
allow no password for postgresql

ibizaman 2023-11-04 20:59:55 -07:00
parent cc57b1ced7
commit 40522c8540
2 changed files with 44 additions and 13 deletions


@ -24,8 +24,10 @@ in
};
passwordFile = lib.mkOption {
type = lib.types.str;
description = "Password file for the postgres user.";
type = lib.types.nullOr lib.types.str;
description = "Optional password file for the postgres user.";
default = null;
example = "/run/secrets/postgresql/password";
};
};
});
@ -64,16 +66,18 @@ in
pwdConfig = passwordCfgs: {
systemd.services.postgresql.postStart =
let
script = { username, passwordFile, ... }: ''
$PSQL -tA <<'EOF'
DO $$
DECLARE password TEXT;
BEGIN
password := trim(both from replace(pg_read_file('${passwordFile}'), E'\n', '''));
EXECUTE format('ALTER ROLE ${username} WITH PASSWORD '''%s''';', password);
END $$;
EOF
'';
script = { username, passwordFile, ... }:
if isNull passwordFile then "" else
''
$PSQL -tA <<'EOF'
DO $$
DECLARE password TEXT;
BEGIN
password := trim(both from replace(pg_read_file('${passwordFile}'), E'\n', '''));
EXECUTE format('ALTER ROLE ${username} WITH PASSWORD '''%s''';', password);
END $$;
EOF
'';
in
lib.concatStringsSep "\n" (map script passwordCfgs);
};
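Review bot: In the second hunk the non-null branch still pastes the password between hand-written quotes with `%s`, in `format('ALTER ROLE ${username} WITH PASSWORD '''%s''';', password)`. A password file containing a single quote would close the literal early, and the rest would run as SQL in what is presumably a privileged session, since it calls `pg_read_file`. PostgreSQL's `format()` quotes literals with `%L`, so the line can become `EXECUTE format('ALTER ROLE ${username} WITH PASSWORD %L;', password);`, which also drops the `'''` escapes; the interpolated username could be passed through `%I` in the same way. Separately, `if isNull passwordFile then ""` emits nothing for that user, so a role that already had a password appears to keep it after the option is switched to `null`. If that is intended, the option description in the first hunk should say so; otherwise the null branch could issue `ALTER ROLE ... WITH PASSWORD NULL`.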


@ -36,7 +36,34 @@ in
expr = testConfig {};
};
testPostgresOnePassword = {
testPostgresOneWithoutPassword = {
expected = {
services.postgresql = {
enable = true;
Users = [{
name = "myuser";
ensurePermissions = {
"DATABASE mydatabase" = "ALL PRIVILEGES";
};
ensureClauses = {
"login" = true;
};
}];
ensureDatabases = ["mydatabase"];
};
systemd.services.postgresql.postStart = "";
};
expr = testConfig {
shb.postgresql.passwords = [
{
username = "myuser";
database = "mydatabase";
}
];
};
};
testPostgresOneWithPassword = {
expected = {
services.postgresql = {
enable = true;