From f62c9b5e4d6ffe315fd8496d35e3f51873317cf7 Mon Sep 17 00:00:00 2001
From: shivaraj-bh
Date: Mon, 3 Jul 2023 00:31:45 +0530
Subject: [PATCH 1/4] configure pg_hba
---
 flake.lock | 7 ++++---
 flake.nix | 2 +-
 process-compose.nix | 13 +++++++++----
 3 files changed, 14 insertions(+), 8 deletions(-)
diff --git a/flake.lock b/flake.lock
index 54d8883..5f9c09b 100644
--- a/flake.lock
+++ b/flake.lock
@@ -93,15 +93,16 @@
 },
 "services-flake": {
 "locked": {
- "lastModified": 1687385027,
- "narHash": "sha256-xah/ZMc4tG38aYF1HFSPGOTgpQBgrP+1uuhymTUZy9U=",
+ "lastModified": 1688323892,
+ "narHash": "sha256-6uxVzUQmPymnUojp9tVMm5/pjf0kHV4QJpaoOUubHa8=",
 "owner": "juspay",
 "repo": "services-flake",
- "rev": "46a4ca9869808650efe88e04dd10e4ec53c30009",
+ "rev": "aa293c78d2a45927ed35877ce3cdaffd1c77ebec",
 "type": "github"
 },
 "original": {
 "owner": "juspay",
+ "ref": "postgres/pgHba",
 "repo": "services-flake",
 "type": "github"
 }
diff --git a/flake.nix b/flake.nix
index 3d3c887..fce1b78 100644
--- a/flake.nix
+++ b/flake.nix
@@ -5,7 +5,7 @@
 haskell-flake.url = "github:srid/haskell-flake";
 process-compose-flake.url = "github:Platonic-Systems/process-compose-flake";
- services-flake.url = "github:juspay/services-flake";
+ services-flake.url = "github:juspay/services-flake/postgres/pgHba";
 };
 
 outputs = inputs@{ nixpkgs, flake-parts, ... }:
 flake-parts.lib.mkFlake { inherit inputs; } ({ self, ... }: {
diff --git a/process-compose.nix b/process-compose.nix
index bd9a280..3eca89c 100644
--- a/process-compose.nix
+++ b/process-compose.nix
@@ -31,10 +31,15 @@ in
 enable = true;
 name = "${srvname}-db";
 listen_addresses = "127.0.0.1";
- # TODO: Configure these (matching docker image behaviour)
- # POSTGRES_HOST_AUTH_METHOD = "scram-sha-256";
- # POSTGRES_INITDB_ARGS = "--auth=scram-sha-256";
- # initdbArgs = ["--auth=scram-sha-256"];
+ pgHbaConf = [
+ # Equivalent to `POSTGRES_INITDB_ARGS = "--auth=scram-sha-256";`, sets the auth for all users
+ # connecting through unix sockets.
+ { type = "local"; database = "all"; user = "all"; address = ""; method = "scram-sha-256"; }
+ # Equivalent to `POSTGRES_HOST_AUTH_METHOD = "scram-sha-256";`, sets the auth for all users
+ # connecting through loopback ipv4/v6
+ { type = "host"; database = "all"; user = "all"; address = "127.0.0.1/32"; method = "scram-sha-256"; }
+ { type = "host"; database = "all"; user = "all"; address = "::1/128"; method = "scram-sha-256"; }
+ ];
 initialScript = ''
 CREATE ROLE ${userName} SUPERUSER;
 ALTER ROLE ${userName} WITH LOGIN;
From 0c3643361cb1f29cc8f3a6740aaf513919e208e8 Mon Sep 17 00:00:00 2001
From: shivaraj-bh
Date: Mon, 3 Jul 2023 13:08:03 +0530
Subject: [PATCH 2/4] use new hbaConf option
---
 flake.lock | 6 +++---
 process-compose.nix | 2 +-
 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/flake.lock b/flake.lock
index 5f9c09b..ff85775 100644
--- a/flake.lock
+++ b/flake.lock
@@ -93,11 +93,11 @@
 },
 "services-flake": {
 "locked": {
- "lastModified": 1688323892,
- "narHash": "sha256-6uxVzUQmPymnUojp9tVMm5/pjf0kHV4QJpaoOUubHa8=",
+ "lastModified": 1688369741,
+ "narHash": "sha256-OoADSkUNpxSbGBh0SGd5okGG4445AZR26dPK3rDvQpE=",
 "owner": "juspay",
 "repo": "services-flake",
- "rev": "aa293c78d2a45927ed35877ce3cdaffd1c77ebec",
+ "rev": "1be0ded9b68f691bbb8ed652259545dc4391f6a1",
 "type": "github"
 },
 "original": {
diff --git a/process-compose.nix b/process-compose.nix
index 3eca89c..eeb3aff 100644
--- a/process-compose.nix
+++ b/process-compose.nix
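Review bot: Every rule in the new pgHbaConf requires scram-sha-256, yet the visible part of initialScript only runs `CREATE ROLE ${userName} SUPERUSER;` and `ALTER ROLE ${userName} WITH LOGIN;` with no password, so unless a password is assigned further down (initialScript continues past the end of the hunk) the role cannot authenticate over either the socket or loopback, and the initdb-created superuser has no password at all. Wherever that password is set, it has to be stored as a SCRAM verifier — `password_encryption = scram-sha-256` must be in effect when the ALTER ROLE runs (the default from PostgreSQL 14, md5 earlier), or the statement must pass a precomputed SCRAM-SHA-256 verifier — because a scram-sha-256 pg_hba rule rejects roles whose stored password is an md5 hash. The two "Equivalent to" comments also overstate the mapping: `initdb --auth=...` sets the method for both the local and the host lines initdb generates, not just unix sockets, so I'd reword the first to `# Matches the docker image's initdb --auth default for unix-socket connections.` and the second to `# Matches POSTGRES_HOST_AUTH_METHOD for loopback TCP connections.`.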
@@ -31,7 +31,7 @@ in
 enable = true;
 name = "${srvname}-db";
 listen_addresses = "127.0.0.1";
- pgHbaConf = [
+ hbaConf = [
 # Equivalent to `POSTGRES_INITDB_ARGS = "--auth=scram-sha-256";`, sets the auth for all users
 # connecting through unix sockets.
 { type = "local"; database = "all"; user = "all"; address = ""; method = "scram-sha-256"; }
From e25808039d9aeb22a8fa25b5491da45c9e57e3b5 Mon Sep 17 00:00:00 2001
From: Shivaraj
Date: Sun, 15 Oct 2023 20:49:59 +0530
Subject: [PATCH 3/4] use main services-flake; update process-compose-flake
---
 flake.lock | 13 ++++++-------
 flake.nix | 2 +-
 2 files changed, 7 insertions(+), 8 deletions(-)
diff --git a/flake.lock b/flake.lock
index ff85775..09fe3d7 100644
--- a/flake.lock
+++ b/flake.lock
@@ -69,11 +69,11 @@
 },
 "process-compose-flake": {
 "locked": {
- "lastModified": 1687298948,
- "narHash": "sha256-7Lu4/odCkkwrzR8Mo+3D+URv4oLap8WWLESzi/75eb0=",
+ "lastModified": 1695992918,
+ "narHash": "sha256-5tHNbk0ldLUjAqKRZog/3asiVvkD51VGK9TvwzUBs38=",
 "owner": "Platonic-Systems",
 "repo": "process-compose-flake",
- "rev": "5bdb90b85642901cf9a5dccfe8c907091c261604",
+ "rev": "1ebecb83f15736f5d4ae3feb01a8391977dd71da",
 "type": "github"
 },
 "original": {
@@ -93,16 +93,15 @@
 },
 "services-flake": {
 "locked": {
- "lastModified": 1688369741,
- "narHash": "sha256-OoADSkUNpxSbGBh0SGd5okGG4445AZR26dPK3rDvQpE=",
+ "lastModified": 1696703188,
+ "narHash": "sha256-nX6n4/BNeTzVaPMhEKeKHociyAJh9vo4F2W5UoY/ffM=",
 "owner": "juspay",
 "repo": "services-flake",
- "rev": "1be0ded9b68f691bbb8ed652259545dc4391f6a1",
+ "rev": "c56d39116cbe835229e26171c8405cd311be067f",
 "type": "github"
 },
 "original": {
 "owner": "juspay",
- "ref": "postgres/pgHba",
 "repo": "services-flake",
 "type": "github"
 }
diff --git a/flake.nix b/flake.nix
index fce1b78..3d3c887 100644
--- a/flake.nix
+++ b/flake.nix
@@ -5,7 +5,7 @@
 haskell-flake.url = "github:srid/haskell-flake";
 process-compose-flake.url = "github:Platonic-Systems/process-compose-flake";
- services-flake.url = "github:juspay/services-flake/postgres/pgHba";
+ services-flake.url = "github:juspay/services-flake";
 };
 
 outputs = inputs@{ nixpkgs, flake-parts, ... }:
 flake-parts.lib.mkFlake { inherit inputs; } ({ self, ... }: {
From 6f9ada7975f86523b9946c7d79bf0e918d259ed8 Mon Sep 17 00:00:00 2001
From: Shivaraj
Date: Sun, 15 Oct 2023 20:50:10 +0530
Subject: [PATCH 4/4] use new services-flake API
---
 process-compose.nix | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/process-compose.nix b/process-compose.nix
index eeb3aff..5e3c7fc 100644
--- a/process-compose.nix
+++ b/process-compose.nix
@@ -3,7 +3,7 @@ let
 srvname = "passetto";
 dbName = "passetto";
 userName = "passetto";
- pgcfg = config.services.postgres;
+ pgcfg = config.services.postgres."${srvname}-db";
 in
 {
 options = {
@@ -27,9 +27,8 @@ in
 cfg = config.services.passetto;
 in
 lib.mkIf cfg.enable {
- services.postgres = {
+ services.postgres."${srvname}-db" = {
 enable = true;
- name = "${srvname}-db";
 listen_addresses = "127.0.0.1";
 hbaConf = [
 # Equivalent to `POSTGRES_INITDB_ARGS = "--auth=scram-sha-256";`, sets the auth for all users
@@ -40,7 +39,7 @@ in
 { type = "host"; database = "all"; user = "all"; address = "127.0.0.1/32"; method = "scram-sha-256"; }
 { type = "host"; database = "all"; user = "all"; address = "::1/128"; method = "scram-sha-256"; }
 ];
- initialScript = ''
+ initialScript.before = ''
 CREATE ROLE ${userName} SUPERUSER;
 ALTER ROLE ${userName} WITH LOGIN;
 '';
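Review bot: The block renamed to `services.postgres."${srvname}-db"` keeps `listen_addresses = "127.0.0.1";` while the hbaConf carried over (its `::1/128` rule is in the following hunk) still advertises "loopback ipv4/v6", so the IPv6 rule can never match and the comment misleads a reader auditing who can reach the database. Either drop the `::1/128` entry or, if IPv6 loopback is intended, bind to it as well with `listen_addresses = "127.0.0.1,::1";` so the rule and the listener agree. The switch to `initialScript.before` in the last hunk presumably reflects upstream splitting the option into before/after phases; a short comment such as `# services-flake runs this phase before its own initialisation` on that line would make the ordering explicit, hedged here because the upstream semantics are not visible in the patch.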