feat: refactored database configuration

2025-10-27 03:55:09 -05:00 · 2025-10-27 03:55:09 -05:00 · f9c27c82b6
commit f9c27c82b6
parent e57c1df6e5
8 changed files with 229 additions and 204 deletions
--- a/modules/nixos-modules/server/postgres/impermanence.nix
+++ b/modules/nixos-modules/server/postgres/impermanence.nix
@ -5,7 +5,7 @@
 }: let
  dataDir = "/var/lib/postgresql/16";
 in {
-  config = lib.mkIf (config.host.postgres.enable && config.host.impermanence.enable) {
+  config = lib.mkIf (config.services.postgresql.enable && config.host.impermanence.enable) {
    assertions = [
      {
        assertion = config.services.postgresql.dataDir == dataDir;
--- a/modules/nixos-modules/server/postgres/postgres.nix
+++ b/modules/nixos-modules/server/postgres/postgres.nix
@ -4,70 +4,94 @@
  pkgs,
  ...
 }: let
-  adminUsers = lib.lists.filter (user: user.isAdmin) (lib.attrsets.mapAttrsToList (_: user: user) config.host.postgres.extraUsers);
-  clientUsers = lib.lists.filter (user: user.isClient) (lib.attrsets.mapAttrsToList (_: user: user) config.host.postgres.extraUsers);
-  createUsers = lib.lists.filter (user: user.createUser) (lib.attrsets.mapAttrsToList (_: user: user) config.host.postgres.extraUsers);
-  createDatabases = lib.attrsets.mapAttrsToList (_: user: user) config.host.postgres.extraDatabases;
+  enabledDatabases = lib.filterAttrs (_: db: db.enable) config.services.postgresql.databases;
+  extraDatabasesList = config.services.postgresql.extraDatabases;
+
+  serviceDatabaseUsers = lib.mapAttrsToList (_: db: {
+    name = db.user;
+    ensureDBOwnership = true;
+  }) (lib.filterAttrs (_: db: db.ensureUser) enabledDatabases);
+
+  extraDatabaseUsers =
+    builtins.map (dbName: {
+      name = dbName;
+      ensureDBOwnership = true;
+    })
+    extraDatabasesList;
+
+  serviceDatabases = lib.mapAttrsToList (_: db: db.database) enabledDatabases;
+  extraDatabaseNames = extraDatabasesList;
+
+  serviceUserMappings = lib.mapAttrsToList (_: db: "user_map      ${db.user}   ${db.user}") enabledDatabases;
+  extraUserMappings = builtins.map (dbName: "user_map      ${dbName}   ${dbName}") extraDatabasesList;
+
+  builtinServiceMappings = let
+    forgejoMapping = lib.optional (config.services.forgejo.enable && config.services.forgejo.database.type == "postgres") "user_map      forgejo   forgejo";
+    immichMapping = lib.optional (config.services.immich.enable && config.services.immich.database.enable) "user_map      immich   immich";
+    paperlessMapping = lib.optional (config.services.paperless.enable && config.services.paperless.database.createLocally) "user_map      paperless   paperless";
+  in
+    forgejoMapping ++ immichMapping ++ paperlessMapping;
 in {
  options = {
-    host.postgres = {
-      enable = lib.mkEnableOption "enable postgres";
-      extraUsers = lib.mkOption {
+    services.postgresql = {
+      databases = lib.mkOption {
        type = lib.types.attrsOf (lib.types.submodule ({name, ...}: {
          options = {
-            name = lib.mkOption {
+            enable = lib.mkOption {
+              type = lib.types.bool;
+              default = false;
+              description = "Whether to create this database and user";
+            };
+            user = lib.mkOption {
              type = lib.types.str;
              default = name;
+              description = "Database user name";
            };
-            isAdmin = lib.mkOption {
-              type = lib.types.bool;
-              default = false;
+            database = lib.mkOption {
+              type = lib.types.str;
+              default = name;
+              description = "Database name";
            };
-            isClient = lib.mkOption {
+            ensureUser = lib.mkOption {
              type = lib.types.bool;
-              default = false;
-            };
-            createUser = lib.mkOption {
-              type = lib.types.bool;
-              default = false;
+              default = true;
+              description = "Whether to ensure the user exists";
            };
          };
        }));
        default = {};
+        description = "Databases to create for services";
      };
+
      extraDatabases = lib.mkOption {
-        type = lib.types.attrsOf (lib.types.submodule ({name, ...}: {
-          options = {
-            name = lib.mkOption {
-              type = lib.types.str;
-              default = name;
-            };
-          };
-        }));
-        default = {};
+        type = lib.types.listOf lib.types.str;
+        default = [];
+        description = "Additional databases to create (user name will match database name)";
+        example = ["custom_db" "test_db"];
+      };
+
+      adminUsers = lib.mkOption {
+        type = lib.types.listOf lib.types.str;
+        default = [];
+        description = "System users who should have PostgreSQL superuser access";
+        example = ["leyla" "admin"];
      };
    };
  };

-  config = lib.mkIf config.host.postgres.enable {
+  config = lib.mkIf config.services.postgresql.enable {
    services = {
      postgresql = {
-        enable = true;
        package = pkgs.postgresql_16;
+
        ensureUsers =
          [
-            {
-              name = "postgres";
-            }
+            {name = "postgres";}
          ]
-          ++ (
-            builtins.map (user: {
-              name = user.name;
-              ensureDBOwnership = true;
-            })
-            createUsers
-          );
-        ensureDatabases = builtins.map (database: database.name) createDatabases;
+          ++ serviceDatabaseUsers ++ extraDatabaseUsers;
+
+        ensureDatabases = serviceDatabases ++ extraDatabaseNames;
+
        identMap =
          ''
            # ArbitraryMapName systemUser DBUser
@ -77,16 +101,16 @@ in {
            superuser_map      postgres  postgres
          ''
          + (
-            lib.strings.concatLines (builtins.map (user: "superuser_map      ${user.name}   postgres") adminUsers)
+            lib.strings.concatLines (builtins.map (user: "superuser_map      ${user}   postgres") config.services.postgresql.adminUsers)
          )
          + ''

            # Client Users
          ''
          + (
-            lib.strings.concatLines (builtins.map (user: "user_map      ${user.name}   ${user.name}") clientUsers)
+            lib.strings.concatLines (serviceUserMappings ++ extraUserMappings ++ builtinServiceMappings)
          );
-        # configuration here lets users access the db that matches their name and lets user postgres access everything
+
        authentication = pkgs.lib.mkOverride 10 ''
          # type database DBuser    origin-address auth-method   optional_ident_map
          local  all      postgres                 peer          map=superuser_map