author | Florian Klink <flokli@flokli.de> | 2019-05-20 10:58:48 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2019-05-20 10:58:48 +0200 |
commit | cd96b50d909c39871ab41079705e484b9edc9e65 (patch) | |
tree | e427cb98d4bca9c8ab89825ed0279d11f0fa104d /nixos/modules/services/databases | |
parent | a3e7e1bbc8e4fea44fa2bdaac74a2371f1989a82 (diff) | |
parent | 7f3d0aee1c4f41266a9ff46c3561b805ded707e4 (diff) | |
nixos/postgresql: add ensureDatabases & ensureUsers options (#56720)
nixos/postgresql: add ensureDatabases & ensureUsers options
Diffstat (limited to 'nixos/modules/services/databases')
-rw-r--r-- | nixos/modules/services/databases/postgresql.nix | 91 |
1 files changed, 89 insertions, 2 deletions
diff --git a/nixos/modules/services/databases/postgresql.nix b/nixos/modules/services/databases/postgresql.nix
index 87b236dd5fd1..5661edbee2db 100644
--- a/nixos/modules/services/databases/postgresql.nix
+++ b/nixos/modules/services/databases/postgresql.nix
@@ -105,6 +105,80 @@ in ''; }; + ensureDatabases = mkOption { + type = types.listOf types.str; + default = []; + description = '' + Ensures that the specified databases exist. + This option will never delete existing databases, especially not when the value of this + option is changed. This means that databases created once through this option or + otherwise have to be removed manually. + ''; + example = [ + "gitea" + "nextcloud" + ]; + }; + + ensureUsers = mkOption { + type = types.listOf (types.submodule { + options = { + name = mkOption { + type = types.str; + description = '' + Name of the user to ensure. + ''; + }; + ensurePermissions = mkOption { + type = types.attrsOf types.str; + default = {}; + description = '' + Permissions to ensure for the user, specified as an attribute set. + The attribute names specify the database and tables to grant the permissions for. + The attribute values specify the permissions to grant. You may specify one or + multiple comma-separated SQL privileges here. + + For more information on how to specify the target + and on which privileges exist, see the + <link xlink:href="https://www.postgresql.org/docs/current/sql-grant.html">GRANT syntax</link>. + The attributes are used as <code>GRANT ''${attrName} ON ''${attrValue}</code>. + ''; + example = literalExample '' + { + "DATABASE nextcloud" = "ALL PRIVILEGES"; + "ALL TABLES IN SCHEMA public" = "ALL PRIVILEGES"; + } + ''; + }; + }; + }); + default = []; + description = '' + Ensures that the specified users exist and have at least the ensured permissions. + The PostgreSQL users will be identified using peer authentication. This authenticates the Unix user with the + same name only, and that without the need for a password. + This option will never delete existing users or remove permissions, especially not when the value of this + option is changed. This means that users created and permissions assigned once through this option or + otherwise have to be removed manually. 
+ ''; + example = literalExample '' + [ + { + name = "nextcloud"; + ensurePermissions = { + "DATABASE nextcloud" = "ALL PRIVILEGES"; + }; + } + { + name = "superuser"; + ensurePermissions = { + "ALL TABLES IN SCHEMA public" = "ALL PRIVILEGES"; + }; + } + ] + ''; + }; + enableTCPIP = mkOption { type = types.bool; default = false; @@ -256,17 +330,30 @@ in # Wait for PostgreSQL to be ready to accept connections. postStart = '' - while ! ${pkgs.sudo}/bin/sudo -u ${cfg.superUser} psql --port=${toString cfg.port} -d postgres -c "" 2> /dev/null; do + PSQL="${pkgs.sudo}/bin/sudo -u ${cfg.superUser} psql --port=${toString cfg.port}" + + while ! $PSQL -d postgres -c "" 2> /dev/null; do if ! kill -0 "$MAINPID"; then exit 1; fi sleep 0.1 done if test -e "${cfg.dataDir}/.first_startup"; then ${optionalString (cfg.initialScript != null) '' - ${pkgs.sudo}/bin/sudo -u ${cfg.superUser} psql -f "${cfg.initialScript}" --port=${toString cfg.port} -d postgres + $PSQL -f "${cfg.initialScript}" -d postgres ''} rm -f "${cfg.dataDir}/.first_startup" fi + '' + optionalString (cfg.ensureDatabases != []) '' + ${concatMapStrings (database: '' + $PSQL -tAc "SELECT 1 FROM pg_database WHERE datname = '${database}'" | grep -q 1 || $PSQL -tAc "CREATE DATABASE ${database}" + '') cfg.ensureDatabases} + '' + '' + ${concatMapStrings (user: '' + $PSQL -tAc "SELECT 1 FROM pg_roles WHERE rolname='${user.name}'" | grep -q 1 || $PSQL -tAc "CREATE USER ${user.name}" + ${concatStringsSep "\n" (mapAttrsToList (database: permission: '' + $PSQL -tAc "GRANT ${permission} ON ${database} TO ${user.name}" + '') user.ensurePermissions)} + '') cfg.ensureUsers} ''; unitConfig.RequiresMountsFor = "${cfg.dataDir}"; |
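Review bot: The ensurePermissions description states the GRANT template backwards: it says the attributes are used as `GRANT ''${attrName} ON ''${attrValue}`, but the attribute names are the targets and the values are the privileges, and the postStart code in this commit builds `GRANT ${permission} ON ${database}` with `database` being the attribute name. The sentence should read `The attributes are used as <code>GRANT ''${attrValue} ON ''${attrName}</code>.` so it matches the example right below it. The second ensureUsers example also names its role "superuser" and grants `ALL TABLES IN SCHEMA public`, which reads as if it produced a PostgreSQL superuser; the generated `CREATE USER` carries no SUPERUSER, and the schema-level grant is not tied to any particular database, so a plainer name and a sentence saying in which database such a grant lands would make the example less misleading. The description could further say that the grants are re-issued on every service start (which is idempotent) rather than only when the user is first created.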
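Review bot: The database, user and permission values are spliced into the SQL in the new postStart lines unquoted and unescaped, so a name with an upper-case letter or a hyphen is either case-folded or breaks the statement, and a name containing a quote or semicolon is executed as SQL; the problem is worse because the `pg_database`/`pg_roles` existence check compares the literal name, so a case-folded name never matches and `CREATE` is re-run (and fails) on every start. Quoting the identifiers keeps check and creation consistent, e.g. `$PSQL -tAc "SELECT 1 FROM pg_database WHERE datname = '${database}'" | grep -q 1 || $PSQL -tAc "CREATE DATABASE \"${database}\""`, and the same treatment belongs on the `CREATE USER ${user.name}` and `GRANT … TO ${user.name}` lines; constraining the option types with a `strMatching` pattern (or escaping `"` and `'` in the names) would close the injection path for names that other modules may pass through from their own configuration. Separately, `$PSQL` carries no `-d`, so each GRANT runs against psql's default database (the superuser's own) rather than the database the user is meant to work in, which makes an entry like `"ALL TABLES IN SCHEMA public"` grant on the wrong schema; either connect with `-d` derived from the entry or document that schema-level targets apply only to that default database.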