feat: move postgres to shared modules

2025-07-27 10:07:44 +00:00 · 2025-02-27 23:40:34 +03:00 · 2025-02-27 23:40:34 +03:00 · dd4fa3b28d
commit dd4fa3b28d
parent cb7ba948d9
7 changed files with 197 additions and 115 deletions
--- a/hosts/best/postgresql.nix
+++ b/hosts/best/postgresql.nix
@ -0,0 +1,66 @@
+{ self, ... }: {
+  imports = [(self + /modules/postgresql.nix)];
+
+  # Generated by <https://pgconfigurator.cybertec.at/>
+  services.postgresql.settings = {
+    # Connectivity
+    max_connections                = 100;
+    superuser_reserved_connections = 3;
+
+    # Memory Settings
+    shared_buffers           = "10240 MB";
+    work_mem                 = "64 MB";
+    maintenance_work_mem     = "620 MB";
+    huge_pages               = "try"; # TODO: Tune kernel: <https://www.postgresql.org/docs/current/static/kernel-resources.html#LINUX-HUGE-PAGES>
+    effective_cache_size     = "45 GB";
+    effective_io_concurrency = 100;
+    random_page_cost         = 1.25;
+
+    # Monitoring
+    shared_preload_libraries = "pg_stat_statements";
+    track_io_timing          = "on";
+    track_functions          = "pl";
+
+    # Replication
+    wal_level          = "replica";
+    max_wal_senders    = 10;
+    synchronous_commit = "on";
+
+    # Checkpointing: 
+    checkpoint_timeout           = "15 min";
+    checkpoint_completion_target = 0.9;
+    max_wal_size                 = "1024 MB";
+    min_wal_size                 = "512 MB";
+
+    # WAL writing
+    wal_compression        = "on";
+    wal_buffers            = -1;
+    wal_writer_delay       = "200ms";
+    wal_writer_flush_after = "1MB";
+    wal_keep_size          = "3650 MB";
+
+
+    # Background writer
+    bgwriter_delay          = "200ms";
+    bgwriter_lru_maxpages   = 100;
+    bgwriter_lru_multiplier = 2.0;
+    bgwriter_flush_after    = 0;
+
+    # Parallel queries: 
+    max_worker_processes             = 20;
+    max_parallel_workers_per_gather  = 10;
+    max_parallel_maintenance_workers = 10;
+    max_parallel_workers             = 20;
+    parallel_leader_participation    = "on";
+
+    # Advanced features 
+    enable_partitionwise_join      = "on";
+    enable_partitionwise_aggregate = "on";
+    jit                            = "on";
+    max_slot_wal_keep_size         = "1000 MB";
+    track_wal_io_timing            = "on";
+    maintenance_io_concurrency     = 100;
+    wal_recycle                    = "on";
+  };
+}
+
--- a/hosts/cube/forgejo/default.nix
+++ b/hosts/cube/forgejo/default.nix
@ -5,7 +5,10 @@
  fqdn = "git.${domain}";
  port = 8001;
 in {
-  imports = [(self + /modules/nginx.nix)];
+  imports = [
+    (self + /modules/nginx.nix)
+    (self + /modules/postgresql.nix)
+  ];

  secrets.forgejoPasswordRunner = {
    file  = ./password.runner.age;
--- a/hosts/cube/grafana/default.nix
+++ b/hosts/cube/grafana/default.nix
@ -5,7 +5,10 @@
  fqdn = "metrics.${domain}";
  port = 8000;
 in {
-  imports = [(self + /modules/nginx.nix)];
+  imports = [
+    (self + /modules/nginx.nix)
+    (self + /modules/postgresql.nix)
+  ];

  secrets.grafanaPassword = {
    file  = ./password.age;
--- a/hosts/cube/matrix/default.nix
+++ b/hosts/cube/matrix/default.nix
@ -23,13 +23,18 @@
    };
  };
 in {
-  imports = [(self + /modules/nginx.nix)];
+  imports = [
+    (self + /modules/nginx.nix)
+    (self + /modules/postgresql.nix)
+  ];

  secrets.matrixSecret = {
    file  = ./password.secret.age;
    owner = "matrix-synapse";
  };

+  services.postgresql.ensure = [ "matrix-synapse" ];
+
  services.restic.backups = genAttrs config.services.restic.hosts <| const {
    paths = [ "/var/lib/matrix-synapse" ];
  };
--- a/hosts/cube/nextcloud/default.nix
+++ b/hosts/cube/nextcloud/default.nix
@ -6,7 +6,10 @@

  packageNextcloud = pkgs.nextcloud30;
 in {
-  imports = [(self + /modules/nginx.nix)];
+  imports = [
+    (self + /modules/nginx.nix)
+    (self + /modules/postgresql.nix)
+  ];

  secrets.nextcloudPassword = {
    file  = ./password.age;
--- a/hosts/cube/postgresql.nix
+++ b/hosts/cube/postgresql.nix
@ -1,66 +1,8 @@
-{ config, lib, pkgs, ... }: let
-  inherit (lib) const enabled flip genAttrs mkForce mkOverride mkValue;
-in {
-  config.services.prometheus.exporters.postgres = enabled {
-    listenAddress       = "[::]";
-    runAsLocalSuperUser = true;
-  };
-
-  config.services.restic.backups = genAttrs config.services.restic.hosts <| const {
-    paths = [ "/tmp/postgresql-dump.sql.gz" ];
-
-    backupPrepareCommand = /* sh */ ''
-      ${config.services.postgresql.package}/bin/pg_dumpall --clean \
-      | ${lib.getExe pkgs.gzip} --rsyncable \
-      > /tmp/postgresql-dump.sql.gz
-    '';
-
-    backupCleanupCommand = /* sh */ ''
-      rm /tmp/postgresql-dump.sql.gz
-    '';
-  };
-
-  options.services.postgresql.ensure = mkValue [];
-
-  config.environment.systemPackages = [
-    config.services.postgresql.package
-  ];
-
-  config.services.postgresql = enabled {
-    package = pkgs.postgresql_17;
-
-    enableJIT = true;
-
-    initdbArgs = [ "--locale=C" "--encoding=UTF8" ];
-
-    authentication = mkOverride 10 /* ini */ ''
-      #     DATABASE USER        AUTHENTICATION
-      local all      all         peer
-
-      #     DATABASE USER ADDRESS AUTHENTICATION
-      host  all      all  ::/0    md5
-    '';
-
-    ensure = [ "postgres" "root" ];
-
-    ensureDatabases = config.services.postgresql.ensure;
-
-    ensureUsers = flip map config.services.postgresql.ensure (name: {
-      inherit name;
-
-      ensureDBOwnership = true;
-
-      ensureClauses = {
-        login       = true;
-        superuser   = name == "postgres" || name == "root";
-      };
-    });
-
-    settings = {
-      listen_addresses = mkForce "::";
+{ self, ... }: {
+  imports = [(self + /modules/postgresql.nix)];

  # Generated by <https://pgconfigurator.cybertec.at/>
-
+  services.postgresql.settings = {
    # Connectivity
    max_connections                = 20;
    superuser_reserved_connections = 3;
@ -118,5 +60,4 @@ in {
    maintenance_io_concurrency     = 1;
    wal_recycle                    = "on";
  };
-  };
 }
--- a/modules/postgresql.nix
+++ b/modules/postgresql.nix
@ -0,0 +1,61 @@
+{ config, lib, pkgs, ... }: let
+  inherit (lib) const enabled flip genAttrs mkForce mkOverride mkValue;
+in {
+  config.services.prometheus.exporters.postgres = enabled {
+    listenAddress       = "[::]";
+    runAsLocalSuperUser = true;
+  };
+
+  config.services.restic.backups = genAttrs config.services.restic.hosts <| const {
+    paths = [ "/tmp/postgresql-dump.sql.gz" ];
+
+    backupPrepareCommand = /* sh */ ''
+      ${config.services.postgresql.package}/bin/pg_dumpall --clean \
+      | ${lib.getExe pkgs.gzip} --rsyncable \
+      > /tmp/postgresql-dump.sql.gz
+    '';
+
+    backupCleanupCommand = /* sh */ ''
+      rm /tmp/postgresql-dump.sql.gz
+    '';
+  };
+
+  config.environment.systemPackages = [
+    config.services.postgresql.package
+  ];
+
+  options.services.postgresql.ensure = mkValue [];
+
+  config.services.postgresql = enabled {
+    package = pkgs.postgresql_17;
+
+    enableJIT   = true;
+    enableTCPIP = true; # We override it, but might as well.
+
+    settings.listen_addresses = mkForce "::";
+    authentication            = mkOverride 10 /* ini */ ''
+      #     DATABASE USER        AUTHENTICATION
+      local all      all         peer
+
+      #     DATABASE USER ADDRESS AUTHENTICATION
+      host  all      all  ::/0    md5
+    '';
+
+    ensure = [ "postgres" "root" ];
+
+    initdbArgs      = [ "--locale=C" "--encoding=UTF8" ];
+    ensureDatabases = config.services.postgresql.ensure;
+
+    ensureUsers = flip map config.services.postgresql.ensure (name: {
+      inherit name;
+
+      ensureDBOwnership = true;
+
+      ensureClauses = {
+        login       = true;
+        superuser   = name == "postgres" || name == "root";
+      };
+    });
+  };
+}
+