{ config, lib, pkgs, ... }:
with lib;
let
catLines = builtins.concatStringsSep "\n";
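# Submodule describing one PostgreSQL user managed by this module.
# (The submodule's own `config` argument is accepted but not used.)
userOpts = { config, ... }: {
  options = {
    passwd = mkOption {
      type = types.str;
      description = ''
        The password of a given user.

        Anything derived from this value with pkgs.writeText (such as the
        initialScript sketched in this module) is placed in the world-readable
        Nix store; the consumer of this option decides where the clear-text
        value ends up.
      '';
    };

    # The declared type is an attribute set (not a list, as the original
    # description said): database name => per-database text.
    databases = mkOption {
      type = types.attrsOf types.lines;
      default = {};
      description = ''
        Databases to which this user should have access, keyed by database
        name.
      '';
    };
  };
};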
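# SQL granting `username` access to `database`.
#
# `TO USER name` is not PostgreSQL syntax (USER is a reserved word there);
# the grantee is just the role name.  Both identifiers are interpolated
# unquoted, so PostgreSQL case-folds them; they must be written the same way
# as in the CREATE ROLE / CREATE DATABASE statements that precede them.
# The second GRANT applies to the schema named `database` of whichever
# database the script is connected to when it runs, and only to tables that
# exist at that moment (later tables need ALTER DEFAULT PRIVILEGES); a schema
# with that name must already exist — createDatabaseSql does not create one.
grantDatabaseAccess = username: database: ''
  GRANT CONNECT ON DATABASE ${database} TO ${username};
  GRANT SELECT,INSERT,UPDATE,DELETE ON ALL TABLES IN SCHEMA ${database} TO ${username};
'';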
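# SQL creating a login role for `username` and granting it access to every
# database listed in `userOpts.databases`.
#
# Fixes relative to the original:
#  - `userOpts.databases` is an attribute set (types.attrsOf) and `map` only
#    accepts lists, so the database names are taken with builtins.attrNames;
#  - the password has to be a quoted SQL string literal, with any embedded
#    single quote doubled so it cannot terminate the literal early;
#  - CREATE ROLE defaults to NOLOGIN, so LOGIN is requested explicitly.
# The clear-text password is still part of the returned text; whatever
# consumes this string decides where it is stored, so treat it as a secret.
createUserSql = username: userOpts:
  let
    # SQL string-literal escaping: ' -> ''
    quotedPasswd = builtins.replaceStrings [ "'" ] [ "''" ] userOpts.passwd;
    grants = map (grantDatabaseAccess username) (builtins.attrNames userOpts.databases);
  in ''
    CREATE ROLE ${username} LOGIN ENCRYPTED PASSWORD '${quotedPasswd}';
    ${catLines grants}
  '';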
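# SQL creating `database` and then running its definition text `dbOpts`
# (the "database_defn" value of the fudo.postgresql.databases option) inside it.
#
# `USE name;` is not a PostgreSQL statement (it is a MySQL one) and would abort
# the script.  `\connect` is the psql meta-command for switching databases; it
# works when the script is fed to psql, which is how services.postgresql's
# initialScript is applied.  Statements after this point in the generated
# script therefore run connected to `database`, not to the initial database.
createDatabaseSql = database: dbOpts: ''
  CREATE DATABASE ${database};
  \connect ${database}
  ${dbOpts}
'';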
dataPath = /srv + ("/" + config.networking.hostName);
in {

  # Option declarations for fudo.postgresql.  The `config` half of the module
  # is still commented out below, so enabling this currently has no effect.
  options = {
    fudo.postgresql = {

      enable = mkOption {
        type = types.bool;
        default = false;
        description = ''
          Whether to enable the PostgreSQL server for Fudo services.
        '';
      };

      # database name => definition text (see createDatabaseSql).
      databases = mkOption {
        type = types.attrsOf types.lines;
        default = {};
        description = ''
          A map of database_name => database_defn.
        '';
      };

      # user name => submodule with `passwd` and `databases` (see userOpts).
      users = mkOption {
        type = with types; attrsOf (submodule userOpts);
        default = {};
        description = ''
          A map of user_name => { user_attributes }.
        '';
      };
    };
  };

  # Review notes on the disabled config block below, for whoever re-enables it:
  #  - `config = mkIf ...` needs the attribute set it guards wrapped in `{ ... }`;
  #    as written, `environment` and `services.postgresql` have no enclosing set.
  #  - `fudo.postgresql.users` / `fudo.postgresql.databases` are unbound names;
  #    the values are `config.fudo.postgresql.users` / `.databases`.
  #  - both options are attribute sets (types.attrsOf), so `map` over them
  #    fails; lib.mapAttrsToList passes the name and the value that
  #    createUserSql / createDatabaseSql expect.
  #  - pkgs.writeText puts the generated initialScript, including every user's
  #    clear-text `passwd`, into the world-readable Nix store.  Generate that
  #    file at service start instead, or set passwords after initialisation
  #    from a root-only file.
  #  - the `host ... gss` lines pair include_realm=0 with krb_realm=FUDO.ORG;
  #    keep those two together, since stripping the realm without pinning it
  #    would let principals from any realm map onto local role names.
  # config = mkIf config.fudo.postgresql.enable

  # environment = {

  # systemPackages = with pkgs; [
  # postgresql_11_gssapi
  # ];

  # etc = {
  # "postgresql/private/privkey.pem" = {
  # mode = "0400";
  # user = "postgres";
  # group = "postgres";
  # source = dataPath + "/certs/private/privkey.pem";
  # };

  # "postgresql/cert.pem" = {
  # mode = "0444";
  # user = "postgres";
  # group = "postgres";
  # source = dataPath + "/certs/cert.pem";
  # };

  # "postgresql/private/postgres.keytab" = {
  # mode = "0400";
  # user = "postgres";
  # group = "postgres";
  # source = dataPath + "/keytabs/postgres.keytab";
  # };
  # };
  # };

  # services.postgresql = {
  # enable = true;
  # package = pkgs.postgresql_11_gssapi;
  # enableTCPIP = true;

  # extraConfig = ''
  # krb_server_keyfile = '/etc/postgresql/private/postgres.keytab'

  # ssl = true
  # ssl_cert_file = '/etc/postgresql/cert.pem'
  # ssl_key_file = '/etc/postgresql/private/privkey.pem'
  # '';

  # authentication = ''
  # local all all ident

  # # host-local
  # host all all 127.0.0.1/32 gss include_realm=0 krb_realm=FUDO.ORG
  # host all all ::1/128 gss include_realm=0 krb_realm=FUDO.ORG

  # # local network
  # host all all 10.0.0.1/24 gss include_realm=0 krb_realm=FUDO.ORG
  # host all all 2601:600:997f:fc00::/60 gss include_realm=0 krb_realm=FUDO.ORG
  # '';

  # initialScript = pkgs.writeText "backend-initscript" ''
  # ${catLines (map createUserSql fudo.postgresql.users)}
  # ${catLines (map createDatabaseSql fudo.postgresql.databases)}
  # '';
  # };
}