From 431a7e9767245dc25e4a7421bf6bca04a8810126 Mon Sep 17 00:00:00 2001
From: alejandro-angulo
Date: Sat, 14 Feb 2026 22:17:04 -0800
Subject: [PATCH] Setup postgresql for atticd

---
 modules/nixos/services/atticd/default.nix | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)

diff --git a/modules/nixos/services/atticd/default.nix b/modules/nixos/services/atticd/default.nix
index e78696e..48c9806 100644
--- a/modules/nixos/services/atticd/default.nix
+++ b/modules/nixos/services/atticd/default.nix
@@ -5,6 +5,7 @@
 ...
 }:
 let
+ attic_cfg = config.services.atticd;
 cfg = config.${namespace}.services.atticd;
 in
 {
@@ -22,6 +23,7 @@ in
 
 config = lib.mkIf cfg.enable {
 age.secrets.atticd.file = ../../../../secrets/atticd.age;
+
 services.atticd = {
 enable = true;
 # ATTIC_SERVER_TOKEN_RS256_SECRET_BASE64: The base64-encoded RSA PEM PKCS1 of the RS256 JWT secret. Generate it with openssl genrsa -traditional 4096 | base64 -w0.
@@ -39,9 +41,27 @@ in
 api-endpoint = "https://attic.kilonull.com/";
 listen = "[::]:8080";
 garbage-collection.retention-period = "30d";
+ database.url = "postgresql://atticd/?host=/run/postgresql";
 };
 };
 
+ services.postgresql = {
+ enable = true;
+ ensureDatabases = [ "atticd" ];
+ ensureUsers = [
+ {
+ name = attic_cfg.user;
+ ensureDBOwnership = true;
+ }
+ ];
+ identMap = ''
+ attic attic attic
+ '';
+ authentication = ''
+ local all attic peer map=attic
+ '';
+ };
+
 services.nginx = {
 enable = true;
 virtualHosts."attic.kilonull.com" = {
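Review bot: The `identMap` entry and the `authentication` rule in the new `services.postgresql` block hard-code the name `attic`, while the role created by `ensureUsers` is `attic_cfg.user` and the database is `atticd`. If the service account is `atticd` (as `ensureDBOwnership` next to that database name suggests), these two settings match no role created here and only leave an unused `local all attic peer map=attic` grant that covers every database. Either drop both and rely on the module's default local peer rule (confirm it is still in place), or tie the rule to the real account and a single database, e.g. `local atticd ${attic_cfg.user} peer`. It is also worth confirming that `postgresql://atticd/?host=/run/postgresql` selects the intended database, since `atticd` sits in the URL's host position and the path is empty; `postgresql:///atticd?host=/run/postgresql` states it explicitly. The enclosing `config = lib.mkIf cfg.enable { … }` block starts and ends outside this hunk.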