databasus

2026-04-01 18:05:39 -05:00
parent 166123e8fe
commit acc683bac3
4 changed files with 40 additions and 0 deletions
--- a/modules/nixos/services/databasus/default.nix
+++ b/modules/nixos/services/databasus/default.nix
@@ -0,0 +1,23 @@
+{
+  lib,
+  config,
+  namespace,
+  ...
+}:
+let
+  cfg = config.${namespace}.services."databasus";
+in
+{
+  imports = [
+    (lib.${namespace}.mkContainerService {
+      inherit config;
+      name = "databasus";
+      image = "databasus/databasus";
+      internalPort = 4005;
+      volumes = [
+        "${cfg.configDir}/databasus:/databasus-data"
+      ];
+      environmentFiles = [ ];
+    })
+  ];
+}
--- a/systems/x86_64-linux/jallen-nas/apps.nix
+++ b/systems/x86_64-linux/jallen-nas/apps.nix
@@ -103,6 +103,11 @@ in
          envFile = config.sops.templates."ntfy.env".path;
        };
      };
+      databasus = {
+        enable = true;
+        port = 4005;
+        reverseProxy = enabled;
+      };
      dispatcharr = {
        enable = false;
        port = 9191;
--- a/systems/x86_64-linux/jallen-nas/nas-defaults.nix
+++ b/systems/x86_64-linux/jallen-nas/nas-defaults.nix
@@ -46,6 +46,7 @@ in
      "collabora"
      "coturn"
      "crowdsec"
+      "databasus"
      "dispatcharr"
      "free-games-claimer"
      "gitea"
--- a/systems/x86_64-linux/jallen-nas/services.nix
+++ b/systems/x86_64-linux/jallen-nas/services.nix
@@ -29,6 +29,13 @@ in
          GRANT EXECUTE ON ALL FUNCTIONS IN SCHEMA public TO sparkyfitness;
          GRANT EXECUTE ON ALL FUNCTIONS IN SCHEMA pg_catalog TO sparkyfitness;
        "
+
+        psql -c "
+          ALTER ROLE databasus WITH PASSWORD 'databasus';
+          ALTER ROLE databasus BYPASSRLS;
+          GRANT CONNECT ON DATABASE nextcloud TO databasus;
+          GRANT pg_read_all_data TO databasus;
+        "
      '';
    };
  };
@@ -99,6 +106,9 @@ in
          name = "suggestarr";
          ensureDBOwnership = true;
        }
+        {
+          name = "databasus";
+        }
      ];
      # pg_hba.conf — use lib.mkForce to replace the module defaults entirely.
      #
@@ -124,6 +134,7 @@ in

        # Podman container network — suggestarr server connects via host LAN IP
        host    suggestarr      suggestarr        10.88.0.0/16         scram-sha-256
+        host    all             databasus         10.88.0.0/16         scram-sha-256
      '';

      # identMap — maps OS usernames to PostgreSQL usernames for peer auth.