Move permissions setup for pgadmin to one-off service
This commit is contained in:
parent
a2ca482b0b
commit
997584dcd7
1 changed files with 44 additions and 13 deletions
|
|
@ -2,6 +2,7 @@
|
||||||
with lib;
|
with lib;
|
||||||
|
|
||||||
let
|
let
|
||||||
|
databaseName = "nidus-sync";
|
||||||
dbUsername = "pgadmin";
|
dbUsername = "pgadmin";
|
||||||
cfg = config.myModules.pgadmin;
|
cfg = config.myModules.pgadmin;
|
||||||
group = "root";
|
group = "root";
|
||||||
|
|
@ -35,7 +36,7 @@ in {
|
||||||
# Pre-configure the database server
|
# Pre-configure the database server
|
||||||
Servers = {
|
Servers = {
|
||||||
"1" = {
|
"1" = {
|
||||||
Name = "Local nidus-sync";
|
Name = "Local ${databaseName}";
|
||||||
Group = "Servers";
|
Group = "Servers";
|
||||||
Host = "/run/postgresql"; # unix socket directory
|
Host = "/run/postgresql"; # unix socket directory
|
||||||
Port = 5432;
|
Port = 5432;
|
||||||
|
|
@ -52,20 +53,50 @@ in {
|
||||||
ensureClauses.login = true;
|
ensureClauses.login = true;
|
||||||
name = dbUsername;
|
name = dbUsername;
|
||||||
}];
|
}];
|
||||||
initialScript = pkgs.writeText "postgresql-init.sql" ''
|
};
|
||||||
|
systemd.services.pgadmin-setup-permissions = {
|
||||||
|
description = "Setup read-only permissions for pgadmin user";
|
||||||
|
after = [ "postgresql.service" ];
|
||||||
|
requires = [ "postgresql.service" ];
|
||||||
|
wantedBy = [ "multi-user.target" ];
|
||||||
|
|
||||||
|
serviceConfig = {
|
||||||
|
Type = "oneshot";
|
||||||
|
User = "postgres";
|
||||||
|
RemainAfterExit = true;
|
||||||
|
};
|
||||||
|
|
||||||
|
script = ''
|
||||||
|
${config.services.postgresql.package}/bin/psql -d ${databaseName} << 'EOF'
|
||||||
-- Grant connection to database
|
-- Grant connection to database
|
||||||
GRANT CONNECT ON DATABASE "nidus-sync" TO ${dbUsername};
|
GRANT CONNECT ON DATABASE ${databaseName} TO pgadmin;
|
||||||
|
|
||||||
-- Connect to the database and grant schema usage
|
-- Dynamically grant permissions on all non-system schemas
|
||||||
\c nidus-sync
|
DO $$
|
||||||
GRANT USAGE ON SCHEMA public TO ${dbUsername};
|
DECLARE
|
||||||
|
schema_name text;
|
||||||
-- Grant SELECT on all existing tables
|
BEGIN
|
||||||
GRANT SELECT ON ALL TABLES IN SCHEMA public TO ${dbUsername};
|
FOR schema_name IN
|
||||||
|
SELECT nspname
|
||||||
-- GRANT SELECT on all future tables
|
FROM pg_namespace
|
||||||
ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT SELECT ON TABLES TO ${dbUsername};
|
WHERE nspname NOT IN ('pg_catalog', 'information_schema', 'pg_toast')
|
||||||
|
AND nspname NOT LIKE 'pg_temp%'
|
||||||
|
AND nspname NOT LIKE 'pg_toast_temp%'
|
||||||
|
LOOP
|
||||||
|
EXECUTE format('GRANT USAGE ON SCHEMA %I TO pgadmin', schema_name);
|
||||||
|
EXECUTE format('GRANT SELECT ON ALL TABLES IN SCHEMA %I TO pgadmin', schema_name);
|
||||||
|
EXECUTE format('GRANT SELECT ON ALL SEQUENCES IN SCHEMA %I TO pgadmin', schema_name);
|
||||||
|
EXECUTE format('ALTER DEFAULT PRIVILEGES IN SCHEMA %I GRANT SELECT ON TABLES TO pgadmin', schema_name);
|
||||||
|
END LOOP;
|
||||||
|
END $$;
|
||||||
|
EOF
|
||||||
'';
|
'';
|
||||||
|
|
||||||
|
# This ensures the service runs again when you deploy changes
|
||||||
|
restartTriggers = [
|
||||||
|
config.services.postgresql.package
|
||||||
|
"${databaseName}"
|
||||||
|
];
|
||||||
};
|
};
|
||||||
sops.secrets."pgadmin-initial-password-file" = {
|
sops.secrets."pgadmin-initial-password-file" = {
|
||||||
format = "yaml";
|
format = "yaml";
|
||||||
|
|
|
||||||
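Review bot: `GRANT CONNECT ON DATABASE ${databaseName} TO pgadmin;` interpolates the name unquoted, and `nidus-sync` contains a hyphen, so psql rejects the statement as a syntax error where the removed line had it double-quoted; it should read `GRANT CONNECT ON DATABASE "${databaseName}" TO pgadmin;` (the DO block below is unaffected because it goes through `format('%I', ...)`). Because the heredoc is fed to psql without `ON_ERROR_STOP`, that error is only logged, psql exits 0, the oneshot is recorded as successful under RemainAfterExit and the CONNECT grant is silently missing — invoking `${config.services.postgresql.package}/bin/psql -v ON_ERROR_STOP=1 -d ${databaseName} << 'EOF'` makes the unit fail visibly instead. The role is also hard-coded as `pgadmin` in five statements while `dbUsername` is still declared and used for the ensureUsers entry, so `${dbUsername}` should be interpolated there to keep the two in step. Finally, `ALTER DEFAULT PRIVILEGES` issued by the postgres user covers only objects postgres itself creates later; if the application role owns the tables, the statement needs `ALTER DEFAULT PRIVILEGES FOR ROLE <app_role> IN SCHEMA %I ...`, which is worth confirming against who creates the schema objects.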