diff options
-rw-r--r-- | modules/apps/postgresql/default.nix | 39 |
1 files changed, 36 insertions, 3 deletions
diff --git a/modules/apps/postgresql/default.nix b/modules/apps/postgresql/default.nix index 9d05b2d..e7eecaa 100644 --- a/modules/apps/postgresql/default.nix +++ b/modules/apps/postgresql/default.nix @@ -10,7 +10,7 @@ let mkDefault mkIf mkOption nameValuePair types ; inherit (types) - attrsOf lines listOf nullOr package path str submodule ; + attrsOf bool lines listOf nullOr package path str submodule ; concatNonEmpty = sep: list: concatStringsSep sep (filter (s: s != "") list); explicit = filterAttrs (n: v: n != "_module" && v != null); @@ -20,9 +20,29 @@ let isFloat = x: match "^[0-9]+(\\.[0-9]+)?$" (toString x) != null; + mkKeys = name: opts: pkgs.runCommand "psql-${name}-keys.nix" {} '' + exec >$out + + printf '[' + + ${pkgs.gnugrep}/bin/grep -oE '${config.nixsap.deployment.keyStore}/[^/]+\b' \ + ${opts._configureFile} > keys || [ $? -eq 1 ] + + while read -r key; do + printf ' "%s"' "$key" + done < keys + + printf ' ]' + + printf '%s: ' $out >&2 + cat $out >&2 + ''; + keyrings = let - ik = mapAttrsToList (_: i: { "${i.user}" = [ i.server.ssl_key_file ]; } ) instances; + # This requires read-write mode of evaluation: + keys = n: i: if i.extractKeys then import (mkKeys n i) else []; + ik = mapAttrsToList (n: i: { "${i.user}" = [ i.server.ssl_key_file ] ++ keys n i; } ) instances; in foldAttrs (l: r: l ++ r) [] ik; mkService = name: opts: @@ -84,7 +104,7 @@ let done ${psql} -f ${./functions.pgsql} ${psql} -f ${create} - ${psql} -f ${pkgs.writeText "pgsql-${name}.sql" opts.configure} + ${psql} -f ${opts._configureFile} ''; needConf = (opts.configure != "") || (opts.roles != []) || (opts.databases != []); @@ -160,6 +180,19 @@ let ALTER DATABASE sproxy OWNER TO sproxy; ''; }; + _configureFile = mkOption { + readOnly = true; + internal = true; + default = pkgs.writeText "pgsql-${name}.sql" config.configure; + }; + extractKeys = mkOption { + description = '' + Automatically extract secret keys from the configuration script. + Experimental. + ''; + default = true; + type = bool; + }; package = mkOption { description = "PostgreSQL package"; type = package; |