# The database service of choice. Most services can use this so far
# (thankfully).
{ config, lib, pkgs, ... }:
let
hostCfg = config.hosts.plover;
cfg = hostCfg.services.database;
postgresqlDomain = "postgres.${config.networking.domain}";
in
{
options.hosts.plover.services.database.enable =
lib.mkEnableOption "preferred service SQL database";
config = lib.mkIf cfg.enable (lib.mkMerge [
{
state.ports.postgresql.value = 5432;
services.postgresql = {
enable = true;
package = pkgs.postgresql_16;
enableTCPIP = true;
settings =
let
credsDir = path: "/run/credentials/postgresql.service/${path}";
in
{
port = config.state.ports.postgresql.value;
# Still doing the secure schema usage pattern.
search_path = ''"$user"'';
ssl_cert_file = credsDir "cert.pem";
ssl_key_file = credsDir "key.pem";
ssl_ca_file = credsDir "fullchain.pem";
};
};
# With a database comes a dumping.
services.postgresqlBackup = {
enable = true;
compression = "zstd";
compressionLevel = 11;
# Start at every 3 days starting from the first day of the month.
startAt = "*-*-1/3";
};
# Setting this up for TLS.
systemd.services.postgresql = {
requires = [ "acme-finished-${postgresqlDomain}.target" ];
serviceConfig.LoadCredential =
let
certDirectory = config.security.acme.certs."${postgresqlDomain}".directory;
certCredentialPath = path: "${path}:${certDirectory}/${path}";
in
[
(certCredentialPath "cert.pem")
(certCredentialPath "key.pem")
(certCredentialPath "fullchain.pem")
];
};
security.acme.certs."${postgresqlDomain}".postRun = ''
systemctl restart postgresql.service
'';
}
(lib.mkIf hostCfg.services.backup.enable {
# Add the dumps to be backed up.
services.borgbackup.jobs.services-backup.paths = [ config.services.postgresqlBackup.location ];
})
]);
}