2023-11-08 21:27:47 +01:00
|
|
|
{ lib, ... }:
|
2023-11-05 04:30:17 +01:00
|
|
|
let
|
|
|
|
anyOpt = default: lib.mkOption {
|
|
|
|
type = lib.types.anything;
|
|
|
|
inherit default;
|
|
|
|
};
|
|
|
|
|
|
|
|
testConfig = m:
|
|
|
|
let
|
|
|
|
cfg = (lib.evalModules {
|
|
|
|
modules = [
|
|
|
|
{
|
|
|
|
options = {
|
|
|
|
services = anyOpt {};
|
|
|
|
systemd = anyOpt {};
|
|
|
|
};
|
|
|
|
}
|
2023-11-21 07:20:19 +01:00
|
|
|
../../modules/blocks/postgresql.nix
|
2023-11-05 04:30:17 +01:00
|
|
|
m
|
|
|
|
];
|
|
|
|
}).config;
|
|
|
|
in {
|
|
|
|
inherit (cfg) systemd services;
|
|
|
|
};
|
2023-11-25 03:19:22 +01:00
|
|
|
|
|
|
|
commonSettings = {
|
|
|
|
idle_in_transaction_session_timeout = "30s";
|
|
|
|
idle_session_timeout = "30s";
|
|
|
|
track_io_timing = "true";
|
|
|
|
};
|
2023-11-05 04:30:17 +01:00
|
|
|
in
|
|
|
|
{
|
|
|
|
testPostgresNoOptions = {
|
|
|
|
expected = {
|
|
|
|
services.postgresql = {
|
|
|
|
enable = false;
|
2023-11-05 13:48:39 +01:00
|
|
|
ensureUsers = [];
|
2023-11-05 04:30:17 +01:00
|
|
|
ensureDatabases = [];
|
2023-11-25 03:19:22 +01:00
|
|
|
settings = commonSettings;
|
2023-11-05 04:30:17 +01:00
|
|
|
};
|
|
|
|
systemd.services.postgresql.postStart = "";
|
|
|
|
};
|
|
|
|
expr = testConfig {};
|
|
|
|
};
|
|
|
|
|
2023-11-06 00:47:13 +01:00
|
|
|
testPostgresManualOptions = {
|
|
|
|
expected = {
|
|
|
|
services.postgresql = {
|
|
|
|
enable = true;
|
|
|
|
ensureUsers = [];
|
|
|
|
ensureDatabases = [];
|
2023-11-25 03:19:22 +01:00
|
|
|
settings = commonSettings;
|
2023-11-06 00:47:13 +01:00
|
|
|
};
|
|
|
|
systemd.services.postgresql.postStart = "";
|
|
|
|
};
|
|
|
|
expr = testConfig {
|
|
|
|
services.postgresql.enable = true;
|
|
|
|
};
|
|
|
|
};
|
|
|
|
|
2023-11-05 04:59:55 +01:00
|
|
|
testPostgresOneWithoutPassword = {
|
|
|
|
expected = {
|
|
|
|
services.postgresql = {
|
|
|
|
enable = true;
|
2023-11-05 13:48:39 +01:00
|
|
|
ensureUsers = [{
|
2023-11-05 04:59:55 +01:00
|
|
|
name = "myuser";
|
|
|
|
ensurePermissions = {
|
|
|
|
"DATABASE mydatabase" = "ALL PRIVILEGES";
|
|
|
|
};
|
|
|
|
ensureClauses = {
|
|
|
|
"login" = true;
|
|
|
|
};
|
|
|
|
}];
|
|
|
|
ensureDatabases = ["mydatabase"];
|
2023-11-25 03:19:22 +01:00
|
|
|
settings = commonSettings;
|
2023-11-05 04:59:55 +01:00
|
|
|
};
|
|
|
|
systemd.services.postgresql.postStart = "";
|
|
|
|
};
|
|
|
|
expr = testConfig {
|
2023-11-23 10:03:33 +01:00
|
|
|
shb.postgresql.ensures = [
|
2023-11-05 04:59:55 +01:00
|
|
|
{
|
|
|
|
username = "myuser";
|
|
|
|
database = "mydatabase";
|
|
|
|
}
|
|
|
|
];
|
|
|
|
};
|
|
|
|
};
|
|
|
|
|
|
|
|
testPostgresOneWithPassword = {
|
2023-11-05 04:30:17 +01:00
|
|
|
expected = {
|
|
|
|
services.postgresql = {
|
|
|
|
enable = true;
|
2023-11-05 13:48:39 +01:00
|
|
|
ensureUsers = [{
|
2023-11-05 04:30:17 +01:00
|
|
|
name = "myuser";
|
|
|
|
ensurePermissions = {
|
|
|
|
"DATABASE mydatabase" = "ALL PRIVILEGES";
|
|
|
|
};
|
|
|
|
ensureClauses = {
|
|
|
|
"login" = true;
|
|
|
|
};
|
|
|
|
}];
|
|
|
|
ensureDatabases = ["mydatabase"];
|
2023-11-25 03:19:22 +01:00
|
|
|
settings = commonSettings;
|
2023-11-05 04:30:17 +01:00
|
|
|
};
|
|
|
|
systemd.services.postgresql.postStart = ''
|
|
|
|
$PSQL -tA <<'EOF'
|
|
|
|
DO $$
|
|
|
|
DECLARE password TEXT;
|
|
|
|
BEGIN
|
2023-11-06 00:42:14 +01:00
|
|
|
password := trim(both from replace(pg_read_file('/my/file'), E'\n', '''));
|
|
|
|
EXECUTE format('ALTER ROLE myuser WITH PASSWORD '''%s''';', password);
|
2023-11-05 04:30:17 +01:00
|
|
|
END $$;
|
|
|
|
EOF
|
|
|
|
'';
|
|
|
|
};
|
|
|
|
expr = testConfig {
|
2023-11-23 10:03:33 +01:00
|
|
|
shb.postgresql.ensures = [
|
2023-11-05 04:30:17 +01:00
|
|
|
{
|
|
|
|
username = "myuser";
|
|
|
|
database = "mydatabase";
|
|
|
|
passwordFile = "/my/file";
|
|
|
|
}
|
|
|
|
];
|
|
|
|
};
|
|
|
|
};
|
|
|
|
|
2023-11-06 00:42:14 +01:00
|
|
|
testPostgresTwoNoPassword = {
|
|
|
|
expected = {
|
|
|
|
services.postgresql = {
|
|
|
|
enable = true;
|
|
|
|
ensureUsers = [
|
|
|
|
{
|
|
|
|
name = "user1";
|
|
|
|
ensurePermissions = {
|
|
|
|
"DATABASE db1" = "ALL PRIVILEGES";
|
|
|
|
};
|
|
|
|
ensureClauses = {
|
|
|
|
"login" = true;
|
|
|
|
};
|
|
|
|
}
|
|
|
|
{
|
|
|
|
name = "user2";
|
|
|
|
ensurePermissions = {
|
|
|
|
"DATABASE db2" = "ALL PRIVILEGES";
|
|
|
|
};
|
|
|
|
ensureClauses = {
|
|
|
|
"login" = true;
|
|
|
|
};
|
|
|
|
}
|
|
|
|
];
|
|
|
|
ensureDatabases = ["db1" "db2"];
|
2023-11-25 03:19:22 +01:00
|
|
|
settings = commonSettings;
|
2023-11-06 00:42:14 +01:00
|
|
|
};
|
|
|
|
systemd.services.postgresql.postStart = "";
|
|
|
|
};
|
|
|
|
expr = testConfig {
|
2023-11-23 10:03:33 +01:00
|
|
|
shb.postgresql.ensures = [
|
2023-11-06 00:42:14 +01:00
|
|
|
{
|
|
|
|
username = "user1";
|
|
|
|
database = "db1";
|
|
|
|
}
|
|
|
|
{
|
|
|
|
username = "user2";
|
|
|
|
database = "db2";
|
|
|
|
}
|
|
|
|
];
|
|
|
|
};
|
|
|
|
};
|
|
|
|
|
|
|
|
testPostgresTwoWithPassword = {
|
|
|
|
expected = {
|
|
|
|
services.postgresql = {
|
|
|
|
enable = true;
|
|
|
|
ensureUsers = [
|
|
|
|
{
|
|
|
|
name = "user1";
|
|
|
|
ensurePermissions = {
|
|
|
|
"DATABASE db1" = "ALL PRIVILEGES";
|
|
|
|
};
|
|
|
|
ensureClauses = {
|
|
|
|
"login" = true;
|
|
|
|
};
|
|
|
|
}
|
|
|
|
{
|
|
|
|
name = "user2";
|
|
|
|
ensurePermissions = {
|
|
|
|
"DATABASE db2" = "ALL PRIVILEGES";
|
|
|
|
};
|
|
|
|
ensureClauses = {
|
|
|
|
"login" = true;
|
|
|
|
};
|
|
|
|
}
|
|
|
|
];
|
|
|
|
ensureDatabases = ["db1" "db2"];
|
2023-11-25 03:19:22 +01:00
|
|
|
settings = commonSettings;
|
2023-11-06 00:42:14 +01:00
|
|
|
};
|
|
|
|
systemd.services.postgresql.postStart = ''
|
|
|
|
$PSQL -tA <<'EOF'
|
|
|
|
DO $$
|
|
|
|
DECLARE password TEXT;
|
|
|
|
BEGIN
|
|
|
|
password := trim(both from replace(pg_read_file('/file/user1'), E'\n', '''));
|
|
|
|
EXECUTE format('ALTER ROLE user1 WITH PASSWORD '''%s''';', password);
|
|
|
|
password := trim(both from replace(pg_read_file('/file/user2'), E'\n', '''));
|
|
|
|
EXECUTE format('ALTER ROLE user2 WITH PASSWORD '''%s''';', password);
|
|
|
|
END $$;
|
|
|
|
EOF
|
|
|
|
'';
|
|
|
|
};
|
|
|
|
expr = testConfig {
|
2023-11-23 10:03:33 +01:00
|
|
|
shb.postgresql.ensures = [
|
2023-11-06 00:42:14 +01:00
|
|
|
{
|
|
|
|
username = "user1";
|
|
|
|
database = "db1";
|
|
|
|
passwordFile = "/file/user1";
|
|
|
|
}
|
|
|
|
{
|
|
|
|
username = "user2";
|
|
|
|
database = "db2";
|
|
|
|
passwordFile = "/file/user2";
|
|
|
|
}
|
|
|
|
];
|
|
|
|
};
|
|
|
|
};
|
|
|
|
|
|
|
|
testPostgresTwoWithMixedPassword = {
|
|
|
|
expected = {
|
|
|
|
services.postgresql = {
|
|
|
|
enable = true;
|
|
|
|
ensureUsers = [
|
|
|
|
{
|
|
|
|
name = "user1";
|
|
|
|
ensurePermissions = {
|
|
|
|
"DATABASE db1" = "ALL PRIVILEGES";
|
|
|
|
};
|
|
|
|
ensureClauses = {
|
|
|
|
"login" = true;
|
|
|
|
};
|
|
|
|
}
|
|
|
|
{
|
|
|
|
name = "user2";
|
|
|
|
ensurePermissions = {
|
|
|
|
"DATABASE db2" = "ALL PRIVILEGES";
|
|
|
|
};
|
|
|
|
ensureClauses = {
|
|
|
|
"login" = true;
|
|
|
|
};
|
|
|
|
}
|
|
|
|
];
|
|
|
|
ensureDatabases = ["db1" "db2"];
|
2023-11-25 03:19:22 +01:00
|
|
|
settings = commonSettings;
|
2023-11-06 00:42:14 +01:00
|
|
|
};
|
|
|
|
systemd.services.postgresql.postStart = ''
|
|
|
|
$PSQL -tA <<'EOF'
|
|
|
|
DO $$
|
|
|
|
DECLARE password TEXT;
|
|
|
|
BEGIN
|
|
|
|
password := trim(both from replace(pg_read_file('/file/user2'), E'\n', '''));
|
|
|
|
EXECUTE format('ALTER ROLE user2 WITH PASSWORD '''%s''';', password);
|
|
|
|
END $$;
|
|
|
|
EOF
|
|
|
|
'';
|
|
|
|
};
|
|
|
|
expr = testConfig {
|
2023-11-23 10:03:33 +01:00
|
|
|
shb.postgresql.ensures = [
|
2023-11-06 00:42:14 +01:00
|
|
|
{
|
|
|
|
username = "user1";
|
|
|
|
database = "db1";
|
|
|
|
}
|
|
|
|
{
|
|
|
|
username = "user2";
|
|
|
|
database = "db2";
|
|
|
|
passwordFile = "/file/user2";
|
|
|
|
}
|
|
|
|
];
|
|
|
|
};
|
|
|
|
};
|
|
|
|
|
2023-11-05 04:30:17 +01:00
|
|
|
testPostgresTCPIP = {
|
|
|
|
expected = {
|
|
|
|
services.postgresql = {
|
|
|
|
enable = false;
|
2023-11-05 13:48:39 +01:00
|
|
|
ensureUsers = [];
|
2023-11-05 04:30:17 +01:00
|
|
|
ensureDatabases = [];
|
2023-11-25 03:19:22 +01:00
|
|
|
settings = commonSettings;
|
2023-11-05 04:30:17 +01:00
|
|
|
|
|
|
|
enableTCPIP = true;
|
|
|
|
authentication = ''
|
|
|
|
#type database DBuser origin-address auth-method
|
2023-11-08 21:27:47 +01:00
|
|
|
local all all peer
|
2023-11-05 04:30:17 +01:00
|
|
|
# ipv4
|
2023-11-23 10:03:33 +01:00
|
|
|
host all all 127.0.0.1/32 password
|
2023-11-05 04:30:17 +01:00
|
|
|
# ipv6
|
2023-11-23 10:03:33 +01:00
|
|
|
host all all ::1/128 password
|
2023-11-05 04:30:17 +01:00
|
|
|
'';
|
|
|
|
};
|
|
|
|
systemd.services.postgresql.postStart = "";
|
|
|
|
};
|
|
|
|
expr = testConfig {
|
2023-11-23 10:03:33 +01:00
|
|
|
shb.postgresql.enableTCPIP = true;
|
2023-11-05 04:30:17 +01:00
|
|
|
};
|
|
|
|
};
|
|
|
|
}
|