Unverified Commit f9340442 authored by Wolfgang Walther

nixos/hydra: avoid conflicts for local postgres ident map

The key change here is that the match was on the hydra database only
previously, but is now limited to the hydra role instead. This avoids
conflicts with rules that are created by other modules or downstream
users.

With this change, we can remove the additional "postgres postgres" line,
because the default pg_hba line will kick in again and allow the
postgres user access to the postgres role.

Renaming the map from hydra-users to hydra is for consistency, so that
all modules can define maps matching in name with the role they manage.

The change from ident to peer is just cosmetic; ident is only used for
TCP connections and falls back to peer anyway.
parent d4b3be98
+5 −7
@@ -564,16 +564,14 @@ in
    services.postgresql.enable = lib.mkIf haveLocalDB true;

    services.postgresql.identMap = lib.optionalString haveLocalDB ''
      hydra-users hydra hydra
      hydra-users hydra-queue-runner hydra
      hydra-users hydra-www hydra
      hydra-users root hydra
      # The postgres user is used to create the pg_trgm extension for the hydra database
      hydra-users postgres postgres
      hydra hydra hydra
      hydra hydra-queue-runner hydra
      hydra hydra-www hydra
      hydra root hydra
    '';

    services.postgresql.authentication = lib.optionalString haveLocalDB ''
      local hydra all ident map=hydra-users
      local all hydra peer map=hydra
    '';

  };
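
Review bot: the new `services.postgresql.authentication` line `local all hydra peer map=hydra` matches the hydra role on every database, whereas the line it replaces, `local hydra all ident map=hydra-users`, was scoped to the hydra database. Since the map still lets the OS users `hydra`, `hydra-queue-runner`, `hydra-www` and `root` authenticate as the hydra role, the rule now governs their local-socket logins to any database. If only the hydra database is needed, `local hydra hydra peer map=hydra` would keep the match on the role while retaining the database restriction; otherwise a short comment saying that `all` is intentional would help. The removed comment about the postgres user creating the pg_trgm extension also took with it the only in-file hint that this step depends on postgres-to-postgres access, so a one-line note that it now relies on the default pg_hba line would be worth keeping.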