modules/custom.nix

@@ -64,15 +64,18 @@
         "/mnt/data/postgresql/${config.services.postgresql.package.psqlSchema}";
       # TODO: for now trust, replace this with client certificate later
       authentication = ''
-        hostssl terraformstates all all trust
+        hostssl terraformstates terraform all trust
       '';
       settings = {
         ssl = true;
-        # TODO: create key pair for server
         ssl_cert_file = builtins.toFile "postgresql_server.crt"
           (builtins.readFile ../postgresql_server.crt);
         ssl_key_file = config.age.secrets."postgresql_server.key".path;
       };
+      ensureUsers = [{
+        name = "terraform";
+        ensurePermissions = { "DATABASE terraformstates" = "ALL PRIVILEGES"; };
+      }];
     };
 
     age.secrets."postgresql_server.key" = {
@@ -81,10 +84,5 @@
       owner = builtins.toString config.ids.uids.postgres;
       group = builtins.toString config.ids.gids.postgres;
     };
-
-    # age.secrets."postgresql_server.key" =
-    #   lib.mkIf config.custom.terraformDatabase.enable {
-    #     file = ../secrets/postgresql_server.key.age;
-    #   };
   };
 }