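{ pkgs, config, lib, ... }:
let
  inherit (lib) types concatLines optionalString mkOption;

  # One `DO` block per ensureUsers entry that declares a `passFile`.
  #
  # The server reads the file itself (pg_read_file needs the superuser session
  # that postStart's `$PSQL` provides), so the secret never passes through a
  # shell command line.  The file must be readable by the postgres user.  All
  # newlines are removed and surrounding blanks trimmed, so a trailing newline
  # is fine; passwords with significant leading/trailing whitespace are not
  # supported.
  #
  # `%L` quotes the password as a SQL literal and `%I` quotes the role name as
  # an identifier, so a quote character or backslash in the password file
  # cannot break out of the statement (a bare `'%s'` interpolation could).
  # Quoting the role also keeps mixed-case names matching the quoted
  # identifier the upstream module uses when it creates the role (verify
  # against your nixpkgs revision).  A role name containing `'` would still
  # break the embedded literal.
  #
  # NOTE(review): `ALTER ROLE ... PASSWORD` can appear verbatim in the server
  # log when log_statement covers DDL; check that setting before relying on
  # this mechanism.
  createPasswords = pkgs.writeText "psql-password-def" (
    concatLines (
      map (
        s:
        optionalString (s.passFile != null) ''
          DO $$
          DECLARE
            password TEXT;
          BEGIN
            password := trim(both from replace(pg_read_file('${s.passFile}'), E'\n', '''));
            EXECUTE format('ALTER ROLE %I WITH PASSWORD %L;', '${s.name}', password);
          END $$;
        ''
      ) config.services.postgresql.ensureUsers
    )
  );
in
{
  config = {
    # Appended to the upstream module's postStart, which is what defines the
    # `$PSQL` helper (psql as the postgres superuser); this line assumes that
    # definition is in scope.  -tA: tuples only, unaligned output.
    systemd.services.postgresql.postStart = "$PSQL -tA -f ${createPasswords}";

    services.postgresql = {
      package = pkgs.postgresql_15;

      # pg_hba.conf.  Records are tried top to bottom and the first match is
      # final (a failed peer check does not fall through).  Priority 10
      # replaces the module's default rules instead of merging with them.
      authentication = lib.mkOverride 10 ''
        #type  database     DBuser  address       auth-method
        local  all          all                   peer map=superuser_map
        # The record below is never reached: the one above already matches
        # every local, non-replication connection.
        local  all          all                   peer
        # md5 here also accepts SCRAM-stored secrets (the PG15 default for
        # newly set passwords).  Switching to scram-sha-256 would reject roles
        # whose stored secret is still an md5 hash, so check pg_authid first.
        host   all          all     127.0.0.1/32  md5
        host   all          all     ::1/128       md5
        local  replication  all                   peer
        host   replication  all     127.0.0.1/32  md5
        host   replication  all     ::1/128       md5
      '';

      # pg_ident.conf: maps the OS user seen by peer auth to a database role.
      identMap = ''
        # ArbitraryMapName systemUser         DBUser
        superuser_map      root               postgres
        superuser_map      matrix-synapse     synapse
        # NOTE(review): the exporter connects as the superuser; a dedicated
        # role granted pg_monitor would be the least-privilege alternative.
        superuser_map      postgres-exporter  postgres
        # Let other names login as themselves
        superuser_map      /^(.*)$            \1
      '';
    };
  };

  # Extends the upstream `ensureUsers` submodule with a `passFile` attribute;
  # the module system merges this declaration with the upstream one.
  #
  # Pass the location as a string (e.g. a runtime secrets path), not a Nix
  # path literal: interpolating a path value copies the file into the
  # world-readable Nix store.
  options.services.postgresql.ensureUsers = mkOption {
    type = types.listOf (
      types.submodule {
        options = {
          passFile = mkOption {
            type = types.nullOr types.path;
            default = null;
            description = "path to a password file containing the password to be set";
          };
        };
      }
    );
  };
}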