diff --git a/modules/postgresql.nix b/modules/postgresql.nix index 9b99bae..db07d43 100644 --- a/modules/postgresql.nix +++ b/modules/postgresql.nix @@ -66,20 +66,24 @@ in pwdConfig = passwordCfgs: { systemd.services.postgresql.postStart = let - script = { username, passwordFile, ... }: - if isNull passwordFile then "" else - '' - $PSQL -tA <<'EOF' - DO $$ - DECLARE password TEXT; - BEGIN - password := trim(both from replace(pg_read_file('${passwordFile}'), E'\n', ''')); - EXECUTE format('ALTER ROLE ${username} WITH PASSWORD '''%s''';', password); - END $$; - EOF - ''; + prefix = '' + $PSQL -tA <<'EOF' + DO $$ + DECLARE password TEXT; + BEGIN + ''; + suffix = '' + END $$; + EOF + ''; + exec = { username, passwordFile, ... }: '' + password := trim(both from replace(pg_read_file('${passwordFile}'), E'\n', ''')); + EXECUTE format('ALTER ROLE ${username} WITH PASSWORD '''%s''';', password); + ''; + cfgsWithPasswords = builtins.filter (cfg: cfg.passwordFile != null) passwordCfgs; in - lib.concatStringsSep "\n" (map script passwordCfgs); + if (builtins.length cfgsWithPasswords) == 0 then "" else + prefix + (lib.concatStrings (map exec cfgsWithPasswords)) + suffix; }; in lib.mkMerge ( diff --git a/test/modules/postgresql.nix b/test/modules/postgresql.nix index 462ba78..22e9860 100644 --- a/test/modules/postgresql.nix +++ b/test/modules/postgresql.nix @@ -83,8 +83,8 @@ in DO $$ DECLARE password TEXT; BEGIN - password := trim(both from replace(pg_read_file('/my/file'), E'\n', ''')); - EXECUTE format('ALTER ROLE myuser WITH PASSWORD '''%s''';', password); + password := trim(both from replace(pg_read_file('/my/file'), E'\n', ''')); + EXECUTE format('ALTER ROLE myuser WITH PASSWORD '''%s''';', password); END $$; EOF ''; 
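Review bot: The `exec` lambda in the first hunk still builds the `ALTER ROLE` statement with `%s` and hand-written `'''` quoting around the password, and splices `${username}` straight into the SQL text; a password file whose content contains a single quote breaks the statement (or changes its meaning), and the role name is not quoted as an identifier at all. The commit moves the line without changing it, so this is not addressed; the safe form lets `format` do the quoting: `EXECUTE format('ALTER ROLE %I WITH PASSWORD %L;', '${username}', password);`. A second, behavioural point: the old `script` emitted one `$PSQL` heredoc per entry, whereas the new `prefix`/`exec`/`suffix` wrap every role into a single `DO $$ … $$` block, so a single failing `pg_read_file` (missing or unreadable file) now appears to abort the whole block and leaves every listed role without its password update rather than only the affected one; if that is intended, a comment on `prefix` saying so would help the next maintainer. The enclosing `pwdConfig` function continues outside the hunk.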
@@ -100,6 +100,155 @@ in }; }; + testPostgresTwoNoPassword = { + expected = { + services.postgresql = { + enable = true; + ensureUsers = [ + { + name = "user1"; + ensurePermissions = { + "DATABASE db1" = "ALL PRIVILEGES"; + }; + ensureClauses = { + "login" = true; + }; + } + { + name = "user2"; + ensurePermissions = { + "DATABASE db2" = "ALL PRIVILEGES"; + }; + ensureClauses = { + "login" = true; + }; + } + ]; + ensureDatabases = ["db1" "db2"]; + }; + systemd.services.postgresql.postStart = ""; + }; + expr = testConfig { + shb.postgresql.passwords = [ + { + username = "user1"; + database = "db1"; + } + { + username = "user2"; + database = "db2"; + } + ]; + }; + }; + + testPostgresTwoWithPassword = { + expected = { + services.postgresql = { + enable = true; + ensureUsers = [ + { + name = "user1"; + ensurePermissions = { + "DATABASE db1" = "ALL PRIVILEGES"; + }; + ensureClauses = { + "login" = true; + }; + } + { + name = "user2"; + ensurePermissions = { + "DATABASE db2" = "ALL PRIVILEGES"; + }; + ensureClauses = { + "login" = true; + }; + } + ]; + ensureDatabases = ["db1" "db2"]; + }; + systemd.services.postgresql.postStart = '' + $PSQL -tA <<'EOF' + DO $$ + DECLARE password TEXT; + BEGIN + password := trim(both from replace(pg_read_file('/file/user1'), E'\n', ''')); + EXECUTE format('ALTER ROLE user1 WITH PASSWORD '''%s''';', password); + password := trim(both from replace(pg_read_file('/file/user2'), E'\n', ''')); + EXECUTE format('ALTER ROLE user2 WITH PASSWORD '''%s''';', password); + END $$; + EOF + ''; + }; + expr = testConfig { + shb.postgresql.passwords = [ + { + username = "user1"; + database = "db1"; + passwordFile = "/file/user1"; + } + { + username = "user2"; + database = "db2"; + passwordFile = "/file/user2"; + } + ]; + }; + }; + + testPostgresTwoWithMixedPassword = { + expected = { + services.postgresql = { + enable = true; + ensureUsers = [ + { + name = "user1"; + ensurePermissions = { + "DATABASE db1" = "ALL PRIVILEGES"; + }; + ensureClauses = { + 
"login" = true; + }; + } + { + name = "user2"; + ensurePermissions = { + "DATABASE db2" = "ALL PRIVILEGES"; + }; + ensureClauses = { + "login" = true; + }; + } + ]; + ensureDatabases = ["db1" "db2"]; + }; + systemd.services.postgresql.postStart = '' + $PSQL -tA <<'EOF' + DO $$ + DECLARE password TEXT; + BEGIN + password := trim(both from replace(pg_read_file('/file/user2'), E'\n', ''')); + EXECUTE format('ALTER ROLE user2 WITH PASSWORD '''%s''';', password); + END $$; + EOF + ''; + }; + expr = testConfig { + shb.postgresql.passwords = [ + { + username = "user1"; + database = "db1"; + } + { + username = "user2"; + database = "db2"; + passwordFile = "/file/user2"; + } + ]; + }; + }; + testPostgresTCPIP = { expected = { services.postgresql = {