From 5e32e33ca7509f01c6dc4019f4bcea224a0c05cb Mon Sep 17 00:00:00 2001
From: TNE
Date: Thu, 14 Nov 2024 07:33:29 +0100
Subject: [PATCH] feat(postgres): Expose chaotic-router database to web

---
 nixos/hosts/immortalis/containers.nix | 5 +++++
 nixos/hosts/postgres.nix | 18 +++++++++++++++---
 nixos/modules/common.nix | 3 ++-
 3 files changed, 22 insertions(+), 4 deletions(-)

diff --git a/nixos/hosts/immortalis/containers.nix b/nixos/hosts/immortalis/containers.nix
index 197b4ad6..a5e1c806 100644
--- a/nixos/hosts/immortalis/containers.nix
+++ b/nixos/hosts/immortalis/containers.nix
@@ -309,6 +309,11 @@
 hostPort = 229;
 protocol = "tcp";
 }
+ {
+ containerPort = 5432;
+ hostPort = 5432;
+ protocol = "tcp";
+ }
 ];
 ephemeral = lib.mkForce true;
 };
diff --git a/nixos/hosts/postgres.nix b/nixos/hosts/postgres.nix
index dab88601..091e8a6a 100644
--- a/nixos/hosts/postgres.nix
+++ b/nixos/hosts/postgres.nix
@@ -36,6 +36,7 @@ in
 "lemmy"
 "mastodon"
 "wikijs"
+ "chaotic-aur"
 ];
 ensureUsers = [
 {
@@ -54,14 +55,25 @@ in
 name = "pgadmin";
 ensureClauses.superuser = true;
 }
+ {
+ name = "chaotic-router";
+ }
 ];
 initialScript = pkgs.writeText "backend-initScript" ''
 CREATE USER netdata;
 GRANT pg_monitor TO netdata;
 '';
- authentication = "host all all 10.0.5.0/24 md5";
- # We don't need to worry about different interfaces, because the only interface
- # available is eth0, which is fully isolated
+ authentication = lib.mkForce ''
+ local all all peer
+ host chaotic-aur chaotic-router 0.0.0.0/0 scram-sha-256
+ # Reject anything else coming from the outside world somehow someway
+ host all all 10.0.5.1/32 reject
+ # Allow connections from the internal network
+ host all all 10.0.5.0/24 md5
+ # Block the rest of the internet
+ host all all 0.0.0.0/0 reject
+ '';
+ # This is publically accesible now through port 5432, however only the chaotic-router user can access the database through the internet
 enableTCPIP = true;
 };
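Review bot: The new forward `containerPort = 5432; hostPort = 5432;` binds the container's PostgreSQL port on the host without any source restriction, so the pg_hba rules in postgres.nix become the only access control on that port. If the host firewall is not already filtering 5432 (not visible here), consider pairing this entry with a host-level allowlist of the addresses chaotic-router actually connects from, or at least record the intent beside the entry: `# PostgreSQL: exposed for the chaotic-router user only; access is gated by pg_hba in postgres.nix`. The enclosing container definition begins outside the hunk.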
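Review bot: The externally reachable rule `host chaotic-aur chaotic-router 0.0.0.0/0 scram-sha-256` accepts non-TLS connections, so a session from the internet can carry query traffic in cleartext even though SCRAM protects the password itself; changing it to `hostssl chaotic-aur chaotic-router 0.0.0.0/0 scram-sha-256` (with `ssl` enabled in the server settings) makes plain-TCP attempts fall through to the later reject rules. The `0.0.0.0/0` entries only match IPv4, so an IPv6 client would hit the implicit reject — add `::/0` counterparts if that is meant to work. `lib.mkForce` also replaces the module's default loopback entries, so any TCP client on 127.0.0.1 or ::1 now matches the final reject; confirm nothing on the host (netdata, for instance) connects that way rather than over the socket. Nothing in the hunk provisions a password for the new `chaotic-router` user, so the rule fails closed until one is set elsewhere, which the trailing comment could say while fixing its spelling: `# Publicly accessible on port 5432; only chaotic-router (password set out of band) may connect from the internet`. The enclosing attribute set (presumably services.postgresql) begins outside the hunk.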
diff --git a/nixos/modules/common.nix b/nixos/modules/common.nix
index 4f84b114..e228f0c0 100644
--- a/nixos/modules/common.nix
+++ b/nixos/modules/common.nix
@@ -2,6 +2,7 @@
 , garuda-lib
 , lib
 , pkgs
+, inputs
 , ...
 }:
 {
@@ -164,7 +165,7 @@
 substituters = [ "https://garuda-linux.cachix.org" ];
 trusted-public-keys = lib.mkAfter [ "garuda-linux.cachix.org-1:tWw7YBE6qZae0L6BbyNrHo8G8L4sHu5QoDp0OXv70bg=" ];
 };
-
+ nixPath = [ "nixpkgs=${inputs.nixpkgs}" ];
 package = pkgs.lix;
 };
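Review bot: The new `nixPath = [ "nixpkgs=${inputs.nixpkgs}" ];` line carries no comment on why `<nixpkgs>` is being pinned to the flake input, and it takes the place of the blank line that separated the `settings` block from `package`, so the intent is easy to lose; a short why-comment would help, e.g. `# Make <nixpkgs> in legacy (non-flake) tooling resolve to the same pinned nixpkgs the flake uses`. The enclosing attribute set (presumably `nix`) begins and ends outside the hunk.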