nixos-servers/modules/custom/terraform-database.nix

{ pkgs, lib, config, ... }:
let cfg = config.custom.terraformDatabase;
in {
  options = {
    custom = {
      terraformDatabase.enable = lib.mkOption {
        default = false;
        type = lib.types.bool;
        description = ''
          Whether to start a postgreSQL database for Terraform states
        '';
      };
    };
  };

  config = lib.mkIf cfg.enable {
    services.postgresql = {
      enable = true;
      ensureDatabases = [ "terraformstates" ];
      package = pkgs.postgresql_15;
      enableTCPIP = true;
      dataDir = lib.mkIf config.custom.dataDisk.enable
        "/mnt/data/postgresql/${config.services.postgresql.package.psqlSchema}";
      authentication = ''
        hostssl terraformstates terraform all cert
      '';
      settings = let
        serverCert = builtins.toFile "postgresql_server.crt"
          (builtins.readFile ../../postgresql_server.crt);
      in {
        ssl = true;
        ssl_cert_file = serverCert;
        ssl_key_file = config.age.secrets."postgresql_server.key".path;
        ssl_ca_file = serverCert;
      };
      ensureUsers = [{
        name = "terraform";
        ensurePermissions = { "DATABASE terraformstates" = "ALL PRIVILEGES"; };
      }];
    };

    age.secrets."postgresql_server.key" = {
      file = ../../secrets/postgresql_server.key.age;
      mode = "400";
      owner = builtins.toString config.ids.uids.postgres;
      group = builtins.toString config.ids.gids.postgres;
    };
  };
}
refactor module logic 2023-11-24 12:52:51 +00:00			`{ pkgs, lib, config, ... }:`
			`let cfg = config.custom.terraformDatabase;`
			`in {`
			`options = {`
			`custom = {`
			`terraformDatabase.enable = lib.mkOption {`
			`default = false;`
			`type = lib.types.bool;`
			`description = ''`
			`Whether to start a postgreSQL database for Terraform states`
			`'';`
			`};`
			`};`
			`};`

			`config = lib.mkIf cfg.enable {`
			`services.postgresql = {`
			`enable = true;`
			`ensureDatabases = [ "terraformstates" ];`
			`package = pkgs.postgresql_15;`
			`enableTCPIP = true;`
			`dataDir = lib.mkIf config.custom.dataDisk.enable`
			`"/mnt/data/postgresql/${config.services.postgresql.package.psqlSchema}";`
			`authentication = ''`
enable client certificate checking 2023-11-25 12:41:49 +00:00			`hostssl terraformstates terraform all cert`
refactor module logic 2023-11-24 12:52:51 +00:00			`'';`
enable client certificate checking 2023-11-25 12:41:49 +00:00			`settings = let`
			`serverCert = builtins.toFile "postgresql_server.crt"`
refactor module logic 2023-11-24 12:52:51 +00:00			`(builtins.readFile ../../postgresql_server.crt);`
enable client certificate checking 2023-11-25 12:41:49 +00:00			`in {`
			`ssl = true;`
			`ssl_cert_file = serverCert;`
refactor module logic 2023-11-24 12:52:51 +00:00			`ssl_key_file = config.age.secrets."postgresql_server.key".path;`
enable client certificate checking 2023-11-25 12:41:49 +00:00			`ssl_ca_file = serverCert;`
refactor module logic 2023-11-24 12:52:51 +00:00			`};`
			`ensureUsers = [{`
			`name = "terraform";`
			`ensurePermissions = { "DATABASE terraformstates" = "ALL PRIVILEGES"; };`
			`}];`
			`};`

			`age.secrets."postgresql_server.key" = {`
			`file = ../../secrets/postgresql_server.key.age;`
			`mode = "400";`
			`owner = builtins.toString config.ids.uids.postgres;`
			`group = builtins.toString config.ids.gids.postgres;`
			`};`
			`};`
			`}`