allow no password for postgresql
parent
cc57b1ced7
commit
40522c8540
2 changed files with 44 additions and 13 deletions
|
@ -24,8 +24,10 @@ in
|
|||
};
|
||||
|
||||
passwordFile = lib.mkOption {
|
||||
type = lib.types.str;
|
||||
description = "Password file for the postgres user.";
|
||||
type = lib.types.nullOr lib.types.str;
|
||||
description = "Optional password file for the postgres user.";
|
||||
default = null;
|
||||
example = "/run/secrets/postgresql/password";
|
||||
};
|
||||
};
|
||||
});
|
||||
|
@ -64,16 +66,18 @@ in
|
|||
pwdConfig = passwordCfgs: {
|
||||
systemd.services.postgresql.postStart =
|
||||
let
|
||||
script = { username, passwordFile, ... }: ''
|
||||
$PSQL -tA <<'EOF'
|
||||
DO $$
|
||||
DECLARE password TEXT;
|
||||
BEGIN
|
||||
password := trim(both from replace(pg_read_file('${passwordFile}'), E'\n', '''));
|
||||
EXECUTE format('ALTER ROLE ${username} WITH PASSWORD '''%s''';', password);
|
||||
END $$;
|
||||
EOF
|
||||
'';
|
||||
script = { username, passwordFile, ... }:
|
||||
if isNull passwordFile then "" else
|
||||
''
|
||||
$PSQL -tA <<'EOF'
|
||||
DO $$
|
||||
DECLARE password TEXT;
|
||||
BEGIN
|
||||
password := trim(both from replace(pg_read_file('${passwordFile}'), E'\n', '''));
|
||||
EXECUTE format('ALTER ROLE ${username} WITH PASSWORD '''%s''';', password);
|
||||
END $$;
|
||||
EOF
|
||||
'';
|
||||
in
|
||||
lib.concatStringsSep "\n" (map script passwordCfgs);
|
||||
};
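Review bot: In the SQL generated by `script` (second hunk), the password read from the file is spliced into the statement with `%s` between hand-written quotes, so a password containing a single quote breaks the `ALTER ROLE` statement or changes its meaning. `format`'s `%L` quotes the value as a literal: `EXECUTE format('ALTER ROLE ${username} WITH PASSWORD %L;', password);`. The role name is also interpolated unquoted and could be passed through `%I` in the same way. Separately, returning `""` for a null `passwordFile` leaves any password the role already has in place, so switching a user from a file back to `null` does not appear to clear it. A sentence in the option's description saying so, or an explicit `ALTER ROLE ... WITH PASSWORD NULL`, would make that behaviour visible.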
|
||||
|
|
|
@ -36,7 +36,34 @@ in
|
|||
expr = testConfig {};
|
||||
};
|
||||
|
||||
testPostgresOnePassword = {
|
||||
testPostgresOneWithoutPassword = {
|
||||
expected = {
|
||||
services.postgresql = {
|
||||
enable = true;
|
||||
Users = [{
|
||||
name = "myuser";
|
||||
ensurePermissions = {
|
||||
"DATABASE mydatabase" = "ALL PRIVILEGES";
|
||||
};
|
||||
ensureClauses = {
|
||||
"login" = true;
|
||||
};
|
||||
}];
|
||||
ensureDatabases = ["mydatabase"];
|
||||
};
|
||||
systemd.services.postgresql.postStart = "";
|
||||
};
|
||||
expr = testConfig {
|
||||
shb.postgresql.passwords = [
|
||||
{
|
||||
username = "myuser";
|
||||
database = "mydatabase";
|
||||
}
|
||||
];
|
||||
};
|
||||
};
|
||||
|
||||
testPostgresOneWithPassword = {
|
||||
expected = {
|
||||
services.postgresql = {
|
||||
enable = true;
|
||||
|
|