orm: install postgres

2025-03-07 22:02:34 +00:00 · 2025-03-07 22:02:34 +00:00 · 789324923b
parent 9760d4d3bc
commit 789324923b
1 changed files with 22 additions and 0 deletions
--- a/hosts/orm/default.nix
+++ b/hosts/orm/default.nix
@ -25,6 +25,7 @@
  randomcat.services.zfs.datasets = {
    "rpool_orm/state" = { mountpoint = "none"; };
    "rpool_orm/state/actual" = { mountpoint = "/var/lib/actual"; };
+    "rpool_orm/state/postgresql" = { mountpoint = "/var/lib/postgresql"; };
  };

  services.sanoid.datasets."rpool_orm/state" = {
@ -33,6 +34,27 @@
    process_children_only = true;
  };

+  services.postgresql = {
+    enable = true;
+    package = pkgs.postgresql_17;
+    dataDir = "/var/lib/postgresql/17";
+    # managing imperatively instead of using ensureDatabases/ensureUsers
+
+    enableTCPIP = true;
+    settings = {
+      port = 5432;
+      ssl = true;
+    };
+    # only allow remote connections from within birdsong vpn
+    # TODO: don't hardcode the IP addresses
+    authentication = pkgs.lib.mkOverride 10 ''
+      #type database  DBuser  auth-method
+      host  sameuser  all     10.127.0.0/16 scram-sha-256
+      host  sameuser  all     fd70:81ca:f8f::/48 scram-sha-256
+    '';
+  };
+  networking.firewall.interfaces."wg-birdsong".allowedTCPPorts = [ 5432 ];
+
  qenya.services.actual.enable = true;

  system.stateVersion = "23.11";