nixos/postgresql: improve local peer authentication with default map

This allows to easily map allowed database roles to system users.
2025-06-13 05:05:29 +03:00 · 2025-05-05 10:31:21 +02:00 · 2025-05-05 10:31:21 +02:00 · 3d29b7d3a2
commit 3d29b7d3a2
parent f934044282
4 changed files with 58 additions and 1 deletions
--- a/nixos/modules/services/databases/postgresql.nix
+++ b/nixos/modules/services/databases/postgresql.nix
@ -274,6 +274,14 @@ in
          Defines the mapping from system users to database users.

          See the [auth doc](https://postgresql.org/docs/current/auth-username-maps.html).
+
+          There is a default map "postgres" which is used for local peer authentication
+          as the postgres superuser role.
+          For example, to allow the root user to login as the postgres superuser, add:
+
+          ```
+          postgres root postgres
+          ```
        '';
      };

@ -674,12 +682,20 @@ in
      (mkBefore "# Generated file; do not edit!")
      (mkAfter ''
        # default value of services.postgresql.authentication
+        local all postgres         peer map=postgres
        local all all              peer
        host  all all 127.0.0.1/32 md5
        host  all all ::1/128      md5
      '')
    ];

+    # The default allows to login with the same database username as the current system user.
+    # This is the default for peer authentication without a map, but needs to be made explicit
+    # once a map is used.
+    services.postgresql.identMap = mkAfter ''
+      postgres postgres postgres
+    '';
+
    services.postgresql.systemCallFilter = mkMerge [
      (mapAttrs (const mkDefault) {
        "@system-service" = true;