authorGriffin Smith <grfn@gws.fyi>2020-07-26T19·41-0400
committerglittershark <grfn@gws.fyi>2020-07-27T21·04+0000
commit69f402563a14d4b668980e4228d033d80e3bb05d (patch)
tree856d583b84062fb37035e47b5bd873ca91b08916 /ops
parent80ff83e6986f9c569f1f55b02337ab29fb97e7ca (diff)
feat(whitby): Create a Postgres database for Panettone r/1494
Create a running Postgres database server along with a user and database
for Panettone, and pass configuration for it to the panettone module

Change-Id: I333994288131be328e62069382d6d40f8034c400
Reviewed-on: https://cl.tvl.fyi/c/depot/+/1466
Tested-by: BuildkiteCI
Reviewed-by: tazjin <mail@tazj.in>
Diffstat (limited to 'ops')
-rw-r--r--ops/nixos/panettone.nix43
-rw-r--r--ops/nixos/whitby/default.nix28
2 files changed, 70 insertions, 1 deletions
diff --git a/ops/nixos/panettone.nix b/ops/nixos/panettone.nix
index 009677a9d3..3d31d79caf 100644
--- a/ops/nixos/panettone.nix
+++ b/ops/nixos/panettone.nix
@@ -12,9 +12,49 @@ in {
       type = types.int;
       default = 7268;
     };
+
+    dbHost = mkOption {
+      description = "Postgresql host to connect to for Panettone";
+      type = types.string;
+      default = "localhost";
+    };
+
+    dbName = mkOption {
+      description = "Name of the database for Panettone";
+      type = types.string;
+      default = "panettone";
+    };
+
+    dbUser = mkOption {
+      description = "Name of the database user for Panettone";
+      type = types.string;
+      default = "panettone";
+    };
   };
 
   config = lib.mkIf cfg.enable {
+    assertions = [{
+      assertion =
+        cfg.dbHost != "localhost" || config.services.postgresql.enable;
+      message = "Panettone requires a postgresql database";
+    } {
+      assertion =
+        cfg.dbHost != "localhost" || config.services.postgresql.enableTCPIP;
+      message = "Panettone can only connect to the postgresql database over TCP";
+    } {
+      assertion =
+        cfg.dbHost != "localhost" || (lib.any
+          (user: user.name == cfg.dbUser)
+          config.services.postgresql.ensureUsers);
+      message = "Panettone requires a database user";
+    } {
+      assertion =
+        cfg.dbHost != "localhost" || (lib.any
+          (db: db == cfg.dbName)
+          config.services.postgresql.ensureDatabases);
+      message = "Panettone requires a database";
+    }];
+
     systemd.services.panettone = {
       wantedBy = [ "multi-user.target" ];
       script = "${depot.web.panettone}/bin/panettone";
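Review bot: The second assertion makes `services.postgresql.enableTCPIP` mandatory whenever `dbHost` is `"localhost"`, but per the nixpkgs option description that switch controls whether Postgres listens on all network interfaces; TCP connections to localhost are accepted with it off. As written, every host that enables this module is pushed toward binding the database port on external interfaces for no functional gain, so I would drop that assertion or replace it with a comment explaining why it is needed. Separately, the three new options use `types.string`, which nixpkgs deprecates in favour of `types.str`.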
@@ -28,6 +68,9 @@ in {
       environment = {
         PANETTONE_PORT = toString cfg.port;
         PANETTONE_DATA_DIR = "/var/lib/panettone";
+        PGHOST = "localhost";
+        PGUSER = cfg.dbUser;
+        PGDATABASE = cfg.dbName;
       };
     };
   };
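Review bot: `PGHOST` is hard-coded to `"localhost"`, so the `dbHost` option declared earlier in this file never reaches the service, while all four assertions are skipped as soon as `dbHost` differs from `"localhost"`. A host that sets `dbHost` to a remote server would evaluate cleanly with none of the local database checks applied and still connect to localhost. Use `PGHOST = cfg.dbHost;` so the option and the assertions describe the same connection. The `systemd.services.panettone` block begins outside this hunk.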
diff --git a/ops/nixos/whitby/default.nix b/ops/nixos/whitby/default.nix
index a56f43786f..075e9505dc 100644
--- a/ops/nixos/whitby/default.nix
+++ b/ops/nixos/whitby/default.nix
@@ -217,9 +217,35 @@ in lib.fix(self: {
     sourcegraph.enable = true;
 
     # Run the Panettone issue tracker
-    panettone.enable = true;
+    panettone = {
+      enable = true;
+      dbUser = "panettone";
+      dbName = "panettone";
+    };
+  };
+
+  services.postgresql = {
+    enable = true;
+    enableTCPIP = true;
+
+    authentication = lib.mkOverride 10 ''
+      local all all trust
+      host all all ::1/128 trust
+    '';
+
+    ensureDatabases = [
+      "panettone"
+    ];
+
+    ensureUsers = [{
+      name = "panettone";
+      ensurePermissions = {
+        "DATABASE panettone" = "ALL PRIVILEGES";
+      };
+    }];
   };
 
+
   environment.systemPackages = with nixpkgs; [
     bb
     curl
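Review bot: The `authentication` override grants `trust` to `all` databases and `all` users on both the Unix socket and `::1/128`, so any local account or process on this machine can connect as any role, the `postgres` superuser included, without presenting a credential. Narrow the rules to what Panettone needs, for example `host panettone panettone ::1/128 trust` together with `local all all peer` for administration, or move the host line to password authentication. `enableTCPIP = true` also makes the server listen on all interfaces; the pg_hba rules here reject non-loopback clients, but the port stays reachable unless a firewall (not visible in this hunk) blocks it, and loopback TCP should work with the option left off.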