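# NixOS module: optional data-disk mount, SSH key/certificate options, and an
# optional PostgreSQL instance holding Terraform state.
{ pkgs, lib, config, ... }:
{
  options = {
    custom = {
      dataDisk.enable = lib.mkOption {
        default = false;
        type = lib.types.bool;
        description = ''
          Whether to automatically mount /dev/sda1 on /mnt/data
        '';
      };

      ssh = {
        hostCert = lib.mkOption {
          type = lib.types.str;
          description = ''
            SSH host certificate
          '';
        };

        userCert = lib.mkOption {
          type = lib.types.str;
          description = ''
            SSH user certificate
          '';
        };

        hostKey = lib.mkOption {
          # Default is derived from the host name so every machine resolves to
          # its own age-encrypted key file under ../secrets.
          default = ../secrets/${config.networking.hostName}_host_ed25519.age;
          type = lib.types.path;
          description = ''
            SSH host key
          '';
        };

        userKey = lib.mkOption {
          default = ../secrets/${config.networking.hostName}_user_ed25519.age;
          type = lib.types.path;
          description = ''
            SSH user key
          '';
        };
      };

      terraformDatabase.enable = lib.mkOption {
        default = false;
        type = lib.types.bool;
        description = ''
          Whether to start a postgreSQL database for Terraform states
        '';
      };
    };
  };

  config = {
    # services.postgresql.dataDir below is placed under /mnt/data. Without the
    # data disk mounted, the cluster would silently be created on the root
    # filesystem instead, so refuse to evaluate that combination.
    assertions = [
      {
        assertion = config.custom.terraformDatabase.enable -> config.custom.dataDisk.enable;
        message = "custom.terraformDatabase.enable requires custom.dataDisk.enable: the PostgreSQL dataDir lives under /mnt/data";
      }
    ];

    fileSystems."/mnt/data" = lib.mkIf config.custom.dataDisk.enable {
      device = "/dev/sda1";
    };

    services.postgresql = lib.mkIf config.custom.terraformDatabase.enable {
      enable = true;
      ensureDatabases = [ "terraformstates" ];
      package = pkgs.postgresql_15;
      enableTCPIP = true;
      # Keyed by psqlSchema so a major-version upgrade gets a fresh directory
      # instead of reusing an incompatible cluster.
      dataDir = "/mnt/data/postgresql/${config.services.postgresql.package.psqlSchema}";

      # TODO: for now trust, replace this with client certificate later.
      # NOTE(review): with enableTCPIP and `trust`, any client that can reach
      # the TCP port authenticates as the `terraform` role with no credential;
      # TLS here only encrypts the connection. Until client-certificate
      # authentication is in place, the port must be reachable only from
      # trusted hosts (firewall / network policy outside this module).
      authentication = ''
        hostssl terraformstates terraform all trust
      '';

      settings = {
        ssl = true;
        # The certificate is public; copying it into the store is fine.
        ssl_cert_file = builtins.toFile "postgresql_server.crt" (builtins.readFile ../postgresql_server.crt);
        # The private key must NOT go through the store; it is decrypted at
        # activation time by agenix (see age.secrets below).
        ssl_key_file = config.age.secrets."postgresql_server.key".path;
      };

      ensureUsers = [
        {
          name = "terraform";
          ensurePermissions = {
            "DATABASE terraformstates" = "ALL PRIVILEGES";
          };
        }
      ];
    };

    # Server TLS private key: owner-read-only, owned by the postgres service
    # user so only the database process can read it.
    age.secrets."postgresql_server.key" = {
      file = ../secrets/postgresql_server.key.age;
      mode = "400";
      owner = builtins.toString config.ids.uids.postgres;
      group = builtins.toString config.ids.gids.postgres;
    };
  };
}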