refactor(postgres): Split postgres module

2026-02-24 23:45:18 +08:00 · 2026-02-24 23:45:18 +08:00 · 2a9b08f1e6
commit 2a9b08f1e6
parent 13dc31c671
5 changed files with 105 additions and 103 deletions
--- a/configuration/default.nix
+++ b/configuration/default.nix
@ -1,4 +1,5 @@
 {
+  pkgs,
  lib,
  modulesPath,
  flake-inputs,
@ -53,6 +54,19 @@
    };

    logrotate.enable = true;
+
+    postgresql = {
+      package = pkgs.postgresql_14;
+      enable = true;
+
+      # Only enable connections via the unix socket, and check with the
+      # OS to make sure the user matches the database name.
+      #
+      # See https://www.postgresql.org/docs/current/auth-pg-hba-conf.html
+      authentication = ''
+        local sameuser all peer
+      '';
+    };
  };

  security = {
--- a/configuration/services/default.nix
+++ b/configuration/services/default.nix
@ -11,7 +11,6 @@
    ./ntfy-sh
    ./minecraft.nix
    ./nextcloud.nix
-    ./postgres.nix
    ./webserver.nix
    ./wireguard.nix
  ];
--- a/configuration/services/metrics/grafana.nix
+++ b/configuration/services/metrics/grafana.nix
@ -8,7 +8,8 @@ in
    443
  ];

-  services.grafana = {
+  services = {
+    grafana = {
      enable = true;
      settings = {
        server = {
@ -73,7 +74,18 @@ in
      };
    };

-  services.nginx.virtualHosts."${domain}" = {
+    postgresql = {
+      ensureUsers = [
+        {
+          name = "grafana";
+          ensureDBOwnership = true;
+        }
+      ];
+
+      ensureDatabases = [ "grafana" ];
+    };
+
+    nginx.virtualHosts."${domain}" = {
      forceSSL = true;
      useACMEHost = "tlater.net";
      enableHSTS = true;
@ -85,6 +97,7 @@ in
        };
      };
    };
+  };

  sops.secrets = {
    "grafana/adminPassword" = {
--- a/configuration/services/nextcloud.nix
+++ b/configuration/services/nextcloud.nix
@ -103,6 +103,17 @@ in
    };
  };

+  services.postgresql = {
+    ensureUsers = [
+      {
+        name = "nextcloud";
+        ensureDBOwnership = true;
+      }
+    ];
+
+    ensureDatabases = [ "nextcloud" ];
+  };
+
  # Ensure that this service doesn't start before postgres is ready
  systemd.services.nextcloud-setup.after = [ "postgresql.target" ];

--- a/configuration/services/postgres.nix
+++ b/configuration/services/postgres.nix
@ -1,35 +0,0 @@
-{ pkgs, ... }:
-{
-  services.postgresql = {
-    package = pkgs.postgresql_14;
-    enable = true;
-
-    # Only enable connections via the unix socket, and check with the
-    # OS to make sure the user matches the database name.
-    #
-    # See https://www.postgresql.org/docs/current/auth-pg-hba-conf.html
-    authentication = ''
-      local sameuser all peer
-    '';
-
-    # Note: The following options with ensure.* are set-only; i.e.,
-    # when permissions/users/databases are removed from these lists,
-    # that operation needs to be performed manually on the system as
-    # well.
-    ensureUsers = [
-      {
-        name = "grafana";
-        ensureDBOwnership = true;
-      }
-      {
-        name = "nextcloud";
-        ensureDBOwnership = true;
-      }
-    ];
-
-    ensureDatabases = [
-      "grafana"
-      "nextcloud"
-    ];
-  };
-}