ensurePermissions no longer exists
This commit is contained in:
parent
4e071df85f
commit
a1f2e7f28b
@ -9,8 +9,6 @@ let
|
|||||||
|
|
||||||
gssapi-realm = config.fudo.domains.${domain-name}.gssapi-realm;
|
gssapi-realm = config.fudo.domains.${domain-name}.gssapi-realm;
|
||||||
|
|
||||||
join-lines = lib.concatStringsSep "\n";
|
|
||||||
|
|
||||||
strip-ext = filename: head (builtins.match "^(.+)[.][^.]+$" filename);
|
strip-ext = filename: head (builtins.match "^(.+)[.][^.]+$" filename);
|
||||||
|
|
||||||
userDatabaseOpts = { database, ... }: {
|
userDatabaseOpts = { database, ... }: {
|
||||||
@ -101,7 +99,7 @@ let
|
|||||||
exit 2
|
exit 2
|
||||||
fi
|
fi
|
||||||
|
|
||||||
${join-lines (mapAttrsToList (user: opts:
|
${concatStrings (mapAttrsToList (user: opts:
|
||||||
password-setter-script user opts.password-file "$OUTPUT_FILE")
|
password-setter-script user opts.password-file "$OUTPUT_FILE")
|
||||||
(filterPasswordedUsers users))}
|
(filterPasswordedUsers users))}
|
||||||
'';
|
'';
|
||||||
@ -113,15 +111,15 @@ let
|
|||||||
makeEntry = nw:
|
makeEntry = nw:
|
||||||
"hostssl all all ${nw} gss include_realm=0 krb_realm=${gssapi-realm}";
|
"hostssl all all ${nw} gss include_realm=0 krb_realm=${gssapi-realm}";
|
||||||
|
|
||||||
makeNetworksEntry = networks: join-lines (map makeEntry networks);
|
makeNetworksEntry = networks: concatStrings (map makeEntry networks);
|
||||||
|
|
||||||
makeLocalUserPasswordEntries = users: networks:
|
makeLocalUserPasswordEntries = users: networks:
|
||||||
let
|
let
|
||||||
network-entries = user: db:
|
network-entries = user: db:
|
||||||
join-lines
|
concatStrings
|
||||||
(map (network: "hostssl ${db} ${user} ${network} md5") networks);
|
(map (network: "hostssl ${db} ${user} ${network} md5") networks);
|
||||||
in join-lines (mapAttrsToList (user: opts:
|
in concatStrings (mapAttrsToList (user: opts:
|
||||||
join-lines (map (db: ''
|
concatStrings (map (db: ''
|
||||||
local ${db} ${user} md5
|
local ${db} ${user} md5
|
||||||
host ${db} ${user} 127.0.0.1/16 md5
|
host ${db} ${user} 127.0.0.1/16 md5
|
||||||
host ${db} ${user} ::1/128 md5
|
host ${db} ${user} ::1/128 md5
|
||||||
@ -132,19 +130,20 @@ let
|
|||||||
|
|
||||||
enableDatabaseExtensionsSql = database: databaseOpts: ''
|
enableDatabaseExtensionsSql = database: databaseOpts: ''
|
||||||
\c ${database}
|
\c ${database}
|
||||||
${join-lines (map enableExtensionSql databaseOpts.extensions)}
|
${concatStrings (map enableExtensionSql databaseOpts.extensions)}
|
||||||
'';
|
'';
|
||||||
|
|
||||||
userTableAccessSql = user: entity: access:
|
userTableAccessSql = user: entity: access:
|
||||||
"GRANT ${access} ON ${entity} TO ${user};";
|
"GRANT ${access} ON ${entity} TO ${user};";
|
||||||
userDatabaseAccessSql = user: database: dbOpts: ''
|
userDatabaseAccessSql = user: database: dbOpts: ''
|
||||||
\c ${database}
|
\c ${database}
|
||||||
${join-lines
|
${concatStrings
|
||||||
(mapAttrsToList (userTableAccessSql user) dbOpts.entity-access)}
|
(mapAttrsToList (userTableAccessSql user) dbOpts.entity-access)}
|
||||||
'';
|
'';
|
||||||
userAccessSql = user: userOpts:
|
userAccessSql = user: userOpts:
|
||||||
join-lines (mapAttrsToList (userDatabaseAccessSql user) userOpts.databases);
|
concatStrings
|
||||||
usersAccessSql = users: join-lines (mapAttrsToList userAccessSql users);
|
(mapAttrsToList (userDatabaseAccessSql user) userOpts.databases);
|
||||||
|
usersAccessSql = users: concatStrings (mapAttrsToList userAccessSql users);
|
||||||
|
|
||||||
in {
|
in {
|
||||||
|
|
||||||
@ -264,14 +263,18 @@ in {
|
|||||||
package = cfg.package;
|
package = cfg.package;
|
||||||
enableTCPIP = true;
|
enableTCPIP = true;
|
||||||
ensureDatabases = mapAttrsToList (name: value: name) cfg.databases;
|
ensureDatabases = mapAttrsToList (name: value: name) cfg.databases;
|
||||||
ensureUsers = ((mapAttrsToList (username: attrs: {
|
ensureUsers = map (user: {
|
||||||
name = username;
|
name = user;
|
||||||
ensurePermissions = userDatabaseAccess username attrs.databases;
|
ensureClauses.login = true;
|
||||||
}) cfg.users) ++ (flatten (mapAttrsToList (database: opts:
|
}) attrNames cfg.users;
|
||||||
(map (username: {
|
# ensureUsers = ((mapAttrsToList (username: attrs: {
|
||||||
name = username;
|
# name = username;
|
||||||
ensurePermissions = { "DATABASE ${database}" = "ALL PRIVILEGES"; };
|
# ensurePermissions = userDatabaseAccess username attrs.databases;
|
||||||
}) opts.users)) cfg.databases)));
|
# }) cfg.users) ++ (flatten (mapAttrsToList (database: opts:
|
||||||
|
# (map (username: {
|
||||||
|
# name = username;
|
||||||
|
# ensurePermissions = { "DATABASE ${database}" = "ALL PRIVILEGES"; };
|
||||||
|
# }) opts.users)) cfg.databases)));
|
||||||
|
|
||||||
settings = let ssl-enabled = cfg.ssl-certificate != null;
|
settings = let ssl-enabled = cfg.ssl-certificate != null;
|
||||||
in {
|
in {
|
||||||
@ -353,11 +356,12 @@ in {
|
|||||||
description =
|
description =
|
||||||
"A service to set postgresql user passwords after the server has started.";
|
"A service to set postgresql user passwords after the server has started.";
|
||||||
after = [ "postgresql.service" ] ++ cfg.required-services;
|
after = [ "postgresql.service" ] ++ cfg.required-services;
|
||||||
|
reqires = [ "postgresql.service" ] ++ cfg.required-services;
|
||||||
wantedBy = [ "postgresql.service" ];
|
wantedBy = [ "postgresql.service" ];
|
||||||
serviceConfig = {
|
serviceConfig = {
|
||||||
Type = "oneshot";
|
Type = "oneshot";
|
||||||
User = config.services.postgresql.superUser;
|
User = config.services.postgresql.superUser;
|
||||||
ExecStart = "${password-wrapper-script}";
|
ExecStart = password-wrapper-script;
|
||||||
};
|
};
|
||||||
partOf = [ cfg.systemd-target ];
|
partOf = [ cfg.systemd-target ];
|
||||||
};
|
};
|
||||||
@ -393,19 +397,29 @@ in {
|
|||||||
postgresql-finalizer = {
|
postgresql-finalizer = {
|
||||||
requires = [ "postgresql.service" ];
|
requires = [ "postgresql.service" ];
|
||||||
after = [ "postgresql.service" "postgresql-password-setter.service" ];
|
after = [ "postgresql.service" "postgresql-password-setter.service" ];
|
||||||
partOf = [ "postgresql.target" ];
|
partOf = [ cfg.systemd-target ];
|
||||||
wantedBy = [ "postgresql.service" ];
|
wantedBy = [ "postgresql.service" ];
|
||||||
serviceConfig = {
|
serviceConfig = {
|
||||||
User = config.services.postgresql.superUser;
|
User = config.services.postgresql.superUser;
|
||||||
ExecStart = let
|
ExecStart = let
|
||||||
allow-user-login = user: "ALTER ROLE ${user} WITH LOGIN;";
|
enableExtensionsClause = concatStrings
|
||||||
|
(mapAttrsToList enableDatabaseExtensionsSql cfg.databases);
|
||||||
|
|
||||||
|
grantMasterAccessSql = db: user: ''
|
||||||
|
GRANT ALL PRIVILEGES ON DATABASE ${db} TO ${user};
|
||||||
|
\c ${db} postgres
|
||||||
|
GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA public TO ${user};
|
||||||
|
\c postgres postgres
|
||||||
|
'';
|
||||||
|
|
||||||
|
grantMasterAccess = concatStrings (mapAttrsToList (database: opts:
|
||||||
|
concatStrings (map (grantMasterAccessSql database) opts.users))
|
||||||
|
cfg.databases);
|
||||||
|
|
||||||
extra-settings-sql = pkgs.writeText "settings.sql" ''
|
extra-settings-sql = pkgs.writeText "settings.sql" ''
|
||||||
${join-lines
|
${enableExtensionsClause}
|
||||||
(mapAttrsToList enableDatabaseExtensionsSql cfg.databases)}
|
|
||||||
|
|
||||||
${concatStringsSep "\n" (map allow-user-login
|
${grantMasterAccess}
|
||||||
(mapAttrsToList (key: val: key) cfg.users))}
|
|
||||||
|
|
||||||
${usersAccessSql cfg.users}
|
${usersAccessSql cfg.users}
|
||||||
'';
|
'';
|
||||||
|
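Review bot: `reqires = [ "postgresql.service" ] ++ cfg.required-services;` in the postgresql-password-setter service (the line added after `after = ...` in the `@ -353,11 +356,12 @@` hunk) is a typo; `systemd.services.<name>` defines no such option, so the module will most likely be rejected as an undefined option at evaluation time, and the intended line is `requires = [ "postgresql.service" ] ++ cfg.required-services;`. In the finalizer hunk, `grantMasterAccessSql` now issues `GRANT ALL PRIVILEGES ON DATABASE` and `GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA public` for every user in a database's `opts.users`, while the rewritten `ensureUsers` only creates roles from `attrNames cfg.users` (the old `++ flatten (... opts.users)` branch is left commented out); if a database lists a user that is not also in `cfg.users`, the GRANT targets a role that was never created and the psql script will fail, and the table-level grant also only covers tables that exist when the finalizer runs, not ones created later. The user and database names are interpolated into the SQL unquoted, so a name that is not a plain lower-case identifier is case-folded or breaks the statement; double-quoting them, e.g. `GRANT ALL PRIVILEGES ON DATABASE "${db}" TO "${user}";`, would make the grants robust to such names. The leftover commented-out `# ensureUsers = ...` block should be dropped rather than kept alongside the new definition.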