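{ pkgs, lib, config, ... }:
# Host-specific knobs shared by the fleet: an optional data-disk mount,
# per-host paths to the age-encrypted SSH keys/certificates, and an optional
# PostgreSQL instance that stores Terraform state.
{
  options = {
    custom = {
      dataDisk.enable = lib.mkOption {
        default = false;
        type = lib.types.bool;
        description = ''
          Whether to automatically mount /dev/sda1 on /mnt/data
        '';
      };

      ssh = {
        hostCert = lib.mkOption {
          type = lib.types.str;
          description = ''
            SSH host certificate
          '';
        };
        userCert = lib.mkOption {
          type = lib.types.str;
          description = ''
            SSH user certificate
          '';
        };
        # Key defaults are derived from the hostname: every host needs a
        # matching <hostName>_{host,user}_ed25519.age under ../secrets unless
        # it overrides these options explicitly.
        hostKey = lib.mkOption {
          default = ../secrets/${config.networking.hostName}_host_ed25519.age;
          type = lib.types.path;
          description = ''
            SSH host key
          '';
        };
        userKey = lib.mkOption {
          default = ../secrets/${config.networking.hostName}_user_ed25519.age;
          type = lib.types.path;
          description = ''
            SSH user key
          '';
        };
      };

      terraformDatabase.enable = lib.mkOption {
        default = false;
        type = lib.types.bool;
        description = ''
          Whether to start a postgreSQL database for Terraform states
        '';
      };
    };
  };

  config = {
    # fsType is left at the NixOS default; only the device is pinned.
    fileSystems."/mnt/data" =
      lib.mkIf config.custom.dataDisk.enable { device = "/dev/sda1"; };

    # The database's dataDir lives under /mnt/data. Without a filesystem
    # mounted there, postgres would silently initialise its cluster on the
    # root disk, so refuse to build such a configuration.
    assertions = [{
      assertion = config.custom.terraformDatabase.enable
        -> (config.fileSystems ? "/mnt/data");
      message = ''
        custom.terraformDatabase.enable requires a filesystem on /mnt/data
        (e.g. custom.dataDisk.enable = true), because the PostgreSQL dataDir
        is placed under /mnt/data.
      '';
    }];

    services.postgresql = lib.mkIf config.custom.terraformDatabase.enable {
      enable = true;
      ensureDatabases = [ "terraformstates" ];
      package = pkgs.postgresql_15;
      # Remote Terraform runners connect over TCP; see the pg_hba entry and
      # the TLS settings below for what protects that listener.
      enableTCPIP = true;
      # Keyed by the server's schema version, presumably so a major-version
      # bump gets a fresh cluster directory instead of reusing an incompatible
      # one — confirm against the upgrade procedure.
      dataDir =
        "/mnt/data/postgresql/${config.services.postgresql.package.psqlSchema}";
      # TODO: for now trust, replace this with client certificate later.
      # Until then: with enableTCPIP = true, this entry lets any client that
      # can complete a TLS handshake to the port log in as "terraform" with no
      # password, so the only control is network reachability — keep the port
      # firewalled to the Terraform runners and watch the connection log for
      # unexpected source addresses.
      authentication = ''
        hostssl terraformstates terraform all trust
      '';
      settings = {
        ssl = true;
        # builtins.toFile copies the certificate into the (world-readable)
        # Nix store; that is fine for the public certificate, which is why the
        # private key is delivered via age below instead of the store.
        ssl_cert_file = builtins.toFile "postgresql_server.crt"
          (builtins.readFile ../postgresql_server.crt);
        ssl_key_file = config.age.secrets."postgresql_server.key".path;
      };
      ensureUsers = [{
        name = "terraform";
        ensurePermissions = { "DATABASE terraformstates" = "ALL PRIVILEGES"; };
      }];
    };

    # Server TLS private key, decrypted at activation and readable only by the
    # postgres user (mode 400).
    age.secrets."postgresql_server.key" = {
      file = ../secrets/postgresql_server.key.age;
      mode = "400";
      owner = builtins.toString config.ids.uids.postgres;
      group = builtins.toString config.ids.gids.postgres;
    };
  };
}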