nixos-servers/nixos/modules/terraform-database/default.nix

{ pkgs, lib, config, ... }:
let cfg = config.lab.terraformDatabase;
in {
  options.lab.terraformDatabase.enable = lib.mkOption {
    default = false;
    type = lib.types.bool;
    description = ''
      Whether to start a postgreSQL database for Terraform states
    '';
  };

  config = lib.mkIf cfg.enable {
    networking.firewall.interfaces.${config.lab.networking.mainNicNamePattern}.allowedTCPPorts = [ 5432 ];

    services.postgresql = {
      enable = true;
      ensureDatabases = [ "terraformstates" ];
      package = pkgs.postgresql_15;
      enableTCPIP = true;

      dataDir = "${config.lab.storage.dataMountPoint}/postgresql/${config.services.postgresql.package.psqlSchema}";

      authentication = ''
        hostssl terraformstates terraform all cert
      '';

      settings =
        let
          serverCert = builtins.toFile "postgresql_server.crt"
            (builtins.readFile ./postgresql_server.crt);
        in
        {
          ssl = true;
          ssl_cert_file = serverCert;
          ssl_key_file = config.age.secrets."postgresql_server.key".path;
          ssl_ca_file = serverCert;
        };

      ensureUsers = [{ name = "terraform"; }];
    };

    age.secrets."postgresql_server.key" = {
      file = ../../secrets/postgresql_server.key.age;
      mode = "400";
      owner = builtins.toString config.ids.uids.postgres;
      group = builtins.toString config.ids.gids.postgres;
    };
  };
}
refactor module logic 2023-11-24 13:52:51 +01:00			`{ pkgs, lib, config, ... }:`
cleanup nixos modules a bit 2023-12-29 13:46:12 +01:00			`let cfg = config.lab.terraformDatabase;`
refactor module logic 2023-11-24 13:52:51 +01:00			`in {`
cleanup nixos modules a bit 2023-12-29 13:46:12 +01:00			`options.lab.terraformDatabase.enable = lib.mkOption {`
			`default = false;`
			`type = lib.types.bool;`
			`description = ''`
			`Whether to start a postgreSQL database for Terraform states`
			`'';`
refactor module logic 2023-11-24 13:52:51 +01:00			`};`

			`config = lib.mkIf cfg.enable {`
parameterize main nic and dmz bridge interface names firewall some services to particular interfaces 2024-01-13 00:05:25 +01:00			`networking.firewall.interfaces.${config.lab.networking.mainNicNamePattern}.allowedTCPPorts = [ 5432 ];`
cleanup nixos modules a bit 2023-12-29 13:46:12 +01:00
refactor module logic 2023-11-24 13:52:51 +01:00			`services.postgresql = {`
			`enable = true;`
			`ensureDatabases = [ "terraformstates" ];`
			`package = pkgs.postgresql_15;`
			`enableTCPIP = true;`
let nix manage firewall closes #20 2023-12-26 13:44:59 +01:00
merge modules into one storage module 2024-01-07 00:22:44 +01:00			`dataDir = "${config.lab.storage.dataMountPoint}/postgresql/${config.services.postgresql.package.psqlSchema}";`
let nix manage firewall closes #20 2023-12-26 13:44:59 +01:00
refactor module logic 2023-11-24 13:52:51 +01:00			`authentication = ''`
enable client certificate checking 2023-11-25 13:41:49 +01:00			`hostssl terraformstates terraform all cert`
refactor module logic 2023-11-24 13:52:51 +01:00			`'';`
let nix manage firewall closes #20 2023-12-26 13:44:59 +01:00
create custom module for k3s configuration 2023-12-15 14:55:48 +01:00			`settings =`
			`let`
			`serverCert = builtins.toFile "postgresql_server.crt"`
disable password logins by default in VMs restructure terraform database module 2023-12-30 14:34:21 +01:00			`(builtins.readFile ./postgresql_server.crt);`
create custom module for k3s configuration 2023-12-15 14:55:48 +01:00			`in`
			`{`
			`ssl = true;`
			`ssl_cert_file = serverCert;`
			`ssl_key_file = config.age.secrets."postgresql_server.key".path;`
			`ssl_ca_file = serverCert;`
			`};`
let nix manage firewall closes #20 2023-12-26 13:44:59 +01:00
don't manage database permissions in nix closes #24 2024-01-07 16:26:11 +01:00			`ensureUsers = [{ name = "terraform"; }];`
refactor module logic 2023-11-24 13:52:51 +01:00			`};`

			`age.secrets."postgresql_server.key" = {`
disable password logins by default in VMs restructure terraform database module 2023-12-30 14:34:21 +01:00			`file = ../../secrets/postgresql_server.key.age;`
refactor module logic 2023-11-24 13:52:51 +01:00			`mode = "400";`
			`owner = builtins.toString config.ids.uids.postgres;`
			`group = builtins.toString config.ids.gids.postgres;`
			`};`
			`};`
			`}`