nixos/taler: use the same dynamicUser for services

which makes managing the database much simpler.
2025-06-09 19:13:26 +03:00 · 2025-05-29 11:03:28 +02:00 · 2025-05-29 11:03:28 +02:00 · 85b6430fac
commit 85b6430fac
parent 5db5bd097c
3 changed files with 9 additions and 37 deletions
--- a/nixos/modules/services/finance/taler/common.nix
+++ b/nixos/modules/services/finance/taler/common.nix
@ -51,7 +51,7 @@ in
      (lib.genAttrs (map (n: "taler-${talerComponent}-${n}") services) (name: {
        serviceConfig = {
          DynamicUser = true;
-          User = name;
+          User = dbName;
          Group = groupName;
          ExecStart = toString [
            (lib.getExe' cfg.package name)
@ -85,6 +85,7 @@ in
            Type = "oneshot";
            DynamicUser = true;
            User = dbName;
+            Group = groupName;
            Restart = "on-failure";
            RestartSec = "5s";
          };
@ -116,7 +117,7 @@ in
    services.postgresql = {
      enable = true;
      ensureDatabases = [ dbName ];
-      ensureUsers = map (service: { name = "taler-${talerComponent}-${service}"; }) servicesDB ++ [
+      ensureUsers = [
        {
          name = dbName;
          ensureDBOwnership = true;
--- a/nixos/modules/services/finance/taler/exchange.nix
+++ b/nixos/modules/services/finance/taler/exchange.nix
@ -133,24 +133,8 @@ in
      after = [ "taler-exchange-httpd.service" ];
    };

-    # Taken from https://docs.taler.net/taler-exchange-manual.html#exchange-database-setup
-    # TODO: Why does aggregator need DELETE?
-    systemd.services."taler-${talerComponent}-dbinit".script =
-      let
-        deletePerm = name: lib.optionalString (name == "aggregator") ",DELETE";
-        dbScript = pkgs.writers.writeText "taler-exchange-db-permissions.sql" (
-          lib.pipe servicesDB [
-            (map (name: ''
-              GRANT SELECT,INSERT,UPDATE${deletePerm name} ON ALL TABLES IN SCHEMA exchange TO "taler-exchange-${name}";
-              GRANT USAGE ON ALL SEQUENCES IN SCHEMA exchange TO "taler-exchange-${name}";
-            ''))
-            lib.concatStrings
-          ]
-        );
-      in
-      ''
-        ${lib.getExe' cfg.package "taler-exchange-dbinit"} -c ${configFile}
-        psql -U taler-exchange-httpd -f ${dbScript}
-      '';
+    systemd.services."taler-${talerComponent}-dbinit".script = ''
+      ${lib.getExe' cfg.package "taler-exchange-dbinit"} -c ${configFile}
+    '';
  };
 }
--- a/nixos/modules/services/finance/taler/merchant.nix
+++ b/nixos/modules/services/finance/taler/merchant.nix
@ -90,21 +90,8 @@ in
      path = [ cfg.package ];
    };

-    systemd.services."taler-${talerComponent}-dbinit".script =
-      let
-        # NOTE: not documented, but is necessary
-        dbScript = pkgs.writers.writeText "taler-merchant-db-permissions.sql" (
-          lib.concatStrings (
-            map (name: ''
-              GRANT SELECT,INSERT,UPDATE,DELETE ON ALL TABLES IN SCHEMA merchant TO "taler-merchant-${name}";
-              GRANT USAGE ON ALL SEQUENCES IN SCHEMA merchant TO "taler-merchant-${name}";
-            '') servicesDB
-          )
-        );
-      in
-      ''
-        ${lib.getExe' cfg.package "taler-merchant-dbinit"} -c ${configFile}
-        psql -U taler-${talerComponent}-httpd -f ${dbScript}
-      '';
+    systemd.services."taler-${talerComponent}-dbinit".script = ''
+      ${lib.getExe' cfg.package "taler-merchant-dbinit"} -c ${configFile}
+    '';
  };
 }