machines/bc01n05: postgres: auth, hba, more ram

Change-Id: Id10b97efa3588a2a9147a349391da559e6cce7e5
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1482
Reviewed-by: q3k <q3k@hackerspace.pl>
diff --git a/cluster/machines/bc01n05.hswaw.net.nix b/cluster/machines/bc01n05.hswaw.net.nix
index d2b4da0..3155cc9 100644
--- a/cluster/machines/bc01n05.hswaw.net.nix
+++ b/cluster/machines/bc01n05.hswaw.net.nix
@@ -49,6 +49,8 @@
     gw = "185.236.240.33";
   };
 
+  networking.firewall.allowedTCPPorts = [ config.services.postgresql.port ];
+
   environment.systemPackages = [postgresPkg];
   services.postgresql = {
     enable = true;
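Review bot: The added `networking.firewall.allowedTCPPorts` entry opens the PostgreSQL port to every source address on every interface, while the pg_hba rule added later in this commit only expects clients from 185.236.240.0/24. That leaves pg_hba as the only filter, so connection attempts from anywhere still reach the postmaster before being rejected. Consider scoping the opening to one interface with `networking.firewall.interfaces.<iface>.allowedTCPPorts = [ config.services.postgresql.port ];`, where `<iface>` is a placeholder because the interface name is not visible here, or adding a source-restricted rule via `networking.firewall.extraCommands`. The `services.postgresql` block continues past this hunk, so whether the server listens beyond loopback (`enableTCPIP` / `listen_addresses`) cannot be confirmed from these lines.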
@@ -57,9 +59,9 @@
     initdbArgs = ["--encoding='UTF8'" "--lc-collate='C'" "--lc-ctype='C'"];
     settings = {
       max_connections = 300;
-      shared_buffers = "4GB";
-      temp_buffers = "64MB";
-      work_mem = "64MB";
+      shared_buffers = "8GB";
+      temp_buffers = "128MB";
+      work_mem = "128MB";
       maintenance_work_mem = "258MB";
       effective_io_concurrency = 10;  # ssd, guess
       maintenance_io_concurrency = 100; # ssd, guess
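Review bot: `work_mem = "128MB"` combined with `max_connections = 300` has no practical memory ceiling, because work_mem is allocated per sort or hash node in each backend and `temp_buffers` is per session, all on top of the 8GB `shared_buffers`. Since this commit also makes the server reachable over the network, that becomes an availability risk: a backend killed by the OOM killer forces the postmaster to drop every session and run crash recovery. The host's RAM is not visible in this diff, so this may be fine, but a comment such as `# sized for <N>GB RAM, see max_connections` next to these values would record the budget. If headroom is tight, keep the global value lower and raise it only for the roles that need it, e.g. `ALTER ROLE synapse SET work_mem = '128MB';`.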
@@ -88,12 +90,11 @@
         };
       }
     ];
-    # TODO actually allow synapse to talk to us
-    # also adjust firewall
     authentication = pkgs.lib.mkOverride 10 ''
-      local all all trust
-      host all all 127.0.0.1/32 trust
-      host all all ::1/128 trust
+      local   all               all                                 trust
+      host    all               all               127.0.0.1/32      trust
+      host    all               all               ::1/128           trust
+      host    synapse,mediarepo synapse,mediarepo 185.236.240.0/24  scram-sha-256
     '';
   };
 }
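Review bot: The new remote rule uses `host`, which matches plaintext as well as TLS connections, so synapse and mediarepo traffic may cross 185.236.240.0/24 unencrypted; scram-sha-256 protects the password exchange but not the queries and results that follow. If TLS is configured on the server (the settings are outside this hunk), prefer `hostssl synapse,mediarepo synapse,mediarepo 185.236.240.0/24 scram-sha-256`, and narrow the /24 to the actual client addresses if those are fixed. SCRAM also requires that the two roles' stored passwords are SCRAM verifiers, so `password_encryption` should be `scram-sha-256` when they are set. The reformatted `trust` lines still let any local account connect as any role, including the superuser, which matters more now that the host is network-facing; a comment stating that this is intentional would help.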