tlaternet/tlaternet-server
1
0
Fork 0
Code Issues 8 Pull requests Activity

refactor(postgres): Split postgres module

Browse source
This commit is contained in:
Tristan Daniël Maat 2026-02-24 23:45:18 +08:00
parent 13dc31c671
commit 2a9b08f1e6
Signed by: tlater
GPG key ID: 02E935006CF2E8E7
5 changed files with 105 additions and 103 deletions
Download patch file Download diff file Expand all files Collapse all files

14
configuration/default.nix
View file

@ -1,4 +1,5 @@
{ {
pkgs,
lib, lib,
modulesPath, modulesPath,
flake-inputs, flake-inputs,
@ -53,6 +54,19 @@
}; };
logrotate.enable = true; logrotate.enable = true;
postgresql = {
package = pkgs.postgresql_14;
enable = true;
# Only enable connections via the unix socket, and check with the
# OS to make sure the user matches the database name.
#
# See https://www.postgresql.org/docs/current/auth-pg-hba-conf.html
authentication = ''
local sameuser all peer
'';
};
}; };
security = { security = {

1
configuration/services/default.nix
View file

@ -11,7 +11,6 @@
./ntfy-sh ./ntfy-sh
./minecraft.nix ./minecraft.nix
./nextcloud.nix ./nextcloud.nix
./postgres.nix
./webserver.nix ./webserver.nix
./wireguard.nix ./wireguard.nix
]; ];

147
configuration/services/metrics/grafana.nix
View file

@ -8,80 +8,93 @@ in
443 443
]; ];
services.grafana = { services = {
enable = true; grafana = {
settings = {
server = {
http_port = 3001; # Default overlaps with gitea
root_url = "https://metrics.tlater.net";
};
security = {
admin_user = "tlater";
admin_password = "$__file{${config.sops.secrets."grafana/adminPassword".path}}";
secret_key = "$__file{${config.sops.secrets."grafana/secretKey".path}}";
cookie_secure = true;
cookie_samesite = "strict";
content_security_policy = true;
};
database = {
user = "grafana";
name = "grafana";
type = "postgres";
host = "/run/postgresql";
};
};
declarativePlugins = [
pkgs.grafanaPlugins.victoriametrics-metrics-datasource
pkgs.grafanaPlugins.victoriametrics-logs-datasource
];
provision = {
enable = true; enable = true;
settings = {
server = {
http_port = 3001; # Default overlaps with gitea
root_url = "https://metrics.tlater.net";
};
datasources.settings.datasources = [ security = {
{ admin_user = "tlater";
name = "Victoriametrics - tlater.net"; admin_password = "$__file{${config.sops.secrets."grafana/adminPassword".path}}";
url = "http://localhost:8428"; secret_key = "$__file{${config.sops.secrets."grafana/secretKey".path}}";
type = "victoriametrics-metrics-datasource"; cookie_secure = true;
access = "proxy"; cookie_samesite = "strict";
isDefault = true; content_security_policy = true;
} };
{ database = {
name = "Victorialogs - tlater.net"; user = "grafana";
url = "http://${config.services.victorialogs.bindAddress}"; name = "grafana";
type = "victoriametrics-logs-datasource"; type = "postgres";
access = "proxy"; host = "/run/postgresql";
} };
};
declarativePlugins = [
pkgs.grafanaPlugins.victoriametrics-metrics-datasource
pkgs.grafanaPlugins.victoriametrics-logs-datasource
]; ];
alerting.contactPoints.settings.contactPoints = [ provision = {
{ enable = true;
name = "ntfy";
receivers = [ datasources.settings.datasources = [
{ {
uid = "ntfy"; name = "Victoriametrics - tlater.net";
type = "webhook"; url = "http://localhost:8428";
settings.url = "http://${config.services.ntfy-sh.settings.listen-http}/local-alerts?template=grafana"; type = "victoriametrics-metrics-datasource";
} access = "proxy";
]; isDefault = true;
} }
];
{
name = "Victorialogs - tlater.net";
url = "http://${config.services.victorialogs.bindAddress}";
type = "victoriametrics-logs-datasource";
access = "proxy";
}
];
alerting.contactPoints.settings.contactPoints = [
{
name = "ntfy";
receivers = [
{
uid = "ntfy";
type = "webhook";
settings.url = "http://${config.services.ntfy-sh.settings.listen-http}/local-alerts?template=grafana";
}
];
}
];
};
}; };
};
services.nginx.virtualHosts."${domain}" = { postgresql = {
forceSSL = true; ensureUsers = [
useACMEHost = "tlater.net"; {
enableHSTS = true; name = "grafana";
locations = { ensureDBOwnership = true;
"/".proxyPass = "http://localhost:${toString config.services.grafana.settings.server.http_port}"; }
"/api/live" = { ];
proxyWebsockets = true;
proxyPass = "http://localhost:${toString config.services.grafana.settings.server.http_port}"; ensureDatabases = [ "grafana" ];
};
nginx.virtualHosts."${domain}" = {
forceSSL = true;
useACMEHost = "tlater.net";
enableHSTS = true;
locations = {
"/".proxyPass = "http://localhost:${toString config.services.grafana.settings.server.http_port}";
"/api/live" = {
proxyWebsockets = true;
proxyPass = "http://localhost:${toString config.services.grafana.settings.server.http_port}";
};
}; };
}; };
}; };

11
configuration/services/nextcloud.nix
View file

@ -103,6 +103,17 @@ in
}; };
}; };
services.postgresql = {
ensureUsers = [
{
name = "nextcloud";
ensureDBOwnership = true;
}
];
ensureDatabases = [ "nextcloud" ];
};
# Ensure that this service doesn't start before postgres is ready # Ensure that this service doesn't start before postgres is ready
systemd.services.nextcloud-setup.after = [ "postgresql.target" ]; systemd.services.nextcloud-setup.after = [ "postgresql.target" ];

35
configuration/services/postgres.nix
View file

@ -1,35 +0,0 @@
{ pkgs, ... }:
{
services.postgresql = {
package = pkgs.postgresql_14;
enable = true;
# Only enable connections via the unix socket, and check with the
# OS to make sure the user matches the database name.
#
# See https://www.postgresql.org/docs/current/auth-pg-hba-conf.html
authentication = ''
local sameuser all peer
'';
# Note: The following options with ensure.* are set-only; i.e.,
# when permissions/users/databases are removed from these lists,
# that operation needs to be performed manually on the system as
# well.
ensureUsers = [
{
name = "grafana";
ensureDBOwnership = true;
}
{
name = "nextcloud";
ensureDBOwnership = true;
}
];
ensureDatabases = [
"grafana"
"nextcloud"
];
};
}