nixos/shill: Add postgres container

2022-06-06 17:52:36 +01:00
parent 3ec00b60f5
commit 646b582984
9 changed files with 121 additions and 36 deletions
--- a/nixos/boxes/colony/vms/shill/containers/colony-psql.nix
+++ b/nixos/boxes/colony/vms/shill/containers/colony-psql.nix
@@ -0,0 +1,69 @@
+{ lib, ... }: {
+  nixos.systems.colony-psql = {
+    system = "x86_64-linux";
+    nixpkgs = "mine";
+
+    assignments = {
+      internal = {
+        name = "colony-psql-ctr";
+        domain = lib.my.colony.domain;
+        ipv4.address = "${lib.my.colony.start.ctrs.v4}4";
+        ipv6 = {
+          iid = "::4";
+          address = "${lib.my.colony.start.ctrs.v6}4";
+        };
+      };
+    };
+
+    configuration = { lib, pkgs, config, assignments, ... }:
+    let
+      inherit (lib) mkMerge mkIf;
+      inherit (lib.my) networkdAssignment;
+    in
+    {
+      config = mkMerge [
+        {
+          my = {
+            deploy.enable = false;
+            server.enable = true;
+
+            secrets = {
+              key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICkly/tnPmoX05lDjEpQOkllPqYA0PY92pOKqvx8Po02";
+            };
+
+            firewall = {
+              tcp.allowed = [ 5432 ];
+            };
+          };
+
+          systemd = {
+            network.networks."80-container-host0" = networkdAssignment "host0" assignments.internal;
+          };
+
+          services = {
+            postgresql = {
+              package = pkgs.postgresql_14;
+              enable = true;
+              enableTCPIP = true;
+              ensureUsers = [
+                {
+                  name = "root";
+                  ensurePermissions = {
+                    "ALL TABLES IN SCHEMA public" = "ALL PRIVILEGES";
+                  };
+                }
+              ];
+            };
+          };
+        }
+        (mkIf config.my.build.isDevVM {
+          virtualisation = {
+            forwardPorts = [
+              { from = "host"; host.port = 55432; guest.port = 5432; }
+            ];
+          };
+        })
+      ];
+    };
+  };
+}
--- a/nixos/boxes/colony/vms/shill/containers/default.nix
+++ b/nixos/boxes/colony/vms/shill/containers/default.nix
@@ -2,5 +2,6 @@
  imports = [
    ./middleman
    ./vaultwarden.nix
+    ./colony-psql.nix
  ];
 }
--- a/nixos/boxes/colony/vms/shill/default.nix
+++ b/nixos/boxes/colony/vms/shill/default.nix
@@ -101,6 +101,7 @@
              }) {
                middleman = {};
                vaultwarden = {};
+                colony-psql = {};
              };
            };
          }
--- a/nixos/modules/tmproot.nix
+++ b/nixos/modules/tmproot.nix
@@ -235,6 +235,16 @@ in
          }
        ];
      })
+      (mkIf config.services.postgresql.enable {
+        my.tmproot.persistence.config.directories = [
+          {
+            directory = "/var/lib/postgresql";
+            mode = "0750";
+            user = "postgres";
+            group = "postgres";
+          }
+        ];
+      })
      (mkIf config.my.build.isDevVM {
        fileSystems = mkVMOverride {
          # Hijack the "root" device for persistence in the VM