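{ config, pkgs, lib, ... }:

let
  # Application roles provisioned when the cluster is first initialised.
  # initialScript only runs against an EMPTY data directory, so editing this set
  # does not change an existing cluster -- apply changes there with
  # ALTER ROLE / ALTER DATABASE. Each entry yields: a role, a database of the
  # same name owned by that role, and a per-database connection cap. The caps
  # sum to 195; with superuser_reserved_connections = 5 that exactly fills
  # max_connections = 200.
  #
  # SECURITY(review): every password below is identical to its role name, and
  # because initialScript is written to the Nix store it is readable by every
  # local user under /nix/store. Rotate these (ALTER ROLE ... PASSWORD) and
  # source the new values from a secret file -- the module already does that
  # for pgadmin via config.age.secrets -- instead of committing them here.
  appDatabases = {
    baserow           = { password = "baserow";           connectionLimit = 60; };
    kestra            = { password = "kestra";            connectionLimit = 10; };
    librechat_rag     = { password = "librechat_rag";     connectionLimit = 20; };
    librechat_rag_dev = { password = "librechat_rag_dev"; connectionLimit = 10; };
    metabase          = { password = "metabase";          connectionLimit = 15; };
    n8n               = { password = "n8n";               connectionLimit =  5; };
    outline           = { password = "outline";           connectionLimit =  5; };
    vaultwarden       = { password = "vaultwarden";       connectionLimit = 20; };
    # Previously spelled "zammad-hr". An unquoted hyphen is not a valid SQL
    # identifier, so those CREATE USER / CREATE DATABASE statements failed and
    # the pg_hba.conf and backup entries for zammad_hr referred to nothing.
    # The underscore form matches both of them.
    zammad_hr         = { password = "zammad_hr";         connectionLimit = 50; };
  };

  # SQL for one role plus its database. ENCRYPTED is a no-op keyword on modern
  # PostgreSQL; the stored hash format follows password_encryption (scram-sha-256
  # by default on 14+), which is what the pg_hba.conf rules below demand.
  mkAppDbSql = name: { password, connectionLimit }: ''
    CREATE USER ${name} WITH ENCRYPTED PASSWORD '${password}';
    CREATE DATABASE ${name};
    ALTER DATABASE ${name} OWNER TO ${name};
    ALTER DATABASE ${name} CONNECTION LIMIT ${toString connectionLimit};
  '';
in
{
  services.postgresql = {
    enable = true;
    package = pkgs.postgresql_17;
    extensions = with pkgs.postgresql17Packages; [ pgvector ];

    # Listen on TCP in addition to the Unix socket. Which peers may actually
    # connect is decided by pg_hba.conf (authentication below) and the firewall.
    enableTCPIP = true;

    settings = {
      # ssl = true makes the server load ssl_cert_file / ssl_key_file at start.
      # Neither is set in this module, so the certificate must be provided
      # elsewhere (or as server.crt / server.key in the data directory) -- verify.
      ssl = true;
      max_connections = 200;
      shared_buffers = "4GB";
      superuser_reserved_connections = 5;
      # Reclaim connections that applications leak or leave open.
      idle_in_transaction_session_timeout = "10min";
      idle_session_timeout = "2h";
      tcp_keepalives_idle = 60;
      tcp_keepalives_interval = 10;
      tcp_keepalives_count = 6;
      deadlock_timeout = "1s";
      authentication_timeout = "30s";
      # Audit trail: who connected, from where, and who waited on locks.
      log_connections = true;
      log_disconnections = true;
      log_lock_waits = true;
    };

    initialScript = pkgs.writeText "backend-initScript"
      (lib.concatStrings (lib.mapAttrsToList mkAppDbSql appDatabases));

    # pg_hba.conf. The first matching line wins; the trailing reject lines make
    # the default-deny explicit. Priority 10 so this replaces, rather than
    # merges with, whatever the module or other modules contribute.
    #
    # NOTE(review): roles az_test, zammad and litellm are not created by this
    # module -- presumably provisioned elsewhere, or stale; verify and prune.
    # NOTE(review): the container rules use "host", which also admits plaintext
    # sessions. Switch them to "hostssl" once every client on those networks is
    # confirmed to negotiate TLS (JDBC clients default to no SSL).
    # NOTE(review): the NixOS-created "postgres" role has no password, so the
    # loopback postgres lines are effectively dead until one is set.
    authentication = lib.mkOverride 10 ''
      # TYPE  DATABASE           USER               ADDRESS        METHOD

      # Local connections (Unix socket)
      local   all                postgres                          peer
      local   az_test            az_test                           scram-sha-256
      local   metabase           metabase                          scram-sha-256
      local   n8n                n8n                               scram-sha-256
      local   outline            outline                           scram-sha-256
      local   vaultwarden        vaultwarden                       scram-sha-256
      local   zammad             zammad                            scram-sha-256

      # Localhost connections (IPv4 and IPv6)
      host    all                postgres           127.0.0.1/32   scram-sha-256
      host    all                postgres           ::1/128        scram-sha-256
      host    az_test            az_test            127.0.0.1/32   scram-sha-256
      host    az_test            az_test            ::1/128        scram-sha-256
      host    outline            outline            127.0.0.1/32   scram-sha-256
      host    outline            outline            ::1/128        scram-sha-256
      host    metabase           metabase           127.0.0.1/32   scram-sha-256
      host    metabase           metabase           ::1/128        scram-sha-256
      host    n8n                n8n                127.0.0.1/32   scram-sha-256
      host    n8n                n8n                ::1/128        scram-sha-256
      host    vaultwarden        vaultwarden        127.0.0.1/32   scram-sha-256
      host    vaultwarden        vaultwarden        ::1/128        scram-sha-256
      host    zammad             zammad             127.0.0.1/32   scram-sha-256
      host    zammad             zammad             ::1/128        scram-sha-256

      # Podman bridge networks (each role may only open its own database)
      host    baserow            baserow            10.89.0.0/24   scram-sha-256
      host    kestra             kestra             10.89.0.0/24   scram-sha-256
      host    librechat_rag      librechat_rag      10.89.0.0/24   scram-sha-256
      host    librechat_rag_dev  librechat_rag_dev  10.89.1.0/24   scram-sha-256
      host    zammad_hr          zammad_hr          10.89.0.0/24   scram-sha-256
      host    litellm            litellm            10.89.0.0/24   scram-sha-256

      # Deny all other connections
      local   all                all                               reject
      host    all                all                0.0.0.0/0      reject
      host    all                all                ::/0           reject
    '';
  };

  services.postgresqlBackup = {
    enable = true;
    startAt = "03:10:00";
    # One pg_dump per database. litellm and zammad are not created by this
    # module; if they are absent on the cluster their dump fails -- verify.
    databases = lib.attrNames appDatabases ++ [ "litellm" "zammad" ];
  };

  # pgadmin: a database console that can run arbitrary SQL as any role whose
  # credentials are entered into it. Initial admin password comes from agenix.
  services.pgadmin = {
    enable = true;
    initialPasswordFile = config.age.secrets.pgadmin-pw.path;
    initialEmail = "sascha.koenig@azintec.com";
  };

  # Traefik route for pgadmin (the service listens on localhost:5050).
  # SECURITY(review): this publishes the pgadmin login form on a public
  # hostname with nothing in front of it but pgadmin's own password; consider
  # an IP allowlist or forward-auth middleware on this router.
  services.traefik.dynamicConfigOptions.http = {
    services.pgadmin.loadBalancer.servers = [ { url = "http://localhost:5050/"; } ];
    routers.pgadmin = {
      rule = "Host(`pg.az-gruppe.com`)";
      # Traefik documents entryPoints as a list; the previous config passed a
      # bare string under a lowercase key.
      entryPoints = [ "websecure" ];
      tls.certResolver = "ionos";
      service = "pgadmin";
    };
  };

  networking.firewall.extraCommands = ''
    # Open 5432 only to loopback and the two podman bridge networks that
    # pg_hba.conf admits. Rules go into nixos-fw, the chain the firewall module
    # creates and flushes itself; rules appended directly to INPUT (as before)
    # are outside what the module manages and would survive a firewall
    # reload/stop. lo is a trusted interface by default, so the 127.0.0.1 rule
    # is belt-and-braces. IPv4 only: no ip6tables counterpart is added, so IPv6
    # clients of 5432 remain blocked by the default policy.
    iptables -A nixos-fw -p tcp -s 127.0.0.1   --dport 5432 -j nixos-fw-accept
    iptables -A nixos-fw -p tcp -s 10.89.0.0/24 --dport 5432 -j nixos-fw-accept
    iptables -A nixos-fw -p tcp -s 10.89.1.0/24 --dport 5432 -j nixos-fw-accept
  '';
}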