grimm-nixos-laptop/common/databases/postgres.nix

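{
  pkgs,
  config,
  lib,
  ...
}:
let
  inherit (lib)
    types
    concatLines
    optionalString
    mkOption
    mkAfter
    ;

  # SQL script, run once per service start, that sets the password of every
  # `services.postgresql.ensureUsers` entry that declares a `passFile`.
  #
  # The file is read server-side with pg_read_file, so it must be readable by
  # the postgres server process.  Only the *path* is written into this Nix
  # store file, never the password -- provided `passFile` is given as a string
  # (e.g. a secrets-manager runtime path), not as a Nix path literal, which
  # would be copied into the world-readable store.
  createPasswords = pkgs.writeText "psql-password-def" (
    concatLines (
      map (
        s:
        optionalString (s.passFile != null) ''
          DO $$
          DECLARE password TEXT;
          BEGIN
            -- strip the trailing newline most editors leave in the file
            password := trim(both from replace(pg_read_file('${s.passFile}'), E'\n', '''));
            -- %I quotes the role name as an identifier and %L quotes the
            -- password as a literal.  The previous hand-written '%s' quoting
            -- broke on (and could be escaped by) any password containing a
            -- single quote.
            EXECUTE format('ALTER ROLE %I WITH PASSWORD %L;', '${s.name}', password);
          END $$;
        ''
      ) config.services.postgresql.ensureUsers
    )
  );
in
{
  config = {
    # mkAfter: `$PSQL` is defined by the NixOS postgresql module's own
    # postStart, which also creates the ensureUsers roles.  Without explicit
    # ordering this line can be concatenated before it and fail.
    systemd.services.postgresql.postStart = mkAfter "$PSQL -tA -f ${createPasswords}";

    services.postgresql = {
      package = pkgs.postgresql_15;

      # pg_hba.conf is first-match-wins: the bare `local all all peer` line is
      # shadowed by the mapped line above it, whose map already lets every
      # system user log in as itself (catch-all `/^(.*)$ \1` below).
      # NOTE(review): `md5` accepts SCRAM-stored passwords, but `scram-sha-256`
      # is the recommended auth method on PostgreSQL 15; switching it changes
      # what clients must support, so it is left as configured here.
      authentication = lib.mkOverride 10 ''
        #type database DBuser auth-method
        local all all peer map=superuser_map
        local all all peer
        host all all 127.0.0.1/32 md5
        host all all ::1/128 md5
        local replication all peer
        host replication all 127.0.0.1/32 md5
        host replication all ::1/128 md5
      '';

      # System user -> database role mapping for peer auth.
      # NOTE(review): mapping postgres-exporter onto the `postgres` superuser
      # role is more than a metrics exporter needs; a dedicated role in
      # `pg_monitor` would follow least privilege.  Kept as-is to preserve
      # behaviour.
      identMap = ''
        # ArbitraryMapName systemUser DBUser
        superuser_map root postgres
        superuser_map matrix-synapse synapse
        superuser_map postgres-exporter postgres
        # Let other names login as themselves
        superuser_map /^(.*)$ \1
      '';
    };
  };

  # Extend each ensureUsers entry with an optional password file; entries
  # without one keep whatever password (or none) the role already has.
  options.services.postgresql.ensureUsers = mkOption {
    type = types.listOf (
      types.submodule {
        options = {
          passFile = mkOption {
            type = types.nullOr types.path;
            default = null;
            description = ''
              Path to a file containing the password to set for this role.
              It is read server-side by pg_read_file at service start, so it
              must be readable by the postgres user.  Pass it as a string
              (not a Nix path literal) so the secret is not copied into the
              Nix store.
            '';
          };
        };
      }
    );
  };
}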