fix postgresql password script when multiple users

modules/postgresql.nix

@@ -66,20 +66,24 @@ in
       pwdConfig = passwordCfgs: {
         systemd.services.postgresql.postStart =
           let
-            script = { username, passwordFile, ... }:
+            prefix = ''
-              if isNull passwordFile then "" else
+            $PSQL -tA <<'EOF'
-              ''
+              DO $$
-                $PSQL -tA <<'EOF'
+              DECLARE password TEXT;
-                  DO $$
+              BEGIN
-                  DECLARE password TEXT;
+            '';
-                  BEGIN
+            suffix = ''
-                    password := trim(both from replace(pg_read_file('${passwordFile}'), E'\n', '''));
+              END $$;
-                    EXECUTE format('ALTER ROLE ${username} WITH PASSWORD '''%s''';', password);
+            EOF
-                  END $$;
+            '';
-                EOF
+            exec = { username, passwordFile, ... }: ''
-              '';
+            password := trim(both from replace(pg_read_file('${passwordFile}'), E'\n', '''));
+            EXECUTE format('ALTER ROLE ${username} WITH PASSWORD '''%s''';', password);
+            '';
+            cfgsWithPasswords = builtins.filter (cfg: cfg.passwordFile != null) passwordCfgs;
           in
-            lib.concatStringsSep "\n" (map script passwordCfgs);
+            if (builtins.length cfgsWithPasswords) == 0 then "" else
+              prefix + (lib.concatStrings (map exec cfgsWithPasswords)) + suffix;
       };
     in
       lib.mkMerge (

test/modules/postgresql.nix

@@ -83,8 +83,8 @@ in
         DO $$
         DECLARE password TEXT;
         BEGIN
-          password := trim(both from replace(pg_read_file('/my/file'), E'\n', '''));
+      password := trim(both from replace(pg_read_file('/my/file'), E'\n', '''));
-          EXECUTE format('ALTER ROLE myuser WITH PASSWORD '''%s''';', password);
+      EXECUTE format('ALTER ROLE myuser WITH PASSWORD '''%s''';', password);
         END $$;
       EOF
       '';
@@ -100,6 +100,155 @@ in
     };
   };
 
+  testPostgresTwoNoPassword = {
+    expected = {
+      services.postgresql = {
+        enable = true;
+        ensureUsers = [
+          {
+            name = "user1";
+            ensurePermissions = {
+              "DATABASE db1" = "ALL PRIVILEGES";
+            };
+            ensureClauses = {
+              "login" = true;
+            };
+          }
+          {
+            name = "user2";
+            ensurePermissions = {
+              "DATABASE db2" = "ALL PRIVILEGES";
+            };
+            ensureClauses = {
+              "login" = true;
+            };
+          }
+        ];
+        ensureDatabases = ["db1" "db2"];
+      };
+      systemd.services.postgresql.postStart = "";
+    };
+    expr = testConfig {
+      shb.postgresql.passwords = [
+        {
+          username = "user1";
+          database = "db1";
+        }
+        {
+          username = "user2";
+          database = "db2";
+        }
+      ];
+    };
+  };
+
+  testPostgresTwoWithPassword = {
+    expected = {
+      services.postgresql = {
+        enable = true;
+        ensureUsers = [
+          {
+            name = "user1";
+            ensurePermissions = {
+              "DATABASE db1" = "ALL PRIVILEGES";
+            };
+            ensureClauses = {
+              "login" = true;
+            };
+          }
+          {
+            name = "user2";
+            ensurePermissions = {
+              "DATABASE db2" = "ALL PRIVILEGES";
+            };
+            ensureClauses = {
+              "login" = true;
+            };
+          }
+        ];
+        ensureDatabases = ["db1" "db2"];
+      };
+      systemd.services.postgresql.postStart = ''
+      $PSQL -tA <<'EOF'
+        DO $$
+        DECLARE password TEXT;
+        BEGIN
+      password := trim(both from replace(pg_read_file('/file/user1'), E'\n', '''));
+      EXECUTE format('ALTER ROLE user1 WITH PASSWORD '''%s''';', password);
+      password := trim(both from replace(pg_read_file('/file/user2'), E'\n', '''));
+      EXECUTE format('ALTER ROLE user2 WITH PASSWORD '''%s''';', password);
+        END $$;
+      EOF
+      '';
+    };
+    expr = testConfig {
+      shb.postgresql.passwords = [
+        {
+          username = "user1";
+          database = "db1";
+          passwordFile = "/file/user1";
+        }
+        {
+          username = "user2";
+          database = "db2";
+          passwordFile = "/file/user2";
+        }
+      ];
+    };
+  };
+
+  testPostgresTwoWithMixedPassword = {
+    expected = {
+      services.postgresql = {
+        enable = true;
+        ensureUsers = [
+          {
+            name = "user1";
+            ensurePermissions = {
+              "DATABASE db1" = "ALL PRIVILEGES";
+            };
+            ensureClauses = {
+              "login" = true;
+            };
+          }
+          {
+            name = "user2";
+            ensurePermissions = {
+              "DATABASE db2" = "ALL PRIVILEGES";
+            };
+            ensureClauses = {
+              "login" = true;
+            };
+          }
+        ];
+        ensureDatabases = ["db1" "db2"];
+      };
+      systemd.services.postgresql.postStart = ''
+      $PSQL -tA <<'EOF'
+        DO $$
+        DECLARE password TEXT;
+        BEGIN
+      password := trim(both from replace(pg_read_file('/file/user2'), E'\n', '''));
+      EXECUTE format('ALTER ROLE user2 WITH PASSWORD '''%s''';', password);
+        END $$;
+      EOF
+      '';
+    };
+    expr = testConfig {
+      shb.postgresql.passwords = [
+        {
+          username = "user1";
+          database = "db1";
+        }
+        {
+          username = "user2";
+          database = "db2";
+          passwordFile = "/file/user2";
+        }
+      ];
+    };
+  };
+
   testPostgresTCPIP = {
     expected = {
       services.postgresql = {