From 4190b4a48179d06ca5cdb97304da4b2cea60ad52 Mon Sep 17 00:00:00 2001
From: Gabriel Arazas
Date: Mon, 12 Dec 2022 14:17:57 +0800
Subject: [PATCH] hosts/plover: update PostgreSQL initial script

We're doing the secure schema usage pattern as recommended from the documentation. Since it is an initial script that will only run once, I think it is OK to override steps such as creating roles ahead.
---
 hosts/plover/default.nix | 15 +++++++++------
 1 file changed, 9 insertions(+), 6 deletions(-)

diff --git a/hosts/plover/default.nix b/hosts/plover/default.nix
index 4a84ff8a..54c598e3 100644
--- a/hosts/plover/default.nix
+++ b/hosts/plover/default.nix
@@ -161,14 +161,17 @@ in
 # feature).
 initialScript = let
+ # This will be run once anyways so it is acceptable to create users
+ # "forcibly".
 perUserSchemas = lib.lists.map
- (user: "CREATE SCHEMA ${user.name};")
+ (user: ''
+ CREATE USER ${user.name};
+ CREATE SCHEMA ${user.name} AUTHORIZATION ${user.name};
+ '')
 config.services.postgresql.ensureUsers;
- script = pkgs.writeText "plover-initial-postgresql-script" ''
- ${lib.concatStringsSep "\n" perUserSchemas}
- '';
- in
- script;
+ in pkgs.writeText "plover-initial-postgresql-script" ''
+ ${lib.concatStringsSep "\n" perUserSchemas}
+ '';
 settings = {
 log_connections = true;