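# NixOS module for pgmanage, a web front end for administering PostgreSQL.
#
# It renders pgmanage.conf and the connections file, declares the
# services.pgmanage options (plus the deprecated services.postage alias),
# and, when enabled, defines a systemd unit and a dedicated user and group.
{ lib, pkgs, config, ... } :

with lib;

let
  cfg = config.services.pgmanage;

  # Both generated files are produced by pkgs.writeTextFile, so they live in
  # the Nix store, which every local user can read. Nothing secret belongs in
  # them; only the *paths* of the TLS certificate and key are written here.
  confFile = pkgs.writeTextFile {
    name = "pgmanage.conf";
    text = ''
      connection_file = ${pgmanageConnectionsFile}

      allow_custom_connections = ${builtins.toJSON cfg.allowCustomConnections}

      pgmanage_port = ${toString cfg.port}

      super_only = ${builtins.toJSON cfg.superOnly}

      ${optionalString (!isNull cfg.loginGroup) "login_group = ${cfg.loginGroup}"}

      login_timeout = ${toString cfg.loginTimeout}

      web_root = ${cfg.package}/etc/pgmanage/web_root

      data_root = ${cfg.dataRoot}

      ${optionalString (!isNull cfg.tls) ''
      tls_cert = ${cfg.tls.cert}
      tls_key = ${cfg.tls.key}
      ''}

      log_level = ${cfg.logLevel}
    '';
  };

  # One "name: connection-string" line per entry of cfg.connections.
  # The strings end up in the store as well, so they must stay free of
  # user names and passwords (see the option description below).
  pgmanageConnectionsFile = pkgs.writeTextFile {
    name = "pgmanage-connections.conf";
    text = concatStringsSep "\n"
      (mapAttrsToList (name : conn : "${name}: ${conn}") cfg.connections);
  };

  # Name shared by the service account, its group and the systemd User/Group.
  pgmanage = "pgmanage";

  pgmanageOptions = {
    enable = mkEnableOption "PostgreSQL Administration for the web";

    package = mkOption {
      type = types.package;
      default = pkgs.pgmanage;
      defaultText = "pkgs.pgmanage";
      description = ''
        The pgmanage package to use.
      '';
    };

    connections = mkOption {
      type = types.attrsOf types.str;
      default = {};
      example = {
        "nuc-server" = "hostaddr=192.168.0.100 port=5432 dbname=postgres";
        "mini-server" = "hostaddr=127.0.0.1 port=5432 dbname=postgres sslmode=require";
      };
      description = ''
        pgmanage requires at least one PostgreSQL server be defined.
        </para><para>
        Detailed information about PostgreSQL connection strings is available at:
        <link xlink:href="http://www.postgresql.org/docs/current/static/libpq-connect.html"/>
        </para><para>
        Note that you should not specify your user name or password. That
        information will be entered on the login screen. If you specify a
        username or password, it will be removed by pgmanage before attempting to
        connect to a database.
      '';
    };

    # Off by default: when enabled, whoever reaches the login screen chooses
    # the connection target instead of picking from cfg.connections.
    allowCustomConnections = mkOption {
      type = types.bool;
      default = false;
      description = ''
        This tells pgmanage whether or not to allow anyone to use a custom
        connection from the login screen.
      '';
    };

    port = mkOption {
      type = types.int;
      default = 8080;
      description = ''
        This tells pgmanage what port to listen on for browser requests.
      '';
    };

    # Defaults to true, which adds --local-only=true to the command line.
    # Turning it off exposes a database administration UI on the network;
    # pair that with the tls option or a TLS-terminating reverse proxy.
    localOnly = mkOption {
      type = types.bool;
      default = true;
      description = ''
        This tells pgmanage whether or not to set the listening socket to local
        addresses only.
      '';
    };

    superOnly = mkOption {
      type = types.bool;
      default = true;
      description = ''
        This tells pgmanage whether or not to only allow super users to
        login. The recommended value is true and will restrict users who are not
        super users from logging in to any PostgreSQL instance through
        pgmanage. Note that a connection will be made to PostgreSQL in order to
        test if the user is a superuser.
      '';
    };

    loginGroup = mkOption {
      type = types.nullOr types.str;
      default = null;
      description = ''
        This tells pgmanage to only allow users in a certain PostgreSQL group to
        login to pgmanage. Note that a connection will be made to PostgreSQL in
        order to test if the user is a member of the login group.
      '';
    };

    loginTimeout = mkOption {
      type = types.int;
      default = 3600;
      description = ''
        Number of seconds of inactivity before user is automatically logged
        out.
      '';
    };

    dataRoot = mkOption {
      type = types.str;
      default = "/var/lib/pgmanage";
      description = ''
        This tells pgmanage where to put the SQL file history. All tabs are saved
        to this location so that if you get disconnected from pgmanage you
        don't lose your work.
      '';
    };

    # cert and key are strings holding file paths. Point key at a file
    # outside the Nix store that the pgmanage user can read: interpolating a
    # path literal (e.g. "${./key.pem}") would copy the private key into the
    # world-readable store.
    tls = mkOption {
      type = types.nullOr (types.submodule {
        options = {
          cert = mkOption {
            type = types.str;
            description = "TLS certificate";
          };
          key = mkOption {
            type = types.str;
            description = "TLS key";
          };
        };
      });
      default = null;
      description = ''
        These options tell pgmanage where the TLS Certificate and Key files
        reside. If you use these options then you'll only be able to access
        pgmanage through a secure TLS connection. These options are only
        necessary if you wish to connect directly to pgmanage using a secure TLS
        connection. As an alternative, you can set up pgmanage in a reverse proxy
        configuration. This allows your web server to terminate the secure
        connection and pass on the request to pgmanage. You can find help to set
        up this configuration in:
        <link xlink:href="https://github.com/pgManage/pgManage/blob/master/INSTALL_NGINX.md"/>
      '';
    };

    logLevel = mkOption {
      type = types.enum ["error" "warn" "notice" "info"];
      default = "error";
      description = ''
        Verbosity of logs
      '';
    };
  };


in {

  options.services.pgmanage = pgmanageOptions;

  # This is deprecated and should be removed for NixOS-18.03.
  options.services.postage = pgmanageOptions;

  config = mkMerge [
    # Always evaluated: refuse configurations that still enable the old name.
    { assertions = [
        { assertion = !config.services.postage.enable;
          message =
            "services.postage is deprecated in favour of pgmanage. " +
            "They have the same options so just substitute postage for pgmanage.";
        }
      ];
    }
    (mkIf cfg.enable {
      systemd.services.pgmanage = {
        description = "pgmanage - PostgreSQL Administration for the web";
        wants    = [ "postgresql.service" ];
        after    = [ "postgresql.service" ];
        wantedBy = [ "multi-user.target" ];
        serviceConfig = {
          # Runs under the dedicated account defined below, not as root.
          User         = pgmanage;
          Group        = pgmanage;
          # Start the binary from the package chosen by the `package` option,
          # the same one web_root is taken from. Hard-coding pkgs.pgmanage
          # here would ignore an override and could pair one build's daemon
          # with another build's web root.
          ExecStart    = "${cfg.package}/sbin/pgmanage -c ${confFile}" +
                         optionalString cfg.localOnly " --local-only=true";
        };
      };
      users = {
        # The account's home is the data root, created on activation, so the
        # saved SQL tab history belongs to the service user.
        users."${pgmanage}" = {
          name  = pgmanage;
          group = pgmanage;
          home  = cfg.dataRoot;
          createHome = true;
        };
        groups."${pgmanage}" = {
          name = pgmanage;
        };
      };
    })
  ];
}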