fixes
This commit is contained in:
mjallen18
@@ -203,7 +203,7 @@ in
|
||||
};
|
||||
sparky-fitness-db = {
|
||||
enable = false;
|
||||
port = 5433;
|
||||
port = 5432;
|
||||
};
|
||||
sparky-fitness-server = {
|
||||
enable = true;
|
||||
|
||||
@@ -1,4 +1,5 @@
|
||||
{
|
||||
lib,
|
||||
pkgs,
|
||||
...
|
||||
}:
|
||||
@@ -75,24 +76,38 @@ in
|
||||
ensureDBOwnership = true;
|
||||
}
|
||||
];
|
||||
# Allow access via pg_hba.conf rules:10.88.0.63
|
||||
authentication = pkgs.lib.mkOverride 50 ''
|
||||
# TYPE DATABASE USER ADDRESS METHOD
|
||||
local all all trust
|
||||
host homeassistant homeassistant 10.0.1.0/24 trust
|
||||
local nextcloud nextcloud trust
|
||||
host nextcloud nextcloud 10.0.1.0/24 trust
|
||||
host nextcloud nextcloud ::1/128 trust
|
||||
local onlyoffice onlyoffice trust
|
||||
host onlyoffice onlyoffice 10.0.1.0/24 trust
|
||||
local synapse synapse trust
|
||||
host synapse synapse ::1/128 trust
|
||||
local sparkyfitness sparkyfitness trust
|
||||
host sparkyfitness sparkyfitness ::1/128 trust
|
||||
# pg_hba.conf — use lib.mkForce to replace the module defaults entirely.
|
||||
#
|
||||
# Connection matrix:
|
||||
# postgres (admin) — Unix socket, peer (OS user postgres = DB user postgres)
|
||||
# authentik — Unix socket, peer (OS user authentik = DB user authentik)
|
||||
# nextcloud — Unix socket, peer (OS user nextcloud = DB user nextcloud)
|
||||
# homeassistant — Unix socket, peer via identMap (OS user hass → DB user homeassistant)
|
||||
# synapse — Unix socket, peer via identMap (OS user matrix-synapse → DB user synapse)
|
||||
# onlyoffice — Unix socket, peer (OS user onlyoffice = DB user onlyoffice) [disabled]
|
||||
# sparkyfitness — Podman container TCP (10.88.0.0/16), scram-sha-256
|
||||
authentication = lib.mkForce ''
|
||||
# TYPE DATABASE USER ADDRESS METHOD
|
||||
# All local Unix socket connections use peer auth (with identMap for mismatched names)
|
||||
local all all peer map=system
|
||||
|
||||
# Podman container network — sparkyfitness server connects via host LAN IP
|
||||
host sparkyfitness sparkyfitness 10.88.0.0/16 scram-sha-256
|
||||
'';
|
||||
initialScript = pkgs.writeText "init-sql-script" ''
|
||||
alter user sparkyfitness with password 'sparkyfitness';
|
||||
|
||||
# identMap — maps OS usernames to PostgreSQL usernames for peer auth.
|
||||
# The catch-all regex rule (/^(.*)$ \1) allows any OS user whose name matches
|
||||
# their DB user directly (authentik, nextcloud, onlyoffice, postgres).
|
||||
# Explicit entries cover the mismatches.
|
||||
identMap = lib.mkForce ''
|
||||
# MAPNAME OS-USERNAME DB-USERNAME
|
||||
system hass homeassistant
|
||||
system matrix-synapse synapse
|
||||
system /^(.*)$ \1
|
||||
'';
|
||||
# TODO: set sparkyfitness password declaratively via ensureUsers.*.ensureClauses.password
|
||||
# once the SCRAM-SHA-256 hash is stored in SOPS (jallen-nas/sparky-fitness/db-password).
|
||||
# The old initialScript has been removed — it only ran on first DB init and is now stale.
|
||||
};
|
||||
|
||||
mysql = {
|
||||
|
||||
@@ -257,6 +257,22 @@ in
|
||||
sopsFile = defaultSops;
|
||||
};
|
||||
|
||||
# ------------------------------
|
||||
# sparky-fitness
|
||||
# ------------------------------
|
||||
"jallen-nas/sparky-fitness/db-password" = {
|
||||
sopsFile = defaultSops;
|
||||
restartUnits = [ "podman-sparky-fitness-server.service" ];
|
||||
};
|
||||
"jallen-nas/sparky-fitness/api-encryption-key" = {
|
||||
sopsFile = defaultSops;
|
||||
restartUnits = [ "podman-sparky-fitness-server.service" ];
|
||||
};
|
||||
"jallen-nas/sparky-fitness/auth-secret" = {
|
||||
sopsFile = defaultSops;
|
||||
restartUnits = [ "podman-sparky-fitness-server.service" ];
|
||||
};
|
||||
|
||||
# ------------------------------
|
||||
# authentik-rac
|
||||
# NOTE: add to nas-secrets.yaml via `sops secrets/nas-secrets.yaml`:
|
||||
|
||||
Reference in New Issue
Block a user