selfhostblocks/modules/postgresql.nix

{ config, lib, ... }:
let
cfg = config.shb.postgresql;
in
{
options.shb.postgresql =
  let
    inherit (lib) mkOption types;
  in
  {
    # Port for the TCP/IP listener. TCP/IP (and the accompanying pg_hba
    # entries) is only configured when this is non-null.
    tcpIPPort = mkOption {
      type = types.nullOr types.port;
      description = "Enable TCP/IP connection on given port.";
      default = null;
    };

    # One entry per (user, database) pair that should exist on the server.
    passwords = mkOption {
      type = types.listOf (types.submodule {
        options = {
          username = mkOption {
            type = types.str;
            description = "Postgres user name.";
          };
          database = mkOption {
            type = types.str;
            description = "Postgres database.";
          };
          # Deliberately `str`, not `path`: a Nix path literal (./secret) would be
          # imported into the world-readable Nix store, whereas a string such as
          # /run/secrets/... is used verbatim at runtime. The file is read by the
          # PostgreSQL server process itself (pg_read_file in the postStart script),
          # so it must be readable by that process.
          passwordFile = mkOption {
            type = types.nullOr types.str;
            description = "Optional password file for the postgres user.";
            default = null;
            example = "/run/secrets/postgresql/password";
          };
        };
      });
      default = [];
    };
  };
config =
let
# Enable the TCP/IP listener on `port` and replace the pg_hba.conf entries.
tcpConfig = port: {
  services.postgresql = {
    enableTCPIP = true;
    inherit port;
    # Priority 10 is stronger than mkForce (50), so this text replaces every other
    # definition of `authentication`, including the NixOS defaults, rather than
    # being merged with them.
    #
    # NOTE(review): both loopback entries use `trust`, so any local process that can
    # reach the TCP port connects as any role -- the superuser included -- without a
    # password; the passwords provisioned via `shb.postgresql.passwords` are not
    # checked on these connections. Prefer scram-sha-256 here if the host runs
    # anything that should not have unrestricted access to the database.
    authentication = lib.mkOverride 10 ''
      #type database DBuser origin-address auth-method
      # ipv4
      host all all 127.0.0.1/32 trust
      # ipv6
      host all all ::1/128 trust
    '';
  };
};
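# Enable the server and declare the databases and roles for each configured
# (user, database) pair.
dbConfig = passwordCfgs: {
  services.postgresql = {
    # Only run a server when at least one pair is requested.
    enable = passwordCfgs != [];
    ensureDatabases = map ({ database, ... }: database) passwordCfgs;
    # The NixOS option is `ensureUsers`; `services.postgresql.Users` is not a
    # declared option and would fail module evaluation.
    ensureUsers = map ({ username, database, ... }: {
      name = username;
      # ALL PRIVILEGES on a DATABASE object means CONNECT, CREATE and TEMP on that
      # database; it does not grant ownership of, or rights on, objects inside it.
      ensurePermissions = {
        "DATABASE ${database}" = "ALL PRIVILEGES";
      };
      ensureClauses = {
        "login" = true;
      };
    }) passwordCfgs;
  };
};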
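# After the server starts, set each role's password from its `passwordFile`.
pwdConfig = passwordCfgs: {
  systemd.services.postgresql.postStart =
    let
      # One psql snippet per entry; entries without a password file contribute
      # nothing.
      #
      # The file is read server-side with pg_read_file inside a DO block, so the
      # plaintext never passes through a shell variable or a process argument
      # list. The file must therefore be readable by the PostgreSQL server
      # process, and the statement that psql sends is the DO block, not an
      # ALTER ROLE carrying the plaintext.
      #
      # `%I` quotes the role name (ensureUsers creates the role with a quoted
      # identifier, so mixed-case names keep matching) and `%L` quotes the
      # password, so a password containing `'` can no longer terminate the
      # literal and break or alter the statement. format() only adds quotes
      # when they are needed, so plain lowercase names are unchanged.
      script = { username, passwordFile, ... }:
        if passwordFile == null then "" else ''
          $PSQL -tA <<'EOF'
          DO $$
          DECLARE password TEXT;
          BEGIN
            password := trim(both from replace(pg_read_file('${passwordFile}'), E'\n', '''));
            EXECUTE format('ALTER ROLE %I WITH PASSWORD %L;', '${username}', password);
          END $$;
          EOF
        '';
    in
    lib.concatStringsSep "\n" (map script passwordCfgs);
};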
in
lib.mkMerge [
  (dbConfig cfg.passwords)
  (pwdConfig cfg.passwords)
  # The TCP/IP listener -- and the loopback pg_hba entries that come with it --
  # is only configured when a port was given.
  (lib.mkIf (cfg.tcpIPPort != null) (tcpConfig cfg.tcpIPPort))
];
}