nixos-hypervisor/services/postgresql/default.nix

{
  lib,
  config,
  pkgs,
  ...
}: let
  cfg = config.services.vm_postgresql;
in {
  options.services.vm_postgresql = {
    enable = lib.mkEnableOption "Enable minimal config";
  };
  config = lib.mkIf cfg.enable {
    age.secrets = {
      nextcloudDBPass = {
        file = ./secrets/nextcloudDBPass.age;
        owner = "postgres";
      };
      giteaDBPass = {
        file = ./secrets/giteaDBPass.age;
        owner = "postgres";
      };
      authentikDBPass = {
        file = ./secrets/authentikDBPass.age;
        owner = "postgres";
      };
      grafanaDBPass = {
        file = ./secrets/grafanaDBPass.age;
        owner = "postgres";
      };
    };
    services.postgresql = {
      enable = true;
      package = pkgs.postgresql_16;
      enableTCPIP = true;
      settings.port = 5432;
      authentication = "
        host  nextcloud  nextcloud  192.168.1.44/32   md5
        host  gitea      gitea      192.168.1.14/32   md5
        host  authentik  authentik  192.168.1.125/32  md5
        host  grafana    grafana    192.168.1.27/32   md5
        ";
      initialScript = pkgs.writeText "init-sql-script" ''
        nextcloudSecret=$(echo ${config.age.secrets.nextcloudDBPass.path})
        CREATE ROLE nextcloud WITH LOGIN PASSWORD $nextcloudSecret CREATEDB;
        CREATE DATABASE nextcloud;
        GRANT ALL PRIVILEGES ON DATABASE nextcloud TO nextcloud;

        giteaSecret=$(echo ${config.age.secrets.giteaDBPass.path})
        CREATE ROLE gitea WITH LOGIN PASSWORD $giteaSecret CREATEDB;
        CREATE DATABASE gitea;
        GRANT ALL PRIVILEGES ON DATABASE gitea TO gitea;

        authentikSecret=$(echo ${config.age.secrets.authentikDBPass.path})
        CREATE ROLE authentik WITH LOGIN PASSWORD $authentikSecret CREATEDB;
        CREATE DATABASE authentik;
        GRANT ALL PRIVILEGES ON DATABASE authentik TO authentik;

        grafanaSecret=$(echo ${config.age.secrets.grafanaDBPass.path})
        CREATE ROLE grafana WITH LOGIN PASSWORD $grafanaSecret CREATEDB;
        CREATE DATABASE grafana;
        GRANT ALL PRIVILEGES ON DATABASE grafana TO grafana;
      '';
    };
    networking.firewall.allowedTCPPorts = [5432];
  };
}