Cluster secrets #100
7 changed files with 16 additions and 18 deletions
|
@ -1,13 +1,6 @@
|
||||||
{ config, lib, ... }:
|
{ config, lib, ... }:
|
||||||
|
|
||||||
{
|
{
|
||||||
vars.patroni = {
|
|
||||||
passwords = {
|
|
||||||
PATRONI_REPLICATION_PASSWORD = ./passwords/replication.age;
|
|
||||||
PATRONI_SUPERUSER_PASSWORD = ./passwords/superuser.age;
|
|
||||||
PATRONI_REWIND_PASSWORD = ./passwords/rewind.age;
|
|
||||||
};
|
|
||||||
};
|
|
||||||
links = {
|
links = {
|
||||||
patroni-pg-internal.ipv4 = "0.0.0.0";
|
patroni-pg-internal.ipv4 = "0.0.0.0";
|
||||||
patroni-api.ipv4 = "0.0.0.0";
|
patroni-api.ipv4 = "0.0.0.0";
|
||||||
|
@ -25,5 +18,17 @@
|
||||||
];
|
];
|
||||||
haproxy = ./haproxy.nix;
|
haproxy = ./haproxy.nix;
|
||||||
};
|
};
|
||||||
|
secrets = let
|
||||||
|
inherit (config.services.patroni) nodes;
|
||||||
|
default = {
|
||||||
|
nodes = nodes.worker;
|
||||||
|
owner = "patroni";
|
||||||
|
};
|
||||||
|
in {
|
||||||
|
PATRONI_REPLICATION_PASSWORD = default;
|
||||||
|
PATRONI_SUPERUSER_PASSWORD = default;
|
||||||
|
PATRONI_REWIND_PASSWORD = default;
|
||||||
|
metricsCredentials.nodes = nodes.worker;
|
||||||
|
};
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
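Review bot: The new `default` attrset sets only `owner = "patroni"`, while the `age.secrets` mapping this PR removes from the patroni host module (the `lib.mapAttrs` block deleted in the `@ -20,13 +21,6 @@` hunk further down) also pinned `mode = "0400"` and `group = "patroni"`. Unless the patroni `secrets` option supplies those defaults — its definition is not part of this diff — the rendered secret files may end up with a broader mode or group than before. I would carry them over explicitly, `default = { nodes = nodes.worker; owner = "patroni"; group = "patroni"; mode = "0400"; };`, or state the module's defaults in a comment next to the `let`. The same concern applies to the `environmentFiles` rewrite in the last hunk, which now relies on this declaration for file permissions.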
|
|
|
@ -2,13 +2,12 @@
|
||||||
|
|
||||||
let
|
let
|
||||||
inherit (cluster.config) links vars;
|
inherit (cluster.config) links vars;
|
||||||
|
inherit (cluster.config.services.patroni) secrets;
|
||||||
|
|
||||||
getMeshIp = name: vars.mesh.${name}.meshIp;
|
getMeshIp = name: vars.mesh.${name}.meshIp;
|
||||||
in
|
in
|
||||||
|
|
||||||
{
|
{
|
||||||
age.secrets.postgres-metrics-db-credentials.file = ./passwords/metrics.age;
|
|
||||||
|
|
||||||
services.grafana-agent = {
|
services.grafana-agent = {
|
||||||
settings.integrations.postgres_exporter = {
|
settings.integrations.postgres_exporter = {
|
||||||
enabled = true;
|
enabled = true;
|
||||||
|
@ -19,7 +18,7 @@ in
|
||||||
autodiscover_databases = true;
|
autodiscover_databases = true;
|
||||||
};
|
};
|
||||||
credentials = {
|
credentials = {
|
||||||
PG_METRICS_DB_PASSWORD = config.age.secrets.postgres-metrics-db-credentials.path;
|
PG_METRICS_DB_PASSWORD = secrets.metricsCredentials.path;
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
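Review bot: `PG_METRICS_DB_PASSWORD` now points at `secrets.metricsCredentials.path`, and the cluster-level declaration of `metricsCredentials` carries only `nodes`, so whether the grafana-agent service user can read that file depends entirely on the secrets module's default owner and mode, which are not visible in this diff. The previous `age.secrets.postgres-metrics-db-credentials` declaration left owner unset as well, so behaviour is probably unchanged, but the decision now lives in a different file. A one-line comment above `credentials`, `# owner/mode come from cluster.config.services.patroni.secrets.metricsCredentials; the exporter user must be able to read it`, would record that dependency.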
|
|
|
@ -2,6 +2,7 @@
|
||||||
|
|
||||||
let
|
let
|
||||||
inherit (cluster.config) vars;
|
inherit (cluster.config) vars;
|
||||||
|
inherit (cluster.config.services.patroni) secrets;
|
||||||
inherit (config.networking) hostName;
|
inherit (config.networking) hostName;
|
||||||
|
|
||||||
getMeshIp = name: vars.mesh.${name}.meshIp;
|
getMeshIp = name: vars.mesh.${name}.meshIp;
|
||||||
|
@ -20,13 +21,6 @@ in
|
||||||
depot.nixosModules.patroni
|
depot.nixosModules.patroni
|
||||||
];
|
];
|
||||||
|
|
||||||
age.secrets = lib.mapAttrs (_: file: {
|
|
||||||
inherit file;
|
|
||||||
mode = "0400";
|
|
||||||
owner = "patroni";
|
|
||||||
group = "patroni";
|
|
||||||
}) vars.patroni.passwords;
|
|
||||||
|
|
||||||
systemd.tmpfiles.rules = [
|
systemd.tmpfiles.rules = [
|
||||||
"d '${baseDir}' 0700 patroni patroni - -"
|
"d '${baseDir}' 0700 patroni patroni - -"
|
||||||
"d '${walDir}' 0700 patroni patroni - -"
|
"d '${walDir}' 0700 patroni patroni - -"
|
||||||
|
@ -83,6 +77,6 @@ in
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
environmentFiles = lib.mapAttrs (n: _: config.age.secrets.${n}.path) vars.patroni.passwords;
|
environmentFiles = lib.mapAttrs (_: secret: secret.path) (lib.filterAttrs (name: _: lib.hasPrefix "PATRONI_" name) secrets);
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
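Review bot: The `environmentFiles` expression selects secrets by the `PATRONI_` name prefix, which is an implicit contract with the cluster-level `secrets` declaration: any secret added there with that prefix is injected into patroni's environment, and anything without it (currently `metricsCredentials`) is silently excluded. A comment on the line would make the intent explicit, e.g. `# PATRONI_* entries are the credentials patroni reads from its environment; other entries (metricsCredentials) belong to the exporter.` The one-liner is also dense enough that a `let`-bound `patroniSecrets = lib.filterAttrs (name: _: lib.hasPrefix "PATRONI_" name) secrets;` followed by `environmentFiles = lib.mapAttrs (_: secret: secret.path) patroniSecrets;` would read better. The enclosing attrset starts before this hunk.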
|
|