working postgresql installation

modules/custom.nix

@@ -1,4 +1,4 @@
-{ lib, config, ... }: {
+{ pkgs, lib, config, ... }: {
   options = {
     custom = {
       dataDisk.enable = lib.mkOption {
@@ -40,11 +40,51 @@
           '';
         };
       };
+
+      terraformDatabase.enable = lib.mkOption {
+        default = false;
+        type = lib.types.bool;
+        description = ''
+          Whether to start a postgreSQL database for Terraform states
+        '';
+      };
     };
   };
 
   config = {
-    fileSystems."/dev/data" =
+    fileSystems."/mnt/data" =
       lib.mkIf config.custom.dataDisk.enable { device = "/dev/sda1"; };
+
+    services.postgresql = lib.mkIf config.custom.terraformDatabase.enable {
+      enable = true;
+      ensureDatabases = [ "terraformstates" ];
+      package = pkgs.postgresql_15;
+      enableTCPIP = true;
+      dataDir =
+        "/mnt/data/postgresql/${config.services.postgresql.package.psqlSchema}";
+      # TODO: for now trust, replace this with client certificate later
+      authentication = ''
+        hostssl terraformstates all all trust
+      '';
+      settings = {
+        ssl = true;
+        # TODO: create key pair for server
+        ssl_cert_file = builtins.toFile "postgresql_server.crt"
+          (builtins.readFile ../postgresql_server.crt);
+        ssl_key_file = config.age.secrets."postgresql_server.key".path;
+      };
+    };
+
+    age.secrets."postgresql_server.key" = {
+      file = ../secrets/postgresql_server.key.age;
+      mode = "400";
+      owner = builtins.toString config.ids.uids.postgres;
+      group = builtins.toString config.ids.gids.postgres;
+    };
+
+    # age.secrets."postgresql_server.key" =
+    #   lib.mkIf config.custom.terraformDatabase.enable {
+    #     file = ../secrets/postgresql_server.key.age;
+    #   };
   };
 }