fix postgresql password script when multiple users
parent
a05f9d6942
commit
685133ba47
2 changed files with 168 additions and 15 deletions
|
@ -66,20 +66,24 @@ in
|
|||
pwdConfig = passwordCfgs: {
|
||||
systemd.services.postgresql.postStart =
|
||||
let
|
||||
script = { username, passwordFile, ... }:
|
||||
if isNull passwordFile then "" else
|
||||
''
|
||||
$PSQL -tA <<'EOF'
|
||||
DO $$
|
||||
DECLARE password TEXT;
|
||||
BEGIN
|
||||
password := trim(both from replace(pg_read_file('${passwordFile}'), E'\n', '''));
|
||||
EXECUTE format('ALTER ROLE ${username} WITH PASSWORD '''%s''';', password);
|
||||
END $$;
|
||||
EOF
|
||||
'';
|
||||
prefix = ''
|
||||
$PSQL -tA <<'EOF'
|
||||
DO $$
|
||||
DECLARE password TEXT;
|
||||
BEGIN
|
||||
'';
|
||||
suffix = ''
|
||||
END $$;
|
||||
EOF
|
||||
'';
|
||||
exec = { username, passwordFile, ... }: ''
|
||||
password := trim(both from replace(pg_read_file('${passwordFile}'), E'\n', '''));
|
||||
EXECUTE format('ALTER ROLE ${username} WITH PASSWORD '''%s''';', password);
|
||||
'';
|
||||
cfgsWithPasswords = builtins.filter (cfg: cfg.passwordFile != null) passwordCfgs;
|
||||
in
|
||||
lib.concatStringsSep "\n" (map script passwordCfgs);
|
||||
if (builtins.length cfgsWithPasswords) == 0 then "" else
|
||||
prefix + (lib.concatStrings (map exec cfgsWithPasswords)) + suffix;
|
||||
};
|
||||
in
|
||||
lib.mkMerge (
|
||||
|
|
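Review bot: The new `exec` helper still splices `${username}` into the statement text and wraps the file contents in hand-written quotes (`'''%s'''`), so a password containing a single quote, or a role name that needs identifier quoting, yields a broken or altered `ALTER ROLE` statement. `format()` can do the quoting itself: `EXECUTE format('ALTER ROLE %I WITH PASSWORD %L;', '${username}', password);`. Separately, every role is now updated inside one `DO` block, so an error from one `pg_read_file` call (for example a missing password file) presumably aborts the password update for all roles rather than just that one. A short comment on `prefix`/`suffix` stating that this is intended would help.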
|
@ -83,8 +83,8 @@ in
|
|||
DO $$
|
||||
DECLARE password TEXT;
|
||||
BEGIN
|
||||
password := trim(both from replace(pg_read_file('/my/file'), E'\n', '''));
|
||||
EXECUTE format('ALTER ROLE myuser WITH PASSWORD '''%s''';', password);
|
||||
password := trim(both from replace(pg_read_file('/my/file'), E'\n', '''));
|
||||
EXECUTE format('ALTER ROLE myuser WITH PASSWORD '''%s''';', password);
|
||||
END $$;
|
||||
EOF
|
||||
'';
|
||||
|
@ -100,6 +100,155 @@ in
|
|||
};
|
||||
};
|
||||
|
||||
testPostgresTwoNoPassword = {
|
||||
expected = {
|
||||
services.postgresql = {
|
||||
enable = true;
|
||||
ensureUsers = [
|
||||
{
|
||||
name = "user1";
|
||||
ensurePermissions = {
|
||||
"DATABASE db1" = "ALL PRIVILEGES";
|
||||
};
|
||||
ensureClauses = {
|
||||
"login" = true;
|
||||
};
|
||||
}
|
||||
{
|
||||
name = "user2";
|
||||
ensurePermissions = {
|
||||
"DATABASE db2" = "ALL PRIVILEGES";
|
||||
};
|
||||
ensureClauses = {
|
||||
"login" = true;
|
||||
};
|
||||
}
|
||||
];
|
||||
ensureDatabases = ["db1" "db2"];
|
||||
};
|
||||
systemd.services.postgresql.postStart = "";
|
||||
};
|
||||
expr = testConfig {
|
||||
shb.postgresql.passwords = [
|
||||
{
|
||||
username = "user1";
|
||||
database = "db1";
|
||||
}
|
||||
{
|
||||
username = "user2";
|
||||
database = "db2";
|
||||
}
|
||||
];
|
||||
};
|
||||
};
|
||||
|
||||
testPostgresTwoWithPassword = {
|
||||
expected = {
|
||||
services.postgresql = {
|
||||
enable = true;
|
||||
ensureUsers = [
|
||||
{
|
||||
name = "user1";
|
||||
ensurePermissions = {
|
||||
"DATABASE db1" = "ALL PRIVILEGES";
|
||||
};
|
||||
ensureClauses = {
|
||||
"login" = true;
|
||||
};
|
||||
}
|
||||
{
|
||||
name = "user2";
|
||||
ensurePermissions = {
|
||||
"DATABASE db2" = "ALL PRIVILEGES";
|
||||
};
|
||||
ensureClauses = {
|
||||
"login" = true;
|
||||
};
|
||||
}
|
||||
];
|
||||
ensureDatabases = ["db1" "db2"];
|
||||
};
|
||||
systemd.services.postgresql.postStart = ''
|
||||
$PSQL -tA <<'EOF'
|
||||
DO $$
|
||||
DECLARE password TEXT;
|
||||
BEGIN
|
||||
password := trim(both from replace(pg_read_file('/file/user1'), E'\n', '''));
|
||||
EXECUTE format('ALTER ROLE user1 WITH PASSWORD '''%s''';', password);
|
||||
password := trim(both from replace(pg_read_file('/file/user2'), E'\n', '''));
|
||||
EXECUTE format('ALTER ROLE user2 WITH PASSWORD '''%s''';', password);
|
||||
END $$;
|
||||
EOF
|
||||
'';
|
||||
};
|
||||
expr = testConfig {
|
||||
shb.postgresql.passwords = [
|
||||
{
|
||||
username = "user1";
|
||||
database = "db1";
|
||||
passwordFile = "/file/user1";
|
||||
}
|
||||
{
|
||||
username = "user2";
|
||||
database = "db2";
|
||||
passwordFile = "/file/user2";
|
||||
}
|
||||
];
|
||||
};
|
||||
};
|
||||
|
||||
testPostgresTwoWithMixedPassword = {
|
||||
expected = {
|
||||
services.postgresql = {
|
||||
enable = true;
|
||||
ensureUsers = [
|
||||
{
|
||||
name = "user1";
|
||||
ensurePermissions = {
|
||||
"DATABASE db1" = "ALL PRIVILEGES";
|
||||
};
|
||||
ensureClauses = {
|
||||
"login" = true;
|
||||
};
|
||||
}
|
||||
{
|
||||
name = "user2";
|
||||
ensurePermissions = {
|
||||
"DATABASE db2" = "ALL PRIVILEGES";
|
||||
};
|
||||
ensureClauses = {
|
||||
"login" = true;
|
||||
};
|
||||
}
|
||||
];
|
||||
ensureDatabases = ["db1" "db2"];
|
||||
};
|
||||
systemd.services.postgresql.postStart = ''
|
||||
$PSQL -tA <<'EOF'
|
||||
DO $$
|
||||
DECLARE password TEXT;
|
||||
BEGIN
|
||||
password := trim(both from replace(pg_read_file('/file/user2'), E'\n', '''));
|
||||
EXECUTE format('ALTER ROLE user2 WITH PASSWORD '''%s''';', password);
|
||||
END $$;
|
||||
EOF
|
||||
'';
|
||||
};
|
||||
expr = testConfig {
|
||||
shb.postgresql.passwords = [
|
||||
{
|
||||
username = "user1";
|
||||
database = "db1";
|
||||
}
|
||||
{
|
||||
username = "user2";
|
||||
database = "db2";
|
||||
passwordFile = "/file/user2";
|
||||
}
|
||||
];
|
||||
};
|
||||
};
|
||||
|
||||
testPostgresTCPIP = {
|
||||
expected = {
|
||||
services.postgresql = {
|
||||
|
|
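Review bot: The three new cases (`testPostgresTwoNoPassword`, `testPostgresTwoWithPassword`, `testPostgresTwoWithMixedPassword`) only use plain lowercase names such as `user1` and paths such as `/file/user1`, so nothing pins how the generated `postStart` script renders a role name or path that needs SQL quoting. Consider adding one case with a username containing a dash or an uppercase letter and asserting the exact `ALTER ROLE` line produced for it. The roughly 25-line `services.postgresql` expectation is also repeated verbatim in each test; a small `let` binding shared by the three would keep the differing `postStart` strings easier to compare.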