allow no password for postgresql
parent
cc57b1ced7
commit
40522c8540
2 changed files with 44 additions and 13 deletions
|
@ -24,8 +24,10 @@ in
|
||||||
};
|
};
|
||||||
|
|
||||||
passwordFile = lib.mkOption {
|
passwordFile = lib.mkOption {
|
||||||
type = lib.types.str;
|
type = lib.types.nullOr lib.types.str;
|
||||||
description = "Password file for the postgres user.";
|
description = "Optional password file for the postgres user.";
|
||||||
|
default = null;
|
||||||
|
example = "/run/secrets/postgresql/password";
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
});
|
});
|
||||||
|
@ -64,16 +66,18 @@ in
|
||||||
pwdConfig = passwordCfgs: {
|
pwdConfig = passwordCfgs: {
|
||||||
systemd.services.postgresql.postStart =
|
systemd.services.postgresql.postStart =
|
||||||
let
|
let
|
||||||
script = { username, passwordFile, ... }: ''
|
script = { username, passwordFile, ... }:
|
||||||
$PSQL -tA <<'EOF'
|
if isNull passwordFile then "" else
|
||||||
DO $$
|
''
|
||||||
DECLARE password TEXT;
|
$PSQL -tA <<'EOF'
|
||||||
BEGIN
|
DO $$
|
||||||
password := trim(both from replace(pg_read_file('${passwordFile}'), E'\n', '''));
|
DECLARE password TEXT;
|
||||||
EXECUTE format('ALTER ROLE ${username} WITH PASSWORD '''%s''';', password);
|
BEGIN
|
||||||
END $$;
|
password := trim(both from replace(pg_read_file('${passwordFile}'), E'\n', '''));
|
||||||
EOF
|
EXECUTE format('ALTER ROLE ${username} WITH PASSWORD '''%s''';', password);
|
||||||
'';
|
END $$;
|
||||||
|
EOF
|
||||||
|
'';
|
||||||
in
|
in
|
||||||
lib.concatStringsSep "\n" (map script passwordCfgs);
|
lib.concatStringsSep "\n" (map script passwordCfgs);
|
||||||
};
|
};
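Review bot: The `ALTER ROLE` line in `script` still places the file contents with `%s` between hand-written quotes, so a password containing a single quote ends the literal early and the rest is parsed as SQL by the role running `$PSQL`. `${username}` is likewise spliced in as a bare identifier. Since the commit re-indents these lines anyway, let `format` do the quoting: `EXECUTE format('ALTER ROLE %I WITH PASSWORD %L;', '${username}', password);`. Separately, the new `isNull passwordFile` branch emits nothing, so a role that received a password on an earlier deployment presumably keeps it after `passwordFile` is removed from the configuration. If that is intended, the option description should say so, e.g. `"Optional password file for the postgres user. When null, the role's password is left unmanaged and an existing password is not cleared."`.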
|
||||||
|
|
|
@ -36,7 +36,34 @@ in
|
||||||
expr = testConfig {};
|
expr = testConfig {};
|
||||||
};
|
};
|
||||||
|
|
||||||
testPostgresOnePassword = {
|
testPostgresOneWithoutPassword = {
|
||||||
|
expected = {
|
||||||
|
services.postgresql = {
|
||||||
|
enable = true;
|
||||||
|
Users = [{
|
||||||
|
name = "myuser";
|
||||||
|
ensurePermissions = {
|
||||||
|
"DATABASE mydatabase" = "ALL PRIVILEGES";
|
||||||
|
};
|
||||||
|
ensureClauses = {
|
||||||
|
"login" = true;
|
||||||
|
};
|
||||||
|
}];
|
||||||
|
ensureDatabases = ["mydatabase"];
|
||||||
|
};
|
||||||
|
systemd.services.postgresql.postStart = "";
|
||||||
|
};
|
||||||
|
expr = testConfig {
|
||||||
|
shb.postgresql.passwords = [
|
||||||
|
{
|
||||||
|
username = "myuser";
|
||||||
|
database = "mydatabase";
|
||||||
|
}
|
||||||
|
];
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
testPostgresOneWithPassword = {
|
||||||
expected = {
|
expected = {
|
||||||
services.postgresql = {
|
services.postgresql = {
|
||||||
enable = true;
|
enable = true;
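Review bot: Neither of the two cases visible in this hunk, `testPostgresOneWithoutPassword` and `testPostgresOneWithPassword`, covers a `shb.postgresql.passwords` list that mixes entries with and without `passwordFile`. That is the case where `lib.concatStringsSep "\n"` joins an empty string with a real script block. A third case with one entry of each kind would pin the resulting `systemd.services.postgresql.postStart` text. It would also catch a regression where the null entry drops or corrupts its neighbour's `ALTER ROLE` block.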
|
||||||
|
|