From a14ba1235a61375ecfd319e8f0fb8c24e354232d Mon Sep 17 00:00:00 2001
From: Max <max@privatevoid.net>
Date: Thu, 4 Aug 2022 23:57:54 +0200
Subject: [PATCH] cluster/services/patroni: init

---
 cluster/services/patroni/default.nix          |  49 +++++++++++
 cluster/services/patroni/etcd.nix             |  21 +++++
 cluster/services/patroni/haproxy.nix          |  41 ++++++++++
 .../patroni/passwords/replication.age         | Bin 0 -> 884 bytes
 cluster/services/patroni/passwords/rewind.age | Bin 0 -> 901 bytes
 .../services/patroni/passwords/superuser.age  | Bin 0 -> 867 bytes
 cluster/services/patroni/worker.nix           |  76 ++++++++++++++++++
 secrets.nix                                   |   3 +
 8 files changed, 190 insertions(+)
 create mode 100644 cluster/services/patroni/default.nix
 create mode 100644 cluster/services/patroni/etcd.nix
 create mode 100644 cluster/services/patroni/haproxy.nix
 create mode 100644 cluster/services/patroni/passwords/replication.age
 create mode 100644 cluster/services/patroni/passwords/rewind.age
 create mode 100644 cluster/services/patroni/passwords/superuser.age
 create mode 100644 cluster/services/patroni/worker.nix

diff --git a/cluster/services/patroni/default.nix b/cluster/services/patroni/default.nix
new file mode 100644
index 0000000..7c21e7a
--- /dev/null
+++ b/cluster/services/patroni/default.nix
@@ -0,0 +1,49 @@
+{ config, lib, ... }:
+
+let
+  inherit (config.vars) hosts;
+
+  cfg = config.services.patroni;
+
+  renameToLink = mode: n: v: lib.nameValuePair "patroni-etcd-node-${mode}-${n}" v;
+
+  genLinks = mode: nodes: f: lib.mapAttrs' (renameToLink mode) (lib.genAttrs nodes f);
+
+  getMeshIp = name: config.vars.mesh.${name}.meshIp;
+
+  mkLink = name: {
+    ipv4 = getMeshIp name;
+    protocol = "http";
+  };
+in
+{
+  vars.patroni = {
+    etcdNodes = lib.genAttrs cfg.nodes.etcd (name: config.links."patroni-etcd-node-peer-${name}");
+    etcdNodesClient = lib.genAttrs cfg.nodes.etcd (name: config.links."patroni-etcd-node-client-${name}");
+    etcdExtraNodes = [ "fly=http://10.1.1.151:2380" ];
+    passwords = {
+      PATRONI_REPLICATION_PASSWORD = ./passwords/replication.age;
+      PATRONI_SUPERUSER_PASSWORD = ./passwords/superuser.age;
+      PATRONI_REWIND_PASSWORD = ./passwords/rewind.age;
+    };
+  };
+  links = genLinks "client" cfg.nodes.etcd mkLink
+    // genLinks "peer" cfg.nodes.etcd mkLink
+    // {
+    patroni-pg-internal.ipv4 = "0.0.0.0";
+    patroni-api.ipv4 = "0.0.0.0";
+    patroni-pg-access.ipv4 = "127.0.0.1";
+  };
+  services.patroni = {
+    nodes = {
+      worker = [ "VEGAS" "prophet" ];
+      etcd = [ "VEGAS" "prophet" ];
+      haproxy = [ "VEGAS" "prophet" ];
+    };
+    nixos = {
+      worker = ./worker.nix;
+      etcd = ./etcd.nix;
+      haproxy = ./haproxy.nix;
+    };
+  };
+}
diff --git a/cluster/services/patroni/etcd.nix b/cluster/services/patroni/etcd.nix
new file mode 100644
index 0000000..8f1cb5f
--- /dev/null
+++ b/cluster/services/patroni/etcd.nix
@@ -0,0 +1,21 @@
+{ cluster, lib, pkgs, ... }:
+
+let
+  inherit (cluster.config) vars;
+
+  getEtcdUrl = name: vars.patroni.etcdNodes.${name}.url;
+
+  mkMember = n: "${n}=${getEtcdUrl n}";
+in
+
+{
+  services.etcd = {
+    enable = true;
+    dataDir = "/srv/storage/private/etcd";
+    initialCluster = (map mkMember cluster.config.services.patroni.nodes.etcd) ++ vars.patroni.etcdExtraNodes;
+    listenPeerUrls = lib.singleton vars.patroni.etcdNodes.${vars.hostName}.url;
+    listenClientUrls = lib.singleton vars.patroni.etcdNodesClient.${vars.hostName}.url;
+  };
+  # run on any architecture
+  systemd.services.etcd.environment.ETCD_UNSUPPORTED_ARCH = pkgs.go.GOARCH;
+}
diff --git a/cluster/services/patroni/haproxy.nix b/cluster/services/patroni/haproxy.nix
new file mode 100644
index 0000000..6a4e7b8
--- /dev/null
+++ b/cluster/services/patroni/haproxy.nix
@@ -0,0 +1,41 @@
+{ cluster, ... }:
+
+let
+  inherit (cluster.config) vars;
+
+  internalPort = cluster.config.links.patroni-pg-internal.portStr;
+
+  checkPort = cluster.config.links.patroni-api.portStr;
+
+  nodes = cluster.config.services.patroni.nodes.worker;
+
+  getMeshIp = name: vars.mesh.${name}.meshIp;
+
+  mkServerString = name: "server pg_ha_${name}_${internalPort} ${getMeshIp name}:${internalPort} maxconn 200 check port ${checkPort}";
+in
+
+{
+  services.haproxy = {
+    enable = true;
+    config = ''
+      global
+          maxconn 200
+      
+      defaults
+          log global
+          mode tcp
+          retries 2
+          timeout client 30m
+          timeout connect 4s
+          timeout server 30m
+          timeout check 5s
+      
+      listen patroni
+          bind ${cluster.config.links.patroni-pg-access.tuple}
+          option httpchk
+          http-check expect status 200
+          default-server inter 3s fall 3 rise 2 on-marked-down shutdown-sessions
+          ${builtins.concatStringsSep "    \n" (map mkServerString nodes)}
+    '';
+  };
+}
diff --git a/cluster/services/patroni/passwords/replication.age b/cluster/services/patroni/passwords/replication.age
new file mode 100644
index 0000000000000000000000000000000000000000..431e3f4e9353e6d364573cfc0433dcc7ebf6c3f3
GIT binary patch
literal 884
zcmZY4`)eC@0040D2WNvns1$sFdK01O%yM_RN1{W$BzMW>bxE7#a;H^t-%IXt$>ko&
zU2<{V4=woY9Bh*@R-Gb)jn(O>1qIjr(BfmQvZ+JYL1%Ri6hyl*uvV=4>--Bod@4%S
zUu^-~Gdp#owcW6lfQ$J2PeARq>aWTujw4|x%i#n{L2x2arlK{zY3Djd6$5U!Rp=L-
zVze9z)$yh(M)C{+H$+@veeIYUw(BWH&*oU9L1B#%rf$flDJo9V^g5<RTM?ciN<F)H
zqlO3i1-J{TsYs_Eb9Kr{hvZ1ZgK6HA0SWAqV>n`lLwgti1yDwNU7wh#sB%6et2w!v
z7&fD9rL5UCMJNbLBiyW+LRo912sSH~=o>XT$j2QDlDaK!1n=XaqGn44i!~iC*Y^5F
zx|Q_sLa<*m`rS@CB6wQchv>nkoHRwiQ4B#A%56Z3*+kwIu;G-5@OUmx#WNnBaq<6Y
zgpg_W6o`)^0jAiD6|+*G2xHk;q?lAoMgVJ@GR;V&pt0LHkchK9>%)}>2uayEQ?_|M
zMMyExGUcd|i=+db&ho}E&5V##-9y{Pe>c^y*wsqA3ZZ%xLekvM?qe;VT!OP2ZvhQU
z)iF9)bTj=@74Rgdq-kJSu%?x%VW9>KPOGPfOfD)mGY0Jnx+DHu@cSVUcM+`>Bk}~6
z-j<`?3dyk!hL$}t?;(yP#b7EJVA(K88@}{!FDqO3HsOhL*W#BxIQ+m-#{b|@iv;V3
zK3{r!YU^U;%GlxF(%!T4?4tU@i>WV07iL}J=Z{a`HF)R7_FHC7Sg$_KoVq)?>#K*A
z6YmdPVW&55RlL#r=4Kba{x<Q*sSB4zsnhhmdmjC4=*N{;{@$_YSN*-~`J-oN!9zdX
zbY|tH17r28JAaXW8r+;&1=ns%t}-sVK0aFST|9DdV{Nh#9Nc_e87Ta|AV2voa{l`r
z*8KAAH&5L2{PO(tk(1u!K<62lAup_n^T)2|K0)C>rmb=O^lRj&skLX9MQ8WS(ueB{
z_kXl|*SVF6@8&l4J-!+)9fYup^*0Z^wdL~o+Mn{~m(T5g<MPy@<57Jd;=f~PKl;tw
SJ7ZTT&u@9EcxFn;|Md@CuUk0)

literal 0
HcmV?d00001

diff --git a/cluster/services/patroni/passwords/rewind.age b/cluster/services/patroni/passwords/rewind.age
new file mode 100644
index 0000000000000000000000000000000000000000..d1a1722dd595d0a9668a38b269689f82e1e54883
GIT binary patch
literal 901
zcmZ9_>uVbY008hR7U71gu2?2R8|PzacD+aL(xk%V^1938Ub#!IIf|M~F84@scgf{>
zPR2l)#R>`qiP#UismK(O!5#=Ys#7aMZJE+pAIR(~8w@68#SKyX+TTC$D{3mJTBT;+
zX&JUPVK+6Xg8<+mpX=(NT1Igk3Hulp52A!GKOLKn)Fs!`WVB+_JZ~sinQXCjsfQY_
zz>`XuXe*sgJ&yr|9aDL+BJmg=sL}=A&H5orx8Q!BZW=;@OmR6nUV@pZ0q@*!$P?kN
zk9PYZQRZ`;8tM5PZ8DqEVHwvT5=(gvagr2Mb~c74jkHbx0%E310#hT?3A|vi1kGWt
z5MnYJy{S}0TG3lhBCKl7Zn?U1D+eU9P54MXA?X<;i)n10#iuJ~)k_wIQaAt=<Z?yg
zoJmK<9kUzv2w*yp)>=A?&;g38c}X%E>skTX&GsxU!57?$8%Y_kRWVCSVdoYs(6yfC
z3ry-LUxa$N4A*)wH78JTT*H)VC)!Tbow(2oQE^lj`L2`%><&pLSSp=Y`YzO!!%i^G
zX8N#YI-b)Y2rS$$>irtTqICTKjRm!)T69&w=u24&<%CSoZ8wQrF^jecFG5CSJ{%KD
z3Zp?t+bfF*qUW-v+VFQJrl>L+;#M4`A8f>cRD;r4M?v`(r*mwL!$}+NMMEV31VNwI
z2r(V8V+(|ol5i?y5{B(CcB_cNP9q>k^-@j5%#>-N1Tf@$i+uFs7`Qrgc5v&H*9N|^
z^^KnofvxR}=2U6ugVFtT{l*z`(SQcN7uVZoo>{u}#_-JM9n!|g;;zox{;PMr{Lkm~
z#lb=Nm+0+37f!;z&X5Hndj9%&@EwI%X&%}0<)-xmG<a+;y?t!<t7FTfmB99s4_`mJ
zyz<`7P3*wYd+&JwdYWidpCB&Jj9*z!Y@OR&^Pl`;VRquQb>EeL^K(yWOa80Ri#KN1
zE**H(G3Iv9tv>hNo|)pitJk(_95wR$Zn5^#`qEqHe+q5nJ{<n|?QgawPMy`L2k*aj
z=g8u|!z%*#J~ejf__M!#cIw>U!%anh<-{Ma&RgF<^5#RKy$cs6r`#8$$LHtoKJxYL
ZU7yA;GZzj+`~LFkqf_I#oAa+z{{a>YQwjh8

literal 0
HcmV?d00001

diff --git a/cluster/services/patroni/passwords/superuser.age b/cluster/services/patroni/passwords/superuser.age
new file mode 100644
index 0000000000000000000000000000000000000000..63a8259bea0d8e75b5428d8c1709693cef9a822c
GIT binary patch
literal 867
zcmZY4`-|HI0KoB~!mv6W_~Kw{7~Xax^xCvdnz%7ZUuoKFlQwPBbg*0VXp(DsX_GcD
zJ=xq3L-YqxP92==1|9=<C_0!Tj!teq=1rJ~?&Q?r54*!noX*FFl-tx_=U?#oe(SR2
zmnH?nZFg0Da#T0ufCc&dy8+Ww{E`@gVF&~A6pVy$Afm7wp~vz>qMJnvVXu}mvR*qK
z$~eeaJf;Xi1~keYzSZ$iA1&&k^aO^4Y6dvjCM}iEx>&{Q7QqM<C1IpcObaw;21KlU
zy9NimQqTstnkwg5z7RsmBB#`P0!*oDQB6^(q~UEWZjp6MYV#=UMtm(j!N82wu?3?_
zXlcu2okq<B8+uHZB-Be&scME)As7^bw`*dUC3-jzb=v3z<R%p^E<&kPDOhcm3XB1!
z8WwM$w2&4xs8Q~k<#5Eu>sY-Q&Q<aSTgs|71$zYDOtg?@Joaz2t63B&qMeMBw*IFf
zTuyUjAYnJ#LZ;z5VUA)eFbX>q34tt;Y%tNF1_tuBXJ&d>r>EjRRf!g)X2d~iWQ=HV
zp<;+mH7c+x)r1b&g7Biqh(su^*_iO(n?5=&v$S6}q`D~q!?q1zHDKSiWXnZ;pq*j(
z97EZjjo?Acs6@n`#7U$V!7Bussu)r)=JWggz$A-;yx`<W)XJ8|K)aPH;S)Mdl~_Ap
zBW(?d=gUzvSk1^u-*f#9v!=92gVXO_`Dowq%u?Dpb^&dpr;G<JWx4<I;|u-yoo8S1
z*7oim8!;-kw&1tc!mDrZPkemp&NuSc=G;$a*Y5vq%hfwp7hc;uJm~E>{C9ZI!qk}`
zS2i8iKUFsj=61b4d-empeVqpn9@zHSpVLo1^5{>)0r32#BO6!#8hPoP`N9KF&n{oz
z`XR1dc>egp_Qk97U2XFdm&f^;7w>Yns~0cNJat2!{$tQn_SjSM`lauO-kqBuUR|~d
zC#-|Nte-btxM%;DKOg$~*KbeLy9Ouq>Vb!L92%TsdZnAIRe1EBj&O0)iKXA~>pwjF
zmKMBu<Fgs+X!zb|SJ<O#8`s}lJX1gR#ncZcBUi2^`=2ijZ5;%^I(_7sz30Zi8yR|k
H=iUDRs(eyW

literal 0
HcmV?d00001

diff --git a/cluster/services/patroni/worker.nix b/cluster/services/patroni/worker.nix
new file mode 100644
index 0000000..f291365
--- /dev/null
+++ b/cluster/services/patroni/worker.nix
@@ -0,0 +1,76 @@
+{ aspect, cluster, config, lib, pkgs, ... }:
+
+let
+  inherit (cluster.config) vars;
+
+  getMeshIp = name: vars.mesh.${name}.meshIp;
+
+  net = vars.meshNet.cidr;
+
+  pg = pkgs.postgresql_14;
+
+  baseDir = "/srv/storage/database/postgres-ha";
+
+  cfg = config.services.patroni;
+in
+
+{
+  imports = [
+    aspect.modules.patroni
+  ];
+
+  age.secrets = lib.mapAttrs (_: file: {
+    inherit file;
+    mode = "0400";
+    owner = "patroni";
+    group = "patroni";
+  }) vars.patroni.passwords;
+
+  systemd.tmpfiles.rules = [ "d '${baseDir}' 0700 patroni patroni - -" ];
+  services.patroni = {
+    enable = true;
+    name = vars.hostName;
+    postgresqlPackage = pg;
+    postgresqlDataDir ="${baseDir}/${pg.psqlSchema}";
+    postgresqlPort = cluster.config.links.patroni-pg-internal.port;
+    restApiPort = cluster.config.links.patroni-api.port;
+    scope = "poseidon";
+    namespace = "/patroni";
+
+    nodeIp = getMeshIp vars.hostName;
+    otherNodesIps = map getMeshIp cluster.config.services.patroni.otherNodes.worker;
+    raft = false;
+    softwareWatchdog = true;
+    settings = {
+      etcd3.hosts = map (x: x.tuple) (lib.attrValues vars.patroni.etcdNodesClient);
+      bootstrap.dcs = {
+        ttl = 30;
+        loop_wait = 10;
+        retry_timeout = 10;
+        maximum_lag_on_failover = 1024 * 1024;
+      };
+      postgresql = {
+        use_pg_rewind = true;
+        use_slots = true;
+        authentication = {
+          replication.username = "patronirep";
+          rewind.username = "patronirew";
+          superuser.username = "postgres";
+        };
+        parameters = {
+          listen_addresses = getMeshIp vars.hostName;
+          wal_level = "replica";
+          hot_standby_feedback = "on";
+          unix_socket_directories = "/tmp";
+        };
+        pg_hba = [
+          "host replication patronirep ${net} scram-sha-256"
+          "host all patronirew ${net} scram-sha-256"
+          "host all postgres ${net} scram-sha-256"
+          "host all all 127.0.0.1/32 scram-sha-256"
+        ];
+      };
+    };
+    environmentFiles = lib.mapAttrs (n: _: config.age.secrets.${n}.path) vars.patroni.passwords;
+  };
+}
diff --git a/secrets.nix b/secrets.nix
index 102d9ea..c805655 100644
--- a/secrets.nix
+++ b/secrets.nix
@@ -4,6 +4,9 @@ let
   systemKeys = x: x.ssh.id.publicKey or null;
 in with hosts;
 {
+  "cluster/services/patroni/passwords/replication.age".publicKeys = max ++ map systemKeys [ VEGAS prophet ];
+  "cluster/services/patroni/passwords/rewind.age".publicKeys = max ++ map systemKeys [ VEGAS prophet ];
+  "cluster/services/patroni/passwords/superuser.age".publicKeys = max ++ map systemKeys [ VEGAS prophet ];
   "cluster/services/wireguard/mesh-keys/VEGAS.age".publicKeys = max ++ map systemKeys [ VEGAS ];
   "cluster/services/wireguard/mesh-keys/prophet.age".publicKeys = max ++ map systemKeys [ prophet ];
   "secrets/acme-dns-key.age".publicKeys = max ++ map systemKeys [ VEGAS ];