database name.`
			`#`
			`# See https://www.postgresql.org/docs/current/auth-pg-hba-conf.html`
			`authentication = ''`
			`local sameuser all peer`
			`'';`

			`# Note: The following options with ensure.* are set-only; i.e.,`
			`# when permissions/users/databases are removed from these lists,`
			`# that operation needs to be performed manually on the system as`
			`# well.`
			`ensureUsers = [`
			`{`
			`name = "nextcloud";`
			`ensurePermissions = {`
			`"DATABASE nextcloud" = "ALL PRIVILEGES";`
			`};`
			`}`
			`];`

			`ensureDatabases = [`
			`"nextcloud"`
			`];`
			`};`
			`}`