modules/postgres.nix

{ lib, config, pkgs, ... }: {
  services.postgresql = {
    enable = true;

    package = pkgs.postgresql;
    settings = {
      log_connections = true;
      logging_collector = true;
      log_disconnections = true;
      log_destination = lib.mkForce "syslog";
    };

    ensureDatabases = [
      "vaultwarden"
      "gerrit"
      "privatebin"
      "keycloak"
      "nextcloud"
    ];

    ensureUsers = [
      {
        name = "clicks_grafana";
        ensurePermissions = {
          "ALL TABLES IN SCHEMA public" = "SELECT";
          "SCHEMA public" = "USAGE";
        };
      }
      {
        name = "synapse";
        ensurePermissions = {
          "DATABASE synapse" = "ALL PRIVILEGES";
        };
      }
      {
        name = "keycloak";
        ensurePermissions = {
          "DATABASE keycloak" = "ALL PRIVILEGES";
        };
      }
      {
        name = "gerrit";
        ensurePermissions = {
          "DATABASE gerrit" = "ALL PRIVILEGES";
        };
      }
      {
        name = "vaultwarden";
        ensurePermissions = {
          "DATABASE vaultwarden" = "ALL PRIVILEGES";
        };
      }
      {
        name = "privatebin";
        ensurePermissions = {
          "DATABASE privatebin" = "ALL PRIVILEGES";
        };
      }
      {
        name = "nextcloud";
        ensurePermissions = {
          "DATABASE nextcloud" = "ALL PRIVILEGES";
        };
      }
    ] ++ (map
      (name: (
        {
          inherit name;
          ensurePermissions = { "ALL TABLES IN SCHEMA public" = "ALL PRIVILEGES"; };
        }
      )) [ "minion" "coded" "pinea" ]);

  };

  systemd.services.postgresql.postStart = lib.mkMerge [
    (
      let
        database = "synapse";
        cfg = config.services.postgresql;
      in
      lib.mkBefore (
        ''
          PSQL="psql --port=${toString cfg.port}"

          while ! $PSQL -d postgres -c "" 2> /dev/null; do
              if ! kill -0 "$MAINPID"; then exit 1; fi
              sleep 0.1
          done

          $PSQL -tAc "SELECT 1 FROM pg_database WHERE datname = '${database}'" | grep -q 1 || $PSQL -tAc 'CREATE DATABASE "${database}" WITH LC_CTYPE="C" LC_COLLATE="C" TEMPLATE="template0"'
        ''
      ) # synapse needs C collation, so we can't use ensureDatabases for it
    )
    (lib.mkAfter (lib.pipe [
      { user = "clicks_grafana"; passwordFile = config.sops.secrets.clicks_grafana_db_password.path; }
      { user = "keycloak"; passwordFile = config.sops.secrets.clicks_keycloak_db_password.path; }
      { user = "gerrit"; passwordFile = config.sops.secrets.clicks_gerrit_db_password.path; }
      { user = "vaultwarden"; passwordFile = config.sops.secrets.clicks_bitwarden_db_password.path; }
      { user = "privatebin"; passwordFile = config.sops.secrets.clicks_privatebin_db_password.path; }
      { user = "nextcloud"; passwordFile = config.sops.secrets.clicks_nextcloud_db_password.path; }
    ] [
      (map (userData: ''
        $PSQL -tAc "ALTER USER ${userData.user} PASSWORD '$(cat ${userData.passwordFile})';"
      ''))
      (lib.concatStringsSep "\n")
    ]))
  ];

  sops.secrets = lib.pipe [
    "clicks_grafana_db_password"
    "clicks_keycloak_db_password"
    "clicks_gerrit_db_password"
    "clicks_bitwarden_db_password"
    "clicks_privatebin_db_password"
    "clicks_nextcloud_db_password"
  ] [
    (map (name: {
      inherit name;
      value = {
        mode = "0400";
        owner = config.services.postgresql.superUser;
        group = config.users.users.${config.services.postgresql.superUser}.group;
        sopsFile = ../secrets/postgres.json;
        format = "json";
      };
    }))
    builtins.listToAttrs
  ];
}