diff --git a/modules/postgresql.nix b/modules/postgresql.nix
index edc0710..bced82f 100644
--- a/modules/postgresql.nix
+++ b/modules/postgresql.nix
@@ -24,8 +24,10 @@ in
 };
 passwordFile = lib.mkOption {
- type = lib.types.str;
- description = "Password file for the postgres user.";
+ type = lib.types.nullOr lib.types.str;
+ description = "Optional password file for the postgres user.";
+ default = null;
+ example = "/run/secrets/postgresql/password";
 };
 };
 });
@@ -64,16 +66,18 @@ in
 pwdConfig = passwordCfgs: {
 systemd.services.postgresql.postStart =
 let
- script = { username, passwordFile, ... }: ''
- $PSQL -tA <<'EOF'
- DO $$
- DECLARE password TEXT;
- BEGIN
- password := trim(both from replace(pg_read_file('${passwordFile}'), E'\n', '''));
- EXECUTE format('ALTER ROLE ${username} WITH PASSWORD '''%s''';', password);
- END $$;
- EOF
- '';
+ script = { username, passwordFile, ... }:
+ if isNull passwordFile then "" else
+ ''
+ $PSQL -tA <<'EOF'
+ DO $$
+ DECLARE password TEXT;
+ BEGIN
+ password := trim(both from replace(pg_read_file('${passwordFile}'), E'\n', '''));
+ EXECUTE format('ALTER ROLE ${username} WITH PASSWORD '''%s''';', password);
+ END $$;
+ EOF
+ '';
 in lib.concatStringsSep "\n" (map script passwordCfgs);
 };
diff --git a/test/modules/postgresql.nix b/test/modules/postgresql.nix
index ae28808..f76889d 100644
--- a/test/modules/postgresql.nix
+++ b/test/modules/postgresql.nix
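Review bot: The new `description = "Optional password file for the postgres user."` still says the file belongs to "the postgres user", although the option sits in the per-user submodule (the postStart script destructures `{ username, passwordFile, ... }`), so it is the password of whichever role `username` names. It also omits the access requirement that follows from how the file is consumed: the second hunk reads it server-side with `pg_read_file`, so the path must be absolute and readable by the PostgreSQL server process, not merely by root. A description such as `"Optional path to a file holding this role's password. It is read by the PostgreSQL server process via pg_read_file, so it must be readable by the database system user."` would spare users a confusing postStart failure. The submodule containing this option starts before the hunk.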
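Review bot: The re-added `EXECUTE format('ALTER ROLE ${username} WITH PASSWORD '''%s''';', password)` line splices the secret into a single-quoted literal with `%s`, so a password containing a `'` breaks the statement, and the role name is interpolated as a bare identifier; the hunk only wraps this in the null check, but since it is the new side it is worth fixing here with `format`'s quoting placeholders, `EXECUTE format('ALTER ROLE %I WITH PASSWORD %L;', '${username}', password);`. `isNull passwordFile` is the deprecated builtin; `passwordFile == null` is the current Nix spelling. If the ALTER fails, PL/pgSQL's error CONTEXT presumably echoes the expanded statement, password included, into the server log — worth confirming and, if so, catching the error inside the DO block and re-raising a message without the statement text. Since `script` returns `""` for null entries, `concatStringsSep "\n"` produces stray blank lines in mixed lists; harmless for the shell, but `lib.filter (s: s != "")` before the join keeps postStart tidy.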
@@ -36,7 +36,34 @@ in
 expr = testConfig {};
 };
- testPostgresOnePassword = {
+ testPostgresOneWithoutPassword = {
+ expected = {
+ services.postgresql = {
+ enable = true;
+ Users = [{
+ name = "myuser";
+ ensurePermissions = {
+ "DATABASE mydatabase" = "ALL PRIVILEGES";
+ };
+ ensureClauses = {
+ "login" = true;
+ };
+ }];
+ ensureDatabases = ["mydatabase"];
+ };
+ systemd.services.postgresql.postStart = "";
+ };
+ expr = testConfig {
+ shb.postgresql.passwords = [
+ {
+ username = "myuser";
+ database = "mydatabase";
+ }
+ ];
+ };
+ };
+
+ testPostgresOneWithPassword = {
 expected = {
 services.postgresql = {
 enable = true;
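Review bot: The new `testPostgresOneWithoutPassword` case covers a single user only, so the `systemd.services.postgresql.postStart = "";` expectation never exercises a list that mixes entries with and without `passwordFile`, which is exactly where the module's `concatStringsSep "\n"` over per-user scripts joins empty strings with real ones and yields leading or trailing newlines. A two-user case pinning the exact concatenated string would catch regressions in that join. The trailing context belongs to `testPostgresOneWithPassword`, whose body continues past the end of the hunk.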