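{ lib, pkgs, config, ... }:

# NixOS module for pgmanage ("PostgreSQL Administration for the web").
#
# Security notes for readers of this module:
#  * Both generated configuration files below are written with
#    pkgs.writeTextFile and therefore live in the world-readable Nix store.
#    Only file *paths* (TLS cert/key) and credential-free connection strings
#    belong in them.
#  * The daemon runs as a dedicated unprivileged system user/group and, by
#    default, only listens on local addresses (`localOnly = true`) and only
#    admits PostgreSQL superusers (`superOnly = true`).

with lib;

let
  cfg = config.services.pgmanage;

  # Main pgmanage configuration file.  Lands in the Nix store: never
  # interpolate secrets into it, only paths to them.
  confFile = pkgs.writeTextFile {
    name = "pgmanage.conf";
    text = ''
      connection_file = ${pgmanageConnectionsFile}

      allow_custom_connections = ${builtins.toJSON cfg.allowCustomConnections}

      pgmanage_port = ${toString cfg.port}

      super_only = ${builtins.toJSON cfg.superOnly}

      ${optionalString (cfg.loginGroup != null) "login_group = ${cfg.loginGroup}"}

      login_timeout = ${toString cfg.loginTimeout}

      web_root = ${cfg.package}/etc/pgmanage/web_root

      sql_root = ${cfg.sqlRoot}

      ${optionalString (cfg.tls != null) ''
        tls_cert = ${cfg.tls.cert}
        tls_key = ${cfg.tls.key}
      ''}

      log_level = ${cfg.logLevel}
    '';
  };

  # One "<name>: <libpq connection string>" line per entry of cfg.connections.
  # Also world-readable via the Nix store, hence the "no user/password" rule
  # in the option description.
  pgmanageConnectionsFile = pkgs.writeTextFile {
    name = "pgmanage-connections.conf";
    text = concatStringsSep "\n"
      (mapAttrsToList (name: conn: "${name}: ${conn}") cfg.connections);
  };

  # Shared name of the systemd service, its dedicated user and its group.
  pgmanage = "pgmanage";

in {

  options.services.pgmanage = {
    enable = mkEnableOption "PostgreSQL Administration for the web";

    package = mkOption {
      type = types.package;
      default = pkgs.pgmanage;
      defaultText = "pkgs.pgmanage";
      description = ''
        The pgmanage package to use. Both the daemon binary and the served
        web root are taken from this package.
      '';
    };

    connections = mkOption {
      type = types.attrsOf types.str;
      default = {};
      example = {
        "nuc-server" = "hostaddr=192.168.0.100 port=5432 dbname=postgres";
        "mini-server" = "hostaddr=127.0.0.1 port=5432 dbname=postgres sslmode=require";
      };
      description = ''
        pgmanage requires at least one PostgreSQL server be defined.
        </para><para>
        Detailed information about PostgreSQL connection strings is available at:
        <link xlink:href="http://www.postgresql.org/docs/current/static/libpq-connect.html"/>
        </para><para>
        Note that you should not specify your user name or password. That
        information will be entered on the login screen. If you specify a
        username or password, it will be removed by pgmanage before attempting to
        connect to a database.
        </para><para>
        The generated connections file is stored in the world-readable Nix
        store, so never put credentials or other secrets in these strings.
        For servers reached over the network, consider
        <literal>sslmode=require</literal> (or stricter) as in the example.
      '';
    };

    allowCustomConnections = mkOption {
      type = types.bool;
      default = false;
      description = ''
        This tells pgmanage whether or not to allow anyone to use a custom
        connection from the login screen.
        </para><para>
        Leave this disabled unless you need it: with custom connections
        enabled, anyone who can reach the login screen can direct pgmanage
        to connect to hosts of their choosing rather than only the servers
        listed in <option>connections</option>.
      '';
    };

    port = mkOption {
      type = types.int;
      default = 8080;
      description = ''
        This tells pgmanage what port to listen on for browser requests.
      '';
    };

    localOnly = mkOption {
      type = types.bool;
      default = true;
      description = ''
        This tells pgmanage whether or not to set the listening socket to local
        addresses only.
        </para><para>
        If you set this to false without also configuring
        <option>tls</option>, the login form (including the PostgreSQL
        credentials entered there) is served over plain HTTP. Either enable
        TLS here or expose pgmanage only behind a TLS-terminating reverse
        proxy.
      '';
    };

    superOnly = mkOption {
      type = types.bool;
      default = true;
      description = ''
        This tells pgmanage whether or not to only allow super users to
        login. The recommended value is true and will restrict users who are not
        super users from logging in to any PostgreSQL instance through
        pgmanage. Note that a connection will be made to PostgreSQL in order to
        test if the user is a superuser.
      '';
    };

    loginGroup = mkOption {
      type = types.nullOr types.str;
      default = null;
      description = ''
        This tells pgmanage to only allow users in a certain PostgreSQL group to
        login to pgmanage. Note that a connection will be made to PostgreSQL in
        order to test if the user is a member of the login group.
      '';
    };

    loginTimeout = mkOption {
      type = types.int;
      default = 3600;
      description = ''
        Number of seconds of inactivity before user is automatically logged
        out.
      '';
    };

    sqlRoot = mkOption {
      type = types.str;
      default = "/var/lib/pgmanage";
      description = ''
        This tells pgmanage where to put the SQL file history. All tabs are saved
        to this location so that if you get disconnected from pgmanage you
        don't lose your work. This directory is also used as the home
        directory of the <literal>pgmanage</literal> service user and is
        created automatically.
      '';
    };

    tls = mkOption {
      type = types.nullOr (types.submodule {
        options = {
          cert = mkOption {
            type = types.str;
            description = "Path to the TLS certificate file";
          };
          key = mkOption {
            type = types.str;
            description = ''
              Path to the TLS private key file. The file must be readable by
              the <literal>pgmanage</literal> service user. Give a path string
              (not a Nix path literal), otherwise the key would be copied into
              the world-readable Nix store.
            '';
          };
        };
      });
      default = null;
      description = ''
        These options tell pgmanage where the TLS Certificate and Key files
        reside. If you use these options then you'll only be able to access
        pgmanage through a secure TLS connection. These options are only
        necessary if you wish to connect directly to pgmanage using a secure TLS
        connection. As an alternative, you can set up pgmanage in a reverse proxy
        configuration. This allows your web server to terminate the secure
        connection and pass on the request to pgmanage. You can find help to set
        up this configuration in:
        <link xlink:href="https://github.com/pgManage/pgManage/blob/master/INSTALL_NGINX.md"/>
      '';
    };

    logLevel = mkOption {
      type = types.enum ["error" "warn" "notice" "info"];
      default = "error";
      description = ''
        Verbosity of logs
      '';
    };
  };

  config = mkIf cfg.enable {
    systemd.services.pgmanage = {
      description = "pgmanage - PostgreSQL Administration for the web";
      wants = [ "postgresql.service" ];
      after = [ "postgresql.service" ];
      wantedBy = [ "multi-user.target" ];
      serviceConfig = {
        # Run as the dedicated unprivileged account defined below.
        User = pgmanage;
        Group = pgmanage;
        # Start the binary from cfg.package (not pkgs.pgmanage) so that
        # overriding `services.pgmanage.package` takes effect for the daemon
        # as well as for `web_root` in the generated configuration.
        ExecStart = "${cfg.package}/sbin/pgmanage -c ${confFile}"
          + optionalString cfg.localOnly " --local-only=true";
      };
    };
    users = {
      users."${pgmanage}" = {
        name = pgmanage;
        group = pgmanage;
        home = cfg.sqlRoot;
        createHome = true;
        # Daemon account: allocate its uid from the system range rather than
        # the normal-user range.
        isSystemUser = true;
      };
      groups."${pgmanage}" = {
        name = pgmanage;
      };
    };
  };
}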