nixos-config/config/service/postgresql.nix

{ config, lib, pkgs, ... }:

with lib;
let
  hostname = config.instance.hostname;
  domain-name = config.fudo.hosts.${hostname}.domain;
  domain = config.fudo.domains.${domain-name};

  cfg = config.fudo.services.postgresql;

  zone-name = domain.zone;

  host-secrets = config.fudo.secrets.host-secrets.${hostname};

  postgresEnabled = domain.postgresql-server == hostname;
  publicNetwork = let
    site-name = config.fudo.hosts.${hostname}.site;
  in config.fudo.sites.${site-name}.local-gateway == null;
  isPostgresHost = hostname == domain.postgresql-server;

  postgresql-hostname = "postgresql.${domain-name}";

  acme-copies = config.fudo.acme.host-domains.${hostname};

  postgresUser = config.systemd.services.postgresql.serviceConfig.User;

in {
  options.fudo.services.postgresql = with types; {
    state-directory = mkOption {
      type = str;
      description = "Path at which to store PostgreSQL state.";
    };

    keytab = mkOption {
      type = str;
      description = "Keytab for PostgreSQL.";
    };
  };

  config = mkIf postgresEnabled {
    fudo = {
      acme.host-domains.${hostname} = mkIf (publicNetwork && isPostgresHost) {
        ${postgresql-hostname}.local-copies = {
          postgresql = {
            user = postgresUser;
            dependent-services = [ "postgresql.service" ];
            part-of = [ config.fudo.postgresql.systemd-target ];
          };
        };
      };

      secrets.host-secrets.${hostname}.postgres-keytab = mkIf (cfg.keytab != null) {
        source-file = cfg.keytab;
        target-file = "/run/postgresql/postgres.keytab";
        user = postgresUser;
      };

      zones.${zone-name}.aliases.postgresql =
        "${domain.postgresql-server}.${domain-name}.";

      postgresql = mkIf isPostgresHost (let
        ssl-config = optionalAttrs publicNetwork (let
          cert-copy = acme-copies.${postgresql-hostname}.local-copies.postgresql;
        in {
          ssl-certificate = mkIf publicNetwork cert-copy.full-certificate;
          ssl-private-key = mkIf publicNetwork cert-copy.private-key;
          required-services = [ cert-copy.service ];
        });
      in {
        enable = true;
        keytab = mkIf (cfg.keytab != null) host-secrets.postgres-keytab.target-file;
        local-networks = config.instance.local-networks;
        state-directory = cfg.state-directory;
        required-services = [ config.fudo.secrets.secret-target ];
      } // ssl-config);
    };
  };
}
Added live disk flake file 2022-03-16 09:49:54 -07:00			`{ config, lib, pkgs, ... }:`

			`with lib;`
			`let`
			`hostname = config.instance.hostname;`
			`domain-name = config.fudo.hosts.${hostname}.domain;`
			`domain = config.fudo.domains.${domain-name};`

			`cfg = config.fudo.services.postgresql;`

			`zone-name = domain.zone;`

			`host-secrets = config.fudo.secrets.host-secrets.${hostname};`

			`postgresEnabled = domain.postgresql-server == hostname;`
			`publicNetwork = let`
			`site-name = config.fudo.hosts.${hostname}.site;`
			`in config.fudo.sites.${site-name}.local-gateway == null;`
			`isPostgresHost = hostname == domain.postgresql-server;`

			`postgresql-hostname = "postgresql.${domain-name}";`

			`acme-copies = config.fudo.acme.host-domains.${hostname};`

			`postgresUser = config.systemd.services.postgresql.serviceConfig.User;`

			`in {`
			`options.fudo.services.postgresql = with types; {`
			`state-directory = mkOption {`
			`type = str;`
			`description = "Path at which to store PostgreSQL state.";`
			`};`

			`keytab = mkOption {`
			`type = str;`
			`description = "Keytab for PostgreSQL.";`
			`};`
			`};`

			`config = mkIf postgresEnabled {`
			`fudo = {`
			`acme.host-domains.${hostname} = mkIf (publicNetwork && isPostgresHost) {`
			`${postgresql-hostname}.local-copies = {`
			`postgresql = {`
			`user = postgresUser;`
			`dependent-services = [ "postgresql.service" ];`
			`part-of = [ config.fudo.postgresql.systemd-target ];`
			`};`
			`};`
			`};`

			`secrets.host-secrets.${hostname}.postgres-keytab = mkIf (cfg.keytab != null) {`
			`source-file = cfg.keytab;`
			`target-file = "/run/postgresql/postgres.keytab";`
			`user = postgresUser;`
			`};`

			`zones.${zone-name}.aliases.postgresql =`
			`"${domain.postgresql-server}.${domain-name}.";`

			`postgresql = mkIf isPostgresHost (let`
			`ssl-config = optionalAttrs publicNetwork (let`
			`cert-copy = acme-copies.${postgresql-hostname}.local-copies.postgresql;`
			`in {`
			`ssl-certificate = mkIf publicNetwork cert-copy.full-certificate;`
			`ssl-private-key = mkIf publicNetwork cert-copy.private-key;`
			`required-services = [ cert-copy.service ];`
			`});`
			`in {`
			`enable = true;`
			`keytab = mkIf (cfg.keytab != null) host-secrets.postgres-keytab.target-file;`
			`local-networks = config.instance.local-networks;`
			`state-directory = cfg.state-directory;`
			`required-services = [ config.fudo.secrets.secret-target ];`
			`} // ssl-config);`
			`};`
			`};`
			`}`