refactor: split configurations for fail2ban, postgres, and qbittorent into folders

2025-10-24 13:08:13 -05:00 · 2025-10-24 13:08:13 -05:00 · 0f5507c328
commit 0f5507c328
parent ad04be6534
13 changed files with 296 additions and 263 deletions
--- a/modules/nixos-modules/server/postgres/postgres.nix
+++ b/modules/nixos-modules/server/postgres/postgres.nix
@ -0,0 +1,98 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}: let
+  adminUsers = lib.lists.filter (user: user.isAdmin) (lib.attrsets.mapAttrsToList (_: user: user) config.host.postgres.extraUsers);
+  clientUsers = lib.lists.filter (user: user.isClient) (lib.attrsets.mapAttrsToList (_: user: user) config.host.postgres.extraUsers);
+  createUsers = lib.lists.filter (user: user.createUser) (lib.attrsets.mapAttrsToList (_: user: user) config.host.postgres.extraUsers);
+  createDatabases = lib.attrsets.mapAttrsToList (_: user: user) config.host.postgres.extraDatabases;
+in {
+  options = {
+    host.postgres = {
+      enable = lib.mkEnableOption "enable postgres";
+      extraUsers = lib.mkOption {
+        type = lib.types.attrsOf (lib.types.submodule ({name, ...}: {
+          options = {
+            name = lib.mkOption {
+              type = lib.types.str;
+              default = name;
+            };
+            isAdmin = lib.mkOption {
+              type = lib.types.bool;
+              default = false;
+            };
+            isClient = lib.mkOption {
+              type = lib.types.bool;
+              default = false;
+            };
+            createUser = lib.mkOption {
+              type = lib.types.bool;
+              default = false;
+            };
+          };
+        }));
+        default = {};
+      };
+      extraDatabases = lib.mkOption {
+        type = lib.types.attrsOf (lib.types.submodule ({name, ...}: {
+          options = {
+            name = lib.mkOption {
+              type = lib.types.str;
+              default = name;
+            };
+          };
+        }));
+        default = {};
+      };
+    };
+  };
+
+  config = lib.mkIf config.host.postgres.enable {
+    services = {
+      postgresql = {
+        enable = true;
+        package = pkgs.postgresql_16;
+        ensureUsers =
+          [
+            {
+              name = "postgres";
+            }
+          ]
+          ++ (
+            builtins.map (user: {
+              name = user.name;
+              ensureDBOwnership = true;
+            })
+            createUsers
+          );
+        ensureDatabases = builtins.map (database: database.name) createDatabases;
+        identMap =
+          ''
+            # ArbitraryMapName systemUser DBUser
+
+            # Administration Users
+            superuser_map      root      postgres
+            superuser_map      postgres  postgres
+          ''
+          + (
+            lib.strings.concatLines (builtins.map (user: "superuser_map      ${user.name}   postgres") adminUsers)
+          )
+          + ''
+
+            # Client Users
+          ''
+          + (
+            lib.strings.concatLines (builtins.map (user: "user_map      ${user.name}   ${user.name}") clientUsers)
+          );
+        # configuration here lets users access the db that matches their name and lets user postgres access everything
+        authentication = pkgs.lib.mkOverride 10 ''
+          # type database DBuser    origin-address auth-method   optional_ident_map
+          local  all      postgres                 peer          map=superuser_map
+          local  sameuser all                      peer          map=user_map
+        '';
+      };
+    };
+  };
+}