| blob | fe3d1b5bfb9dbc9cbc6fac1615d03d15fd195dda |
1 { lib, pkgs, config, ... } :
2 let
3 cfg = config.services.pgmanage;
5 confFile = pkgs.writeTextFile {
6 name = "pgmanage.conf";
7 text = ''
8 connection_file = ${pgmanageConnectionsFile}
10 allow_custom_connections = ${builtins.toJSON cfg.allowCustomConnections}
12 pgmanage_port = ${toString cfg.port}
14 super_only = ${builtins.toJSON cfg.superOnly}
16 ${lib.optionalString (cfg.loginGroup != null) "login_group = ${cfg.loginGroup}"}
18 login_timeout = ${toString cfg.loginTimeout}
20 web_root = ${cfg.package}/etc/pgmanage/web_root
22 sql_root = ${cfg.sqlRoot}
24 ${lib.optionalString (cfg.tls != null) ''
25 tls_cert = ${cfg.tls.cert}
26 tls_key = ${cfg.tls.key}
27 ''}
29 log_level = ${cfg.logLevel}
30 '';
31 };
33 pgmanageConnectionsFile = pkgs.writeTextFile {
34 name = "pgmanage-connections.conf";
35 text = lib.concatStringsSep "\n"
36 (lib.mapAttrsToList (name : conn : "${name}: ${conn}") cfg.connections);
37 };
39 pgmanage = "pgmanage";
41 in {
43 options.services.pgmanage = {
44 enable = lib.mkEnableOption "PostgreSQL Administration for the web";
46 package = lib.mkPackageOption pkgs "pgmanage" { };
48 connections = lib.mkOption {
49 type = lib.types.attrsOf lib.types.str;
50 default = {};
51 example = {
52 nuc-server = "hostaddr=192.168.0.100 port=5432 dbname=postgres";
53 mini-server = "hostaddr=127.0.0.1 port=5432 dbname=postgres sslmode=require";
54 };
55 description = ''
56 pgmanage requires at least one PostgreSQL server be defined.
58 Detailed information about PostgreSQL connection strings is available at:
59 <https://www.postgresql.org/docs/current/libpq-connect.html>
61 Note that you should not specify your user name or password. That
62 information will be entered on the login screen. If you specify a
63 username or password, it will be removed by pgmanage before attempting to
64 connect to a database.
65 '';
66 };
68 allowCustomConnections = lib.mkOption {
69 type = lib.types.bool;
70 default = false;
71 description = ''
72 This tells pgmanage whether or not to allow anyone to use a custom
73 connection from the login screen.
74 '';
75 };
77 port = lib.mkOption {
78 type = lib.types.port;
79 default = 8080;
80 description = ''
81 This tells pgmanage what port to listen on for browser requests.
82 '';
83 };
85 localOnly = lib.mkOption {
86 type = lib.types.bool;
87 default = true;
88 description = ''
89 This tells pgmanage whether or not to set the listening socket to local
90 addresses only.
91 '';
92 };
94 superOnly = lib.mkOption {
95 type = lib.types.bool;
96 default = true;
97 description = ''
98 This tells pgmanage whether or not to only allow super users to
99 login. The recommended value is true and will restrict users who are not
100 super users from logging in to any PostgreSQL instance through
101 pgmanage. Note that a connection will be made to PostgreSQL in order to
102 test if the user is a superuser.
103 '';
104 };
106 loginGroup = lib.mkOption {
107 type = lib.types.nullOr lib.types.str;
108 default = null;
109 description = ''
110 This tells pgmanage to only allow users in a certain PostgreSQL group to
111 login to pgmanage. Note that a connection will be made to PostgreSQL in
112 order to test if the user is a member of the login group.
113 '';
114 };
116 loginTimeout = lib.mkOption {
117 type = lib.types.int;
118 default = 3600;
119 description = ''
120 Number of seconds of inactivity before user is automatically logged
121 out.
122 '';
123 };
125 sqlRoot = lib.mkOption {
126 type = lib.types.str;
127 default = "/var/lib/pgmanage";
128 description = ''
129 This tells pgmanage where to put the SQL file history. All tabs are saved
130 to this location so that if you get disconnected from pgmanage you
131 don't lose your work.
132 '';
133 };
135 tls = lib.mkOption {
136 type = lib.types.nullOr (lib.types.submodule {
137 options = {
138 cert = lib.mkOption {
139 type = lib.types.str;
140 description = "TLS certificate";
141 };
142 key = lib.mkOption {
143 type = lib.types.str;
144 description = "TLS key";
145 };
146 };
147 });
148 default = null;
149 description = ''
150 These options tell pgmanage where the TLS Certificate and Key files
151 reside. If you use these options then you'll only be able to access
152 pgmanage through a secure TLS connection. These options are only
153 necessary if you wish to connect directly to pgmanage using a secure TLS
154 connection. As an alternative, you can set up pgmanage in a reverse proxy
155 configuration. This allows your web server to terminate the secure
156 connection and pass on the request to pgmanage. You can find help to set
157 up this configuration in:
158 <https://github.com/pgManage/pgManage/blob/master/INSTALL_NGINX.md>
159 '';
160 };
162 logLevel = lib.mkOption {
163 type = lib.types.enum ["error" "warn" "notice" "info"];
164 default = "error";
165 description = ''
166 Verbosity of logs
167 '';
168 };
169 };
171 config = lib.mkIf cfg.enable {
172 systemd.services.pgmanage = {
173 description = "pgmanage - PostgreSQL Administration for the web";
174 wants = [ "postgresql.service" ];
175 after = [ "postgresql.service" ];
176 wantedBy = [ "multi-user.target" ];
177 serviceConfig = {
178 User = pgmanage;
179 Group = pgmanage;
180 ExecStart = "${cfg.package}/sbin/pgmanage -c ${confFile}" +
181 lib.optionalString cfg.localOnly " --local-only=true";
182 };
183 };
184 users = {
185 users.${pgmanage} = {
186 name = pgmanage;
187 group = pgmanage;
188 home = cfg.sqlRoot;
189 createHome = true;
190 isSystemUser = true;
191 };
192 groups.${pgmanage} = {
193 name = pgmanage;
194 };
195 };
196 };
197 }