nixos-config/profiles/vm/postgres.nix

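# PostgreSQL running in a NixOS container: clients authenticate over GSSAPI
# (Kerberos) and the server speaks TLS using a certificate/key that the host
# bind-mounts into the container from /srv/<hostname>.
{ config, pkgs, environment, ... }:
let
  # Per-host directory on the host side.  `path + string` yields a path value,
  # so nothing is copied into the Nix store at this point.
  hostPath = /srv + ("/" + config.networking.hostName);
  srcCertificateDirectory = hostPath + "/certs";
  dstCertificateDirectory = "/etc/pki/certs/postgres";
  # Kept as a plain string.  `string + /path` coerces the path literal, which
  # copies it into the Nix store (and fails if it does not exist at eval time);
  # the intent here is just an in-container file name.
  dstPrivateKey = dstCertificateDirectory + "/private/privkey.pem";
  srcKeytabPath = hostPath + /keytabs/postgres;
  dstKeytabPath = "/etc/postgresql-common/keytab";
in {
  containers.postgres = {
    autoStart = true;

    # `toString path` rather than "${path}": interpolating a Nix path copies its
    # contents into the world-readable Nix store and the mount would then point
    # at that snapshot instead of the live host directory.  toString yields the
    # literal host path.
    bindMounts = {
      "${dstCertificateDirectory}" = {
        hostPath = toString srcCertificateDirectory;
        # Writable only because postBootCommands below chown/chmod the files;
        # chown on a read-only bind mount fails with EROFS.
        isReadOnly = false;
      };
      "${dstKeytabPath}" = {
        hostPath = toString srcKeytabPath;
        isReadOnly = false;
      };
    };

    config = { config, pkgs, environment, ... }: {
      # NOTE(review): environment.etc keys are relative to /etc and an entry
      # normally carries `text` or `source`; whether this line has any effect
      # (or evaluates at all) should be confirmed.  Left as found; the
      # postBootCommands below are what actually restrict the key's mode.
      environment.etc."${dstPrivateKey}".mode = "0400";
      boot.tmpOnTmpfs = true;
      # Kind of a stupid hack...bindMounts can't specify perms, and it defaults to
      # permissive (even for nested files). So, explicitly make the keys private.
      # TODO: eventually, use bindMount perms, hopefully?
      #
      # The last line was `chown 400 ...`, which sets the owner to UID 400 and
      # leaves the private key's (permissive) mode untouched; chmod is intended.
      boot.postBootCommands = ''
        chown postgres ${dstKeytabPath}/postgres.keytab
        chmod 400 ${dstKeytabPath}/postgres.keytab
        chown -R postgres ${dstCertificateDirectory}
        chmod 400 ${dstPrivateKey}
      '';

      services.postgresql = {
        enable = true;
        package = pkgs.postgresql_10;
        enableTCPIP = true;
        # Kerberos keytab and TLS material point at the bind-mounted files above.
        extraConfig = ''
          krb_server_keyfile = '${dstKeytabPath}/postgres.keytab'
          ssl = true
          ssl_cert_file = '${dstCertificateDirectory}/cert.pem'
          ssl_key_file = '${dstPrivateKey}'
        '';
        # pg_hba.conf: Unix-socket connections use ident; every TCP client,
        # loopback or LAN, must present a Kerberos ticket from realm FUDO.ORG
        # (include_realm=0 maps the principal name to a role without the realm).
        # NOTE(review): 10.0.0.1/24 is a host address with a /24 mask; the
        # network form 10.0.0.0/24 is the conventional spelling — confirm the
        # intended range.
        authentication = ''
          local all all ident
          # host-local
          host all all 127.0.0.1/32 gss include_realm=0 krb_realm=FUDO.ORG
          host all all ::1/128 gss include_realm=0 krb_realm=FUDO.ORG
          # local network
          host all all 10.0.0.1/24 gss include_realm=0 krb_realm=FUDO.ORG
          host all all 2601:600:997f:fc00::/60 gss include_realm=0 krb_realm=FUDO.ORG
        '';
        # Runs once on first start; creates the single login role used here.
        initialScript = pkgs.writeText "backend-initscript" ''
          CREATE ROLE niten;
        '';
      };
    };
  };
}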