From 43baf205dcb4dbde2d781af82f624abbda746b5b Mon Sep 17 00:00:00 2001
From: Tobias Reisinger
Date: Sat, 28 Sep 2024 01:59:53 +0200
Subject: [PATCH] Add postgresql provider
---
.terraform.lock.hcl | 159 +++++++++++++++++++-----------
hosts.auto.tfvars | 24 +++++
inventory/group_vars/all/main.yml | 4 +-
main.tf | 14 +++
output.tf | 11 +++
postgresql.tf | 23 +++++
roles/forgejo/vars/main.yml | 4 +-
roles/linkwarden/vars/main.yml | 4 +-
scaleway.tf | 14 ++-
secrets.auto.tfvars.example | 3 +
services.auto.tfvars | 12 +++
variables.tf | 56 ++++------
12 files changed, 221 insertions(+), 107 deletions(-)
create mode 100644 hosts.auto.tfvars
create mode 100644 postgresql.tf
create mode 100644 services.auto.tfvars
diff --git a/.terraform.lock.hcl b/.terraform.lock.hcl
index e7e7ec1..bf938bd 100644
--- a/.terraform.lock.hcl
+++ b/.terraform.lock.hcl
@@ -1,6 +1,45 @@ # This file is maintained automatically by "tofu init". # Manual edits may be lost in future updates. +provider "registry.opentofu.org/cyrilgdn/postgresql" { + version = "1.23.0" + constraints = "~> 1.23" + hashes = [ + "h1:LxsIoeIkUhmlyKUwhWKLsRBm6Ho4j/O4GdxgxjfOm0A=", + "zh:0bea106d7ffc7058a9a03359d2d973dd2b10f357a751ad7ead34e919af963adc", + "zh:11758b27f60d74232a8a1b2cf2053ab27a7f060f1893fa773353425f295f6085", + "zh:278605be3cbcaab43598ccbe1152956691e7af41e3c105034b1f3f643362f8c0", + "zh:2d14614d58fc46a545e238b2fcdb4229cba6c2dcdbf499f287f0823527dc70a4", + "zh:3002900c6425240013b6eb20ad4450e7d7ed95c79b29ad4a7cf004c1fec4d91b", + "zh:418213529b21a6a54e093dadb2d04348b1f5ae486b6682e1fdfd799351ab0063", + "zh:46f82a470e07d6ca6eea4a5ca3f9bb9774bf65ed8f95891214d7cefb9abe76cb", + "zh:596b9d5233dc0efee067a2f243969b2c380616e38d4ca4cc35c6f95fd03ea30d", + "zh:74413ba9ffed3acd0574c26935e758360524693690d331d497fd2bf6742abd90", + "zh:7ff43a55325fd22b78fb3320ad651906314465af9f05c8eb026a63ca18b6f80b", + "zh:8f1bbc5d1a4c84cee294b4a7365f888ab1c8fd86c57bd965d89d026846a1ccd9", + "zh:b5ef4a4aa245e9d47fc2ba6b9ab5471e02ccabbdc3999fb2f603f26715d115ae", + "zh:d6da2968454febfa01de7b4197f5919e4faa04ab0f82e8793bd1c85a101d7c11", + "zh:fbebc34e03af57afcc4110768af733a9b71a540f32bf2c8f61783684b1f00e2a", + ] +} + +provider "registry.opentofu.org/hashicorp/random" { + version = "3.6.3" + hashes = [ + "h1:Ry0Lr0zaoicslZlcUR4rAySPpl/a7QupfMfuAxhW3fw=", + "zh:1bfd2e54b4eee8c761a40b6d99d45880b3a71abc18a9a7a5319204da9c8363b2", + "zh:21a15ac74adb8ba499aab989a4248321b51946e5431219b56fc827e565776714", + "zh:221acfac3f7a5bcd6cb49f79a1fca99da7679bde01017334bad1f951a12d85ba", + "zh:3026fcdc0c1258e32ab519df878579160b1050b141d6f7883b39438244e08954", + "zh:50d07a7066ea46873b289548000229556908c3be746059969ab0d694e053ee4c", + "zh:54280cdac041f2c2986a585f62e102bc59ef412cad5f4ebf7387c2b3a357f6c0", + "zh:632adf40f1f63b0c5707182853c10ae23124c00869ffff05f310aef2ed26fcf3", + 
"zh:b8c2876cce9a38501d14880a47e59a5182ee98732ad7e576e9a9ce686a46d8f5", + "zh:f27e6995e1e9fe3914a2654791fc8d67cdce44f17bf06e614ead7dfd2b13d3ae", + "zh:f423f2b7e5c814799ad7580b5c8ae23359d8d342264902f821c357ff2b3c6d3d", + ] +} + provider "registry.opentofu.org/hashicorp/template" { version = "2.2.0" hashes = [ 
@@ -14,19 +53,19 @@ provider "registry.opentofu.org/hashicorp/template" { } provider "registry.opentofu.org/hashicorp/time" { - version = "0.12.0" + version = "0.12.1" hashes = [ - "h1:Om7xF0GgRkBsAjKis3RAFXQJKmHgnO04C+PEScF/xTM=", - "zh:01b7ac8203eb7ed712a356215e44f8851b96ddcfdf63b13ff9f870f799667059", - "zh:06c4420bdb964209eb119f1740575df7b8ac44a3b5d71631dae2962a155f58b7", - "zh:2534d1d04ca934e25426ab5bb0b29a57a95c676f70b154bfb382d58bf1e6f6c9", - "zh:340de6c71a1090f13ab5c429ca2134c12189e8b86c2b104859e82eb30eea9772", - "zh:561a2780f7fb1b0a9092c59c4eb3e3d8c3ec9cecddc9214ae92fdc941c3bd2e7", - "zh:65b1a982617375123bc3a1dcd44d61264cabac6b3d83378e7079ee0655ec6679", - "zh:9ae9f6c9609c5ed9e35a702068629ef5adfb131f957a571fc39ce0127c782ca4", - "zh:ad7f066c5db340683cb5a3a29ced3a2ece13c5b84c46d6b3d30815444a6c78ee", - "zh:f532d2c33c2303a970e9ee813e37d208eb65321aec489da14786b7f04ea66105", - "zh:fb269e2425a4b996fef79665eaeec8f40a388bf7ac7bf8ce2c108fb83c4b10ca", + "h1:PnOB6IAQJoYi/r3iUH7Hml2c2zFrIzHksQsrK3VPjSI=", + "zh:50a9b67d5f5f42adbdb7712f67858aa64b5670070f6710751239b535fb48a4df", + "zh:5a846fae035e363aed75b966d64a56f3489a38083e8407aaa656730437f53ed7", + "zh:6767f1fc8a679b48eaa4cd114da0d8185fb3546375f3a0fb3728f10fa3dbc551", + "zh:85d3da407c828bf057cbc0e86c75ef3d0f9f74a73c4ea1b4aef18e33f41092b1", + "zh:9180721325139431112c638f5382a740ff219782f81d6346cdff5bccc418a43f", + "zh:9ba9989f905a64db1409a9a57649549c89c7aedfb55ae399a7fa9411aafaadac", + "zh:b3d9e7afb6a742e9be0541bc434b00d849fdfab0b4b859ceb0296c26c541af15", + "zh:c87da712d718acd9dd03f544b020c320699cb29df197be4f74783e3c3d80fc17", + "zh:cb1abe07638ef6d7b41d0e86dfb12d60a513aca3395a5da7191947f7459821dd", + "zh:ecff2e823ef49eda03663fa8ee8bdc17d27cd419dbdacbf1719f38812dbf417e", ] } 
@@ -53,67 +92,67 @@ provider "registry.opentofu.org/hetznercloud/hcloud" { } provider "registry.opentofu.org/ovh/ovh" { - version = "0.48.0" + version = "0.50.0" constraints = "~> 0.48" hashes = [ - "h1:dOwImR7DGX4FHt9IpY6S7z8z62fyhTOiLm0kgSA+MfE=", - "zh:64ae6a94f86115d6a0cf54e62de16f3751f2f511c7c133a58734b623ecd83133", - "zh:808c0dfc35f0cdde84fff2b772ef52aef57363e2f496ae8e5b5d191ae2482db3", - "zh:91427314fe73ee5bb3cc0fdcc88c15416709ff049751573674cb56a17ebf137f", - "zh:97a60491d8a50900c83365ab86343f59ae39a6a8d0ecbf2229be389143c584af", - "zh:a2be10afc172ea844706217143b003c21dd502fcfe429fa61f5cebdbd2c38c55", - "zh:a6e0e5978a6b1247a110e1bf2461771e3bf1b3c974cc83b56ae3255cdc5123d3", - "zh:b6cac2ddd451cb783faab09ec90a54be222a2bc9ef59eaaec309980b46a8650c", - "zh:d767fc3a8c992fa01be52a86ba92204d5ac7ea238a2ebce5e313eaf56e4ae3ac", - "zh:ed2f82995fbe92d7a750a9560cb325d6dbee1b031898dba4ab74447c6043c878", - "zh:ef20c721c5349f03106aa3514752b1df3583ce96a0e704a4b45d9b4b455ca57b", - "zh:f33f42bca65d40097033f0e64e45ad113107804be2198a2279d5561bb1122b34", - "zh:f922c6d3d73f8c252beb91dc9f97eb96643781ad3e7192018be47d4df2e4d0e3", - "zh:f93577ad688f449c03c4087a19cea3cc37bc30c94519eee4710323099bf501ad", - "zh:ff33c4b2543030a82935551631d209df87adf981b4661a4ab60406e704fe7485", + "h1:HKkJ0TdXphZb503dGYyOj4mXy9HPSSgXhf0yFmsRyxo=", + "zh:1c88525ece36dc8878567301fb245422d10a788a7545fff918c7b96828d2efd1", + "zh:311f5f3103ff0f5baab886e338de443e28d40557664c54697a21f2c091c0c673", + "zh:37a1dc197d9fc68cc1c90b8ef77411797c4bc494b528ad4880e6ee4185f1eddb", + "zh:6f61600d81b4c5c0a016d58c2dae7ca4bfaef28481abc12797bc7e90f9c7d3f8", + "zh:7eb791886e01bbbbcff93d9fedbc2d4d78852bfcf9d2aba188aa5032f45008dc", + "zh:87d53dcf87466ec341c3cc41b619e8829faa4805e06491ccd4d7e1945cb78664", + "zh:8b017819ea1d0cf2ca78de6b2d935b71a23e13030f5b2c2a2afe65122ec354d3", + "zh:8ddc5f0f50c551c78aabf5521e4418badb71e77c6103f8da85f1862eb620cc39", + "zh:91dbd9069b803582618e442f648d8a72f1e28ecf4c45c539d1b67f4acc601498", + 
"zh:c4b4f626adfb81179b9e4a61f1df08f26c581a6da093f958620abafa308c572e", + "zh:d836cd3127f93acf27c7bfd7b020f27cab977ff5e52f6c0403ab9eb54dcf9da4", + "zh:deb1b6352c5b6d3c210091587fbfab93453fcb5aaa761a02d61c03ab4d56637f", + "zh:e53cf3cb629bb0701bd54d9dcbd4253d6f001923f355e891b5776f7fa63f56ee", + "zh:f2026e2dacb00bc0571127a6435837943281b1e085fad2b11356db78c9a863c0", ] } provider "registry.opentofu.org/scaleway/scaleway" { - version = "2.44.0" + version = "2.45.0" constraints = "~> 2.43" hashes = [ - "h1:VRA4GE/N4YaxrsDi4VtCvTa2F2VMz6cHvig+uXx95Ys=", - "zh:07626890d5417058f5999675304f039036253a2b17eb1b658cb4d8a9dd783cdd", - "zh:153fb6d63f7e7203cbadd35f0ec46f8a1ce2bee16817a3f7c2b7f908d833fe9e", - "zh:2d535d419d2c44810d538e06769afc02ca529f59d4340f563d4ca040f6c43f35", - "zh:3097ffad52ea5102dfd1c0693e86f812634a029dd1a98fb8a448154daa6063fc", - "zh:562477ee7953c836a1133e20158911ff3d831167689a691b58ce7f6954e636b5", - "zh:71c4168c400b421fa1edaee1970473b6f3abe3f76d2ea5c2ef2292df9f909bcb", - "zh:82c6c6c81a5dd911f33f5363d777f0009689a83fb7bf219e958717e4d9ed0e23", - "zh:88daeb4b398e7806a1c94afce439238bf2abcb290e8c65eb3ea7e0c42c1442b1", - "zh:a1e83eda0c66140d86239b3830a258fa98f2e964bd52f2a8f3cc97aca2390166", - "zh:d7d7e37de2a66d5048e19797edd59358c357f26ac03beab9fec36c1838969ad2", - "zh:dc0692b3378057e18354a1f7aa87e64f7b84ed8e9c005b9ad69bf01638f88246", - "zh:e32409c6dfd397c297dfb702f8dff0ae3c9592c017a24148fec8379c1a67e50c", - "zh:e4aa8b3bbfbe1b5bc9a06b32a68e30def2af91c886e6008a5d4b7d6a5e18f46f", - "zh:ef08071c2c4a398c6c287a26e2255831afe5b2049416d7e7c23117f199687676", + "h1:TUNrkoCHyGUJrmpOjg+Wfyf8IYe/6X6D2yu11Vi9UoM=", + "zh:11dc4916523a65acf06555816ed09a5d5267477b8c005c48f91ed036a1e8d93a", + "zh:20f8ee896d88ea85b89fb73311341a90ffe6c8c3211e5b710c7c8daa977d6156", + "zh:2d9a0dd05c34d36469625b139b8089b8dd9f93b92d18e3af24aaf6f37620c727", + "zh:3d0e1a19edbf707d488e3f35b1d6fdd1922cd1a376ff78314d4f06fd63666840", + "zh:676872e1613714e9f7d619eae23c33a96b423d27d378a2b935e773d9c6f79edf", + 
"zh:87b038b2e7d51c50469fa95dcd8a1a8c21fcc1decd75a49b6367fc80a1ac5809", + "zh:97bd93434231540cad2516e33e5f90edc9d2bd3d4eaabaefbdd76117004f7283", + "zh:a2c4ee0b8a81c61714d52449aeb92c8fae2d002b93865a355f72f18072171e8b", + "zh:a55372fc3470c493fa053d404f3332d2ffba3a70696b3926ac2fcc8852b6055a", + "zh:c0c413943a14a7a2cb277b12e6a70f4647e3ad34abc6fe7368c726ba3d2b31ff", + "zh:c0e0779ccc8233a8efa1ae0d9d3f23becc1ef6cdff00ca083282939e3d639631", + "zh:d40e4a9acd839589ad01ebed256b19725f31b4308681e11ea4a22ed0285963ee", + "zh:de1a592889747125dc739f4b1dfb20f848ffcc10a0c25272f8f2fd90b435940e", + "zh:fa200b7e1e24d63d5d4eb4ff4e44c00a6f7cfb883ce1eee98eb74a539f91774d", ] } provider "registry.opentofu.org/tailscale/tailscale" { - version = "0.16.2" + version = "0.17.1" constraints = "~> 0.16" hashes = [ - "h1:m8r5+K4JWe+tdT4IyryZkAQ7d38GVPtoQ9mzp+5Scaw=", - "zh:2a37ef43b88ad8e26ecad79e6b34a896769be2b7d18140f855f6063775367841", - "zh:3867d3331b59c8281dd8a742260b22e18750ae84a9bd2009e8f9d90412d2c044", - "zh:5e5e5ee08e0ecefa08a0ce7a9281a858f9b3a2a66bc9c06802b1624a1cb3eae0", - "zh:6298e8ed55bccd5513060e0d357d055919b3a22146fcfb6c34881efd49ec33f8", - "zh:6ce0ab6564fbbc673ab98ce4b7db7d64258a916394436a005d14b25c3ea58ad1", - "zh:6fdc1fb66074d2af5124a6988f81efdc77011b185e710629140e87ffb8624956", - "zh:7ff7888d77a17b18c9bdc9dfc1bf1e7f98f512410c29d1a8c2e6c21c8fe2a5c4", - "zh:9cafb8660daffd5c9c490d4529c7ba3d691fee5e4093b55e73f188b17e34cead", - "zh:b11e0e1b6c8485eb832336a69be02dfae151b71350e25288ec7bf0637df35485", - "zh:c7371d0dcde253fcd1808f86be2fcfc6e0b6ec82aa714e5dc6b533ba10007d48", - "zh:dcddd847b8a03a3b7c9288d68e781d65a3b911ef9cc96df9502a2d069195ae42", - "zh:dfd37ec661fe5b1520b595dcb93cca65f716270edc173a393a600c85b3f842d7", - "zh:e3b623167859344ed93f4125e97d24c5793246ccb329e4d82b2d9d8e5c356380", - "zh:f4d38ec08191ae70ef05ffd3943df1c27e2b11192a02e1979498a59ea1881ee3", + "h1:yUzwRZxbCa0QDkn1VSYriZpC02tHaa5X05pxp/K2Sao=", + "zh:1823fbc277875863d7f7fd198b1636a3e213fff523c6882d5d7aaf83a745872e", + 
"zh:2a9a21fba0acbe44cd6b78ce8b49fba2e650576675818255cd1abf3c0493d448",
+ "zh:382450ba8918c1738b60a736fe2e37e845242fac7bf85c4936b135061864eaba",
+ "zh:413226903d4d924eb005505a2e06c11186185466d0d7741d67d154f3a4c49b41",
+ "zh:43e9fbb4f43df7c169651a07bdf56cdf10f315f25b5ca428d7f8325d236b77a7",
+ "zh:6a47fccb7d7248f42e36860aeb9c4b109bba9a0fe702cfb13ec88bc2babaccbf",
+ "zh:834308305b0ff8355a37869338f60ac072dad1bf0856964dd29f5b4542e1f41b",
+ "zh:859199d820fd66da7d4f6b30fd4b828952f5f318f37b8bacf80f5668b769c162",
+ "zh:89894383c69a6dd242faff79218850249d75673f736ceb212b26e13bc0950640",
+ "zh:8ab2011df75200dff2e9cb885de28ba00bc5141c9de7cad609cf12d39735a819",
+ "zh:90df5ea74438217ed981af32fb061fabc71b14cfd4bb1fbf5c830036152c6253",
+ "zh:b56875c717c155db6da4c54b9a242b087f1a4fcb31b84758902e072805159a07",
+ "zh:d1c328adab27ac8ef0afb97a518f4db4a1f5f916ba93927ecd3fca7e72023517",
+ "zh:e62555f5a1fb59141db198a22bc29c01eff1a781a1ea207107997a5e42ade45b",
 ]
 }
diff --git a/hosts.auto.tfvars b/hosts.auto.tfvars
new file mode 100644
index 0000000..c2f23d8
--- /dev/null
+++ b/hosts.auto.tfvars
@@ -0,0 +1,24 @@
+hosts = {
+ "node001" = {
+ hostname = "node001"
+ rdns = "node001.serguzim.net"
+ provider = "contabo"
+ ipv4_address = "144.91.106.67",
+ ipv6_address = "2a02:c207:2051:6620::1"
+ },
+ "node002" = {
+ hostname = "node002"
+ rdns = "node002.serguzim.net"
+ provider = "contabo"
+ ipv4_address = "62.171.181.192"
+ ipv6_address = "2a02:c207:2036:6681::1"
+ },
+ "node003" = {
+ hostname = "node003"
+ rdns = "mail.serguzim.me"
+ provider = "hetzner"
+ image = "debian-12"
+ server_type = "cx32"
+ datacenter = "fsn1-dc14"
+ },
+}
diff --git a/inventory/group_vars/all/main.yml b/inventory/group_vars/all/main.yml
index 5e37967..91ede79 100644
--- a/inventory/group_vars/all/main.yml
+++ b/inventory/group_vars/all/main.yml
@@ -2,8 +2,8 @@
 admin_email: tobias@msrg.cc
 timezone: Europe/Berlin
 postgres:
- host: db.serguzim.me
- port: 5432
+ host: "{{ opentofu.postgresql.host }}"
+ port: "{{ opentofu.postgresql.port }}"
 mailer:
 host: mail.serguzim.me
diff --git a/main.tf b/main.tf
index 17e0ce6..4ac0181 100644
--- a/main.tf
+++ b/main.tf
@@ -8,6 +8,10 @@ terraform {
 source = "ovh/ovh"
 version = "~> 0.48"
 }
+ postgresql = {
+ source = "cyrilgdn/postgresql"
+ version = "~> 1.23"
+ }
 scaleway = {
 source = "scaleway/scaleway"
 version = "~> 2.43"
@@ -48,6 +52,16 @@ provider "ovh" {
 consumer_key = "${var.ovh_consumer_key}"
 }
+provider "postgresql" {
+ host = "${var.postgresql_host}"
+ port = "${var.postgresql_port}"
+ database = "postgres"
+ username = "${var.postgresql_username}"
+ password = "${var.postgresql_password}"
+ sslmode = "verify-full"
+ connect_timeout = 15
+}
+
 provider "scaleway" {
 organization_id = "${var.scaleway_organization_id}"
 project_id = "${var.scaleway_project_id}"
diff --git a/output.tf b/output.tf
index cc4c8c6..5debd37 100644
--- a/output.tf
+++ b/output.tf
@@ -14,6 +14,17 @@ output "hosts" {
 }
 }
+output "postgresql_service_roles" {
+ value = postgresql_role.service_roles
+ sensitive = true
+}
+
+output "postgresql" {
+ value = {
+ "host" = var.postgresql_host
+ "port" = var.postgresql_port
+ }
+}
 output "scaleway_service_keys" {
 value = scaleway_iam_api_key.service_keys
diff --git a/postgresql.tf b/postgresql.tf
new file mode 100644
index 0000000..d855879
--- /dev/null
+++ b/postgresql.tf
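Review bot: The `provider "postgresql"` block leaves `superuser` unset, and the cyrilgdn provider documents that as defaulting to true; if `var.postgresql_username` is a dedicated admin role holding only CREATEDB and CREATEROLE (all that postgresql.tf needs) rather than a real superuser, add `superuser = false` so the provider does not rely on superuser-only queries. Using such a scoped role instead of `postgres` is worth doing anyway, because these credentials live in `secrets.auto.tfvars` and are used against a host whose default is the public name `db.serguzim.me`. `sslmode = "verify-full"` is the right choice for that path; note it validates the server certificate against the system CA store, so a privately issued certificate needs `sslrootcert` as well. The superuser default is taken from the provider documentation, not from this diff, so confirm it against the pinned 1.23 release.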
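Review bot: `output "postgresql_service_roles"` exports the entire `postgresql_role.service_roles` map, while the Ansible roles in this diff read only `name` and `password`; narrowing it to `value = { for k, r in postgresql_role.service_roles : k => { name = r.name, password = r.password } }` keeps every other role attribute out of the output consumers without changing how they are addressed. `sensitive = true` only redacts CLI display: `tofu output -json` and the state file still carry the passwords in clear, so whatever feeds the `opentofu` fact into Ansible should treat that JSON as a secret (encrypted state backend, no committed output dumps). The non-sensitive `postgresql` output with host and port is fine as is.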
@@ -0,0 +1,23 @@
+locals {
+ service_databases = {for key, val in var.services : key => val if val.database}
+}
+
+
+resource "random_password" "postgresql_service_passwords" {
+ for_each = local.service_databases
+ length = 32
+ special = false
+}
+
+resource "postgresql_role" "service_roles" {
+ for_each = local.service_databases
+ name = each.value.name
+ login = true
+ password = random_password.postgresql_service_passwords[each.key].result
+}
+
+resource "postgresql_database" "service_databases" {
+ for_each = local.service_databases
+ name = each.value.name
+ owner = postgresql_role.service_roles[each.key].name
+}
diff --git a/roles/forgejo/vars/main.yml b/roles/forgejo/vars/main.yml
index 56b7247..92e81f8 100644
--- a/roles/forgejo/vars/main.yml
+++ b/roles/forgejo/vars/main.yml
@@ -15,8 +15,8 @@ forgejo_env:
 FORGEJO__database__DB_TYPE: postgres
 FORGEJO__database__HOST: "{{ svc.db.host }}:{{ svc.db.port }}"
 FORGEJO__database__NAME: forgejo
- FORGEJO__database__USER: "{{ vault_forgejo.db.user }}"
- FORGEJO__database__PASSWD: "{{ vault_forgejo.db.pass }}"
+ FORGEJO__database__USER: "{{ opentofu.postgresql_service_roles.forgejo.name }}"
+ FORGEJO__database__PASSWD: "{{ opentofu.postgresql_service_roles.forgejo.password }}"
 FORGEJO__database__SSL_MODE: verify-full
 FORGEJO__repository__ENABLE_PUSH_CREATE_USER: true
diff --git a/roles/linkwarden/vars/main.yml b/roles/linkwarden/vars/main.yml
index 54b82fe..445e01e 100644
--- a/roles/linkwarden/vars/main.yml
+++ b/roles/linkwarden/vars/main.yml
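Review bot: `postgresql_database.service_databases` carries no `lifecycle { prevent_destroy = true }`, unlike `scaleway_object_bucket.service_buckets` in scaleway.tf, so flipping `database = false` in services.auto.tfvars or dropping a service entry would make the next apply issue DROP DATABASE on live data; add the same `lifecycle { prevent_destroy = true }` block to the database resource. The credential in `random_password.postgresql_service_passwords` also never rotates, whereas the Scaleway API keys expire through `time_rotating.rotate_after_a_year`; adding `keepers = { rotation = time_rotating.rotate_after_a_year.id }` to the random_password should regenerate it on the same schedule (the time provider recreates that resource, and so its id, when the rotation passes — confirm), and `postgresql_role.password` picks the new value up automatically. The 32-character `special = false` password is fine for entropy, but it remains in plaintext in the state regardless of the output's `sensitive` flag.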
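Review bot: `FORGEJO__database__NAME: forgejo` stays a literal while USER and PASSWD now come from the tofu output; postgresql.tf names the database after the same `each.value.name` as the role, so `FORGEJO__database__NAME: "{{ opentofu.postgresql_service_roles.forgejo.name }}"` would keep all three in sync if the service name ever changes. Because `opentofu.postgresql_service_roles.forgejo.password` is now the live credential rather than a vault reference, the task that renders `forgejo_env` should run with `no_log: true` so the value does not land in Ansible's output; that task is outside this diff, so confirm it there. The `forgejo_env` mapping begins above the hunk.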
@@ -2,8 +2,8 @@
 linkwarden_secret: "{{ vault_linkwarden.secret }}"
 linkwarden_db_host_port: "{{ postgres.host }}:{{ postgres.port }}"
-linkwarden_db_user: "{{ vault_linkwarden.db.user }}"
-linkwarden_db_pass: "{{ vault_linkwarden.db.pass }}"
+linkwarden_db_user: "{{ opentofu.postgresql_service_roles.linkwarden.name }}"
+linkwarden_db_pass: "{{ opentofu.postgresql_service_roles.linkwarden.password }}"
 linkwarden_db_database: linkwarden
 linkwarden_s3_accesskey: "{{ opentofu.scaleway_service_keys.linkwarden.access_key }}"
diff --git a/scaleway.tf b/scaleway.tf
index 4853c83..b7a1033 100644
--- a/scaleway.tf
+++ b/scaleway.tf
@@ -11,13 +11,17 @@ data "scaleway_iam_user" "serguzim" {
 email = "tobias@msrg.cc"
 }
+locals {
+ service_buckets = {for key, val in var.services : key => val if val.bucket}
+}
+
 resource "scaleway_iam_application" "service_applications" {
- for_each = var.service_buckets
+ for_each = local.service_buckets
 name = each.value.name
 }
 resource "scaleway_iam_policy" "service_storage_policies" {
- for_each = var.service_buckets
+ for_each = local.service_buckets
 name = "${each.key}_storage_policy"
 application_id = scaleway_iam_application.service_applications[each.key].id
 rule {
@@ -27,7 +31,7 @@ resource "scaleway_iam_policy" "service_storage_policies" {
 }
 resource "scaleway_object_bucket" "service_buckets" {
- for_each = var.service_buckets
+ for_each = local.service_buckets
 name = "${each.value.name}.serguzim.me"
 lifecycle {
 prevent_destroy = true
@@ -35,7 +39,7 @@ resource "scaleway_object_bucket" "service_buckets" {
 }
 resource "scaleway_object_bucket_policy" "service_bucket_policies" {
- for_each = var.service_buckets
+ for_each = local.service_buckets
 bucket = scaleway_object_bucket.service_buckets[each.key].id
 policy = jsonencode({
 Version = "2023-04-17",
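Review bot: `linkwarden_db_database: linkwarden` remains a literal while `linkwarden_db_user` is now read from the tofu output; postgresql.tf creates the database with the same `each.value.name` it gives the role, so `linkwarden_db_database: "{{ opentofu.postgresql_service_roles.linkwarden.name }}"` would keep the two from drifting. `linkwarden_db_pass` now holds the actual credential rather than a vault pointer, so the tasks that consume it (not in this diff) should use `no_log: true` and avoid `debug`-printing `linkwarden_*` variables. `linkwarden_db_host_port` also now depends on the group-level `postgres.host`/`postgres.port`, which this commit makes resolve from the `opentofu.postgresql` output, so that fact must be loaded before this role runs.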
@@ -74,7 +78,7 @@ resource "time_rotating" "rotate_after_a_year" {
 }
 resource "scaleway_iam_api_key" "service_keys" {
- for_each = var.service_buckets
+ for_each = local.service_buckets
 description = "Service key for ${each.key}"
 application_id = scaleway_iam_application.service_applications[each.key].id
 expires_at = time_rotating.rotate_after_a_year.rotation_rfc3339
diff --git a/secrets.auto.tfvars.example b/secrets.auto.tfvars.example
index 2e25253..0f0fb31 100644
--- a/secrets.auto.tfvars.example
+++ b/secrets.auto.tfvars.example
@@ -10,6 +10,9 @@ ovh_application_key = ""
 ovh_application_secret = ""
 ovh_consumer_key = ""
+postgresql_username = ""
+postgresql_password = ""
+
 scaleway_organization_id = ""
 scaleway_project_id = ""
 scaleway_access_key = ""
diff --git a/services.auto.tfvars b/services.auto.tfvars
new file mode 100644
index 0000000..0229caf
--- /dev/null
+++ b/services.auto.tfvars
@@ -0,0 +1,12 @@
+services = {
+ "linkwarden" = {
+ name = "linkwarden"
+ bucket = true
+ database = true
+ },
+ "forgejo" = {
+ name = "forgejo"
+ bucket = true
+ database = true
+ }
+}
diff --git a/variables.tf b/variables.tf
index f262a08..841f676 100644
--- a/variables.tf
+++ b/variables.tf
@@ -37,6 +37,23 @@ variable "ovh_consumer_key" {
 }
+variable "postgresql_host" {
+ default = "db.serguzim.me"
+}
+
+variable "postgresql_port" {
+ default = "5432"
+}
+
+variable "postgresql_username" {
+ sensitive = true
+}
+
+variable "postgresql_password" {
+ sensitive = true
+}
+
+
 variable "scaleway_organization_id" {
 sensitive = true
 }
@@ -63,21 +80,12 @@ variable "tailscale_tailnet" {
 }
-variable "service_buckets" {
+variable "services" {
 type = map(object({
 name = string
- bucket = string
+ bucket = bool
+ database = bool
 }))
- default = {
- "linkwarden" = {
- name = "linkwarden"
- bucket = "linkwarden.serguzim.me"
- },
- "forgejo" = {
- name = "forgejo"
- bucket = "forgejo.serguzim.me"
- }
- }
 }
 variable "hosts" {
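Review bot: The four new `postgresql_*` variables declare neither `type` nor `description`; `postgresql_port` in particular defaults to the string `"5432"` and is then handed to the provider's numeric `port` argument, relying on implicit conversion. Declaring `type = number` with `default = 5432` there, and `type = string` on the other three (matching the fully typed `services` variable in the next hunk), documents the contract and makes a malformed tfvars entry fail at plan time instead of at connect time. Marking `postgresql_username` as `sensitive` is harmless but also hides it from plan output, which makes it harder to see which admin account is in use; keep it only if the username really is confidential.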
@@ -91,28 +99,4 @@ variable "hosts" {
 server_type = optional(string)
 datacenter = optional(string)
 }))
- default = {
- "node001" = {
- hostname = "node001"
- rdns = "node001.serguzim.net"
- provider = "contabo"
- ipv4_address = "144.91.106.67",
- ipv6_address = "2a02:c207:2051:6620::1"
- },
- "node002" = {
- hostname = "node002"
- rdns = "node002.serguzim.net"
- provider = "contabo"
- ipv4_address = "62.171.181.192"
- ipv6_address = "2a02:c207:2036:6681::1"
- },
- "node003" = {
- hostname = "node003"
- rdns = "mail.serguzim.me"
- provider = "hetzner"
- image = "debian-12"
- server_type = "cx32"
- datacenter = "fsn1-dc14"
- },
- }
 }