
allow no password for postgresql

This commit is contained in:
ibizaman 2023-11-04 20:59:55 -07:00
parent cc57b1ced7
commit 40522c8540
2 changed files with 44 additions and 13 deletions


@ -24,8 +24,10 @@ in
}; };
passwordFile = lib.mkOption { passwordFile = lib.mkOption {
type = lib.types.str; type = lib.types.nullOr lib.types.str;
description = "Password file for the postgres user."; description = "Optional password file for the postgres user.";
default = null;
example = "/run/secrets/postgresql/password";
}; };
}; };
}); });
@ -64,16 +66,18 @@ in
pwdConfig = passwordCfgs: { pwdConfig = passwordCfgs: {
systemd.services.postgresql.postStart = systemd.services.postgresql.postStart =
let let
script = { username, passwordFile, ... }: '' script = { username, passwordFile, ... }:
$PSQL -tA <<'EOF' if isNull passwordFile then "" else
DO $$ ''
DECLARE password TEXT; $PSQL -tA <<'EOF'
BEGIN DO $$
password := trim(both from replace(pg_read_file('${passwordFile}'), E'\n', ''')); DECLARE password TEXT;
EXECUTE format('ALTER ROLE ${username} WITH PASSWORD '''%s''';', password); BEGIN
END $$; password := trim(both from replace(pg_read_file('${passwordFile}'), E'\n', '''));
EOF EXECUTE format('ALTER ROLE ${username} WITH PASSWORD '''%s''';', password);
''; END $$;
EOF
'';
in in
lib.concatStringsSep "\n" (map script passwordCfgs); lib.concatStringsSep "\n" (map script passwordCfgs);
}; };
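Review bot: The `EXECUTE format('ALTER ROLE ${username} WITH PASSWORD '''%s''';', password);` line in the second hunk splices the file contents into hand-written SQL quotes with `%s`, so a password containing a single quote breaks the statement and, because this runs as the postgres superuser in postStart, can inject arbitrary SQL; `format`'s `%L` quotes the literal correctly: `EXECUTE format('ALTER ROLE ${username} WITH PASSWORD %L;', password);`. The new `isNull passwordFile` guard uses a builtin that current Nix marks as deprecated; `passwordFile == null` is the idiomatic spelling. With the new null default the script emits nothing for that user, so the role (created elsewhere with `login = true`) keeps whatever password it already had and access then depends entirely on pg_hba — a short comment above the guard would make that explicit, e.g. `# No passwordFile: leave the role's password untouched; authentication then relies on pg_hba.conf.` The `pwdConfig` binding is fully inside this hunk, but the module that consumes it is not.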


@ -36,7 +36,34 @@ in
expr = testConfig {}; expr = testConfig {};
}; };
testPostgresOnePassword = { testPostgresOneWithoutPassword = {
expected = {
services.postgresql = {
enable = true;
Users = [{
name = "myuser";
ensurePermissions = {
"DATABASE mydatabase" = "ALL PRIVILEGES";
};
ensureClauses = {
"login" = true;
};
}];
ensureDatabases = ["mydatabase"];
};
systemd.services.postgresql.postStart = "";
};
expr = testConfig {
shb.postgresql.passwords = [
{
username = "myuser";
database = "mydatabase";
}
];
};
};
testPostgresOneWithPassword = {
expected = { expected = {
services.postgresql = { services.postgresql = {
enable = true; enable = true;