# NixOS module for pgmanage (PostgreSQL administration for the web).
# Declares `services.pgmanage.*`, renders its configuration files and
# defines the systemd service plus a dedicated system user/group.
{
  lib,
  pkgs,
  config,
  ...
}:
let
  cfg = config.services.pgmanage;

  # Main configuration file handed to pgmanage via `-c`. It is a Nix store
  # path, i.e. world-readable, so only option values (paths, ports, flags)
  # belong here - never secrets. Option values are interpolated verbatim
  # into the text, no quoting or escaping is applied.
  confFile = pkgs.writeTextFile {
    name = "pgmanage.conf";
    text = ''
      connection_file = ${pgmanageConnectionsFile}

      allow_custom_connections = ${builtins.toJSON cfg.allowCustomConnections}

      pgmanage_port = ${toString cfg.port}

      super_only = ${builtins.toJSON cfg.superOnly}

      ${lib.optionalString (cfg.loginGroup != null) "login_group = ${cfg.loginGroup}"}

      login_timeout = ${toString cfg.loginTimeout}

      web_root = ${cfg.package}/etc/pgmanage/web_root

      sql_root = ${cfg.sqlRoot}

      ${lib.optionalString (cfg.tls != null) ''
        tls_cert = ${cfg.tls.cert}
        tls_key = ${cfg.tls.key}
      ''}

      log_level = ${cfg.logLevel}
    '';
  };

  # Connection list: one "<name>: <connection string>" line per entry of
  # `services.pgmanage.connections`. Also lives in the Nix store, so the
  # connection strings must not carry credentials (see the option's
  # description); pgmanage asks for user/password on its login screen.
  pgmanageConnectionsFile = pkgs.writeTextFile {
    name = "pgmanage-connections.conf";
    text = lib.concatStringsSep "\n" (
      lib.mapAttrsToList (name: conn: "${name}: ${conn}") cfg.connections
    );
  };

  # Name shared by the service's system user and group.
  pgmanage = "pgmanage";

in
{

  options.services.pgmanage = {
    enable = lib.mkEnableOption "PostgreSQL Administration for the web";

    package = lib.mkPackageOption pkgs "pgmanage" { };

    # Nothing in this module enforces the "at least one server" requirement
    # stated in the description; an empty set is accepted at evaluation time.
    connections = lib.mkOption {
      type = lib.types.attrsOf lib.types.str;
      default = { };
      example = {
        nuc-server = "hostaddr=192.168.0.100 port=5432 dbname=postgres";
        mini-server = "hostaddr=127.0.0.1 port=5432 dbname=postgres sslmode=require";
      };
      description = ''
        pgmanage requires at least one PostgreSQL server be defined.

        Detailed information about PostgreSQL connection strings is available at:
        <https://www.postgresql.org/docs/current/libpq-connect.html>

        Note that you should not specify your user name or password. That
        information will be entered on the login screen. If you specify a
        username or password, it will be removed by pgmanage before attempting to
        connect to a database.
      '';
    };

    # Off by default: with it enabled, anyone reaching the login screen can
    # point pgmanage at an arbitrary PostgreSQL host.
    allowCustomConnections = lib.mkOption {
      type = lib.types.bool;
      default = false;
      description = ''
        This tells pgmanage whether or not to allow anyone to use a custom
        connection from the login screen.
      '';
    };

    port = lib.mkOption {
      type = lib.types.port;
      default = 8080;
      description = ''
        This tells pgmanage what port to listen on for browser requests.
      '';
    };

    # Default true. Not written to the config file; it is passed to the
    # binary as `--local-only=true` on the ExecStart line below.
    localOnly = lib.mkOption {
      type = lib.types.bool;
      default = true;
      description = ''
        This tells pgmanage whether or not to set the listening socket to local
        addresses only.
      '';
    };

    # Default true (the recommended value per the description).
    superOnly = lib.mkOption {
      type = lib.types.bool;
      default = true;
      description = ''
        This tells pgmanage whether or not to only allow super users to
        login. The recommended value is true and will restrict users who are not
        super users from logging in to any PostgreSQL instance through
        pgmanage. Note that a connection will be made to PostgreSQL in order to
        test if the user is a superuser.
      '';
    };

    # Only emitted into the config file when set (see `login_group` above).
    loginGroup = lib.mkOption {
      type = lib.types.nullOr lib.types.str;
      default = null;
      description = ''
        This tells pgmanage to only allow users in a certain PostgreSQL group to
        login to pgmanage. Note that a connection will be made to PostgreSQL in
        order to test if the user is a member of the login group.
      '';
    };

    # Plain `int`: no lower bound is enforced at evaluation time.
    loginTimeout = lib.mkOption {
      type = lib.types.int;
      default = 3600;
      description = ''
        Number of seconds of inactivity before user is automatically logged
        out.
      '';
    };

    # Also used as the home directory of the service user (created with
    # `createHome = true` below), so saved SQL tabs end up under this path.
    sqlRoot = lib.mkOption {
      type = lib.types.str;
      default = "/var/lib/pgmanage";
      description = ''
        This tells pgmanage where to put the SQL file history. All tabs are saved
        to this location so that if you get disconnected from pgmanage you
        don't lose your work.
      '';
    };

    # `cert` and `key` are `str`, not `path`: the values are interpolated as
    # text into the config file, so the private key itself is NOT copied
    # into the world-readable Nix store. Keep it outside the store and make
    # the file readable by the "pgmanage" user the service runs as.
    tls = lib.mkOption {
      type = lib.types.nullOr (
        lib.types.submodule {
          options = {
            cert = lib.mkOption {
              type = lib.types.str;
              description = "TLS certificate";
            };
            key = lib.mkOption {
              type = lib.types.str;
              description = "TLS key";
            };
          };
        }
      );
      default = null;
      description = ''
        These options tell pgmanage where the TLS Certificate and Key files
        reside. If you use these options then you'll only be able to access
        pgmanage through a secure TLS connection. These options are only
        necessary if you wish to connect directly to pgmanage using a secure TLS
        connection. As an alternative, you can set up pgmanage in a reverse proxy
        configuration. This allows your web server to terminate the secure
        connection and pass on the request to pgmanage. You can find help to set
        up this configuration in:
        <https://github.com/pgManage/pgManage/blob/master/INSTALL_NGINX.md>
      '';
    };

    logLevel = lib.mkOption {
      type = lib.types.enum [
        "error"
        "warn"
        "notice"
        "info"
      ];
      default = "error";
      description = ''
        Verbosity of logs
      '';
    };
  };

  config = lib.mkIf cfg.enable {
    # Runs unprivileged as the dedicated "pgmanage" user/group.
    # NOTE(review): the unit carries only User/Group/ExecStart - no systemd
    # sandboxing directives. If hardening is added later, cfg.sqlRoot must
    # stay writable and the TLS cert/key paths readable by the service.
    systemd.services.pgmanage = {
      description = "pgmanage - PostgreSQL Administration for the web";
      wants = [ "postgresql.service" ];
      after = [ "postgresql.service" ];
      wantedBy = [ "multi-user.target" ];
      serviceConfig = {
        User = pgmanage;
        Group = pgmanage;
        ExecStart =
          "${cfg.package}/sbin/pgmanage -c ${confFile}"
          + lib.optionalString cfg.localOnly " --local-only=true";
      };
    };
    # Dedicated system user whose home is cfg.sqlRoot.
    users = {
      users.${pgmanage} = {
        name = pgmanage;
        group = pgmanage;
        home = cfg.sqlRoot;
        createHome = true;
        isSystemUser = true;
      };
      groups.${pgmanage} = {
        name = pgmanage;
      };
    };
  };
}