nixos/postgresql: add ensureUsers.*.passwordFile option

nixos/modules/services/databases/postgresql.nix

@@ -189,6 +189,24 @@ in
               '';
             };
 
+            passwordFile = mkOption {
+              type = with lib.types; nullOr (str // {
+                # We don't want users to be able to pass a path literal here but
+                # it should look like a path.
+                check = it: lib.isString it && lib.types.path.check it;
+              });
+              example = "/run/keys/db_user_pw";
+              default = null;
+              description = ''
+                The path to a file containing a password that is to be set as the user's PASSWORD field.
+
+                A path must be given because Nix strings would be exposed in Nix store through the .drv files. You must
+                not pass a path literal either for the same reason. The path must therefore be represented as a string.
+
+                Note that the contents of this file are stripped of newlines and that surrounding whitespace is trimmed.
+              '';
+            };
+
             ensureClauses = mkOption {
               description = ''
                 An attrset of clauses to grant to the user. Under the hood this uses the
@@ -586,13 +604,27 @@ in
                     user.ensureDBOwnership
                     ''$PSQL -tAc 'ALTER DATABASE "${user.name}" OWNER TO "${user.name}";' '';
 
+                  setPW =
+                    pkgs.writeText
+                    "set-pw.sql"
+                    # You can't use prepared statements for ALTER ROLE, we must wrap it in a procedure
+                    ''
+                      DO $$
+                      DECLARE password TEXT;
+                      BEGIN
+                        password := trim(both from replace(pg_read_file('${user.passwordFile}'), E'\n', '''));
+                        EXECUTE 'ALTER ROLE "${user.name}" WITH PASSWORD' || quote_literal(password);
+                      END $$;
+                    '';
+
                   filteredClauses = filterAttrs (name: value: value != null) user.ensureClauses;
 
                   clauseSqlStatements = attrValues (mapAttrs (n: v: if v then n else "no${n}") filteredClauses);
 
                   userClauses = ''$PSQL -tAc 'ALTER ROLE "${user.name}" ${concatStringsSep " " clauseSqlStatements}' '';
                 in ''
                   $PSQL -tAc "SELECT 1 FROM pg_roles WHERE rolname='${user.name}'" | grep -q 1 || $PSQL -tAc 'CREATE USER "${user.name}"'
+                  ${lib.optionalString (user.passwordFile != null) "$PSQL -tAf ${setPW}"}
                   ${userClauses}
 
                   ${dbOwnershipStmt}

nixos/tests/postgresql.nix

@@ -32,6 +32,15 @@ let
         services.postgresql = {
           enable = true;
           package = postgresql-package;
+          enableTCPIP = true;
+          ensureDatabases = [ "pw-user" ];
+          ensureUsers = [
+            {
+              name = "pw-user";
+              passwordFile = pkgs.writeText "password" "password";
+              ensureDBOwnership = true;
+            }
+          ];
         };
 
         services.postgresqlBackup = {
@@ -71,6 +80,14 @@ let
       machine.fail(check_count("SELECT * FROM sth;", 4))
       machine.succeed(check_count("SELECT xpath('/test/text()', doc) FROM xmltest;", 1))
 
+      with subtest("Connection with user password works correctly"):
+          machine.succeed(
+              "sudo -u postgres PGPASSWORD=password psql -h localhost -U pw-user -tc '\c'"
+          )
+          machine.fail(
+              "sudo -u postgres PGPASSWORD=wrong-password psql -h localhost -U pw-user -tc '\c'"
+          )
+
       with subtest("Backup service works"):
           machine.succeed(
               "systemctl start ${backupService}.service",