nixbld/rt: use psql peer authentication
This commit is contained in:
parent
4ccab3cf2b
commit
93e19c74e9
|
@ -816,12 +816,19 @@ in
|
||||||
siteUrl = "https://chat.m-labs.hk/";
|
siteUrl = "https://chat.m-labs.hk/";
|
||||||
mutableConfig = true;
|
mutableConfig = true;
|
||||||
};
|
};
|
||||||
services.postgresql.package = pkgs.postgresql_12;
|
|
||||||
services.matterbridge = {
|
services.matterbridge = {
|
||||||
enable = true;
|
enable = true;
|
||||||
configPath = "/etc/nixos/secret/matterbridge.toml";
|
configPath = "/etc/nixos/secret/matterbridge.toml";
|
||||||
};
|
};
|
||||||
|
|
||||||
|
services.postgresql = {
|
||||||
|
package = pkgs.postgresql_12;
|
||||||
|
identMap =
|
||||||
|
''
|
||||||
|
rt rt rt_user
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
|
||||||
nixpkgs.config.packageOverrides = super: let self = super.pkgs; in {
|
nixpkgs.config.packageOverrides = super: let self = super.pkgs; in {
|
||||||
nix = super.nix.overrideAttrs(oa: {
|
nix = super.nix.overrideAttrs(oa: {
|
||||||
patches = oa.patches or [] ++ [ ./nix-networked-derivations.patch ];
|
patches = oa.patches or [] ++ [ ./nix-networked-derivations.patch ];
|
||||||
|
|
|
@ -19,14 +19,9 @@ let
|
||||||
Set($Timezone, '${cfg.timeZone}');
|
Set($Timezone, '${cfg.timeZone}');
|
||||||
|
|
||||||
Set($DatabaseType, 'Pg');
|
Set($DatabaseType, 'Pg');
|
||||||
Set($DatabaseHost, 'localhost');
|
Set($DatabaseHost, '/run/postgresql');
|
||||||
Set($DatabaseUser, 'rt_user');
|
Set($DatabaseUser, 'rt');
|
||||||
Set($DatabaseName, 'rt5');
|
Set($DatabaseName, 'rt5');
|
||||||
# Read database password from file
|
|
||||||
open my $fh, '<', '${cfg.dbPasswordFile}' or die 'Can\'t open file $!';
|
|
||||||
my $dbpw = do { local $/; <$fh> };
|
|
||||||
$dbpw =~ s/^\s+|\s+$//g;
|
|
||||||
Set($DatabasePassword, $dbpw);
|
|
||||||
|
|
||||||
# System (Logging)
|
# System (Logging)
|
||||||
Set($LogToSTDERR, undef); # Don't log twice
|
Set($LogToSTDERR, undef); # Don't log twice
|
||||||
|
@ -154,13 +149,6 @@ in {
|
||||||
type = str;
|
type = str;
|
||||||
};
|
};
|
||||||
|
|
||||||
dbPasswordFile = mkOption {
|
|
||||||
description = "File containing the database password";
|
|
||||||
type = str;
|
|
||||||
default = "/etc/nixos/secret/rtpasswd";
|
|
||||||
internal = true;
|
|
||||||
};
|
|
||||||
|
|
||||||
domain = mkOption {
|
domain = mkOption {
|
||||||
description = "Which domain RT is running on";
|
description = "Which domain RT is running on";
|
||||||
type = str;
|
type = str;
|
||||||
|
@ -245,8 +233,6 @@ in {
|
||||||
|
|
||||||
PrivateNetwork = false;
|
PrivateNetwork = false;
|
||||||
MemoryDenyWriteExecute = false;
|
MemoryDenyWriteExecute = false;
|
||||||
|
|
||||||
ReadOnlyPaths = [ cfg.dbPasswordFile ];
|
|
||||||
};
|
};
|
||||||
|
|
||||||
environment = {
|
environment = {
|
||||||
|
|
Loading…
Reference in New Issue