feat(clickhouse): support grants in users.xml

learn-anything · Oct 19, 2024 · 48f224c · 48f224c
1 parent 88fbea5
commit 48f224c
Showing 1 changed file with 22 additions and 6 deletions.
diff --git a/nixos-modules/clickhouse.nix b/nixos-modules/clickhouse.nix
@@ -113,30 +113,31 @@ let
           description = "Quota for user.";
         };
         access_management = lib.mkOption {
-          type = types.bool;
+          type = types.nullOr types.bool;
           default = false;
           example = true;
           description = "Allow the user to create other users and grant rights to them";
         };
         named_collection_control = lib.mkOption {
-          type = types.bool;
+          type = types.nullOr types.bool;
           default = false;
           example = true;
           description = "Allow the user to manipulate named collections";
         };
         allow_databases = lib.mkOption {
-          type = types.listOf types.str;
+          type = types.nullOr (types.listOf types.str);
           default = [ name ];
         };
-        grants = {
-          # TODO
+        grants = lib.mkOption {
+          type = types.nullOr (types.listOf types.str);
+          default = null;
         };
       };
     }
   );
 in
 {
-  disabledModules = ["${nixpkgs}/nixos/modules/services/databases/clickhouse.nix"];
+  disabledModules = [ "${nixpkgs}/nixos/modules/services/databases/clickhouse.nix" ];
   options = {
     services.clickhouse = {
       enable = lib.mkEnableOption "ClickHouse database server";
@@ -188,6 +189,21 @@ in
   };
 
   config = lib.mkIf cfg.enable {
+    assertions = [
+      (
+        let
+          badUsers = lib.filterAttrs (
+            _: x:
+            x.grants != null
+            && (x.access_management != null || x.named_collection_control != null || x.allow_databases != null)
+          ) cfg.users.users;
+        in
+        {
+          assertion = badUsers == { };
+          message = "`grants` can not be used with `access_management` `named_collection_control` and `allow_databases` (users: ${lib.concatStringsSep ", " (lib.attrNames badUsers)})";
+        }
+      )
+    ];
     users.users.clickhouse = {
       name = "clickhouse";
       uid = config.ids.uids.clickhouse;