From 8c35e34924c2264444ed59fe5c273d70d071981f Mon Sep 17 00:00:00 2001
From: Igor Pashev <pashev.igor@gmail.com>
Date: Tue, 4 Jun 2019 13:54:02 +0200
Subject: postgresql: automatically find keys (experimental)

---
 modules/apps/postgresql/default.nix | 39 ++++++++++++++++++++++++++++++++++---
 1 file changed, 36 insertions(+), 3 deletions(-)

diff --git a/modules/apps/postgresql/default.nix b/modules/apps/postgresql/default.nix
index 9d05b2d..e7eecaa 100644
--- a/modules/apps/postgresql/default.nix
+++ b/modules/apps/postgresql/default.nix
@@ -10,7 +10,7 @@ let
     mkDefault mkIf mkOption nameValuePair types ;
 
   inherit (types)
-    attrsOf lines listOf nullOr package path str submodule ;
+    attrsOf bool lines listOf nullOr package path str submodule ;
 
   concatNonEmpty = sep: list: concatStringsSep sep (filter (s: s != "") list);
   explicit = filterAttrs (n: v: n != "_module" && v != null);
@@ -20,9 +20,29 @@ let
 
   isFloat = x: match "^[0-9]+(\\.[0-9]+)?$" (toString x) != null;
 
+  mkKeys = name: opts: pkgs.runCommand "psql-${name}-keys.nix" {} ''
+    exec >$out
+
+    printf '['
+
+    ${pkgs.gnugrep}/bin/grep -oE '${config.nixsap.deployment.keyStore}/[^/]+\b' \
+    ${opts._configureFile} > keys || [ $? -eq 1 ]
+
+    while read -r key; do
+      printf ' "%s"' "$key"
+    done < keys
+
+    printf ' ]'
+
+    printf '%s: ' $out >&2
+    cat $out >&2
+  '';
+
   keyrings =
     let
-      ik = mapAttrsToList (_: i: { "${i.user}" = [ i.server.ssl_key_file ]; } ) instances;
+      # This requires read-write mode of evaluation:
+      keys = n: i: if i.extractKeys then import (mkKeys n i) else [];
+      ik = mapAttrsToList (n: i: { "${i.user}" = [ i.server.ssl_key_file ] ++ keys n i; } ) instances;
     in foldAttrs (l: r: l ++ r) [] ik;
 
   mkService = name: opts:
@@ -84,7 +104,7 @@ let
           done
           ${psql} -f ${./functions.pgsql}
           ${psql} -f ${create}
-          ${psql} -f ${pkgs.writeText "pgsql-${name}.sql" opts.configure}
+          ${psql} -f ${opts._configureFile}
         '';
 
       needConf = (opts.configure != "") || (opts.roles != []) || (opts.databases != []);
@@ -160,6 +180,19 @@ let
           ALTER DATABASE sproxy OWNER TO sproxy;
         '';
       };
+      _configureFile = mkOption {
+        readOnly = true;
+        internal = true;
+        default = pkgs.writeText "pgsql-${name}.sql" config.configure;
+      };
+      extractKeys = mkOption {
+        description = ''
+          Automatically extract secret keys from the configuration script.
+          Experimental.
+        '';
+        default = true;
+        type = bool;
+      };
       package = mkOption {
         description = "PostgreSQL package";
         type = package;
-- 
cgit v1.2.3