nixos/hydra: avoid conflicts for local postgres ident map

The key change here is, that the match was on the hydra database only previously, but is now limited to to the hydra role instead. This avoids conflicts with rules that are created by other modules or downstream users. With this change, we can remove the additional "postgres postgres" line, because the default pg_hba line will kick in again and allow the postgres user access to the postgres role. Renaming the map from hydra-users to hydra is for consistency, so that all modules can define maps matching in name with the role they manage. The change from ident to peer is just cosmetic, ident is only used for TCP connections and falls back to peer anyway.
2025-07-13 21:50:33 +03:00 · 2025-05-09 12:51:44 +02:00 · 2025-05-09 12:51:44 +02:00 · f934044282
commit f934044282
parent d4b3be9800
1 changed files with 5 additions and 7 deletions
--- a/nixos/modules/services/continuous-integration/hydra/default.nix
+++ b/nixos/modules/services/continuous-integration/hydra/default.nix
@ -564,16 +564,14 @@ in
    services.postgresql.enable = lib.mkIf haveLocalDB true;

    services.postgresql.identMap = lib.optionalString haveLocalDB ''
-      hydra-users hydra hydra
-      hydra-users hydra-queue-runner hydra
-      hydra-users hydra-www hydra
-      hydra-users root hydra
-      # The postgres user is used to create the pg_trgm extension for the hydra database
-      hydra-users postgres postgres
+      hydra hydra hydra
+      hydra hydra-queue-runner hydra
+      hydra hydra-www hydra
+      hydra root hydra
    '';

    services.postgresql.authentication = lib.optionalString haveLocalDB ''
-      local hydra all ident map=hydra-users
+      local all hydra peer map=hydra
    '';

  };