Unverified Commit c67dbda5 authored by Sandro Jäckel's avatar Sandro Jäckel Committed by GitHub

Merge pull request #308700 from tie/pgbouncer-settings

nixos/pgbouncer: add services.pgbouncer.settings option
parents 8a335419 63caf38e
+2 −0
@@ -184,6 +184,8 @@

- `services.ddclient.use` has been deprecated: `ddclient` now supports separate IPv4 and IPv6 configuration. Use `services.ddclient.usev4` and `services.ddclient.usev6` instead.

- `services.pgbouncer` systemd service is configured with `Type=notify-reload` and allows reloading configuration without process restart. PgBouncer configuration options were moved to the free-form type option named [`services.pgbouncer.settings`](#opt-services.pgbouncer.settings) according to the NixOS RFC 0042.

- `teleport` has been upgraded from major version 15 to major version 16.
  Refer to upstream [upgrade instructions](https://goteleport.com/docs/management/operations/upgrading/)
  and [release notes for v16](https://goteleport.com/docs/changelog/#1600-061324).
+147 −552

File changed.

Preview size limit exceeded, changes collapsed.

+0 −17
@@ -367,18 +367,6 @@ in
        message = ''
          PgBouncer exporter needs either connectionStringFile or connectionString configured"
        '';
    } {
      assertion = cfg.pgbouncer.enable -> (
        config.services.pgbouncer.ignoreStartupParameters != null && builtins.match ".*extra_float_digits.*" config.services.pgbouncer.ignoreStartupParameters != null
        );
        message = ''
          Prometheus PgBouncer exporter requires including `extra_float_digits` in services.pgbouncer.ignoreStartupParameters

          Example:
          services.pgbouncer.ignoreStartupParameters = extra_float_digits;

          See https://github.com/prometheus-community/pgbouncer_exporter#pgbouncer-configuration
        '';
    } {
      assertion = cfg.sql.enable -> (
        (cfg.sql.configFile == null) != (cfg.sql.configuration == null)
@@ -437,11 +425,6 @@ in
          config.services.prometheus.exporters.pgbouncer.connectionString is insecure. Use connectionStringFile instead.
        ''
      )
      (mkIf
        (cfg.pgbouncer.enable && config.services.pgbouncer.authType != "any") ''
          Admin user (with password or passwordless) MUST exist in the services.pgbouncer.authFile if authType other than any is used.
        ''
      )
    ] ++ config.services.prometheus.exporters.warnings;
  }]  ++ [(mkIf config.services.prometheus.exporters.rtl_433.enable {
    hardware.rtl-sdr.enable = mkDefault true;
+41 −36
@@ -4,15 +4,21 @@ let
  cfg = config.services.prometheus.exporters.pgbouncer;
  inherit (lib)
    mkOption
    mkPackageOption
    types
    optionals
    optionalString
    getExe
    getExe'
    escapeShellArg
    escapeShellArgs
    concatStringsSep
    ;
in
{
  port = 9127;
  extraOpts = {
    package = mkPackageOption pkgs "prometheus-pgbouncer-exporter" { };

    telemetryPath = mkOption {
      type = types.str;
@@ -31,8 +37,10 @@ in

        NOTE: You MUST keep pgbouncer as database name (special internal db)!!!

        NOTE: Admin user (with password or passwordless) MUST exist
        in the services.pgbouncer.authFile if authType other than any is used.
        NOTE: ignore_startup_parameters MUST contain "extra_float_digits".

        NOTE: Admin user (with password or passwordless) MUST exist in the
        auth_file if auth_type other than "any" is used.

        WARNING: this secret is stored in the world-readable Nix store!
        Use {option}`connectionStringFile` instead.
@@ -49,8 +57,10 @@ in

        NOTE: You MUST keep pgbouncer as database name (special internal db)!!!

        NOTE: Admin user (with password or passwordless) MUST exist
        in the services.pgbouncer.authFile if authType other than any is used.
        NOTE: ignore_startup_parameters MUST contain "extra_float_digits".

        NOTE: Admin user (with password or passwordless) MUST exist in the
        auth_file if auth_type other than "any" is used.

        {option}`connectionStringFile` takes precedence over {option}`connectionString`
      '';
@@ -116,35 +126,30 @@ in

  serviceOpts = {
    after = [ "pgbouncer.service" ];
      serviceConfig = let
      startScript = pkgs.writeShellScriptBin "pgbouncer-start" "${concatStringsSep " " ([
            "${pkgs.prometheus-pgbouncer-exporter}/bin/pgbouncer_exporter"
    script = optionalString (cfg.connectionStringFile != null) ''
      connectionString=$(${escapeShellArgs [
        (getExe' pkgs.coreutils "cat") "--" cfg.connectionStringFile
      ]})
    '' + concatStringsSep " " ([
      "exec -- ${escapeShellArg (getExe cfg.package)}"
      "--web.listen-address ${cfg.listenAddress}:${toString cfg.port}"
            "--pgBouncer.connectionString ${if cfg.connectionStringFile != null then
            "$(head -n1 ${cfg.connectionStringFile})" else "${escapeShellArg cfg.connectionString}"}"
          ]
            ++ optionals (cfg.telemetryPath != null) [
      "--pgBouncer.connectionString ${if cfg.connectionStringFile != null
          then "\"$connectionString\""
          else "${escapeShellArg cfg.connectionString}"}"
    ] ++ optionals (cfg.telemetryPath != null) [
      "--web.telemetry-path ${escapeShellArg cfg.telemetryPath}"
          ]
            ++ optionals (cfg.pidFile != null) [
            "--pgBouncer.pid-file= ${escapeShellArg cfg.pidFile}"
          ]
            ++ optionals (cfg.logLevel != null) [
    ] ++ optionals (cfg.pidFile != null) [
      "--pgBouncer.pid-file ${escapeShellArg cfg.pidFile}"
    ] ++ optionals (cfg.logLevel != null) [
      "--log.level ${escapeShellArg cfg.logLevel}"
          ]
            ++ optionals (cfg.logFormat != null) [
    ] ++ optionals (cfg.logFormat != null) [
      "--log.format ${escapeShellArg cfg.logFormat}"
          ]
            ++ optionals (cfg.webSystemdSocket != false) [
    ] ++ optionals (cfg.webSystemdSocket != false) [
      "--web.systemd-socket ${escapeShellArg cfg.webSystemdSocket}"
          ]
            ++ optionals (cfg.webConfigFile != null) [
    ] ++ optionals (cfg.webConfigFile != null) [
      "--web.config.file ${escapeShellArg cfg.webConfigFile}"
          ]
            ++ cfg.extraFlags)}";
      in
      {
        ExecStart = "${startScript}/bin/pgbouncer-start";
      };
    ] ++ cfg.extraFlags);

    serviceConfig.RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_UNIX" ];
  };
}
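Review bot: The rewritten `script` in `serviceOpts` still passes the secret as `--pgBouncer.connectionString "$connectionString"`, so a value read from `connectionStringFile` stays out of the Nix store but lands in the exporter's argument list, which other local accounts can normally read from the process list. If the packaged exporter can take the connection string from the environment or a file, use that instead (for example through a systemd `EnvironmentFile` or credential). Otherwise add a note beside the existing store warning, e.g. `NOTE: the connection string is passed on the exporter's command line and is visible in the process list.` Separately, `--web.listen-address ${cfg.listenAddress}:${toString cfg.port}` is the only option value in this list not passed through `escapeShellArg` (`cfg.extraFlags` is also appended raw); `"--web.listen-address ${escapeShellArg "${cfg.listenAddress}:${toString cfg.port}"}"` would match the rest. Finally, `cat --` reads the whole file where what appears to be the earlier `head -n1` took only the first line, so the option description should say that the file must contain nothing but the connection string.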
+19 −21
import ./make-test-python.nix ({ pkgs, ... } :
let
  testAuthFile = pkgs.writeTextFile {
    name = "authFile";
    text = ''
      "testuser" "testpass"
    '';
  };
in
{
import ./make-test-python.nix ({ lib, pkgs, ... }: {
  name = "pgbouncer";
  meta = with pkgs.lib.maintainers; {

  meta = with lib.maintainers; {
    maintainers = [ _1000101 ];
  };
  nodes = {
    one = { config, pkgs, ... }: {

  nodes = {
    one = { pkgs, ... }: {
      systemd.services.postgresql = {
        postStart = ''
          ${pkgs.postgresql}/bin/psql -U postgres -c "ALTER ROLE testuser WITH LOGIN PASSWORD 'testpass'";
@@ -26,10 +18,7 @@ in
        postgresql = {
          enable = true;
          ensureDatabases = [ "testdb" ];
          ensureUsers = [
          {
            name = "testuser";
          }];
          ensureUsers = [{ name = "testuser"; }];
          authentication = ''
            local testdb testuser scram-sha-256
          '';
@@ -37,10 +26,19 @@ in

        pgbouncer = {
          enable = true;
          listenAddress = "localhost";
          databases = { test = "host=/run/postgresql/ port=5432 auth_user=testuser dbname=testdb"; };
          authType = "scram-sha-256";
          authFile = testAuthFile;
          openFirewall = true;
          settings = {
            pgbouncer = {
              listen_addr = "localhost";
              auth_type = "scram-sha-256";
              auth_file = builtins.toFile "pgbouncer-users.txt" ''
                "testuser" "testpass"
              '';
            };
            databases = {
              test = "host=/run/postgresql port=5432 auth_user=testuser dbname=testdb";
            };
          };
        };
      };
    };
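Review bot: `auth_file = builtins.toFile "pgbouncer-users.txt" ...` writes the plaintext `"testuser" "testpass"` pair into the world-readable Nix store. That is acceptable for a VM test, but it is the same exposure the exporter option text on this page warns about for `connectionString`. A comment above it, such as `# Test-only credentials: builtins.toFile places this file in the world-readable Nix store.`, would keep it from being copied as a template for real deployments. `openFirewall = true` next to `listen_addr = "localhost"` also looks unnecessary, since a loopback-only listener is not reachable through the opened port; if the test does not depend on it, drop it.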