nixos/taler: use the same dynamicUser for services

which makes managing the database much simpler.
This commit is contained in:
eljamm 2025-05-29 11:03:28 +02:00 committed by Valentin Gagarin
parent 5db5bd097c
commit 85b6430fac
3 changed files with 9 additions and 37 deletions


@ -51,7 +51,7 @@ in
(lib.genAttrs (map (n: "taler-${talerComponent}-${n}") services) (name: { (lib.genAttrs (map (n: "taler-${talerComponent}-${n}") services) (name: {
serviceConfig = { serviceConfig = {
DynamicUser = true; DynamicUser = true;
User = name; User = dbName;
Group = groupName; Group = groupName;
ExecStart = toString [ ExecStart = toString [
(lib.getExe' cfg.package name) (lib.getExe' cfg.package name)
@ -85,6 +85,7 @@ in
Type = "oneshot"; Type = "oneshot";
DynamicUser = true; DynamicUser = true;
User = dbName; User = dbName;
Group = groupName;
Restart = "on-failure"; Restart = "on-failure";
RestartSec = "5s"; RestartSec = "5s";
}; };
@ -116,7 +117,7 @@ in
services.postgresql = { services.postgresql = {
enable = true; enable = true;
ensureDatabases = [ dbName ]; ensureDatabases = [ dbName ];
ensureUsers = map (service: { name = "taler-${talerComponent}-${service}"; }) servicesDB ++ [ ensureUsers = [
{ {
name = dbName; name = dbName;
ensureDBOwnership = true; ensureDBOwnership = true;
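Review bot: Switching every generated service to `User = dbName` in the first hunk makes each component, including the network-facing httpd, run as the PostgreSQL database owner, which drops the per-role separation the removed exchange and merchant GRANT scripts used to enforce (SELECT/INSERT/UPDATE only, DELETE reserved for the aggregator); the same point applies to the deleted GRANT blocks in the second and third file sections. If the simplification is intended, the trade-off should be recorded next to the shared user line, e.g. `# NOTE: all components share the DB owner role; the per-service GRANTs from the Taler manual are not applied`, so a later reader does not assume the upstream role split is still in place. Whether the components need more than the removed grants cannot be seen here; if they do not, keeping the per-service `ensureUsers` entries and the GRANT script while sharing the system user would preserve least privilege at the database layer. The `lib.genAttrs` expression edited by the first hunk starts before it.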


@ -133,24 +133,8 @@ in
after = [ "taler-exchange-httpd.service" ]; after = [ "taler-exchange-httpd.service" ];
}; };
# Taken from https://docs.taler.net/taler-exchange-manual.html#exchange-database-setup systemd.services."taler-${talerComponent}-dbinit".script = ''
# TODO: Why does aggregator need DELETE? ${lib.getExe' cfg.package "taler-exchange-dbinit"} -c ${configFile}
systemd.services."taler-${talerComponent}-dbinit".script = '';
let
deletePerm = name: lib.optionalString (name == "aggregator") ",DELETE";
dbScript = pkgs.writers.writeText "taler-exchange-db-permissions.sql" (
lib.pipe servicesDB [
(map (name: ''
GRANT SELECT,INSERT,UPDATE${deletePerm name} ON ALL TABLES IN SCHEMA exchange TO "taler-exchange-${name}";
GRANT USAGE ON ALL SEQUENCES IN SCHEMA exchange TO "taler-exchange-${name}";
''))
lib.concatStrings
]
);
in
''
${lib.getExe' cfg.package "taler-exchange-dbinit"} -c ${configFile}
psql -U taler-exchange-httpd -f ${dbScript}
'';
}; };
} }


@ -90,21 +90,8 @@ in
path = [ cfg.package ]; path = [ cfg.package ];
}; };
systemd.services."taler-${talerComponent}-dbinit".script = systemd.services."taler-${talerComponent}-dbinit".script = ''
let ${lib.getExe' cfg.package "taler-merchant-dbinit"} -c ${configFile}
# NOTE: not documented, but is necessary '';
dbScript = pkgs.writers.writeText "taler-merchant-db-permissions.sql" (
lib.concatStrings (
map (name: ''
GRANT SELECT,INSERT,UPDATE,DELETE ON ALL TABLES IN SCHEMA merchant TO "taler-merchant-${name}";
GRANT USAGE ON ALL SEQUENCES IN SCHEMA merchant TO "taler-merchant-${name}";
'') servicesDB
)
);
in
''
${lib.getExe' cfg.package "taler-merchant-dbinit"} -c ${configFile}
psql -U taler-${talerComponent}-httpd -f ${dbScript}
'';
}; };
} }