commit 3d29b7d3a2082c0b4d7b1ef0c5b4ae436eb0e48c · pyrox.dev/nixpkgs

nixos/doc/manual/redirects.json

···

       1286
        
         "module-services-postgres-initializing-extra-permissions-service-user-oneshot": [

     

       1287
        
           "index.html#module-services-postgres-initializing-extra-permissions-service-user-oneshot"

     

       1288
        
         ],

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       1289
        
         "module-services-postgres-upgrading": [

     

       1290
        
           "index.html#module-services-postgres-upgrading"

     

       1291
        
         ],

···

       1286
        
         "module-services-postgres-initializing-extra-permissions-service-user-oneshot": [

     

       1287
        
           "index.html#module-services-postgres-initializing-extra-permissions-service-user-oneshot"

     

       1288
        
         ],

     

       1289
       +
         "module-services-postgres-authentication": [

     

       1290
       +
           "index.html#module-services-postgres-authentication"

     

       1291
       +
         ],

     

       1292
       +
         "module-services-postgres-authentication-user-mapping": [

     

       1293
       +
           "index.html#module-services-postgres-authentication-user-mapping"

     

       1294
       +
         ],

     

       1295
        
         "module-services-postgres-upgrading": [

     

       1296
        
           "index.html#module-services-postgres-upgrading"

     

       1297
        
         ],

+32

nixos/modules/services/databases/postgresql.md

···

       170
        
         }

     

       171
        
       ```

     

       172
        
       

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       173
        
       ## Upgrading {#module-services-postgres-upgrading}

     

       174
        
       

     

       175
        
       ::: {.note}

···

       170
        
         }

     

       171
        
       ```

     

       172
        
       

     

       173
       +
       ## Authentication {#module-services-postgres-authentication}

     

       174
       +
       

     

       175
       +
       Local connections are made through unix sockets by default and support [peer authentication](https://www.postgresql.org/docs/current/auth-peer.html).

     

       176
       +
       This allows system users to login with database roles of the same name.

     

       177
       +
       For example, the `postgres` system user is allowed to login with the database role `postgres`.

     

       178
       +
       

     

       179
       +
       System users and database roles might not always match.

     

       180
       +
       In this case, to allow access for a service, you can create a [user name map](https://www.postgresql.org/docs/current/auth-username-maps.html) between system roles and an existing database role.

     

       181
       +
       

     

       182
       +
       ### User Mapping {#module-services-postgres-authentication-user-mapping}

     

       183
       +
       

     

       184
       +
       Assume that your app creates a role `admin` and you want the `root` user to be able to login with it.

     

       185
       +
       You can then use [](#opt-services.postgresql.identMap) to define the map and [](#opt-services.postgresql.authentication) to enable it:

     

       186
       +
       

     

       187
       +
       ```nix

     

       188
       +
       services.postgresql = {

     

       189
       +
         identMap = ''

     

       190
       +
           admin root admin

     

       191
       +
         '';

     

       192
       +
         authentication = ''

     

       193
       +
           local all admin peer map=admin

     

       194
       +
         '';

     

       195
       +
       }

     

       196
       +
       ```

     

       197
       +
       

     

       198
       +
       ::: {.warning}

     

       199
       +
       To avoid conflicts with other modules, you should never apply a map to `all` roles.

     

       200
       +
       Because PostgreSQL will stop on the first matching line in `pg_hba.conf`, a line matching all roles would lock out other services.

     

       201
       +
       Each module should only manage user maps for the database roles that belong to this module.

     

       202
       +
       Best practice is to name the map after the database role it manages to avoid name conflicts.

     

       203
       +
       :::

     

       204
       +
       

     

       205
        
       ## Upgrading {#module-services-postgres-upgrading}

     

       206
        
       

     

       207
        
       ::: {.note}

+16

nixos/modules/services/databases/postgresql.nix

···

       274
        
                 Defines the mapping from system users to database users.

     

       275
        
       

     

       276
        
                 See the [auth doc](https://postgresql.org/docs/current/auth-username-maps.html).

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       277
        
               '';

     

       278
        
             };

     

       279
        
       

     
···

       674
        
             (mkBefore "# Generated file; do not edit!")

     

       675
        
             (mkAfter ''

     

       676
        
               # default value of services.postgresql.authentication

     

       0
        
       
     

       677
        
               local all all              peer

     

       678
        
               host  all all 127.0.0.1/32 md5

     

       679
        
               host  all all ::1/128      md5

     

       680
        
             '')

     

       681
        
           ];

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       682
        
       

     

       683
        
           services.postgresql.systemCallFilter = mkMerge [

     

       684
        
             (mapAttrs (const mkDefault) {

···

       274
        
                 Defines the mapping from system users to database users.

     

       275
        
       

     

       276
        
                 See the [auth doc](https://postgresql.org/docs/current/auth-username-maps.html).

     

       277
       +
       

     

       278
       +
                 There is a default map "postgres" which is used for local peer authentication

     

       279
       +
                 as the postgres superuser role.

     

       280
       +
                 For example, to allow the root user to login as the postgres superuser, add:

     

       281
       +
       

     

       282
       +
                 ```

     

       283
       +
                 postgres root postgres

     

       284
       +
                 ```

     

       285
        
               '';

     

       286
        
             };

     

       287
        
       

     
···

       682
        
             (mkBefore "# Generated file; do not edit!")

     

       683
        
             (mkAfter ''

     

       684
        
               # default value of services.postgresql.authentication

     

       685
       +
               local all postgres         peer map=postgres

     

       686
        
               local all all              peer

     

       687
        
               host  all all 127.0.0.1/32 md5

     

       688
        
               host  all all ::1/128      md5

     

       689
        
             '')

     

       690
        
           ];

     

       691
       +
       

     

       692
       +
           # The default allows to login with the same database username as the current system user.

     

       693
       +
           # This is the default for peer authentication without a map, but needs to be made explicit

     

       694
       +
           # once a map is used.

     

       695
       +
           services.postgresql.identMap = mkAfter ''

     

       696
       +
             postgres postgres postgres

     

       697
       +
           '';

     

       698
        
       

     

       699
        
           services.postgresql.systemCallFilter = mkMerge [

     

       700
        
             (mapAttrs (const mkDefault) {

+4 -1

nixos/tests/postgresql/postgresql.nix

···

       54
        
                 services.postgresql = {

     

       55
        
                   inherit package;

     

       56
        
                   enable = true;

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       57
        
                   # TODO(@Ma27) split this off into its own VM test and move a few other

     

       58
        
                   # extension tests to use postgresqlTestExtension.

     

       59
        
                   extensions = ps: with ps; [ plv8 ];

     
···

       73
        
               in

     

       74
        
               ''

     

       75
        
                 def check_count(statement, lines):

     

       76
       -
                     return 'test $(sudo -u postgres psql postgres -tAc "{}"|wc -l) -eq {}'.format(

     

       77
        
                         statement, lines

     

       78
        
                     )

     

       79

···

       54
        
                 services.postgresql = {

     

       55
        
                   inherit package;

     

       56
        
                   enable = true;

     

       57
       +
                   identMap = ''

     

       58
       +
                     postgres root postgres

     

       59
       +
                   '';

     

       60
        
                   # TODO(@Ma27) split this off into its own VM test and move a few other

     

       61
        
                   # extension tests to use postgresqlTestExtension.

     

       62
        
                   extensions = ps: with ps; [ plv8 ];

     
···

       76
        
               in

     

       77
        
               ''

     

       78
        
                 def check_count(statement, lines):

     

       79
       +
                     return 'test $(psql -U postgres postgres -tAc "{}"|wc -l) -eq {}'.format(

     

       80
        
                         statement, lines

     

       81
        
                     )

     

       82