Configure pg_hba.conf (#1)

* configure pg_hba * use new hbaConf option * use main services-flake; update process-compose-flake * use new services-flake API --------- Co-authored-by: Shivaraj <[email protected]>
nammayatri · Oct 15, 2023 · 806f6f1 · 806f6f1
1 parent 01a59da
commit 806f6f1
Show file tree

Hide file tree

Showing 2 changed files with 18 additions and 14 deletions.
diff --git a/flake.lock b/flake.lock
diff --git a/process-compose.nix b/process-compose.nix
@@ -3,7 +3,7 @@ let
   srvname = "passetto";
   dbName = "passetto";
   userName = "passetto";
-  pgcfg = config.services.postgres;
+  pgcfg = config.services.postgres."${srvname}-db";
 in
 {
   options = {
@@ -27,15 +27,19 @@ in
       cfg = config.services.passetto;
     in
     lib.mkIf cfg.enable {
-      services.postgres = {
+      services.postgres."${srvname}-db" = {
         enable = true;
-        name = "${srvname}-db";
         listen_addresses = "127.0.0.1";
-        # TODO: Configure these (matching docker image behaviour)
-        # POSTGRES_HOST_AUTH_METHOD = "scram-sha-256";
-        # POSTGRES_INITDB_ARGS = "--auth=scram-sha-256";
-        # initdbArgs = ["--auth=scram-sha-256"];
-        initialScript = ''
+        hbaConf = [
+          # Equivalent to `POSTGRES_INITDB_ARGS = "--auth=scram-sha-256";`, sets the auth for all users
+          # connecting through unix sockets.
+          { type = "local"; database = "all"; user = "all"; address = ""; method = "scram-sha-256"; }
+          # Equivalent to `POSTGRES_HOST_AUTH_METHOD = "scram-sha-256";`, sets the auth for all users
+          # connecting through loopback ipv4/v6
+          { type = "host"; database = "all"; user = "all"; address = "127.0.0.1/32"; method = "scram-sha-256"; }
+          { type = "host"; database = "all"; user = "all"; address = "::1/128"; method = "scram-sha-256"; }
+        ];
+        initialScript.before = ''
           CREATE ROLE ${userName} SUPERUSER;
           ALTER ROLE ${userName} WITH LOGIN;
         '';