nixbld/rt: use psql peer authentication

nixbld-etc-nixos/configuration.nix

@@ -816,12 +816,19 @@ in
     siteUrl = "https://chat.m-labs.hk/";
     mutableConfig = true;
   };
-  services.postgresql.package = pkgs.postgresql_12;
   services.matterbridge = {
     enable = true;
     configPath = "/etc/nixos/secret/matterbridge.toml";
   };
- 
+
+  services.postgresql = {
+    package = pkgs.postgresql_12;
+    identMap =
+      ''
+      rt rt rt_user
+      '';
+  };
+
   nixpkgs.config.packageOverrides = super: let self = super.pkgs; in {
     nix = super.nix.overrideAttrs(oa: {
       patches = oa.patches or [] ++ [ ./nix-networked-derivations.patch ];

nixbld-etc-nixos/rt.nix

@@ -19,14 +19,9 @@ let
       Set($Timezone, '${cfg.timeZone}');
 
       Set($DatabaseType, 'Pg');
-      Set($DatabaseHost, 'localhost');
-      Set($DatabaseUser, 'rt_user');
+      Set($DatabaseHost, '/run/postgresql');
+      Set($DatabaseUser, 'rt');
       Set($DatabaseName, 'rt5');
-      # Read database password from file
-      open my $fh, '<', '${cfg.dbPasswordFile}' or die 'Can\'t open file $!';
-      my $dbpw = do { local $/; <$fh> };
-      $dbpw =~ s/^\s+|\s+$//g;
-      Set($DatabasePassword, $dbpw);
 
       # System (Logging)
       Set($LogToSTDERR, undef); # Don't log twice
@@ -154,13 +149,6 @@ in {
       type = str;
     };
 
-    dbPasswordFile = mkOption {
-      description = "File containing the database password";
-      type = str;
-      default = "/etc/nixos/secret/rtpasswd";
-      internal = true;
-    };
-
     domain = mkOption {
       description = "Which domain RT is running on";
       type = str;
@@ -245,8 +233,6 @@ in {
 
           PrivateNetwork = false;
           MemoryDenyWriteExecute = false;
-
-          ReadOnlyPaths = [ cfg.dbPasswordFile ];
         };
 
         environment = {