Cluster secrets #100

Merged
max merged 17 commits from pr-cluster-secrets into master 2024-07-08 22:23:11 +03:00
7 changed files with 16 additions and 18 deletions
Showing only changes of commit b87b3d000d - Show all commits

View file

@ -1,13 +1,6 @@
{ config, lib, ... }:
{
vars.patroni = {
passwords = {
PATRONI_REPLICATION_PASSWORD = ./passwords/replication.age;
PATRONI_SUPERUSER_PASSWORD = ./passwords/superuser.age;
PATRONI_REWIND_PASSWORD = ./passwords/rewind.age;
};
};
links = {
patroni-pg-internal.ipv4 = "0.0.0.0";
patroni-api.ipv4 = "0.0.0.0";
@ -25,5 +18,17 @@
];
haproxy = ./haproxy.nix;
};
secrets = let
inherit (config.services.patroni) nodes;
default = {
nodes = nodes.worker;
owner = "patroni";
};
in {
PATRONI_REPLICATION_PASSWORD = default;
PATRONI_SUPERUSER_PASSWORD = default;
PATRONI_REWIND_PASSWORD = default;
metricsCredentials.nodes = nodes.worker;
};
};
}

View file

@ -2,13 +2,12 @@
let
inherit (cluster.config) links vars;
inherit (cluster.config.services.patroni) secrets;
getMeshIp = name: vars.mesh.${name}.meshIp;
in
{
age.secrets.postgres-metrics-db-credentials.file = ./passwords/metrics.age;
services.grafana-agent = {
settings.integrations.postgres_exporter = {
enabled = true;
@ -19,7 +18,7 @@ in
autodiscover_databases = true;
};
credentials = {
PG_METRICS_DB_PASSWORD = config.age.secrets.postgres-metrics-db-credentials.path;
PG_METRICS_DB_PASSWORD = secrets.metricsCredentials.path;
};
};
}

View file

@ -2,6 +2,7 @@
let
inherit (cluster.config) vars;
inherit (cluster.config.services.patroni) secrets;
inherit (config.networking) hostName;
getMeshIp = name: vars.mesh.${name}.meshIp;
@ -20,13 +21,6 @@ in
depot.nixosModules.patroni
];
age.secrets = lib.mapAttrs (_: file: {
inherit file;
mode = "0400";
owner = "patroni";
group = "patroni";
}) vars.patroni.passwords;
systemd.tmpfiles.rules = [
"d '${baseDir}' 0700 patroni patroni - -"
"d '${walDir}' 0700 patroni patroni - -"
@ -83,6 +77,6 @@ in
];
};
};
environmentFiles = lib.mapAttrs (n: _: config.age.secrets.${n}.path) vars.patroni.passwords;
environmentFiles = lib.mapAttrs (_: secret: secret.path) (lib.filterAttrs (name: _: lib.hasPrefix "PATRONI_" name) secrets);
};
}