refactor: postgresql

2026-02-09 12:29:19 -08:00 · 2024-01-13 12:42:41 -08:00 · 2024-01-13 12:42:41 -08:00 · 3d188ab76e
commit 3d188ab76e
parent a50966a8ea
8 changed files with 80 additions and 13 deletions
--- a/modules/nixos/home-assistant.nix
+++ b/modules/nixos/home-assistant.nix
@ -82,6 +82,9 @@ in {
            "200::/7"
            "100.64.0.0/10"
            "fd7a:115c:a1e0:ab12::/64"
+            "fd7a:115c:a1e0::/96"
+            "10.1.1.0/24"
+            "fd0a::/64"
            "::1"
          ];
        };
--- a/modules/nixos/postgres.nix
+++ b/modules/nixos/postgres.nix
@ -0,0 +1,47 @@
+{
+  config,
+  lib,
+  ...
+}: let
+  inherit (lib.modules) mkIf mkMerge mkOptionDefault mkDefault;
+  inherit (lib.options) mkOption mkEnableOption;
+  inherit (lib.lists) any;
+  cfg = config.services.postgresql;
+  ensureUserModule = { config, ... }: {
+    options = with lib.types; {
+      tailscale = {
+        allow = mkEnableOption "tailscale TCP connections";
+        database = mkOption {
+          type = str;
+        };
+      };
+    };
+    config = {
+      tailscale.database = mkIf (config.ensureDBOwnership) (
+        mkOptionDefault config.name
+      );
+    };
+  };
+in {
+  options.services.postgresql = with lib.types; {
+    ensureUsers = mkOption {
+      type = listOf (submodule ensureUserModule);
+    };
+  };
+  config.services.postgresql = {
+    enableTCPIP = mkIf (any (user: user.tailscale.allow) cfg.ensureUsers) (
+      mkDefault true
+    );
+    authentication = let
+      allowTail = { database, user }: ''
+        host ${database} ${user} fd7a:115c:a1e0::/96 md5
+        host ${database} ${user} fd7a:115c:a1e0:ab12::/64 md5
+        host ${database} ${user} 100.64.0.0/10 md5
+      '';
+    in mkMerge (map
+      (user: mkIf user.tailscale.allow (
+        allowTail { inherit (user.tailscale) database; user = user.name; }
+      )) cfg.ensureUsers
+    );
+  };
+}