73 lines
2 KiB
Nix
73 lines
2 KiB
Nix
|
{
|
||
|
pkgs,
|
||
|
config,
|
||
|
lib,
|
||
|
...
|
||
|
}:
|
||
|
let
|
||
|
inherit (lib)
|
||
|
types
|
||
|
concatLines
|
||
|
optionalString
|
||
|
mkOption
|
||
|
;
|
||
|
|
||
|
createPasswords = pkgs.writeText "psql-password-def" (
|
||
|
concatLines (
|
||
|
map (
|
||
|
s:
|
||
|
optionalString (!isNull s.passFile) ''
|
||
|
DO $$
|
||
|
DECLARE password TEXT;
|
||
|
BEGIN
|
||
|
password := trim(both from replace(pg_read_file('${s.passFile}'), E'\n', '''));
|
||
|
EXECUTE format('ALTER ROLE ${s.name} WITH PASSWORD '''%s''';', password);
|
||
|
END $$;
|
||
|
''
|
||
|
) config.services.postgresql.ensureUsers
|
||
|
)
|
||
|
);
|
||
|
in
|
||
|
{
|
||
|
config = {
|
||
|
systemd.services.postgresql.postStart = "$PSQL -tA -f ${createPasswords}";
|
||
|
|
||
|
services.postgresql = {
|
||
|
package = pkgs.postgresql_15;
|
||
|
|
||
|
authentication = pkgs.lib.mkOverride 10 ''
|
||
|
#type database DBuser auth-method
|
||
|
local all all peer map=superuser_map
|
||
|
local all all peer
|
||
|
host all all 127.0.0.1/32 md5
|
||
|
host all all ::1/128 md5
|
||
|
local replication all peer
|
||
|
host replication all 127.0.0.1/32 md5
|
||
|
host replication all ::1/128 md5
|
||
|
'';
|
||
|
identMap = ''
|
||
|
# ArbitraryMapName systemUser DBUser
|
||
|
superuser_map root postgres
|
||
|
superuser_map matrix-synapse synapse
|
||
|
superuser_map postgres-exporter postgres
|
||
|
# Let other names login as themselves
|
||
|
superuser_map /^(.*)$ \1
|
||
|
'';
|
||
|
};
|
||
|
};
|
||
|
|
||
|
options.services.postgresql.ensureUsers = mkOption {
|
||
|
type = types.listOf (
|
||
|
types.submodule {
|
||
|
options = {
|
||
|
passFile = mkOption {
|
||
|
type = types.nullOr types.path;
|
||
|
default = null;
|
||
|
description = "path to a password file containing the password to be set";
|
||
|
};
|
||
|
};
|
||
|
}
|
||
|
);
|
||
|
};
|
||
|
}
|