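# NixOS module: a minimal PostgreSQL 16 server for this VM with one role and one
# database per consuming service (Nextcloud, Gitea, Authentik, Grafana).  Role
# passwords come from agenix secrets and are read by psql at first initialisation,
# so they never land in the Nix store.
{ lib, config, pkgs, ... }:

let
  cfg = config.services.vm_postgresql;

  # One entry per service.  The key is used as role name AND database name;
  # `secret` is the agenix secret (attribute name under age.secrets) holding the
  # role password; `addr` is the single client address allowed to log in as it.
  clients = {
    nextcloud = { secret = "nextcloudDBPass"; addr = "192.168.1.44/32"; };
    gitea     = { secret = "giteaDBPass";     addr = "192.168.1.14/32"; };
    authentik = { secret = "authentikDBPass"; addr = "192.168.1.125/32"; };
    grafana   = { secret = "grafanaDBPass";   addr = "192.168.1.27/32"; };
  };
in
{
  options.services.vm_postgresql = {
    # mkEnableOption prefixes "Whether to enable ", so the argument is a noun phrase.
    enable = lib.mkEnableOption "the minimal PostgreSQL configuration for this VM";
  };

  config = lib.mkIf cfg.enable {
    # Decrypted secrets are owned by postgres so that psql, which runs as the
    # postgres user during initialScript, can read them.  Attribute names are
    # kept identical to the per-service `secret` values so other modules can
    # still refer to e.g. config.age.secrets.nextcloudDBPass.
    age.secrets = lib.mapAttrs' (name: c:
      lib.nameValuePair c.secret {
        file = ./secrets + "/${c.secret}.age";
        owner = "postgres";
      }) clients;

    services.postgresql = {
      enable = true;
      package = pkgs.postgresql_16;
      enableTCPIP = true;
      settings.port = 5432;

      # pg_hba: one line per service, pinned to that service's host, password auth.
      # NOTE(review): PostgreSQL 16 stores newly set passwords as SCRAM by default
      # and an `md5` hba line accepts SCRAM-stored passwords, so switching these
      # lines to `scram-sha-256` should be a drop-in hardening once every client
      # is confirmed to support it.
      authentication = lib.concatStringsSep "\n" (lib.mapAttrsToList
        (name: c: "host ${name} ${name} ${c.addr} md5") clients) + "\n";

      # Runs exactly once, on first cluster initialisation, via `psql -f` as the
      # postgres user.  The script is SQL, not shell, so the password cannot be
      # pulled in with `$(...)`; instead psql's backtick expansion reads the
      # decrypted secret file into a psql variable and `:'var'` injects it as a
      # properly quoted SQL literal.  Changing a secret after the first boot
      # requires a manual `ALTER ROLE <name> PASSWORD ...`.
      # NOTE(review): every application role is granted CREATEDB; confirm each
      # service actually needs to create databases, otherwise drop it.
      initialScript = pkgs.writeText "init-sql-script" (lib.concatStrings
        (lib.mapAttrsToList (name: c: ''
          \set ${name}_pw `${pkgs.coreutils}/bin/cat ${config.age.secrets.${c.secret}.path}`
          CREATE ROLE ${name} WITH LOGIN PASSWORD :'${name}_pw' CREATEDB;
          CREATE DATABASE ${name};
          GRANT ALL PRIVILEGES ON DATABASE ${name} TO ${name};
        '') clients));
    };

    # NOTE(review): this opens 5432 to every peer the firewall sees; the pg_hba
    # lines above are the only per-host restriction.  Limiting the rule to the
    # four client addresses (e.g. via networking.firewall.extraCommands) would
    # add defense in depth.
    networking.firewall.allowedTCPPorts = [ 5432 ];
  };
}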