cluster/services/patroni: use cluster secrets

This commit is contained in:
Max Headroom 2024-07-08 20:19:45 +02:00
parent f8f6e27e6f
commit b87b3d000d
7 changed files with 16 additions and 18 deletions


@ -1,13 +1,6 @@
{ config, lib, ... }: { config, lib, ... }:
{ {
vars.patroni = {
passwords = {
PATRONI_REPLICATION_PASSWORD = ./passwords/replication.age;
PATRONI_SUPERUSER_PASSWORD = ./passwords/superuser.age;
PATRONI_REWIND_PASSWORD = ./passwords/rewind.age;
};
};
links = { links = {
patroni-pg-internal.ipv4 = "0.0.0.0"; patroni-pg-internal.ipv4 = "0.0.0.0";
patroni-api.ipv4 = "0.0.0.0"; patroni-api.ipv4 = "0.0.0.0";
@ -25,5 +18,17 @@
]; ];
haproxy = ./haproxy.nix; haproxy = ./haproxy.nix;
}; };
secrets = let
inherit (config.services.patroni) nodes;
default = {
nodes = nodes.worker;
owner = "patroni";
};
in {
PATRONI_REPLICATION_PASSWORD = default;
PATRONI_SUPERUSER_PASSWORD = default;
PATRONI_REWIND_PASSWORD = default;
metricsCredentials.nodes = nodes.worker;
};
}; };
} }
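Review bot: The `default` template in the new `secrets` block pins `owner = "patroni"` but neither `mode` nor `group`, whereas the node-side `age.secrets` this commit removes (third file) carried `mode = "0400"; owner = "patroni"; group = "patroni";` explicitly. Whether the cluster secrets module defaults to 0400 is not visible here; if it defaults to anything wider, the superuser, replication and rewind passwords become readable beyond the patroni user on every worker. Either pin it where the declaration now lives, `default = { nodes = nodes.worker; owner = "patroni"; mode = "0400"; };` (assuming the module accepts a `mode` option), or add a comment recording the module's default so the dropped hardening is a deliberate choice. `metricsCredentials` sets only `nodes`, so it presumably keeps the module's default owner; a short comment saying which service reads it (the postgres exporter in the second file) would make that intentional.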


@ -2,13 +2,12 @@
let let
inherit (cluster.config) links vars; inherit (cluster.config) links vars;
inherit (cluster.config.services.patroni) secrets;
getMeshIp = name: vars.mesh.${name}.meshIp; getMeshIp = name: vars.mesh.${name}.meshIp;
in in
{ {
age.secrets.postgres-metrics-db-credentials.file = ./passwords/metrics.age;
services.grafana-agent = { services.grafana-agent = {
settings.integrations.postgres_exporter = { settings.integrations.postgres_exporter = {
enabled = true; enabled = true;
@ -19,7 +18,7 @@ in
autodiscover_databases = true; autodiscover_databases = true;
}; };
credentials = { credentials = {
PG_METRICS_DB_PASSWORD = config.age.secrets.postgres-metrics-db-credentials.path; PG_METRICS_DB_PASSWORD = secrets.metricsCredentials.path;
}; };
}; };
} }
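Review bot: The credentials line now resolves `secrets.metricsCredentials.path` through the cluster-level patroni service instead of a secret declared in this module, so the file exists on a node only if that node is in the set the cluster declaration deploys it to (`nodes.worker` in the first file of this commit); importing this module elsewhere would hand the exporter a path to nothing. A one-line comment above the `credentials` attribute would save the next reader a detour: `# declared under services.patroni.secrets; only deployed to nodes.worker`. Nothing in the hunk shows how grafana-agent consumes `credentials`, so I cannot tell from here whether the secret's default ownership is sufficient — worth confirming once against the module.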


@ -2,6 +2,7 @@
let let
inherit (cluster.config) vars; inherit (cluster.config) vars;
inherit (cluster.config.services.patroni) secrets;
inherit (config.networking) hostName; inherit (config.networking) hostName;
getMeshIp = name: vars.mesh.${name}.meshIp; getMeshIp = name: vars.mesh.${name}.meshIp;
@ -20,13 +21,6 @@ in
depot.nixosModules.patroni depot.nixosModules.patroni
]; ];
age.secrets = lib.mapAttrs (_: file: {
inherit file;
mode = "0400";
owner = "patroni";
group = "patroni";
}) vars.patroni.passwords;
systemd.tmpfiles.rules = [ systemd.tmpfiles.rules = [
"d '${baseDir}' 0700 patroni patroni - -" "d '${baseDir}' 0700 patroni patroni - -"
"d '${walDir}' 0700 patroni patroni - -" "d '${walDir}' 0700 patroni patroni - -"
@ -83,6 +77,6 @@ in
]; ];
}; };
}; };
environmentFiles = lib.mapAttrs (n: _: config.age.secrets.${n}.path) vars.patroni.passwords; environmentFiles = lib.mapAttrs (_: secret: secret.path) (lib.filterAttrs (name: _: lib.hasPrefix "PATRONI_" name) secrets);
}; };
} }
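Review bot: The last hunk selects environment files by the `PATRONI_` name prefix, which silently turns every future cluster secret that happens to start with `PATRONI_` into a file injected into patroni's environment, while `metricsCredentials` is excluded only because it lacks the prefix. Since the three secrets are enumerated by name in the cluster declaration anyway, listing them explicitly is as short and removes the implicit naming contract: `environmentFiles = lib.genAttrs [ "PATRONI_REPLICATION_PASSWORD" "PATRONI_SUPERUSER_PASSWORD" "PATRONI_REWIND_PASSWORD" ] (name: secrets.${name}.path);`. If the prefix convention is intended, a comment should say so, e.g. `# every PATRONI_* cluster secret is handed to patroni as an environment file`. The enclosing attribute set starts outside the hunk.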