From 6d2850e78f93b93d110d4804afdcf94f4c9e4be9 Mon Sep 17 00:00:00 2001
From: Leyla Becker
Date: Thu, 2 Jan 2025 15:46:50 -0600
Subject: [PATCH] added postgres service

---
 modules/nixos-modules/server/default.nix | 1 +
 modules/nixos-modules/server/postgres.nix | 86 +++++++++++++++++++++++
 2 files changed, 87 insertions(+)
 create mode 100644 modules/nixos-modules/server/postgres.nix

diff --git a/modules/nixos-modules/server/default.nix b/modules/nixos-modules/server/default.nix
index 7e4d36b..9f06565 100644
--- a/modules/nixos-modules/server/default.nix
+++ b/modules/nixos-modules/server/default.nix
@@ -3,5 +3,6 @@
 ./network_storage
 ./reverse_proxy.nix
 ./jellyfin.nix
+ ./postgres.nix
 ];
 }
diff --git a/modules/nixos-modules/server/postgres.nix b/modules/nixos-modules/server/postgres.nix
new file mode 100644
index 0000000..2aae5fa
--- /dev/null
+++ b/modules/nixos-modules/server/postgres.nix
@@ -0,0 +1,86 @@
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}: {
+ options = {
+ host.postgres = {
+ enable = lib.mkEnableOption "enable postgres";
+ extraAdminUsers = lib.mkOption {
+ type = lib.types.attrsOf lib.types.submodule ({name, ...}: {
+ options = {
+ name = lib.mkOption {
+ type = lib.types.str;
+ default = name;
+ description = ''
+ What should this users name on the system be
+ '';
+ defaultText = lib.literalExpression "config.host.users.\${name}.name";
+ };
+ };
+ });
+ default = {};
+ };
+ extraDatabaseUsers = lib.mkOption {
+ type = lib.types.attrsOf lib.types.submodule ({name, ...}: {
+ options = {
+ name = lib.mkOption {
+ type = lib.types.str;
+ default = name;
+ description = ''
+ What should this users name on the system be
+ '';
+ defaultText = lib.literalExpression "config.host.users.\${name}.name";
+ };
+ };
+ });
+ default = {};
+ };
+ };
+ };
+
+ config = lib.mkIf config.host.postgres.enable {
+ services = {
+ postgresql = {
+ enable = true;
+ ensureUsers =
+ [
+ {
+ name = "postgres";
+ }
+ ]
+ + (lib.attrsets.mapAttrsToList (user: {
+ name = user.name;
+ ensureDBOwnership = true;
+ })
+ config.host.postgres.extraDatabaseUsers);
+ ensureDatabases = lib.attrsets.mapAttrsToList (user: user.name) config.host.postgres.extraDatabaseUsers;
+ identMap =
+ ''
+ # ArbitraryMapName systemUser DBUser
+
+ # Administration Users
+ superuser_map root postgres
+ superuser_map postgres postgres
+ ''
+ + (
+ lib.strings.concatLines (lib.attrsets.mapAttrsToList (user: "superuser_map ${user.name} postgres") config.host.postgres.extraAdminUsers)
+ )
+ + ''
+
+ # Client Users
+ ''
+ + (
+ lib.strings.concatLines (lib.attrsets.mapAttrsToList (user: "superuser_map ${user.name} ${user.name}") config.host.postgres.extraDatabaseUsers)
+ );
+ # configuration here lets users access the db that matches their name and lets user postgres access everything
+ authentication = pkgs.lib.mkOverride 10 ''
+ # type database DBuser origin-address auth-method optional_ident_map
+ local all postgres peer map=superuser_map
+ local sameuser all peer map=superuser_map
+ '';
+ };
+ };
+ };
+}
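Review bot: The `type` of both `extraAdminUsers` and `extraDatabaseUsers` is written `lib.types.attrsOf lib.types.submodule ({name, ...}: {...})`, which Nix parses left-to-right as `(lib.types.attrsOf lib.types.submodule) (...)` and so tries to call the attrset returned by `attrsOf` as a function; the submodule needs its own parentheses, `type = lib.types.attrsOf (lib.types.submodule ({name, ...}: { ... }));`. As far as the collapsed hunk shows, the `ensureUsers` list is then joined with a single `+ (lib.attrsets.mapAttrsToList ...)`, and `+` is not defined on lists in Nix, so that should be `++`; both errors only surface once `host.postgres.enable` is set, which is presumably why the module evaluates cleanly while unused. On the pg_hba side, `pkgs.lib.mkOverride 10` replaces the NixOS default `authentication` lines instead of appending to them, so no `host` rule remains and every TCP client, including 127.0.0.1, is rejected — a sound default, but it also silently discards any other module that sets `services.postgresql.authentication` at normal priority, so it deserves a comment such as `# mkOverride 10 intentionally drops the nixpkgs default 'local all all peer' and all host rules: only local peer auth via superuser_map is permitted`. Finally, the `defaultText` on both `name` options points at `config.host.users.\${name}.name` while the actual default is the attribute name, and the description should read `this user's name`.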