From 3cb2a7e000939e76b7ae406f0e90274026af224f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Charlotte=20=F0=9F=A6=9D=20Delenk?= Date: Thu, 15 Dec 2022 19:31:16 +0100 Subject: [PATCH] Add replicated postgresql --- config/instance-20221213-1915.nix | 2 + config/nixos-8gb-fsn1-1.nix | 3 +- config/nutty-noon.nix | 2 +- config/services/hydra.nix | 2 +- .../{postgres.nix => postgres/default.nix} | 2 +- config/services/postgres/high-available.nix | 49 +++++++++ config/thinkrac.nix | 2 +- flake.lock | 102 +++++++++++++++++- flake.nix | 5 + secrets/instance-20221213-1915.yaml | 12 ++- secrets/nixos-8gb-fsn1-1.yaml | 12 ++- 11 files changed, 183 insertions(+), 10 deletions(-) rename config/services/{postgres.nix => postgres/default.nix} (88%) create mode 100644 config/services/postgres/high-available.nix diff --git a/config/instance-20221213-1915.nix b/config/instance-20221213-1915.nix index 760afc5b..a5d0eff1 100644 --- a/config/instance-20221213-1915.nix +++ b/config/instance-20221213-1915.nix @@ -14,6 +14,7 @@ ./server.nix ./wireguard/public-server.nix ./services/named-submissive.nix + ./services/postgres/high-available.nix ]; boot.initrd.availableKernelModules = ["xhci_pci" "virtio_pci" "usbhid"]; @@ -75,6 +76,7 @@ systemd.tmpfiles.rules = [ "L /var/lib/acme - - - - /persist/var/lib/acme" + "L /var/lib/postgresql - - - - /persist/var/lib/postgresql" ]; networking.wireguard.interfaces."wg0".ips = ["fd0d:a262:1fa6:e621:746d:4523:5c04:1453/64"]; diff --git a/config/nixos-8gb-fsn1-1.nix b/config/nixos-8gb-fsn1-1.nix index 74748fab..6cea0a06 100644 --- a/config/nixos-8gb-fsn1-1.nix +++ b/config/nixos-8gb-fsn1-1.nix @@ -15,7 +15,7 @@ ./services/named.nix ./services/grafana.nix ./users/miifox.nix - ./services/postgres.nix + ./services/postgres ./services/gitea.nix ./services/old-homepage.nix ./services/postfixadmin.nix 
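Review bot: The new tmpfiles rule in the second instance-20221213-1915.nix hunk only creates the symlink `/var/lib/postgresql -> /persist/var/lib/postgresql`; nothing in the hunk creates the target under /persist or gives it postgres ownership, yet the postgres user has to be able to create `/var/lib/postgresql/15` beneath it and PostgreSQL refuses to start on a data directory it does not own. Unless the persisted directory is provisioned elsewhere, add a directory rule ahead of the link, e.g. `"d /persist/var/lib/postgresql 0700 postgres postgres - -"`. The same persistence link is not added for nixos-8gb-fsn1-1, which also imports high-available.nix in this commit; worth confirming that host keeps its state directly under /var/lib/postgresql rather than on an impermanent root.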
@@ -30,6 +30,7 @@ ./services/peertube ./services/rspamd.nix ./wireguard/public-server.nix + ./services/postgres/high-available.nix ]; boot.initrd.availableKernelModules = ["ata_piix" "virtio_pci" "virtio_scsi" "xhci_pci" "sd_mod" "sr_mod"]; diff --git a/config/nutty-noon.nix b/config/nutty-noon.nix index db9ca337..789a9ac4 100644 --- a/config/nutty-noon.nix +++ b/config/nutty-noon.nix @@ -18,7 +18,7 @@ nixos-hardware.nixosModules.common-cpu-amd nixos-hardware.nixosModules.common-gpu-amd nixos-hardware.nixosModules.common-pc-ssd - ./services/postgres.nix + ./services/postgres ./services/drone-runner-docker.nix ./services/gitlab-runner ]; diff --git a/config/services/hydra.nix b/config/services/hydra.nix index e24fdf31..d78c4746 100644 --- a/config/services/hydra.nix +++ b/config/services/hydra.nix @@ -18,7 +18,7 @@ ''; in { imports = [ - ./postgres.nix + ./postgres ../../modules/hydra.nix ]; services.hydra = { diff --git a/config/services/postgres.nix b/config/services/postgres/default.nix similarity index 88% rename from config/services/postgres.nix rename to config/services/postgres/default.nix index 25b85181..0a688795 100644 --- a/config/services/postgres.nix +++ b/config/services/postgres/default.nix @@ -19,7 +19,7 @@ services.prometheus.exporters.postgres = { enable = true; user = "postgres"; - listenAddress = (import ../../utils/getInternalIP.nix config).listenIP; + listenAddress = (import ../../../utils/getInternalIP.nix config).listenIP; }; networking.firewall.interfaces."wg0".allowedTCPPorts = [9187]; } diff --git a/config/services/postgres/high-available.nix b/config/services/postgres/high-available.nix new file mode 100644 index 00000000..cef5126d --- /dev/null +++ b/config/services/postgres/high-available.nix 
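Review bot: nixos-8gb-fsn1-1 now imports both `./services/postgres` and `./services/postgres/high-available.nix`, and each of them configures a Prometheus postgres exporter (`services.prometheus.exporters.postgres` with port 9187 in default.nix, `prometheus.enable-postgres-exporter = true` in the hapsql block); if hapsql's exporter also binds 9187 on the internal address, the two definitions collide at activation or at runtime. I cannot see from the hunk whether default.nix additionally enables a standalone `services.postgresql` instance that would compete with Patroni for the data directory — that needs checking. instance-20221213-1915 imports only high-available.nix, so the two HA members end up with different module sets; consider dropping the legacy import on this host or making one module the single place that wires the exporter.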
@@ -0,0 +1,49 @@ +{ + config, + pkgs, + lib, + hapsql, + ... +}: let + internalIP = (import ../../../utils/getInternalIP.nix config).listenIP; + haNodes = ["[fd0d:a262:1fa6:e621:b4e1:08ff:e658:6f49]" "[fd0d:a262:1fa6:e621:746d:4523:5c04:1453]"]; +in { + imports = [ + hapsql.nixosModule + ]; + services.hapsql = { + enable = true; + nodeName = config.networking.hostName; + nodeAddress = internalIP; + cluster = { + scope = "chirrs"; + nodes = builtins.filter (a: a != internalIP) haNodes; + ports = { + raft = 49921; + postgres = 2428; + restApi = 56708; + }; + }; + postgresqlPackage = pkgs.postgresql_15.withPackages (ps: with ps; [rum]); + prometheus = { + enable-postgres-exporter = true; + }; + }; + services.patroni2 = { + postgresql.data_dir = "/var/lib/postgresql/15"; + bootstrap = { + pg_hba = [ + "host replication replicator fd0d:a262:1fa6:e621:b4e1:08ff:e658:6f49/128 md5" + "host replication replicator fd0d:a262:1fa6:e621:746d:4523:5c04:1453/128 md5" + "host all all 0.0.0.0/0 md5" + "host all all ::/0 md5" + ]; + }; + }; + networking.firewall.interfaces."wg0".allowedTCPPorts = [ + 49921 + 2428 + 56708 + ]; + users.users.postgres.home = lib.mkForce "/var/lib/postgresql"; +} diff --git a/config/thinkrac.nix b/config/thinkrac.nix index 000aa6b8..a3c7d49b 100644 --- a/config/thinkrac.nix +++ b/config/thinkrac.nix @@ -18,7 +18,7 @@ nixos-hardware.nixosModules.lenovo-thinkpad-t470s nixos-hardware.nixosModules.common-cpu-intel-kaby-lake nixos-hardware.nixosModules.common-pc-ssd - ./services/postgres.nix + ./services/postgres ]; hardware.cpu.intel.updateMicrocode = true; diff --git a/flake.lock b/flake.lock index 3d1abd71..8f0b67f9 100644 --- a/flake.lock +++ b/flake.lock 
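Review bot: The bootstrap `pg_hba` rules `host all all 0.0.0.0/0 md5` and `host all all ::/0 md5` grant password authentication to every database and every role, including the superuser, from any source address; reachability is bounded only by the firewall opening 2428 on wg0, so a later firewall change silently widens database exposure. Narrow them to the prefix the WireGuard hosts actually use, e.g. `"host all all fd0d:a262:1fa6:e621::/64 scram-sha-256"`, and prefer `scram-sha-256` over `md5` on all four lines (PostgreSQL 15 stores new passwords as SCRAM by default; whether existing roles still carry md5 hashes has to be checked before switching). Separately, `haNodes` holds bracketed addresses while `internalIP` is presumably the bare listen address, so the filter `a != internalIP` may never drop the local node — confirm what getInternalIP.nix returns. The Patroni REST API on 56708 is also opened on wg0; make sure hapsql configures authentication for it, since it exposes cluster-management endpoints.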
@@ -143,6 +143,31 @@ "type": "github" } }, + "hapsql": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ], + "patroni": "patroni", + "prometheus-keepalived-exporter": "prometheus-keepalived-exporter", + "sops-nix": [ + "sops-nix" + ] + }, + "locked": { + "lastModified": 1668373073, + "narHash": "sha256-jevN2P7euK8hWc7iEF40cW2UfQsqurHL2Ccw4vz0S6s=", + "ref": "refs/heads/master", + "rev": "daf95d1e1e7f0270ac82edd7231d9daed0106a0d", + "revCount": 21, + "type": "git", + "url": "https://git.sr.ht/~bwolf/hapsql.nix" + }, + "original": { + "type": "git", + "url": "https://git.sr.ht/~bwolf/hapsql.nix" + } + }, "haskell-flake": { "locked": { "lastModified": 1668096377, @@ -210,7 +235,7 @@ "nixpkgs": [ "nixpkgs" ], - "utils": "utils" + "utils": "utils_3" }, "locked": { "lastModified": 1670970889, @@ -484,6 +509,28 @@ "type": "github" } }, + "patroni": { + "inputs": { + "nixpkgs": [ + "hapsql", + "nixpkgs" + ], + "utils": "utils" + }, + "locked": { + "lastModified": 1668372943, + "narHash": "sha256-JSbuXzu1cHuu3NbQzRDs3ExPUP89xTNWfTRJG/vzOqg=", + "ref": "refs/heads/master", + "rev": "0e0e7c4e82f6583efc8cec47904e0a8deb92191f", + "revCount": 16, + "type": "git", + "url": "https://git.sr.ht/~bwolf/patroni.nix" + }, + "original": { + "type": "git", + "url": "https://git.sr.ht/~bwolf/patroni.nix" + } + }, "plasma-manager": { "inputs": { "home-manager": [ @@ -530,6 +577,28 @@ "type": "github" } }, + "prometheus-keepalived-exporter": { + "inputs": { + "nixpkgs": [ + "hapsql", + "nixpkgs" + ], + "utils": "utils_2" + }, + "locked": { + "lastModified": 1662960295, + "narHash": "sha256-4nOsFasQ463Zf8TAlUBydtr5FS+ivpNNcfyWeAdsyNw=", + "ref": "refs/heads/master", + "rev": "52fe5366dde3d5a9ee8562fff5b0502544921dd0", + "revCount": 5, + "type": "git", + "url": "https://git.sr.ht/~bwolf/prometheus-keepalived-exporter.nix" + }, + "original": { + "type": "git", + "url": "https://git.sr.ht/~bwolf/prometheus-keepalived-exporter.nix" + } + }, "root": { "inputs": { "dns": "dns", 
@@ -537,6 +606,7 @@ "emanote": "emanote", "flake-parts": "flake-parts_2", "flake-utils": "flake-utils", + "hapsql": "hapsql", "haskell-flake": "haskell-flake_2", "home-manager": "home-manager", "hosts-list": "hosts-list", @@ -622,6 +692,36 @@ "repo": "flake-utils", "type": "github" } + }, + "utils_2": { + "locked": { + "lastModified": 1659877975, + "narHash": "sha256-zllb8aq3YO3h8B/U0/J1WBgAL8EX5yWf5pMj3G0NAmc=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "c0e246b9b83f637f4681389ecabcb2681b4f3af0", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "utils_3": { + "locked": { + "lastModified": 1667395993, + "narHash": "sha256-nuEHfE/LcWyuSWnS8t12N1wc105Qtau+/OdUAjtQ0rA=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "5aed5285a952e0b949eb3ba02c12fa4fcfef535f", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } } }, "root": "root", diff --git a/flake.nix b/flake.nix index 8f5ecd74..bff20603 100644 --- a/flake.nix +++ b/flake.nix @@ -22,6 +22,11 @@ rec { inputs.nixpkgs-lib.follows = "nixpkgs"; }; flake-utils.url = "github:numtide/flake-utils"; + hapsql = { + url = "git+https://git.sr.ht/~bwolf/hapsql.nix"; + inputs.nixpkgs.follows = "nixpkgs"; + inputs.sops-nix.follows = "sops-nix"; + }; haskell-flake.url = "github:srid/haskell-flake"; home-manager = { url = "github:nix-community/home-manager"; diff --git a/secrets/instance-20221213-1915.yaml b/secrets/instance-20221213-1915.yaml index 0b0499b6..f3aad863 100644 --- a/secrets/instance-20221213-1915.yaml +++ b/secrets/instance-20221213-1915.yaml 
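Review bot: The new `hapsql` input is declared as `git+https://git.sr.ht/~bwolf/hapsql.nix` with no `ref` or `rev`, so it tracks the remote's default branch and every `nix flake update` pulls whatever that branch then contains into a module that manages the database superuser, replication credentials and data directory on both hosts. flake.lock pins it today at `daf95d1e1e7f0270ac82edd7231d9daed0106a0d`; pinning in flake.nix as well (`url = "git+https://git.sr.ht/~bwolf/hapsql.nix?rev=daf95d1e1e7f0270ac82edd7231d9daed0106a0d";`), or at least reviewing the lock diff for hapsql and its transitive `patroni` and `prometheus-keepalived-exporter` inputs before updating, keeps that change deliberate.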
@@ -21,6 +21,14 @@ root: password: root: ENC[AES256_GCM,data:wGFQ73r7XiOQ5HTtVwZfJu10Y0ZkBQ4YWm2MUCXyJy0kS2lh942aCOOobn+ZgDwZe2/esaaZi3UZ1sjmAMsRe4E5Fv6eJRXeqa7Ym+3Wj8LsssWIWBX06CkCS/LADUIUekcmDfGq5KLvIA==,iv:lvcSkngLc7phKVsFO0QooID62iI7Cm+qoYvW2nRo9Js=,tag:jTOBdy+EBrxMm5jyy8m3PA==,type:str] darkkirb: ENC[AES256_GCM,data:ji+aKSQgrVNSASAr23hRppGLnANXKD5CI+pRk6Lb4DHsVd+U0enDu68SAR6vh5xt5t2NlICdnN6K5IlS8DQvNWC+3X5IJb5F0dfBZYcTnu2FdmX1D2XyoniJw2z4Pd2YZLB6+fiVmgcL2g==,iv:GExkGbbImSDOXc8nGD3vGbBr7AIa0ArhaOaV8rOnWGk=,tag:pZB/IBZzNL9Cuv/xNRY3sA==,type:str] +patroni: + postgresql: + replication: + password: ENC[AES256_GCM,data:Rtvp3uFW5i8Ql2rmkqJEqwdePXvqcRH2pc1UVn1MIlBmbSupklkdnObnB6GHDPLpNB8e7WS3pg3DW7PoNCtTHQ==,iv:ON96cAS/TIxUwGePwhRQdwe/e4VEZ7AJrZbS5SpB5GY=,tag:qlUhxoGriNrYHnf8xJkK0Q==,type:str] + superuser: + password: ENC[AES256_GCM,data:biKsnCeSvrF+ALiflH0wbn+k9Lu+WUQinojSsRZKcQ3Btez/8x4BYM3FGekG+bKM+YGjYOb3hTEuElbes4KhLw==,iv:fhGxZ3RlRyJ0h+1m8pycHI+eHaYTZ6WUwJGiSNtyvdU=,tag:XLtU+ZhBz5Ea9K0iZpZVQg==,type:str] + rewind: + password: ENC[AES256_GCM,data:3SFUf/vesfzA8lM/ND/89yvJga5SNBFilRZNdDCw3wfCBmqtWnQB5P3BuEvR1Ccao6H9dKQuEn32EQVZcVqCrw==,iv:JiseXAZGflG3JtL+jMkZ4N1jAutTvyuAxIuGHbTMvZc=,tag:ZrVCC6M3xtXss5zXoFKtiQ==,type:str] sops: kms: [] gcp_kms: [] 
@@ -36,8 +44,8 @@ sops: bVJUcDZLWTk3MiszOWp4enRRQmNsajQKF8QJs/Wb0SqnvsQEkRKlS1Ms9xLIdyvZ QCFAPclaOfaTLTiRJWXjDneBkMBduYKkRPiXCR+Bn7i4z8ixLXFmWw== -----END AGE ENCRYPTED FILE----- - lastmodified: "2022-12-14T15:34:13Z" - mac: ENC[AES256_GCM,data:9DHLfOjTVKWbsWiUDr7pu5pyh6dzoExcgjRsAd2HMtdu+R/Y04Zy5dbCJpFu4mvyRD9GJ5aI4hufYRLvFsTuO9k8aWNUbqb1IYnX+D6zzLlecCHxEJ6zhm0PhjkcuN0XxFhBQb/aCUaisP891PqHM8ZbXblIaCdl4FFX/me3Cls=,iv:MnMInA14AxnCPjLYvksSdZVfpvcIjpbLSQRMbzSYr2M=,tag:eQsCwg6S60FpZ4bxaBMiJg==,type:str] + lastmodified: "2022-12-15T18:48:50Z" + mac: ENC[AES256_GCM,data:Mg8cfwxhjPfJHHwEI3R+ZMeJUzl/caVc/V3UxDwV4VIeAT/d+WDVtdanF6ro4SyELbR9PdWC5q8wLTlpoz/CAjQvoPI3WEmYMtxmMBuZATy86EWz07FEltaod0yYcDvQ1RW24Km3gWrghHMBQUehijG+xHI84jvv8o+LL+ItktI=,iv:47ms+YmKjNC7wnox4Lpxp0m4eyMDJ+BNYI7JUokvyWk=,tag:sRL/JO7MKbFcf3gx064r9g==,type:str] pgp: - created_at: "2022-12-14T15:34:13Z" enc: | diff --git a/secrets/nixos-8gb-fsn1-1.yaml b/secrets/nixos-8gb-fsn1-1.yaml index 14d5e86d..8b071a63 100644 --- a/secrets/nixos-8gb-fsn1-1.yaml +++ b/secrets/nixos-8gb-fsn1-1.yaml 
@@ -73,6 +73,14 @@ email: password: root: ENC[AES256_GCM,data:AmwmR4I14s8mGTJidm4yEys1pPlLSRWoL9632IZSM1pAgV1H27KZIi+z00JUqnkvaCwuOsUH77tl9cSIK3UN1GUMbMaev3Ltln8hshRIYXN/bgg7K2JlZ5rwjLYjvxbwEBGEG8mBubHSvg==,iv:uoUiZ7t0u2ezAI1cwf86YxQ30hTlu6o7g3avzyBKWn8=,tag:Agn3UgC6PO5TdegGNHiZPw==,type:str] darkkirb: ENC[AES256_GCM,data:DSecZ2Fw8akFfzor30x/lPVztZcaxM5YT2gTsFYJxV/GQHODy9htHT7blTU4tWzAJsUXqFo/GzcBIwyJZ1ox3jVpAqznaBuQxslrgMurb6T47wsUcbjmX6bkDGra4iQEYrRPyXlJgKpmlw==,iv:XY4S3skY2zbq771Y3Tva2povZRfcXEOhweajzvI1ebk=,tag:DrHRNFgYpNWCPIY1zbURKg==,type:str] +patroni: + postgresql: + replication: + password: ENC[AES256_GCM,data:iMbwJTCn0IQ7rm/W5+vVLyHCKQfFpkGDXb0lNQJtAO/GBioQ8TLcp5djhAlHljCt6uKCPqkQaN5PxRvAijUQUw==,iv:rmbgTxYEL5ANJqoDZatzXGflg9nDbbsD9/1jb26RFME=,tag:wB9YV997ForDjJxZWSYaig==,type:str] + superuser: + password: ENC[AES256_GCM,data:dxAfTgyDtiNNhFfjmfgZIdTZf4H4RktD7uX7ywKSOOkLkrQRbbrM43voxC4hiCPNKfDXOKODLTYKdoFz0UZQBw==,iv:sT44JwP4dNIfE9ImohTvPt0XNlFucJCHIsALZ8oT/O0=,tag:XCxegdIMJhwLLejv1RpQFg==,type:str] + rewind: + password: ENC[AES256_GCM,data:8svavhNeEtOTKfoUNmlEamlGy0bS1GnefUvTpPs624ied3nXc9lhOyg1ZT4tXY5OmL9Qy7Xzr0YgTLJt19dQVA==,iv:y8+Pl251pHoZQK70uJQ44odKSXTcBSyEykprQOyHN08=,tag:BbZJnEQOiTol+UrrzQnoHw==,type:str] sops: kms: [] gcp_kms: [] 
@@ -88,8 +96,8 @@ sops: N1lNTTRhSDFsczd4VjNudUU2NEt4MUEKdVJIJmaoGcwUHa0BGB45jqYnm9aPVZxP dl1vkMx8EAiKhWKbBwQm5fFZcNh371rspGE7KOXmwNbNWef5bVfHpQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2022-12-14T16:46:00Z" - mac: ENC[AES256_GCM,data:SZUAvmTDVMfzCU8j9FS4zGIHUpwyHFYC2ybPrgiISOO4ka1LAR+8FgsY9SAkI0to6BV/Ha6sf8GyTYzJhtwnhDiTzsd0nmi+ZRJHVb7wZfvUEsKr69XoYhjx4cO3hhCIhBgminxqctSnx4wtR4mxtoisTImm6hxbZOW4FL3Tbu4=,iv:5Qo/fYBph6pbhNTS44ibuyMbli4ojMeGQkQVdtMveRo=,tag:w4xzhjFXiuJT9Jw0ELUXTg==,type:str] + lastmodified: "2022-12-15T18:49:04Z" + mac: ENC[AES256_GCM,data:WyZHDnHUtzyD7G9B1pZ61u4RdMf3TkQK8DUFNS1+fnT5ix0T9N/tMq9xgD1xvkey8PJpoSXeAPcCGlom8VwyWOw0reiJXGIgXd5jW28YSOlP8Sqtq+G37vSavCFfvtEI0ZwCt9mtB+hPvzGQK5n0mRb8LvuQQlZThji+yMSDPfo=,iv:trpJ/FVMlbGXkvwTRJjiu/ewfs8uq5twkj26gmPrVd8=,tag:U7km68CPWBu/QQlnhbRMCw==,type:str] pgp: - created_at: "2022-02-02T17:50:42Z" enc: |