sneeuwvlok/clanServices/peristence/default.nix

{
  lib,
  clanLib,
  exports,
  ...
}: let
  inherit (builtins) toString;
in {
  _class = "clan.service";
  manifest = {
    name = "arda/persistence";
    description = ''
      Configuration of persistence resrouce(s)
      (for now this means a database. and specifically it means postgres)
    '';
    readme = builtins.readFile ./README.md;
    exports = {
      inputs = ["persistence"];
      out = ["persistence"];
    };
  };

  roles.default = {
    description = '''';

    interface = {lib, ...}: let
      inherit (lib) mkOption types;
    in {
      options = {
        port = mkOption {
          type = types.port;
          default = 5432;
        };
      };
    };

    perInstance = {
      mkExports,
      machine,
      settings,
      ...
    }: let
      requested_databases =
        exports
        |> clanLib.selectExports (_scope: true)
        |> lib.mapAttrsToList (_: value: value.persistence.databases or [])
        |> lib.concatLists;
    in {
      exports = mkExports {
        persistence = {
          main = "postgresql";
          driver.postgresql = {
            host = "localhost";
            port = settings.port;
          };
        };
      };

      nixosModule = {
        lib,
        pkgs,
        config,
        ...
      }: {
        clan.core.vars.generators.postgresql = let
          password_files =
            requested_databases
            |> lib.map (db: [
              {
                name = "${db}_password";
                value = {
                  secret = true;
                  deploy = false;
                };
              }
            ])
            |> lib.concatLists
            |> lib.listToAttrs;
        in {
          files =
            {
              "server.crt" = {
                secret = true;
                deploy = true;
              };
              "server.key" = {
                secret = true;
                deploy = true;
              };
              ".pgpass" = {
                secret = true;
                deploy = true;

                owner = "postgres";
                group = "postgres";
                mode = "0600";
                restartUnits = ["postgresql.service"];
              };
            }
            // password_files;

          runtimeInputs = with pkgs; [openssl_3_5 pwgen];
          script = ''
            openssl req \
            -new -x509 -days 365 -nodes -text \
            -out $out/server.crt \
            -keyout $out/server.key \
            -subj "/CN=db.${config.networking.fqdn}"

            ${requested_databases
              |> lib.map (db: "pwgen -s 128 1 > $out/${db}_password")
              |> lib.join "\n"}

            cat << EOL > $out/.pgpass
            #host:port:database:user:password
            ${requested_databases
              |> lib.map (db: "*:${toString settings.port}:${db}:${db}:$(cat $out/${db}_password)")
              |> lib.join "\n"}
            EOL
          '';
        };

        systemd.services.postgresql.environment.PGPASSFILE = config.clan.core.vars.generators.postgresql.files.".pgpass".path;

        services = {
          postgresql = {
            enable = true;
            # enableTCPIP = true;

            settings = {
              port = settings.port;
              ssl = true;
            };

            ensureDatabases = requested_databases;
            ensureUsers =
              requested_databases
              |> lib.map (db: {
                name = db;
                ensureDBOwnership = true;
                ensureClauses = {
                  login = true;
                  connection_limit = 5;
                };
              });

            identMap = ''
              #map            sys user    db user
              superuser_map   root        postgres
              superuser_map   postgres    postgres
              superuser_map   /^(.+)$     \1
            '';

            authentication = ''
              # Generated file, do not edit!
              # type    database  user  auth-method   optional_ident_map
                local   sameuser  all   peer          map=superuser_map

              # TYPE    DATABASE  USER  ADDRESS       METHOD
              # local   all       all                 trust
                host    all       all   127.0.0.1/32  scram-sha-256
                host    all       all   ::1/128       scram-sha-256
            '';
          };
        };
      };
    };
  };
}