server: add forgejo and postgresql

2026-01-06 14:16:51 +01:00 · 2026-01-06 14:16:51 +01:00 · 6014ad7d7a
commit 6014ad7d7a
parent 27d347d3c8
8 changed files with 158 additions and 3 deletions
--- a/modules/common/nix.nix
+++ b/modules/common/nix.nix
@ -25,7 +25,7 @@ in {
      "cache.garnix.io:CTFPyKSLcx5RMJKfLo5EEPUObbA78b0YQ2DTCJXqr9g="
    ];

-    trusted-users = [ "thegeneralist" "central" "root" "@build" "@wheel" "@admin" "jellyfin" ];
+    trusted-users = [ "thegeneralist" "central" "root" "@build" "@wheel" "@admin" "jellyfin" "git" ];

    builders-use-substitutes = true;
  };
--- a/modules/postgresql.nix
+++ b/modules/postgresql.nix
@ -0,0 +1,44 @@
+# stolen from https://github.com/RGBCube/ncc/blob/94c349aa767f04f40ff4165c70c15ed3c3996f82/modules/postgresql.nix
+{ config, lib, pkgs, ... }: let
+  inherit (lib) flip mkForce mkOverride mkValue;
+in {
+  config.environment.systemPackages = [
+    config.services.postgresql.package
+  ];
+
+  options.services.postgresql.ensure = mkValue [];
+
+  config.services.postgresql = {
+    enable = true;
+    package = pkgs.postgresql_17;
+
+    enableJIT   = true;
+    enableTCPIP = true;
+
+    settings.listen_addresses = mkForce "::";
+    authentication            = mkOverride 10 /* ini */ ''
+      #     DATABASE USER        AUTHENTICATION
+      local all      all         peer
+
+      #     DATABASE USER ADDRESS AUTHENTICATION
+      host  all      all  ::/0    md5
+    '';
+
+    ensure = [ "postgres" "root" ];
+
+    initdbArgs      = [ "--locale=C" "--encoding=UTF8" ];
+    ensureDatabases = config.services.postgresql.ensure;
+
+    ensureUsers = flip map config.services.postgresql.ensure (name: {
+      inherit name;
+
+      ensureDBOwnership = true;
+
+      ensureClauses = {
+        login       = true;
+        superuser   = name == "postgres" || name == "root";
+      };
+    });
+  };
+}
+