From e0aa2783bb01ad00db6a1c5ed49afb29e3aee649 Mon Sep 17 00:00:00 2001
From: Sascha Koenig
Date: Mon, 12 May 2025 16:06:40 +0200
Subject: [PATCH] postgres upgrade@m3-atlas

---
 home/m3tam3re/m3-kratos.nix | 1 -
 hosts/common/users/m3tam3re.nix | 1 +
 .../m3-atlas/services/containers/baserow.nix | 2 +-
 hosts/m3-atlas/services/mysql.nix | 7 +++-
 hosts/m3-atlas/services/paperless.nix | 3 +-
 hosts/m3-atlas/services/postgres.nix | 40 +++++++++++++------
 6 files changed, 38 insertions(+), 16 deletions(-)

diff --git a/home/m3tam3re/m3-kratos.nix b/home/m3tam3re/m3-kratos.nix
index c906d28..e6ff182 100644
--- a/home/m3tam3re/m3-kratos.nix
+++ b/home/m3tam3re/m3-kratos.nix
@@ -13,7 +13,6 @@ in {
 ../features/cli
 ../features/coding
 ../features/desktop
- ./services/librechat.nix
 ];
 options.features.desktop.hyprland.enable =
diff --git a/hosts/common/users/m3tam3re.nix b/hosts/common/users/m3tam3re.nix
index da7a58d..9e12cf4 100644
--- a/hosts/common/users/m3tam3re.nix
+++ b/hosts/common/users/m3tam3re.nix
@@ -7,6 +7,7 @@
 users.users.m3tam3re = {
 #initialHashedPassword = "$y$j9T$IoChbWGYRh.rKfmm0G86X0$bYgsWqDRkvX.EBzJTX.Z0RsTlwspADpvEF3QErNyCMC";
 password = "12345";
+ linger = true;
 isNormalUser = true;
 description = "m3tam3re";
 extraGroups = [
diff --git a/hosts/m3-atlas/services/containers/baserow.nix b/hosts/m3-atlas/services/containers/baserow.nix
index 2868160..0bf059e 100644
--- a/hosts/m3-atlas/services/containers/baserow.nix
+++ b/hosts/m3-atlas/services/containers/baserow.nix
@@ -1,6 +1,6 @@
 {config, ...}: {
 virtualisation.oci-containers.containers."baserow" = {
- image = "docker.io/baserow/baserow:1.31.1";
+ image = "docker.io/baserow/baserow:1.33.2";
 environmentFiles = [config.age.secrets.baserow-env.path];
 ports = ["127.0.0.1:3001:80"];
 volumes = ["baserow_data:/baserow/data"];
diff --git a/hosts/m3-atlas/services/mysql.nix b/hosts/m3-atlas/services/mysql.nix
index 54afe9a..1acb0f0 100644
--- a/hosts/m3-atlas/services/mysql.nix
+++ b/hosts/m3-atlas/services/mysql.nix
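Review bot: `linger = true;` keeps this user's systemd user manager and every unit under `~/.config/systemd/user` running without a login session, and the context line directly above it sets the account password to the literal `password = "12345";` — the cleartext `users.users.<name>.password` option, which as far as I know lands in the world-readable Nix store. Judging by the `hosts/common/users/` path this file is shared by all hosts, so lingering plus a trivial password is now enabled fleet-wide rather than only on m3-atlas. Fix the password alongside this change by restoring the commented-out hashed form (or `hashedPasswordFile` pointing at a secret) and dropping `password`, and record why lingering is needed, e.g. `linger = true; # keep rootless user services running without an active login (confirm: podman?)`.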
@@ -18,5 +18,10 @@
 calendar = "03:00:00";
 databases = ["ghost" "matomo"];
 };
- networking.firewall.allowedTCPPorts = [3306];
+ networking.firewall = {
+ extraCommands = ''
+ iptables -A INPUT -p tcp -s 127.0.0.1 --dport 3306 -j ACCEPT
+ iptables -A INPUT -p tcp -s 10.89.0.0/24 --dport 3306 -j ACCEPT
+ '';
+ };
 }
diff --git a/hosts/m3-atlas/services/paperless.nix b/hosts/m3-atlas/services/paperless.nix
index 335c119..2e3e179 100644
--- a/hosts/m3-atlas/services/paperless.nix
+++ b/hosts/m3-atlas/services/paperless.nix
@@ -7,10 +7,11 @@
 configureTika = true;
 settings = {
 PAPERLESS_URL = "https://pl.m3ta.dev";
- DATABASE_URL = "postgresql://paperless:paperless@localhost:5432/paperless";
+ DATABASE_URL = "postgresql://paperless:paperless@127.0.0.1:5432/paperless";
 PAPERLESS_CONSUMER_IGNORE_PATTERN = [
 ".DS_STORE/*"
 "desktop.ini"
+ ".env"
 ];
 PAPERLESS_OCR_LANGUAGE = "deu+eng";
 PAPERLESS_OCR_USER_ARGS = {
diff --git a/hosts/m3-atlas/services/postgres.nix b/hosts/m3-atlas/services/postgres.nix
index 3b3f324..c61805a 100644
--- a/hosts/m3-atlas/services/postgres.nix
+++ b/hosts/m3-atlas/services/postgres.nix
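Review bot: The two `iptables -A INPUT … -j ACCEPT` lines append straight to INPUT instead of the NixOS-managed `nixos-fw` chain; the firewall's stop/reload path flushes its own chains but, as far as I can tell, never touches INPUT, so every rebuild leaves the previous copies in place and they survive `systemctl stop firewall`. `extraCommands` is also only honoured by the iptables backend, so the rule set breaks (assertion or silent no-op, depending on the NixOS release) the day `networking.nftables.enable` is switched on. Use the module's chains instead: `iptables -A nixos-fw -p tcp -s 10.89.0.0/24 --dport 3306 -j nixos-fw-accept` — the `127.0.0.1` rule should be redundant, since the module already accepts everything on `lo`. Note that `10.89.0.0/24` covers only the first podman-created network (podman hands out `10.89.N.0/24` per network), so confirm the containers that talk to MySQL are on that one, and leave a comment saying which network it is.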
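Review bot: The new `DATABASE_URL` still carries the role password inline (`postgresql://paperless:paperless@127.0.0.1:5432/paperless`), and because `settings` is rendered into the Nix store that string is readable by every local user on the host; with the server side of this commit moving the `paperless` role to `scram-sha-256`, that password is now the only thing gating the database over TCP. Move it out of the module by keeping the URL (or `PAPERLESS_DBPASS`) in a secret and pointing the paperless module's environment-file option at it — `environmentFile = config.age.secrets.paperless-env.path;` if the module version in use supports it (confirm) — which mirrors what baserow.nix already does with `environmentFiles`. The added `".env"` ignore pattern matches only a file literally named `.env`; if the intent is any dotenv-style file it would need `"*.env"`, so a one-line comment stating which is meant would help, e.g. `".env" # skip stray dotenv files dropped into the consume dir`.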
@@ -2,23 +2,39 @@
 services.postgresql = {
 enable = true;
 enableTCPIP = true;
- package = pkgs.postgresql_15;
+ package = pkgs.postgresql_17;
+ extensions = with pkgs.postgresql17Packages; [
+ pgvector
+ ];
 authentication = pkgs.lib.mkOverride 10 ''
- local all all trust
- host all all 127.0.0.1/32 trust
- host all all ::1/128 trust
- host all all 10.89.0.0/16 trust
- '';
- initialScript = pkgs.writeText "backend-initScript" ''
- CREATE USER baserow WITH ENCRYPTED PASSWORD 'baserow';
- CREATE DATABASE baserow;
- ALTER DATABASE baserow OWNER to baserow;
+ # Local connections (Unix socket)
+ local all postgres peer
+ local paperless paperless scram-sha-256
+
+ # Localhost connections (IPv4 and IPv6)
+ host all postgres 127.0.0.1/32 scram-sha-256
+ host all postgres ::1/128 scram-sha-256
+ host paperless paperless 127.0.0.1/32 scram-sha-256
+ host paperless paperless ::1/128 scram-sha-256
+
+ # Podman network connections for Baserow
+ host baserow baserow 10.89.0.0/24 scram-sha-256
+
+ # Deny all other connections
+ local all all reject
+ host all all 0.0.0.0/0 reject
+ host all all ::/0 reject
 '';
 };
 services.postgresqlBackup = {
 enable = true;
 startAt = "03:10:00";
- databases = ["baserow"];
+ databases = ["baserow" "paperless"];
+ };
+ networking.firewall = {
+ extraCommands = ''
+ iptables -A INPUT -p tcp -s 127.0.0.1 --dport 5432 -j ACCEPT
+ iptables -A INPUT -p tcp -s 10.89.0.0/24 --dport 5432 -j ACCEPT
+ '';
 };
- networking.firewall.allowedTCPPorts = [5432];
 }
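Review bot: Switching `package` from `postgresql_15` to `postgresql_17` does not migrate the cluster — NixOS's default `dataDir` is derived from the major version, so as far as I can tell the service will initialise an empty `/var/lib/postgresql/17` on first start, and with `initialScript` removed in the same hunk nothing recreates the `baserow` role and database there; this only works if the data was moved with `pg_upgrade`/`pg_dumpall` out of band, which the commit does not record. Put that on the package line so the next person does not repeat the bump blind, e.g. `package = pkgs.postgresql_17; # cluster migrated 15 -> 17 by hand (pg_dumpall) before this bump; remove /var/lib/postgresql/15 once backups from 17 exist`. The move from `trust` to `scram-sha-256` is the right direction, but the `mkOverride 10` replaces the module's own `peer` rules too, so any other local service on this host that relied on socket peer auth (none visible here) will now hit `local all all reject` — worth checking the remaining host modules. The `iptables -A INPUT … -j ACCEPT` lines would be better as `iptables -A nixos-fw … -j nixos-fw-accept` so the firewall's reload path cleans them up, and the hba CIDR shrank from `10.89.0.0/16` to `/24`, which covers only the first podman-created network — confirm baserow is on it, or keep the /16 there too.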