nix/lib
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Don't use hostssl if we're local and ssl-free

Browse Source
This commit is contained in:
niten 2024-07-18 11:10:36 -07:00
parent 8f38f6a1c1
commit 9a55c90d7f
1 changed files with 22 additions and 18 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

40
lib/fudo/postgres.nix
View File

@ -7,10 +7,14 @@ let
hostname = config.instance.hostname; hostname = config.instance.hostname;
domain-name = config.instance.local-domain; domain-name = config.instance.local-domain;
sslEnabled = cfg.ssl-certificate != null;
gssapi-realm = config.fudo.domains.${domain-name}.gssapi-realm; gssapi-realm = config.fudo.domains.${domain-name}.gssapi-realm;
strip-ext = filename: head (builtins.match "^(.+)[.][^.]+$" filename); strip-ext = filename: head (builtins.match "^(.+)[.][^.]+$" filename);
joinLines = concatStringsSep "\n";
userDatabaseOpts = { database, ... }: { userDatabaseOpts = { database, ... }: {
options = { options = {
access = mkOption { access = mkOption {
@ -99,7 +103,7 @@ let
exit 2 exit 2
fi fi
${concatStrings (mapAttrsToList (user: opts: ${joinLines (mapAttrsToList (user: opts:
password-setter-script user opts.password-file "$OUTPUT_FILE") password-setter-script user opts.password-file "$OUTPUT_FILE")
(filterPasswordedUsers users))} (filterPasswordedUsers users))}
''; '';
@ -109,17 +113,19 @@ let
nameValuePair "DATABASE ${database}" databaseOpts.access) databases; nameValuePair "DATABASE ${database}" databaseOpts.access) databases;
makeEntry = nw: makeEntry = nw:
"hostssl all all ${nw} gss include_realm=0 krb_realm=${gssapi-realm}"; let hostClause = if sslEnabled then "hostssl" else "host";
in "${hostClause} all all ${nw} gss include_realm=0 krb_realm=${gssapi-realm}";
makeNetworksEntry = networks: concatStrings (map makeEntry networks); makeNetworksEntry = networks: joinLines (map makeEntry networks);
makeLocalUserPasswordEntries = users: networks: makeLocalUserPasswordEntries = users: networks:
let let
network-entries = user: db: network-entries = user: db:
concatStrings joinLines (map (network:
(map (network: "hostssl ${db} ${user} ${network} md5") networks); let hostClause = if sslEnabled then "hostssl" else "host";
in concatStrings (mapAttrsToList (user: opts: in "${hostClause} ${db} ${user} ${network} md5") networks);
concatStrings (map (db: '' in joinLines (mapAttrsToList (user: opts:
joinLines (map (db: ''
local ${db} ${user} md5 local ${db} ${user} md5
host ${db} ${user} 127.0.0.1/16 md5 host ${db} ${user} 127.0.0.1/16 md5
host ${db} ${user} ::1/128 md5 host ${db} ${user} ::1/128 md5
@ -130,20 +136,18 @@ let
enableDatabaseExtensionsSql = database: databaseOpts: '' enableDatabaseExtensionsSql = database: databaseOpts: ''
\c ${database} \c ${database}
${concatStrings (map enableExtensionSql databaseOpts.extensions)} ${joinLines (map enableExtensionSql databaseOpts.extensions)}
''; '';
userTableAccessSql = user: entity: access: userTableAccessSql = user: entity: access:
"GRANT ${access} ON ${entity} TO ${user};"; "GRANT ${access} ON ${entity} TO ${user};";
userDatabaseAccessSql = user: database: dbOpts: '' userDatabaseAccessSql = user: database: dbOpts: ''
\c ${database} \c ${database}
${concatStrings ${joinLines (mapAttrsToList (userTableAccessSql user) dbOpts.entity-access)}
(mapAttrsToList (userTableAccessSql user) dbOpts.entity-access)}
''; '';
userAccessSql = user: userOpts: userAccessSql = user: userOpts:
concatStrings joinLines (mapAttrsToList (userDatabaseAccessSql user) userOpts.databases);
(mapAttrsToList (userDatabaseAccessSql user) userOpts.databases); usersAccessSql = users: joinLines (mapAttrsToList userAccessSql users);
usersAccessSql = users: concatStrings (mapAttrsToList userAccessSql users);
in { in {
@ -376,7 +380,7 @@ in {
# allow-user-login = user: "ALTER ROLE ${user} WITH LOGIN;"; # allow-user-login = user: "ALTER ROLE ${user} WITH LOGIN;";
# extra-settings-sql = pkgs.writeText "settings.sql" '' # extra-settings-sql = pkgs.writeText "settings.sql" ''
# ${concatStringsSep "\n" # ${joinLinesSep "\n"
# (map allow-user-login (mapAttrsToList (key: val: key) cfg.users))} # (map allow-user-login (mapAttrsToList (key: val: key) cfg.users))}
# ${usersAccessSql cfg.users} # ${usersAccessSql cfg.users}
# ''; # '';
@ -391,7 +395,7 @@ in {
serviceConfig.ExecStartPost = serviceConfig.ExecStartPost =
mkAfter [ "${pkgs.coreutils}/bin/sleep 10" ]; mkAfter [ "${pkgs.coreutils}/bin/sleep 10" ];
postStop = concatStringsSep "\n" cfg.cleanup-tasks; postStop = joinLinesSep "\n" cfg.cleanup-tasks;
}; };
postgresql-finalizer = { postgresql-finalizer = {
@ -402,7 +406,7 @@ in {
serviceConfig = { serviceConfig = {
User = config.services.postgresql.superUser; User = config.services.postgresql.superUser;
ExecStart = let ExecStart = let
enableExtensionsClause = concatStrings enableExtensionsClause = joinLines
(mapAttrsToList enableDatabaseExtensionsSql cfg.databases); (mapAttrsToList enableDatabaseExtensionsSql cfg.databases);
grantMasterAccessSql = db: user: '' grantMasterAccessSql = db: user: ''
@ -412,8 +416,8 @@ in {
\c postgres postgres \c postgres postgres
''; '';
grantMasterAccess = concatStrings (mapAttrsToList (database: opts: grantMasterAccess = joinLines (mapAttrsToList (database: opts:
concatStrings (map (grantMasterAccessSql database) opts.users)) joinLines (map (grantMasterAccessSql database) opts.users))
cfg.databases); cfg.databases);
extra-settings-sql = pkgs.writeText "settings.sql" '' extra-settings-sql = pkgs.writeText "settings.sql" ''