parent
13a90f1ad4
commit
0242ae26c4
4 changed files with 40 additions and 60 deletions
32
flake.lock
32
flake.lock
|
@ -35,11 +35,11 @@
|
||||||
},
|
},
|
||||||
"nixpkgs": {
|
"nixpkgs": {
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1687412861,
|
"lastModified": 1701253981,
|
||||||
"narHash": "sha256-Z/g0wbL68C+mSGerYS2quv9FXQ1RRP082cAC0Bh4vcs=",
|
"narHash": "sha256-ztaDIyZ7HrTAfEEUt9AtTDNoCYxUdSd6NrRHaYOIxtk=",
|
||||||
"owner": "nixos",
|
"owner": "nixos",
|
||||||
"repo": "nixpkgs",
|
"repo": "nixpkgs",
|
||||||
"rev": "e603dc5f061ca1d8a19b3ede6a8cf9c9fcba6cdc",
|
"rev": "e92039b55bcd58469325ded85d4f58dd5a4eaf58",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
|
@ -51,11 +51,11 @@
|
||||||
},
|
},
|
||||||
"nixpkgs-stable": {
|
"nixpkgs-stable": {
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1687031877,
|
"lastModified": 1701568804,
|
||||||
"narHash": "sha256-yMFcVeI+kZ6KD2QBrFPNsvBrLq2Gt//D0baHByMrjFY=",
|
"narHash": "sha256-iwr1fjOCvlirVL/xNvOTwY9kg3L/F3TC/7yh/QszaPI=",
|
||||||
"owner": "NixOS",
|
"owner": "NixOS",
|
||||||
"repo": "nixpkgs",
|
"repo": "nixpkgs",
|
||||||
"rev": "e2e2059d19668dab1744301b8b0e821e3aae9c99",
|
"rev": "dc01248a9c946953ad4d438b0a626f5c987a93e4",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
|
@ -67,11 +67,11 @@
|
||||||
},
|
},
|
||||||
"nixpkgs_2": {
|
"nixpkgs_2": {
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1686979235,
|
"lastModified": 1701336116,
|
||||||
"narHash": "sha256-gBlBtk+KrezFkfMrZw6uwTuA7YWtbFciiS14mEoTCo0=",
|
"narHash": "sha256-kEmpezCR/FpITc6yMbAh4WrOCiT2zg5pSjnKrq51h5Y=",
|
||||||
"owner": "NixOS",
|
"owner": "NixOS",
|
||||||
"repo": "nixpkgs",
|
"repo": "nixpkgs",
|
||||||
"rev": "7cc30fd5372ddafb3373c318507d9932bd74aafe",
|
"rev": "f5c27c6136db4d76c30e533c20517df6864c46ee",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
|
@ -84,11 +84,11 @@
|
||||||
"nmdsrc": {
|
"nmdsrc": {
|
||||||
"flake": false,
|
"flake": false,
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1687627428,
|
"lastModified": 1701431551,
|
||||||
"narHash": "sha256-7zGfXuNS5RHqhpEdz2fwrtqvF86JRo5U1hrxZSYgcm8=",
|
"narHash": "sha256-5HPHG1u3koaWHG/TXHl5/YxYPYOuKc58104btrD8ypE=",
|
||||||
"ref": "refs/heads/master",
|
"ref": "refs/heads/master",
|
||||||
"rev": "824a380546b5d0d0eb701ff8cd5dbafb360750ff",
|
"rev": "f18defadcc25e69e95b04493ee02682005472255",
|
||||||
"revCount": 63,
|
"revCount": 65,
|
||||||
"type": "git",
|
"type": "git",
|
||||||
"url": "https://git.sr.ht/~rycee/nmd"
|
"url": "https://git.sr.ht/~rycee/nmd"
|
||||||
},
|
},
|
||||||
|
@ -112,11 +112,11 @@
|
||||||
"nixpkgs-stable": "nixpkgs-stable"
|
"nixpkgs-stable": "nixpkgs-stable"
|
||||||
},
|
},
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1687398569,
|
"lastModified": 1701572436,
|
||||||
"narHash": "sha256-e/umuIKFcFtZtWeX369Hbdt9r+GQ48moDmlTcyHWL28=",
|
"narHash": "sha256-0anfOQqDend6kSuF8CmOSAZsiAS1nwOsin5VQukh6Q4=",
|
||||||
"owner": "Mic92",
|
"owner": "Mic92",
|
||||||
"repo": "sops-nix",
|
"repo": "sops-nix",
|
||||||
"rev": "2ff6973350682f8d16371f8c071a304b8067f192",
|
"rev": "8bca48cb9a12bbd8766f359ad00336924e91b7f7",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
|
|
|
@ -72,12 +72,8 @@ in
|
||||||
services.postgresql.ensureDatabases = map ({ database, ... }: database) ensureCfgs;
|
services.postgresql.ensureDatabases = map ({ database, ... }: database) ensureCfgs;
|
||||||
services.postgresql.ensureUsers = map ({ username, database, ... }: {
|
services.postgresql.ensureUsers = map ({ username, database, ... }: {
|
||||||
name = username;
|
name = username;
|
||||||
ensurePermissions = {
|
ensureDBOwnership = true;
|
||||||
"DATABASE ${database}" = "ALL PRIVILEGES";
|
ensureClauses.login = true;
|
||||||
};
|
|
||||||
ensureClauses = {
|
|
||||||
"login" = true;
|
|
||||||
};
|
|
||||||
}) ensureCfgs;
|
}) ensureCfgs;
|
||||||
};
|
};
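Review bot: The `database` field of each `ensureCfgs` entry still feeds `ensureDatabases`, but `ensureDBOwnership = true` only makes the user owner of the database whose name equals `name = username`, and as far as I know the upstream module asserts that such a database is listed in `ensureDatabases`. An entry whose `username` and `database` differ would then fail with an upstream message about `services.postgresql` rather than one naming this module's option. Consider an assertion next to these lines, e.g. `assertion = username == database;` with a message that names `shb.postgresql.ensures`, or state the constraint in the option description. Ownership is also a wider grant than the removed `"ALL PRIVILEGES"` on the database (the owner can alter or drop it), which is worth one line in the option documentation. The enclosing block starts outside the hunk.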
|
||||||
|
|
||||||
|
|
|
@ -64,9 +64,7 @@ in
|
||||||
enable = true;
|
enable = true;
|
||||||
ensureUsers = [{
|
ensureUsers = [{
|
||||||
name = "myuser";
|
name = "myuser";
|
||||||
ensurePermissions = {
|
ensureDBOwnership = true;
|
||||||
"DATABASE mydatabase" = "ALL PRIVILEGES";
|
|
||||||
};
|
|
||||||
ensureClauses = {
|
ensureClauses = {
|
||||||
"login" = true;
|
"login" = true;
|
||||||
};
|
};
|
||||||
|
@ -92,9 +90,7 @@ in
|
||||||
enable = true;
|
enable = true;
|
||||||
ensureUsers = [{
|
ensureUsers = [{
|
||||||
name = "myuser";
|
name = "myuser";
|
||||||
ensurePermissions = {
|
ensureDBOwnership = true;
|
||||||
"DATABASE mydatabase" = "ALL PRIVILEGES";
|
|
||||||
};
|
|
||||||
ensureClauses = {
|
ensureClauses = {
|
||||||
"login" = true;
|
"login" = true;
|
||||||
};
|
};
|
||||||
|
@ -131,18 +127,14 @@ in
|
||||||
ensureUsers = [
|
ensureUsers = [
|
||||||
{
|
{
|
||||||
name = "user1";
|
name = "user1";
|
||||||
ensurePermissions = {
|
ensureDBOwnership = true;
|
||||||
"DATABASE db1" = "ALL PRIVILEGES";
|
|
||||||
};
|
|
||||||
ensureClauses = {
|
ensureClauses = {
|
||||||
"login" = true;
|
"login" = true;
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
{
|
{
|
||||||
name = "user2";
|
name = "user2";
|
||||||
ensurePermissions = {
|
ensureDBOwnership = true;
|
||||||
"DATABASE db2" = "ALL PRIVILEGES";
|
|
||||||
};
|
|
||||||
ensureClauses = {
|
ensureClauses = {
|
||||||
"login" = true;
|
"login" = true;
|
||||||
};
|
};
|
||||||
|
@ -174,18 +166,14 @@ in
|
||||||
ensureUsers = [
|
ensureUsers = [
|
||||||
{
|
{
|
||||||
name = "user1";
|
name = "user1";
|
||||||
ensurePermissions = {
|
ensureDBOwnership = true;
|
||||||
"DATABASE db1" = "ALL PRIVILEGES";
|
|
||||||
};
|
|
||||||
ensureClauses = {
|
ensureClauses = {
|
||||||
"login" = true;
|
"login" = true;
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
{
|
{
|
||||||
name = "user2";
|
name = "user2";
|
||||||
ensurePermissions = {
|
ensureDBOwnership = true;
|
||||||
"DATABASE db2" = "ALL PRIVILEGES";
|
|
||||||
};
|
|
||||||
ensureClauses = {
|
ensureClauses = {
|
||||||
"login" = true;
|
"login" = true;
|
||||||
};
|
};
|
||||||
|
@ -230,18 +218,14 @@ in
|
||||||
ensureUsers = [
|
ensureUsers = [
|
||||||
{
|
{
|
||||||
name = "user1";
|
name = "user1";
|
||||||
ensurePermissions = {
|
ensureDBOwnership = true;
|
||||||
"DATABASE db1" = "ALL PRIVILEGES";
|
|
||||||
};
|
|
||||||
ensureClauses = {
|
ensureClauses = {
|
||||||
"login" = true;
|
"login" = true;
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
{
|
{
|
||||||
name = "user2";
|
name = "user2";
|
||||||
ensurePermissions = {
|
ensureDBOwnership = true;
|
||||||
"DATABASE db2" = "ALL PRIVILEGES";
|
|
||||||
};
|
|
||||||
ensureClauses = {
|
ensureClauses = {
|
||||||
"login" = true;
|
"login" = true;
|
||||||
};
|
};
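Review bot: The examples keep `name = "myuser"`, `"user1"` and `"user2"`, while the removed lines granted rights on `mydatabase`, `db1` and `db2`. `ensureDBOwnership = true` applies to a database named like the user, so if the `ensureDatabases` lines outside these hunks still list the old database names, the examples no longer describe a working setup. Making the example user and database names match, as the test file in this commit does with `me`, would keep them safe to copy. This applies to all five hunks of the section (-64, -92, -131, -174 and -230).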
|
||||||
|
|
|
@ -11,7 +11,7 @@
|
||||||
shb.postgresql.ensures = [
|
shb.postgresql.ensures = [
|
||||||
{
|
{
|
||||||
username = "me";
|
username = "me";
|
||||||
database = "mine";
|
database = "me";
|
||||||
}
|
}
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
|
@ -25,10 +25,10 @@
|
||||||
return "sudo -u me psql -U {user} {db} --command \"\"".format(user=user, db=database)
|
return "sudo -u me psql -U {user} {db} --command \"\"".format(user=user, db=database)
|
||||||
|
|
||||||
with subtest("cannot login because of missing user"):
|
with subtest("cannot login because of missing user"):
|
||||||
machine.fail(peer_cmd("me", "mine"), timeout=10)
|
machine.fail(peer_cmd("me", "me"), timeout=10)
|
||||||
|
|
||||||
with subtest("cannot login with unknown user"):
|
with subtest("cannot login with unknown user"):
|
||||||
machine.fail(peer_cmd("notme", "mine"), timeout=10)
|
machine.fail(peer_cmd("notme", "me"), timeout=10)
|
||||||
|
|
||||||
with subtest("cannot login to unknown database"):
|
with subtest("cannot login to unknown database"):
|
||||||
machine.fail(peer_cmd("me", "notmine"), timeout=10)
|
machine.fail(peer_cmd("me", "notmine"), timeout=10)
|
||||||
|
@ -53,7 +53,7 @@
|
||||||
shb.postgresql.ensures = [
|
shb.postgresql.ensures = [
|
||||||
{
|
{
|
||||||
username = "me";
|
username = "me";
|
||||||
database = "mine";
|
database = "me";
|
||||||
}
|
}
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
|
@ -70,16 +70,16 @@
|
||||||
return "psql -h 127.0.0.1 -p {port} -U {user} {db} --command \"\"".format(user=user, db=database, port=port)
|
return "psql -h 127.0.0.1 -p {port} -U {user} {db} --command \"\"".format(user=user, db=database, port=port)
|
||||||
|
|
||||||
with subtest("can login with provisioned user and database"):
|
with subtest("can login with provisioned user and database"):
|
||||||
machine.succeed(peer_cmd("me", "mine"), timeout=10)
|
machine.succeed(peer_cmd("me", "me"), timeout=10)
|
||||||
|
|
||||||
with subtest("cannot login with unknown user"):
|
with subtest("cannot login with unknown user"):
|
||||||
machine.fail(peer_cmd("notme", "mine"), timeout=10)
|
machine.fail(peer_cmd("notme", "me"), timeout=10)
|
||||||
|
|
||||||
with subtest("cannot login to unknown database"):
|
with subtest("cannot login to unknown database"):
|
||||||
machine.fail(peer_cmd("me", "notmine"), timeout=10)
|
machine.fail(peer_cmd("me", "notmine"), timeout=10)
|
||||||
|
|
||||||
with subtest("cannot login with tcpip"):
|
with subtest("cannot login with tcpip"):
|
||||||
machine.fail(tcpip_cmd("me", "mine", "5432"), timeout=10)
|
machine.fail(tcpip_cmd("me", "me", "5432"), timeout=10)
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
|
||||||
|
@ -95,7 +95,7 @@
|
||||||
shb.postgresql.ensures = [
|
shb.postgresql.ensures = [
|
||||||
{
|
{
|
||||||
username = "me";
|
username = "me";
|
||||||
database = "mine";
|
database = "me";
|
||||||
}
|
}
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
|
@ -112,10 +112,10 @@
|
||||||
return "psql -h 127.0.0.1 -p {port} -U {user} {db} --command \"\"".format(user=user, db=database, port=port)
|
return "psql -h 127.0.0.1 -p {port} -U {user} {db} --command \"\"".format(user=user, db=database, port=port)
|
||||||
|
|
||||||
with subtest("cannot login without existing user"):
|
with subtest("cannot login without existing user"):
|
||||||
machine.fail(peer_cmd("me", "mine"), timeout=10)
|
machine.fail(peer_cmd("me", "me"), timeout=10)
|
||||||
|
|
||||||
with subtest("cannot login with user without password"):
|
with subtest("cannot login with user without password"):
|
||||||
machine.fail(tcpip_cmd("me", "mine", "5432"), timeout=10)
|
machine.fail(tcpip_cmd("me", "me", "5432"), timeout=10)
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
|
||||||
|
@ -141,7 +141,7 @@
|
||||||
shb.postgresql.ensures = [
|
shb.postgresql.ensures = [
|
||||||
{
|
{
|
||||||
username = "me";
|
username = "me";
|
||||||
database = "mine";
|
database = "me";
|
||||||
passwordFile = "/run/dbsecret";
|
passwordFile = "/run/dbsecret";
|
||||||
}
|
}
|
||||||
];
|
];
|
||||||
|
@ -159,13 +159,13 @@
|
||||||
return "PGPASSWORD={password} psql -h 127.0.0.1 -p {port} -U {user} {db} --command \"\"".format(user=user, db=database, port=port, password=password)
|
return "PGPASSWORD={password} psql -h 127.0.0.1 -p {port} -U {user} {db} --command \"\"".format(user=user, db=database, port=port, password=password)
|
||||||
|
|
||||||
with subtest("can peer login with provisioned user and database"):
|
with subtest("can peer login with provisioned user and database"):
|
||||||
machine.succeed(peer_cmd("me", "mine"), timeout=10)
|
machine.succeed(peer_cmd("me", "me"), timeout=10)
|
||||||
|
|
||||||
with subtest("can tcpip login with provisioned user and database"):
|
with subtest("can tcpip login with provisioned user and database"):
|
||||||
machine.succeed(tcpip_cmd("me", "mine", "5432", "secretpw"), timeout=10)
|
machine.succeed(tcpip_cmd("me", "me", "5432", "secretpw"), timeout=10)
|
||||||
|
|
||||||
with subtest("cannot tcpip login with wrong password"):
|
with subtest("cannot tcpip login with wrong password"):
|
||||||
machine.fail(tcpip_cmd("me", "mine", "5432", "oops"), timeout=10)
|
machine.fail(tcpip_cmd("me", "me", "5432", "oops"), timeout=10)
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
}
|
}
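Review bot: None of the subtests checks the ownership this commit switches to, because every command built by `peer_cmd` and `tcpip_cmd` runs `--command \"\"`, which only proves that the login succeeds. A subtest that runs a statement needing owner or schema rights as `me` (for instance creating and dropping a table in database `me`) would catch a regression in `ensureDBOwnership`. With user and database now both `me`, the positive cases would also pass if the two arguments were swapped inside the helpers, so a negative case against a database that exists but belongs to another user would be worth adding. The helper definitions start outside the visible hunks.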
|
||||||
|
|