2023-11-05 04:30:17 +01:00
|
|
|
{ config, lib, ... }:
|
|
|
|
let
|
|
|
|
cfg = config.shb.postgresql;
|
|
|
|
in
|
|
|
|
{
|
|
|
|
options.shb.postgresql = {
|
|
|
|
tcpIPPort = lib.mkOption {
|
|
|
|
type = lib.types.nullOr lib.types.port;
|
|
|
|
description = "Enable TCP/IP connection on given port.";
|
|
|
|
default = null;
|
|
|
|
};
|
|
|
|
|
|
|
|
passwords = lib.mkOption {
|
|
|
|
type = lib.types.listOf (lib.types.submodule {
|
|
|
|
options = {
|
|
|
|
username = lib.mkOption {
|
|
|
|
type = lib.types.str;
|
|
|
|
description = "Postgres user name.";
|
|
|
|
};
|
|
|
|
|
|
|
|
database = lib.mkOption {
|
|
|
|
type = lib.types.str;
|
|
|
|
description = "Postgres database.";
|
|
|
|
};
|
|
|
|
|
|
|
|
passwordFile = lib.mkOption {
|
2023-11-05 04:59:55 +01:00
|
|
|
type = lib.types.nullOr lib.types.str;
|
|
|
|
description = "Optional password file for the postgres user.";
|
|
|
|
default = null;
|
|
|
|
example = "/run/secrets/postgresql/password";
|
2023-11-05 04:30:17 +01:00
|
|
|
};
|
|
|
|
};
|
|
|
|
});
|
|
|
|
default = [];
|
|
|
|
};
|
|
|
|
};
|
|
|
|
|
|
|
|
config =
|
|
|
|
let
|
|
|
|
tcpConfig = port: {
|
|
|
|
services.postgresql.enableTCPIP = true;
|
|
|
|
services.postgresql.port = port;
|
|
|
|
services.postgresql.authentication = lib.mkOverride 10 ''
|
|
|
|
#type database DBuser origin-address auth-method
|
2023-11-07 04:43:00 +01:00
|
|
|
local all all peer
|
2023-11-05 04:30:17 +01:00
|
|
|
# ipv4
|
2023-11-07 04:43:00 +01:00
|
|
|
host all all 127.0.0.1/32 trust
|
2023-11-05 04:30:17 +01:00
|
|
|
# ipv6
|
2023-11-07 04:43:00 +01:00
|
|
|
host all all ::1/128 trust
|
2023-11-05 04:30:17 +01:00
|
|
|
'';
|
|
|
|
};
|
|
|
|
|
|
|
|
dbConfig = passwordCfgs: {
|
2023-11-06 00:47:13 +01:00
|
|
|
services.postgresql.enable = lib.mkDefault ((builtins.length passwordCfgs) > 0);
|
2023-11-05 04:30:17 +01:00
|
|
|
services.postgresql.ensureDatabases = map ({ database, ... }: database) passwordCfgs;
|
2023-11-05 13:48:39 +01:00
|
|
|
services.postgresql.ensureUsers = map ({ username, database, ... }: {
|
2023-11-05 04:30:17 +01:00
|
|
|
name = username;
|
|
|
|
ensurePermissions = {
|
|
|
|
"DATABASE ${database}" = "ALL PRIVILEGES";
|
|
|
|
};
|
|
|
|
ensureClauses = {
|
|
|
|
"login" = true;
|
|
|
|
};
|
|
|
|
}) passwordCfgs;
|
|
|
|
};
|
|
|
|
|
|
|
|
pwdConfig = passwordCfgs: {
|
|
|
|
systemd.services.postgresql.postStart =
|
|
|
|
let
|
2023-11-06 00:42:14 +01:00
|
|
|
prefix = ''
|
|
|
|
$PSQL -tA <<'EOF'
|
|
|
|
DO $$
|
|
|
|
DECLARE password TEXT;
|
|
|
|
BEGIN
|
|
|
|
'';
|
|
|
|
suffix = ''
|
|
|
|
END $$;
|
|
|
|
EOF
|
|
|
|
'';
|
|
|
|
exec = { username, passwordFile, ... }: ''
|
|
|
|
password := trim(both from replace(pg_read_file('${passwordFile}'), E'\n', '''));
|
|
|
|
EXECUTE format('ALTER ROLE ${username} WITH PASSWORD '''%s''';', password);
|
|
|
|
'';
|
|
|
|
cfgsWithPasswords = builtins.filter (cfg: cfg.passwordFile != null) passwordCfgs;
|
2023-11-05 04:30:17 +01:00
|
|
|
in
|
2023-11-06 00:42:14 +01:00
|
|
|
if (builtins.length cfgsWithPasswords) == 0 then "" else
|
|
|
|
prefix + (lib.concatStrings (map exec cfgsWithPasswords)) + suffix;
|
2023-11-05 04:30:17 +01:00
|
|
|
};
|
|
|
|
in
|
|
|
|
lib.mkMerge (
|
|
|
|
[
|
|
|
|
(dbConfig cfg.passwords)
|
|
|
|
(pwdConfig cfg.passwords)
|
|
|
|
(lib.mkIf (!(isNull cfg.tcpIPPort)) (tcpConfig cfg.tcpIPPort))
|
|
|
|
]
|
|
|
|
);
|
|
|
|
}
|