
fix postgresql password script when multiple users

This commit is contained in:
ibizaman 2023-11-05 15:42:14 -08:00
parent a05f9d6942
commit 685133ba47
2 changed files with 168 additions and 15 deletions


@ -66,20 +66,24 @@ in
pwdConfig = passwordCfgs: {
systemd.services.postgresql.postStart =
let
script = { username, passwordFile, ... }:
if isNull passwordFile then "" else
''
$PSQL -tA <<'EOF'
DO $$
DECLARE password TEXT;
BEGIN
password := trim(both from replace(pg_read_file('${passwordFile}'), E'\n', '''));
EXECUTE format('ALTER ROLE ${username} WITH PASSWORD '''%s''';', password);
END $$;
EOF
'';
prefix = ''
$PSQL -tA <<'EOF'
DO $$
DECLARE password TEXT;
BEGIN
'';
suffix = ''
END $$;
EOF
'';
exec = { username, passwordFile, ... }: ''
password := trim(both from replace(pg_read_file('${passwordFile}'), E'\n', '''));
EXECUTE format('ALTER ROLE ${username} WITH PASSWORD '''%s''';', password);
'';
cfgsWithPasswords = builtins.filter (cfg: cfg.passwordFile != null) passwordCfgs;
in
lib.concatStringsSep "\n" (map script passwordCfgs);
if (builtins.length cfgsWithPasswords) == 0 then "" else
prefix + (lib.concatStrings (map exec cfgsWithPasswords)) + suffix;
};
in
lib.mkMerge (
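Review bot: The new `exec` helper still splices the secret into the SQL with `%s`, so a password containing a single quote (or a backslash under non-standard string rules) breaks the statement, and the same applies to `${username}`, which is interpolated as a bare identifier; PostgreSQL's `format()` has safe placeholders for both, so the line should become `EXECUTE format('ALTER ROLE %I WITH PASSWORD %L;', '${username}', password);` (`%I` quotes the identifier, which only changes behaviour for mixed-case usernames — worth confirming against how ensureUsers quotes names). The `pg_read_file('${passwordFile}')` argument is interpolated the same way and could be passed through `format('%L', …)` as well, though the path comes from the module config rather than from the secret file. Note also that collapsing every user into one `DO $$ … $$` block makes the update all-or-nothing: if `pg_read_file` fails for one user's file, the whole block aborts and no role gets its password set, whereas the previous per-user `$PSQL` invocations failed independently — a short comment above `prefix` stating this trade-off would help the next reader. The enclosing `pwdConfig` function and the `lib.mkMerge (` call continue outside this hunk.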


@ -83,8 +83,8 @@ in
DO $$
DECLARE password TEXT;
BEGIN
password := trim(both from replace(pg_read_file('/my/file'), E'\n', '''));
EXECUTE format('ALTER ROLE myuser WITH PASSWORD '''%s''';', password);
password := trim(both from replace(pg_read_file('/my/file'), E'\n', '''));
EXECUTE format('ALTER ROLE myuser WITH PASSWORD '''%s''';', password);
END $$;
EOF
'';
@ -100,6 +100,155 @@ in
};
};
testPostgresTwoNoPassword = {
expected = {
services.postgresql = {
enable = true;
ensureUsers = [
{
name = "user1";
ensurePermissions = {
"DATABASE db1" = "ALL PRIVILEGES";
};
ensureClauses = {
"login" = true;
};
}
{
name = "user2";
ensurePermissions = {
"DATABASE db2" = "ALL PRIVILEGES";
};
ensureClauses = {
"login" = true;
};
}
];
ensureDatabases = ["db1" "db2"];
};
systemd.services.postgresql.postStart = "";
};
expr = testConfig {
shb.postgresql.passwords = [
{
username = "user1";
database = "db1";
}
{
username = "user2";
database = "db2";
}
];
};
};
testPostgresTwoWithPassword = {
expected = {
services.postgresql = {
enable = true;
ensureUsers = [
{
name = "user1";
ensurePermissions = {
"DATABASE db1" = "ALL PRIVILEGES";
};
ensureClauses = {
"login" = true;
};
}
{
name = "user2";
ensurePermissions = {
"DATABASE db2" = "ALL PRIVILEGES";
};
ensureClauses = {
"login" = true;
};
}
];
ensureDatabases = ["db1" "db2"];
};
systemd.services.postgresql.postStart = ''
$PSQL -tA <<'EOF'
DO $$
DECLARE password TEXT;
BEGIN
password := trim(both from replace(pg_read_file('/file/user1'), E'\n', '''));
EXECUTE format('ALTER ROLE user1 WITH PASSWORD '''%s''';', password);
password := trim(both from replace(pg_read_file('/file/user2'), E'\n', '''));
EXECUTE format('ALTER ROLE user2 WITH PASSWORD '''%s''';', password);
END $$;
EOF
'';
};
expr = testConfig {
shb.postgresql.passwords = [
{
username = "user1";
database = "db1";
passwordFile = "/file/user1";
}
{
username = "user2";
database = "db2";
passwordFile = "/file/user2";
}
];
};
};
testPostgresTwoWithMixedPassword = {
expected = {
services.postgresql = {
enable = true;
ensureUsers = [
{
name = "user1";
ensurePermissions = {
"DATABASE db1" = "ALL PRIVILEGES";
};
ensureClauses = {
"login" = true;
};
}
{
name = "user2";
ensurePermissions = {
"DATABASE db2" = "ALL PRIVILEGES";
};
ensureClauses = {
"login" = true;
};
}
];
ensureDatabases = ["db1" "db2"];
};
systemd.services.postgresql.postStart = ''
$PSQL -tA <<'EOF'
DO $$
DECLARE password TEXT;
BEGIN
password := trim(both from replace(pg_read_file('/file/user2'), E'\n', '''));
EXECUTE format('ALTER ROLE user2 WITH PASSWORD '''%s''';', password);
END $$;
EOF
'';
};
expr = testConfig {
shb.postgresql.passwords = [
{
username = "user1";
database = "db1";
}
{
username = "user2";
database = "db2";
passwordFile = "/file/user2";
}
];
};
};
testPostgresTCPIP = {
expected = {
services.postgresql = {