2014-04-14 16:26:48 +02:00
|
|
|
|
{
|
|
|
|
|
|
config,
|
|
|
|
|
|
lib,
|
|
|
|
|
|
pkgs,
|
|
|
|
|
|
...
|
|
|
|
|
|
}:
|
2009-12-03 12:20:24 +00:00
|
|
|
|
|
2007-12-03 04:48:31 +00:00
|
|
|
|
let
|
2024-05-01 12:25:24 +02:00
|
|
|
|
inherit (lib)
|
2024-11-10 17:08:59 +01:00
|
|
|
|
any
|
2024-05-01 12:25:24 +02:00
|
|
|
|
attrValues
|
|
|
|
|
|
concatMapStrings
|
|
|
|
|
|
concatStringsSep
|
|
|
|
|
|
const
|
|
|
|
|
|
elem
|
2024-09-29 20:43:30 +02:00
|
|
|
|
escapeShellArgs
|
2025-03-02 11:06:49 +01:00
|
|
|
|
filter
|
2024-05-01 12:25:24 +02:00
|
|
|
|
filterAttrs
|
2025-03-02 11:06:49 +01:00
|
|
|
|
getAttr
|
2024-11-10 17:08:59 +01:00
|
|
|
|
getName
|
2025-03-02 11:06:49 +01:00
|
|
|
|
hasPrefix
|
2024-05-01 12:25:24 +02:00
|
|
|
|
isString
|
|
|
|
|
|
literalExpression
|
|
|
|
|
|
mapAttrs
|
|
|
|
|
|
mapAttrsToList
|
|
|
|
|
|
mkAfter
|
|
|
|
|
|
mkBefore
|
|
|
|
|
|
mkDefault
|
|
|
|
|
|
mkEnableOption
|
|
|
|
|
|
mkIf
|
|
|
|
|
|
mkMerge
|
|
|
|
|
|
mkOption
|
|
|
|
|
|
mkPackageOption
|
|
|
|
|
|
mkRemovedOptionModule
|
|
|
|
|
|
mkRenamedOptionModule
|
|
|
|
|
|
optionalString
|
2025-03-02 11:06:49 +01:00
|
|
|
|
pipe
|
|
|
|
|
|
sortProperties
|
2024-05-01 12:25:24 +02:00
|
|
|
|
types
|
|
|
|
|
|
versionAtLeast
|
2024-11-02 16:52:02 +01:00
|
|
|
|
warn
|
2024-05-01 12:25:24 +02:00
|
|
|
|
;
|
2007-12-03 04:48:31 +00:00
|
|
|
|
|
2008-02-18 11:56:43 +00:00
|
|
|
|
cfg = config.services.postgresql;
|
|
|
|
|
|
|
2024-11-10 17:08:59 +01:00
|
|
|
|
# ensure that
|
|
|
|
|
|
# services.postgresql = {
|
|
|
|
|
|
# enableJIT = true;
|
|
|
|
|
|
# package = pkgs.postgresql_<major>;
|
|
|
|
|
|
# };
|
|
|
|
|
|
# works.
|
|
|
|
|
|
basePackage = if cfg.enableJIT then cfg.package.withJIT else cfg.package.withoutJIT;
|
|
|
|
|
|
|
|
|
|
|
|
postgresql = if cfg.extensions == [ ] then basePackage else basePackage.withPackages cfg.extensions;
|
2008-02-18 11:56:43 +00:00
|
|
|
|
|
2020-08-01 10:02:14 -04:00
|
|
|
|
toStr =
|
|
|
|
|
|
value:
|
|
|
|
|
|
if true == value then
|
|
|
|
|
|
"yes"
|
|
|
|
|
|
else if false == value then
|
|
|
|
|
|
"no"
|
|
|
|
|
|
else if isString value then
|
|
|
|
|
|
"'${lib.replaceStrings [ "'" ] [ "''" ] value}'"
|
2024-05-01 12:25:24 +02:00
|
|
|
|
else
|
|
|
|
|
|
builtins.toString value;
|
2020-08-01 10:02:14 -04:00
|
|
|
|
|
2009-12-02 17:18:25 +00:00
|
|
|
|
# The main PostgreSQL configuration file.
|
2024-03-17 11:54:30 +01:00
|
|
|
|
configFile = pkgs.writeTextDir "postgresql.conf" (
|
|
|
|
|
|
concatStringsSep "\n" (
|
|
|
|
|
|
mapAttrsToList (n: v: "${n} = ${toStr v}") (filterAttrs (const (x: x != null)) cfg.settings)
|
2024-12-10 20:26:33 +01:00
|
|
|
|
)
|
2024-03-17 11:54:30 +01:00
|
|
|
|
);
|
2020-07-11 12:00:00 +00:00
|
|
|
|
|
|
|
|
|
|
configFileCheck = pkgs.runCommand "postgresql-configfile-check" { } ''
|
|
|
|
|
|
${cfg.package}/bin/postgres -D${configFile} -C config_file >/dev/null
|
|
|
|
|
|
touch $out
|
|
|
|
|
|
'';
|
2009-12-02 17:18:25 +00:00
|
|
|
|
|
2024-05-01 12:38:57 +02:00
|
|
|
|
groupAccessAvailable = versionAtLeast cfg.finalPackage.version "11.0";
|
2019-07-22 02:57:16 +03:00
|
|
|
|
|
2024-11-10 17:08:59 +01:00
|
|
|
|
extensionNames = map getName postgresql.installedExtensions;
|
|
|
|
|
|
extensionInstalled = extension: elem extension extensionNames;
|
2007-12-03 04:48:31 +00:00
|
|
|
|
in
|
2008-02-18 11:56:43 +00:00
|
|
|
|
|
2009-07-15 11:19:11 +00:00
|
|
|
|
{
|
2020-08-01 10:02:14 -04:00
|
|
|
|
imports = [
|
|
|
|
|
|
(mkRemovedOptionModule [
|
|
|
|
|
|
"services"
|
|
|
|
|
|
"postgresql"
|
|
|
|
|
|
"extraConfig"
|
|
|
|
|
|
] "Use services.postgresql.settings instead.")
|
2024-12-10 20:26:33 +01:00
|
|
|
|
|
2025-05-08 12:14:23 +02:00
|
|
|
|
(mkRemovedOptionModule [
|
|
|
|
|
|
"services"
|
|
|
|
|
|
"postgresql"
|
|
|
|
|
|
"recoveryConfig"
|
|
|
|
|
|
] "PostgreSQL v12+ doesn't support recovery.conf.")
|
|
|
|
|
|
|
2024-03-17 11:54:30 +01:00
|
|
|
|
(mkRenamedOptionModule
|
|
|
|
|
|
[ "services" "postgresql" "logLinePrefix" ]
|
|
|
|
|
|
[ "services" "postgresql" "settings" "log_line_prefix" ]
|
|
|
|
|
|
)
|
|
|
|
|
|
(mkRenamedOptionModule
|
|
|
|
|
|
[ "services" "postgresql" "port" ]
|
|
|
|
|
|
[ "services" "postgresql" "settings" "port" ]
|
|
|
|
|
|
)
|
2024-11-11 23:23:46 +01:00
|
|
|
|
(mkRenamedOptionModule
|
|
|
|
|
|
[ "services" "postgresql" "extraPlugins" ]
|
|
|
|
|
|
[ "services" "postgresql" "extensions" ]
|
|
|
|
|
|
)
|
2020-08-01 10:02:14 -04:00
|
|
|
|
];
|
2009-07-15 11:19:11 +00:00
|
|
|
|
|
|
|
|
|
|
###### interface
|
2011-09-14 18:20:50 +00:00
|
|
|
|
|
2009-07-15 11:19:11 +00:00
|
|
|
|
options = {
|
2011-09-14 18:20:50 +00:00
|
|
|
|
|
2009-07-15 11:19:11 +00:00
|
|
|
|
services.postgresql = {
|
2011-09-14 18:20:50 +00:00
|
|
|
|
|
2020-05-07 10:59:07 +02:00
|
|
|
|
enable = mkEnableOption "PostgreSQL Server";
|
2011-09-14 18:20:50 +00:00
|
|
|
|
|
2023-03-20 11:15:12 +01:00
|
|
|
|
enableJIT = mkEnableOption "JIT support";
|
|
|
|
|
|
|
2023-11-27 01:19:27 +01:00
|
|
|
|
package = mkPackageOption pkgs "postgresql" {
|
|
|
|
|
|
example = "postgresql_15";
|
2012-08-15 17:01:19 -04:00
|
|
|
|
};
|
|
|
|
|
|
|
2024-05-01 12:38:57 +02:00
|
|
|
|
finalPackage = mkOption {
|
|
|
|
|
|
type = types.package;
|
|
|
|
|
|
readOnly = true;
|
|
|
|
|
|
default = postgresql;
|
|
|
|
|
|
defaultText = "with config.services.postgresql; package.withPackages extensions";
|
|
|
|
|
|
description = ''
|
|
|
|
|
|
The postgresql package that will effectively be used in the system.
|
|
|
|
|
|
It consists of the base package with plugins applied to it.
|
|
|
|
|
|
'';
|
|
|
|
|
|
};
|
|
|
|
|
|
|
2025-03-02 11:06:49 +01:00
|
|
|
|
systemCallFilter = mkOption {
|
|
|
|
|
|
type = types.attrsOf (
|
|
|
|
|
|
types.coercedTo types.bool (enable: { inherit enable; }) (
|
|
|
|
|
|
types.submodule (
|
|
|
|
|
|
{ name, ... }:
|
|
|
|
|
|
{
|
|
|
|
|
|
options = {
|
|
|
|
|
|
enable = mkEnableOption "${name} in postgresql's syscall filter";
|
|
|
|
|
|
priority = mkOption {
|
|
|
|
|
|
default =
|
|
|
|
|
|
if hasPrefix "@" name then
|
|
|
|
|
|
500
|
|
|
|
|
|
else if hasPrefix "~@" name then
|
|
|
|
|
|
1000
|
|
|
|
|
|
else
|
|
|
|
|
|
1500;
|
|
|
|
|
|
defaultText = literalExpression ''
|
|
|
|
|
|
if hasPrefix "@" name then 500 else if hasPrefix "~@" name then 1000 else 1500
|
|
|
|
|
|
'';
|
|
|
|
|
|
type = types.int;
|
|
|
|
|
|
description = ''
|
|
|
|
|
|
Set the priority of the system call filter setting. Later declarations
|
|
|
|
|
|
override earlier ones, e.g.
|
|
|
|
|
|
|
|
|
|
|
|
```ini
|
|
|
|
|
|
[Service]
|
|
|
|
|
|
SystemCallFilter=~read write
|
|
|
|
|
|
SystemCallFilter=write
|
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
|
|
results in a service where _only_ `read` is not allowed.
|
|
|
|
|
|
|
|
|
|
|
|
The ordering in the unit file is controlled by this option: the higher
|
|
|
|
|
|
the number, the later it will be added to the filterset.
|
|
|
|
|
|
|
|
|
|
|
|
By default, depending on the prefix a priority is assigned: usually, call-groups
|
|
|
|
|
|
(starting with `@`) are used to allow/deny a larger set of syscalls and later
|
|
|
|
|
|
on single syscalls are configured for exceptions. Hence, syscall groups
|
|
|
|
|
|
and negative groups are placed before individual syscalls by default.
|
|
|
|
|
|
'';
|
|
|
|
|
|
};
|
|
|
|
|
|
};
|
|
|
|
|
|
}
|
|
|
|
|
|
)
|
|
|
|
|
|
)
|
|
|
|
|
|
);
|
|
|
|
|
|
defaultText = literalExpression ''
|
|
|
|
|
|
{
|
|
|
|
|
|
"@system-service" = true;
|
|
|
|
|
|
"~@privileged" = true;
|
|
|
|
|
|
"~@resources" = true;
|
|
|
|
|
|
}
|
|
|
|
|
|
'';
|
|
|
|
|
|
description = ''
|
|
|
|
|
|
Configures the syscall filter for `postgresql.service`. The keys are
|
|
|
|
|
|
declarations for `SystemCallFilter` as described in {manpage}`systemd.exec(5)`.
|
|
|
|
|
|
|
|
|
|
|
|
The value is a boolean: `true` adds the attribute name to the syscall filter-set,
|
|
|
|
|
|
`false` doesn't. This is done to allow downstream configurations to turn off
|
|
|
|
|
|
restrictions made here. E.g. with
|
|
|
|
|
|
|
|
|
|
|
|
```nix
|
|
|
|
|
|
{
|
|
|
|
|
|
services.postgresql.systemCallFilter."~@resources" = false;
|
|
|
|
|
|
}
|
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
|
|
it's possible to remove the restriction on `@resources` (keep in mind that
|
|
|
|
|
|
`@system-service` implies `@resources`).
|
|
|
|
|
|
|
|
|
|
|
|
As described in the section for [](#opt-services.postgresql.systemCallFilter._name_.priority),
|
|
|
|
|
|
the ordering matters. Hence, it's also possible to specify customizations with
|
|
|
|
|
|
|
|
|
|
|
|
```nix
|
|
|
|
|
|
{
|
|
|
|
|
|
services.postgresql.systemCallFilter = {
|
|
|
|
|
|
"foobar" = { enable = true; priority = 23; };
|
|
|
|
|
|
};
|
|
|
|
|
|
}
|
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
|
|
[](#opt-services.postgresql.systemCallFilter._name_.enable) is the flag whether
|
|
|
|
|
|
or not it will be added to the `SystemCallFilter` of `postgresql.service`.
|
|
|
|
|
|
|
|
|
|
|
|
Settings with a higher priority are added after filter settings with a lower
|
|
|
|
|
|
priority. Hence, syscall groups with a higher priority can discard declarations
|
|
|
|
|
|
with a lower priority.
|
|
|
|
|
|
|
|
|
|
|
|
By default, syscall groups (i.e. attribute names starting with `@`) are added
|
|
|
|
|
|
_before_ negated groups (i.e. `~@` as prefix) _before_ syscall names
|
|
|
|
|
|
and negations.
|
|
|
|
|
|
'';
|
|
|
|
|
|
};
|
|
|
|
|
|
|
2020-07-11 12:00:00 +00:00
|
|
|
|
checkConfig = mkOption {
|
|
|
|
|
|
type = types.bool;
|
|
|
|
|
|
default = true;
|
|
|
|
|
|
description = "Check the syntax of the configuration file at compile time";
|
|
|
|
|
|
};
|
|
|
|
|
|
|
2009-07-15 11:19:11 +00:00
|
|
|
|
dataDir = mkOption {
|
2013-10-30 17:37:45 +01:00
|
|
|
|
type = types.path;
|
2021-10-03 18:06:03 +02:00
|
|
|
|
defaultText = literalExpression ''"/var/lib/postgresql/''${config.services.postgresql.package.psqlSchema}"'';
|
2023-10-29 17:57:22 +01:00
|
|
|
|
example = "/var/lib/postgresql/15";
|
2009-07-15 11:19:11 +00:00
|
|
|
|
description = ''
|
2020-08-01 11:23:28 -04:00
|
|
|
|
The data directory for PostgreSQL. If left as the default value
|
|
|
|
|
|
this directory will automatically be created before the PostgreSQL server starts, otherwise
|
|
|
|
|
|
the sysadmin is responsible for ensuring the directory exists with appropriate ownership
|
|
|
|
|
|
and permissions.
|
2009-07-15 11:19:11 +00:00
|
|
|
|
'';
|
|
|
|
|
|
};
|
2011-09-14 18:20:50 +00:00
|
|
|
|
|
2009-07-15 11:19:11 +00:00
|
|
|
|
authentication = mkOption {
|
2013-10-30 17:37:45 +01:00
|
|
|
|
type = types.lines;
|
2012-03-19 16:49:13 +00:00
|
|
|
|
default = "";
|
2009-07-15 11:19:11 +00:00
|
|
|
|
description = ''
|
2020-10-31 00:35:19 -07:00
|
|
|
|
Defines how users authenticate themselves to the server. See the
|
|
|
|
|
|
[PostgreSQL documentation for pg_hba.conf](https://www.postgresql.org/docs/current/auth-pg-hba-conf.html)
|
|
|
|
|
|
for details on the expected format of this option. By default,
|
|
|
|
|
|
peer based authentication will be used for users connecting
|
|
|
|
|
|
via the Unix socket, and md5 password authentication will be
|
|
|
|
|
|
used for users connecting via TCP. Any added rules will be
|
|
|
|
|
|
inserted above the default rules. If you'd like to replace the
|
2022-08-13 11:54:07 +02:00
|
|
|
|
default rules entirely, you can use `lib.mkForce` in your
|
2020-10-31 00:35:19 -07:00
|
|
|
|
module.
|
2009-07-15 11:19:11 +00:00
|
|
|
|
'';
|
|
|
|
|
|
};
|
2011-09-14 18:20:50 +00:00
|
|
|
|
|
2009-12-02 17:18:25 +00:00
|
|
|
|
identMap = mkOption {
|
2013-10-30 17:37:45 +01:00
|
|
|
|
type = types.lines;
|
2009-12-02 17:18:25 +00:00
|
|
|
|
default = "";
|
2023-10-09 17:38:25 +02:00
|
|
|
|
example = ''
|
2023-08-17 19:21:16 +02:00
|
|
|
|
map-name-0 system-username-0 database-username-0
|
|
|
|
|
|
map-name-1 system-username-1 database-username-1
|
|
|
|
|
|
'';
|
2009-07-15 11:19:11 +00:00
|
|
|
|
description = ''
|
2009-12-02 17:18:25 +00:00
|
|
|
|
Defines the mapping from system users to database users.
|
2019-09-05 11:36:19 +10:00
|
|
|
|
|
2023-08-17 19:21:16 +02:00
|
|
|
|
See the [auth doc](https://postgresql.org/docs/current/auth-username-maps.html).
|
2025-05-05 10:31:21 +02:00
|
|
|
|
|
|
|
|
|
|
There is a default map "postgres" which is used for local peer authentication
|
|
|
|
|
|
as the postgres superuser role.
|
|
|
|
|
|
For example, to allow the root user to login as the postgres superuser, add:
|
|
|
|
|
|
|
|
|
|
|
|
```
|
|
|
|
|
|
postgres root postgres
|
|
|
|
|
|
```
|
2009-07-15 11:19:11 +00:00
|
|
|
|
'';
|
|
|
|
|
|
};
|
2011-09-14 18:20:50 +00:00
|
|
|
|
|
2019-07-24 23:34:21 +03:00
|
|
|
|
initdbArgs = mkOption {
|
2019-07-23 21:53:59 +03:00
|
|
|
|
type = with types; listOf str;
|
|
|
|
|
|
default = [ ];
|
2020-02-14 19:16:34 +02:00
|
|
|
|
example = [
|
|
|
|
|
|
"--data-checksums"
|
|
|
|
|
|
"--allow-group-access"
|
|
|
|
|
|
];
|
2019-07-23 21:53:59 +03:00
|
|
|
|
description = ''
|
2020-02-15 19:16:41 +01:00
|
|
|
|
Additional arguments passed to `initdb` during data dir
|
2019-07-23 21:53:59 +03:00
|
|
|
|
initialisation.
|
|
|
|
|
|
'';
|
|
|
|
|
|
};
|
|
|
|
|
|
|
2013-07-14 05:01:48 +02:00
|
|
|
|
initialScript = mkOption {
|
|
|
|
|
|
type = types.nullOr types.path;
|
2013-10-30 17:37:45 +01:00
|
|
|
|
default = null;
|
2023-08-17 20:18:45 +02:00
|
|
|
|
example = literalExpression ''
|
|
|
|
|
|
pkgs.writeText "init-sql-script" '''
|
|
|
|
|
|
alter user postgres with password 'myPassword';
|
|
|
|
|
|
''';'';
|
|
|
|
|
|
|
2013-07-14 05:01:48 +02:00
|
|
|
|
description = ''
|
|
|
|
|
|
A file containing SQL statements to execute on first startup.
|
|
|
|
|
|
'';
|
|
|
|
|
|
};
|
|
|
|
|
|
|
2019-02-24 21:33:16 -05:00
|
|
|
|
ensureDatabases = mkOption {
|
|
|
|
|
|
type = types.listOf types.str;
|
|
|
|
|
|
default = [ ];
|
|
|
|
|
|
description = ''
|
|
|
|
|
|
Ensures that the specified databases exist.
|
|
|
|
|
|
This option will never delete existing databases, especially not when the value of this
|
|
|
|
|
|
option is changed. This means that databases created once through this option or
|
|
|
|
|
|
otherwise have to be removed manually.
|
|
|
|
|
|
'';
|
|
|
|
|
|
example = [
|
|
|
|
|
|
"gitea"
|
|
|
|
|
|
"nextcloud"
|
|
|
|
|
|
];
|
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
|
|
ensureUsers = mkOption {
|
|
|
|
|
|
type = types.listOf (
|
|
|
|
|
|
types.submodule {
|
|
|
|
|
|
options = {
|
|
|
|
|
|
name = mkOption {
|
|
|
|
|
|
type = types.str;
|
|
|
|
|
|
description = ''
|
|
|
|
|
|
Name of the user to ensure.
|
|
|
|
|
|
'';
|
|
|
|
|
|
};
|
2022-11-11 11:41:57 -05:00
|
|
|
|
|
nixos/postgresql: drop ensurePermissions, fix ensureUsers for postgresql15
Closes #216989
First of all, a bit of context: in PostgreSQL, newly created users don't
have the CREATE privilege on the public schema of a database even with
`ALL PRIVILEGES` granted via `ensurePermissions` which is how most of
the DB users are currently set up "declaratively"[1]. This means e.g. a
freshly deployed Nextcloud service will break early because Nextcloud
itself cannot CREATE any tables in the public schema anymore.
The other issue here is that `ensurePermissions` is a mere hack. It's
effectively a mixture of SQL code (e.g. `DATABASE foo` is relying on how
a value is substituted in a query. You'd have to parse a subset of SQL
to actually know which object are permissions granted to for a user).
After analyzing the existing modules I realized that in every case with
a single exception[2] the UNIX system user is equal to the db user is
equal to the db name and I don't see a compelling reason why people
would change that in 99% of the cases. In fact, some modules would even
break if you'd change that because the declarations of the system user &
the db user are mixed up[3].
So I decided to go with something new which restricts the ways to use
`ensure*` options rather than expanding those[4]. Effectively this means
that
* The DB user _must_ be equal to the DB name.
* Permissions are granted via `ensureDBOwnerhip` for an attribute-set in
`ensureUsers`. That way, the user is actually the owner and can
perform `CREATE`.
* For such a postgres user, a database must be declared in
`ensureDatabases`.
For anything else, a custom state management should be implemented. This
can either be `initialScript`, doing it manual, outside of the module or
by implementing proper state management for postgresql[5], but the
current state of `ensure*` isn't even declarative, but a convergent tool
which is what Nix actually claims to _not_ do.
Regarding existing setups: there are effectively two options:
* Leave everything as-is (assuming that system user == db user == db
name): then the DB user will automatically become the DB owner and
everything else stays the same.
* Drop the `createDatabase = true;` declarations: nothing will change
because a removal of `ensure*` statements is ignored, so it doesn't
matter at all whether this option is kept after the first deploy (and
later on you'd usually restore from backups anyways).
The DB user isn't the owner of the DB then, but for an existing setup
this is irrelevant because CREATE on the public schema isn't revoked
from existing users (only not granted for new users).
[1] not really declarative though because removals of these statements
are simply ignored for instance: https://github.com/NixOS/nixpkgs/issues/206467
[2] `services.invidious`: I removed the `ensure*` part temporarily
because it IMHO falls into the category "manage the state on your
own" (see the commit message). See also
https://github.com/NixOS/nixpkgs/pull/265857
[3] e.g. roundcube had `"DATABASE ${cfg.database.username}" = "ALL PRIVILEGES";`
[4] As opposed to other changes that are considered a potential fix, but
also add more things like collation for DBs or passwords that are
_never_ touched again when changing those.
[5] As suggested in e.g. https://github.com/NixOS/nixpkgs/issues/206467
2023-11-08 12:50:09 +01:00
|
|
|
|
ensureDBOwnership = mkOption {
|
|
|
|
|
|
type = types.bool;
|
|
|
|
|
|
default = false;
|
|
|
|
|
|
description = ''
|
|
|
|
|
|
Grants the user ownership to a database with the same name.
|
|
|
|
|
|
This database must be defined manually in
|
|
|
|
|
|
[](#opt-services.postgresql.ensureDatabases).
|
2019-02-24 21:33:16 -05:00
|
|
|
|
'';
|
|
|
|
|
|
};
|
2022-11-11 11:41:57 -05:00
|
|
|
|
|
|
|
|
|
|
ensureClauses = mkOption {
|
|
|
|
|
|
description = ''
|
|
|
|
|
|
An attrset of clauses to grant to the user. Under the hood this uses the
|
|
|
|
|
|
[ALTER USER syntax](https://www.postgresql.org/docs/current/sql-alteruser.html) for each attrName where
|
|
|
|
|
|
the attrValue is true in the attrSet:
|
|
|
|
|
|
`ALTER USER user.name WITH attrName`
|
|
|
|
|
|
'';
|
|
|
|
|
|
example = literalExpression ''
|
|
|
|
|
|
{
|
|
|
|
|
|
superuser = true;
|
|
|
|
|
|
createrole = true;
|
|
|
|
|
|
createdb = true;
|
|
|
|
|
|
}
|
|
|
|
|
|
'';
|
|
|
|
|
|
default = { };
|
|
|
|
|
|
defaultText = lib.literalMD ''
|
2022-11-28 10:21:18 -05:00
|
|
|
|
The default, `null`, means that the user created will have the default permissions assigned by PostgreSQL. Subsequent server starts will not set or unset the clause, so imperative changes are preserved.
|
2022-11-11 11:41:57 -05:00
|
|
|
|
'';
|
|
|
|
|
|
type = types.submodule {
|
|
|
|
|
|
options =
|
|
|
|
|
|
let
|
|
|
|
|
|
defaultText = lib.literalMD ''
|
|
|
|
|
|
`null`: do not set. For newly created roles, use PostgreSQL's default. For existing roles, do not touch this clause.
|
|
|
|
|
|
'';
|
|
|
|
|
|
in
|
|
|
|
|
|
{
|
|
|
|
|
|
superuser = mkOption {
|
|
|
|
|
|
type = types.nullOr types.bool;
|
|
|
|
|
|
description = ''
|
|
|
|
|
|
Grants the user, created by the ensureUser attr, superuser permissions. From the postgres docs:
|
2024-12-10 20:26:33 +01:00
|
|
|
|
|
2022-11-11 11:41:57 -05:00
|
|
|
|
A database superuser bypasses all permission checks,
|
|
|
|
|
|
except the right to log in. This is a dangerous privilege
|
|
|
|
|
|
and should not be used carelessly; it is best to do most
|
|
|
|
|
|
of your work as a role that is not a superuser. To create
|
|
|
|
|
|
a new database superuser, use CREATE ROLE name SUPERUSER.
|
|
|
|
|
|
You must do this as a role that is already a superuser.
|
2024-12-10 20:26:33 +01:00
|
|
|
|
|
2022-11-11 11:41:57 -05:00
|
|
|
|
More information on postgres roles can be found [here](https://www.postgresql.org/docs/current/role-attributes.html)
|
|
|
|
|
|
'';
|
|
|
|
|
|
default = null;
|
|
|
|
|
|
inherit defaultText;
|
|
|
|
|
|
};
|
|
|
|
|
|
createrole = mkOption {
|
|
|
|
|
|
type = types.nullOr types.bool;
|
|
|
|
|
|
description = ''
|
|
|
|
|
|
Grants the user, created by the ensureUser attr, createrole permissions. From the postgres docs:
|
2024-12-10 20:26:33 +01:00
|
|
|
|
|
2022-11-11 11:41:57 -05:00
|
|
|
|
A role must be explicitly given permission to create more
|
|
|
|
|
|
roles (except for superusers, since those bypass all
|
|
|
|
|
|
permission checks). To create such a role, use CREATE
|
|
|
|
|
|
ROLE name CREATEROLE. A role with CREATEROLE privilege
|
|
|
|
|
|
can alter and drop other roles, too, as well as grant or
|
|
|
|
|
|
revoke membership in them. However, to create, alter,
|
|
|
|
|
|
drop, or change membership of a superuser role, superuser
|
|
|
|
|
|
status is required; CREATEROLE is insufficient for that.
|
2024-12-10 20:26:33 +01:00
|
|
|
|
|
2022-11-11 11:41:57 -05:00
|
|
|
|
More information on postgres roles can be found [here](https://www.postgresql.org/docs/current/role-attributes.html)
|
|
|
|
|
|
'';
|
|
|
|
|
|
default = null;
|
|
|
|
|
|
inherit defaultText;
|
|
|
|
|
|
};
|
|
|
|
|
|
createdb = mkOption {
|
|
|
|
|
|
type = types.nullOr types.bool;
|
|
|
|
|
|
description = ''
|
|
|
|
|
|
Grants the user, created by the ensureUser attr, createdb permissions. From the postgres docs:
|
2024-12-10 20:26:33 +01:00
|
|
|
|
|
2022-11-11 11:41:57 -05:00
|
|
|
|
A role must be explicitly given permission to create
|
|
|
|
|
|
databases (except for superusers, since those bypass all
|
|
|
|
|
|
permission checks). To create such a role, use CREATE
|
|
|
|
|
|
ROLE name CREATEDB.
|
2024-12-10 20:26:33 +01:00
|
|
|
|
|
2022-11-11 11:41:57 -05:00
|
|
|
|
More information on postgres roles can be found [here](https://www.postgresql.org/docs/current/role-attributes.html)
|
|
|
|
|
|
'';
|
|
|
|
|
|
default = null;
|
|
|
|
|
|
inherit defaultText;
|
|
|
|
|
|
};
|
|
|
|
|
|
"inherit" = mkOption {
|
|
|
|
|
|
type = types.nullOr types.bool;
|
|
|
|
|
|
description = ''
|
|
|
|
|
|
Grants the user created inherit permissions. From the postgres docs:
|
2024-12-10 20:26:33 +01:00
|
|
|
|
|
2022-11-11 11:41:57 -05:00
|
|
|
|
A role is given permission to inherit the privileges of
|
|
|
|
|
|
roles it is a member of, by default. However, to create a
|
|
|
|
|
|
role without the permission, use CREATE ROLE name
|
|
|
|
|
|
NOINHERIT.
|
2024-12-10 20:26:33 +01:00
|
|
|
|
|
2022-11-11 11:41:57 -05:00
|
|
|
|
More information on postgres roles can be found [here](https://www.postgresql.org/docs/current/role-attributes.html)
|
|
|
|
|
|
'';
|
|
|
|
|
|
default = null;
|
|
|
|
|
|
inherit defaultText;
|
|
|
|
|
|
};
|
|
|
|
|
|
login = mkOption {
|
|
|
|
|
|
type = types.nullOr types.bool;
|
|
|
|
|
|
description = ''
|
|
|
|
|
|
Grants the user, created by the ensureUser attr, login permissions. From the postgres docs:
|
2024-12-10 20:26:33 +01:00
|
|
|
|
|
2022-11-11 11:41:57 -05:00
|
|
|
|
Only roles that have the LOGIN attribute can be used as
|
|
|
|
|
|
the initial role name for a database connection. A role
|
|
|
|
|
|
with the LOGIN attribute can be considered the same as a
|
|
|
|
|
|
“database user”. To create a role with login privilege,
|
|
|
|
|
|
use either:
|
2024-12-10 20:26:33 +01:00
|
|
|
|
|
2022-11-11 11:41:57 -05:00
|
|
|
|
CREATE ROLE name LOGIN; CREATE USER name;
|
2024-12-10 20:26:33 +01:00
|
|
|
|
|
2022-11-11 11:41:57 -05:00
|
|
|
|
(CREATE USER is equivalent to CREATE ROLE except that
|
|
|
|
|
|
CREATE USER includes LOGIN by default, while CREATE ROLE
|
|
|
|
|
|
does not.)
|
2024-12-10 20:26:33 +01:00
|
|
|
|
|
2022-11-11 11:41:57 -05:00
|
|
|
|
More information on postgres roles can be found [here](https://www.postgresql.org/docs/current/role-attributes.html)
|
|
|
|
|
|
'';
|
|
|
|
|
|
default = null;
|
|
|
|
|
|
inherit defaultText;
|
|
|
|
|
|
};
|
|
|
|
|
|
replication = mkOption {
|
|
|
|
|
|
type = types.nullOr types.bool;
|
|
|
|
|
|
description = ''
|
|
|
|
|
|
Grants the user, created by the ensureUser attr, replication permissions. From the postgres docs:
|
2024-12-10 20:26:33 +01:00
|
|
|
|
|
2022-11-11 11:41:57 -05:00
|
|
|
|
A role must explicitly be given permission to initiate
|
|
|
|
|
|
streaming replication (except for superusers, since those
|
|
|
|
|
|
bypass all permission checks). A role used for streaming
|
|
|
|
|
|
replication must have LOGIN permission as well. To create
|
|
|
|
|
|
such a role, use CREATE ROLE name REPLICATION LOGIN.
|
2024-12-10 20:26:33 +01:00
|
|
|
|
|
2022-11-11 11:41:57 -05:00
|
|
|
|
More information on postgres roles can be found [here](https://www.postgresql.org/docs/current/role-attributes.html)
|
|
|
|
|
|
'';
|
|
|
|
|
|
default = null;
|
|
|
|
|
|
inherit defaultText;
|
|
|
|
|
|
};
|
|
|
|
|
|
bypassrls = mkOption {
|
|
|
|
|
|
type = types.nullOr types.bool;
|
|
|
|
|
|
description = ''
|
|
|
|
|
|
Grants the user, created by the ensureUser attr, replication permissions. From the postgres docs:
|
2024-12-10 20:26:33 +01:00
|
|
|
|
|
2022-11-11 11:41:57 -05:00
|
|
|
|
A role must be explicitly given permission to bypass
|
|
|
|
|
|
every row-level security (RLS) policy (except for
|
|
|
|
|
|
superusers, since those bypass all permission checks). To
|
|
|
|
|
|
create such a role, use CREATE ROLE name BYPASSRLS as a
|
|
|
|
|
|
superuser.
|
2024-12-10 20:26:33 +01:00
|
|
|
|
|
2022-11-11 11:41:57 -05:00
|
|
|
|
More information on postgres roles can be found [here](https://www.postgresql.org/docs/current/role-attributes.html)
|
|
|
|
|
|
'';
|
|
|
|
|
|
default = null;
|
|
|
|
|
|
inherit defaultText;
|
2024-12-10 20:26:33 +01:00
|
|
|
|
};
|
2022-11-11 11:41:57 -05:00
|
|
|
|
};
|
|
|
|
|
|
};
|
|
|
|
|
|
};
|
|
|
|
|
|
};
|
2019-02-24 21:33:16 -05:00
|
|
|
|
}
|
|
|
|
|
|
);
|
|
|
|
|
|
default = [ ];
|
|
|
|
|
|
description = ''
|
nixos/postgresql: drop ensurePermissions, fix ensureUsers for postgresql15
Closes #216989
First of all, a bit of context: in PostgreSQL, newly created users don't
have the CREATE privilege on the public schema of a database even with
`ALL PRIVILEGES` granted via `ensurePermissions` which is how most of
the DB users are currently set up "declaratively"[1]. This means e.g. a
freshly deployed Nextcloud service will break early because Nextcloud
itself cannot CREATE any tables in the public schema anymore.
The other issue here is that `ensurePermissions` is a mere hack. It's
effectively a mixture of SQL code (e.g. `DATABASE foo` is relying on how
a value is substituted in a query. You'd have to parse a subset of SQL
to actually know which object are permissions granted to for a user).
After analyzing the existing modules I realized that in every case with
a single exception[2] the UNIX system user is equal to the db user is
equal to the db name and I don't see a compelling reason why people
would change that in 99% of the cases. In fact, some modules would even
break if you'd change that because the declarations of the system user &
the db user are mixed up[3].
So I decided to go with something new which restricts the ways to use
`ensure*` options rather than expanding those[4]. Effectively this means
that
* The DB user _must_ be equal to the DB name.
* Permissions are granted via `ensureDBOwnerhip` for an attribute-set in
`ensureUsers`. That way, the user is actually the owner and can
perform `CREATE`.
* For such a postgres user, a database must be declared in
`ensureDatabases`.
For anything else, a custom state management should be implemented. This
can either be `initialScript`, doing it manual, outside of the module or
by implementing proper state management for postgresql[5], but the
current state of `ensure*` isn't even declarative, but a convergent tool
which is what Nix actually claims to _not_ do.
Regarding existing setups: there are effectively two options:
* Leave everything as-is (assuming that system user == db user == db
name): then the DB user will automatically become the DB owner and
everything else stays the same.
* Drop the `createDatabase = true;` declarations: nothing will change
because a removal of `ensure*` statements is ignored, so it doesn't
matter at all whether this option is kept after the first deploy (and
later on you'd usually restore from backups anyways).
The DB user isn't the owner of the DB then, but for an existing setup
this is irrelevant because CREATE on the public schema isn't revoked
from existing users (only not granted for new users).
[1] not really declarative though because removals of these statements
are simply ignored for instance: https://github.com/NixOS/nixpkgs/issues/206467
[2] `services.invidious`: I removed the `ensure*` part temporarily
because it IMHO falls into the category "manage the state on your
own" (see the commit message). See also
https://github.com/NixOS/nixpkgs/pull/265857
[3] e.g. roundcube had `"DATABASE ${cfg.database.username}" = "ALL PRIVILEGES";`
[4] As opposed to other changes that are considered a potential fix, but
also add more things like collation for DBs or passwords that are
_never_ touched again when changing those.
[5] As suggested in e.g. https://github.com/NixOS/nixpkgs/issues/206467
2023-11-08 12:50:09 +01:00
|
|
|
|
Ensures that the specified users exist.
|
2019-02-24 21:33:16 -05:00
|
|
|
|
The PostgreSQL users will be identified using peer authentication. This authenticates the Unix user with the
|
|
|
|
|
|
same name only, and that without the need for a password.
|
nixos/postgresql: drop ensurePermissions, fix ensureUsers for postgresql15
Closes #216989
First of all, a bit of context: in PostgreSQL, newly created users don't
have the CREATE privilege on the public schema of a database even with
`ALL PRIVILEGES` granted via `ensurePermissions` which is how most of
the DB users are currently set up "declaratively"[1]. This means e.g. a
freshly deployed Nextcloud service will break early because Nextcloud
itself cannot CREATE any tables in the public schema anymore.
The other issue here is that `ensurePermissions` is a mere hack. It's
effectively a mixture of SQL code (e.g. `DATABASE foo` is relying on how
a value is substituted in a query. You'd have to parse a subset of SQL
to actually know which object are permissions granted to for a user).
After analyzing the existing modules I realized that in every case with
a single exception[2] the UNIX system user is equal to the db user is
equal to the db name and I don't see a compelling reason why people
would change that in 99% of the cases. In fact, some modules would even
break if you'd change that because the declarations of the system user &
the db user are mixed up[3].
So I decided to go with something new which restricts the ways to use
`ensure*` options rather than expanding those[4]. Effectively this means
that
* The DB user _must_ be equal to the DB name.
* Permissions are granted via `ensureDBOwnerhip` for an attribute-set in
`ensureUsers`. That way, the user is actually the owner and can
perform `CREATE`.
* For such a postgres user, a database must be declared in
`ensureDatabases`.
For anything else, a custom state management should be implemented. This
can either be `initialScript`, doing it manual, outside of the module or
by implementing proper state management for postgresql[5], but the
current state of `ensure*` isn't even declarative, but a convergent tool
which is what Nix actually claims to _not_ do.
Regarding existing setups: there are effectively two options:
* Leave everything as-is (assuming that system user == db user == db
name): then the DB user will automatically become the DB owner and
everything else stays the same.
* Drop the `createDatabase = true;` declarations: nothing will change
because a removal of `ensure*` statements is ignored, so it doesn't
matter at all whether this option is kept after the first deploy (and
later on you'd usually restore from backups anyways).
The DB user isn't the owner of the DB then, but for an existing setup
this is irrelevant because CREATE on the public schema isn't revoked
from existing users (only not granted for new users).
[1] not really declarative though because removals of these statements
are simply ignored for instance: https://github.com/NixOS/nixpkgs/issues/206467
[2] `services.invidious`: I removed the `ensure*` part temporarily
because it IMHO falls into the category "manage the state on your
own" (see the commit message). See also
https://github.com/NixOS/nixpkgs/pull/265857
[3] e.g. roundcube had `"DATABASE ${cfg.database.username}" = "ALL PRIVILEGES";`
[4] As opposed to other changes that are considered a potential fix, but
also add more things like collation for DBs or passwords that are
_never_ touched again when changing those.
[5] As suggested in e.g. https://github.com/NixOS/nixpkgs/issues/206467
2023-11-08 12:50:09 +01:00
|
|
|
|
This option will never delete existing users or remove DB ownership of databases
|
|
|
|
|
|
once granted with `ensureDBOwnership = true;`. This means that this must be
|
|
|
|
|
|
cleaned up manually when changing after changing the config in here.
|
2019-02-24 21:33:16 -05:00
|
|
|
|
'';
|
2021-10-03 18:06:03 +02:00
|
|
|
|
example = literalExpression ''
|
2019-02-24 21:33:16 -05:00
|
|
|
|
[
|
|
|
|
|
|
{
|
|
|
|
|
|
name = "nextcloud";
|
|
|
|
|
|
}
|
|
|
|
|
|
{
|
|
|
|
|
|
name = "superuser";
|
nixos/postgresql: drop ensurePermissions, fix ensureUsers for postgresql15
Closes #216989
First of all, a bit of context: in PostgreSQL, newly created users don't
have the CREATE privilege on the public schema of a database even with
`ALL PRIVILEGES` granted via `ensurePermissions` which is how most of
the DB users are currently set up "declaratively"[1]. This means e.g. a
freshly deployed Nextcloud service will break early because Nextcloud
itself cannot CREATE any tables in the public schema anymore.
The other issue here is that `ensurePermissions` is a mere hack. It's
effectively a mixture of SQL code (e.g. `DATABASE foo` is relying on how
a value is substituted in a query. You'd have to parse a subset of SQL
to actually know which object are permissions granted to for a user).
After analyzing the existing modules I realized that in every case with
a single exception[2] the UNIX system user is equal to the db user is
equal to the db name and I don't see a compelling reason why people
would change that in 99% of the cases. In fact, some modules would even
break if you'd change that because the declarations of the system user &
the db user are mixed up[3].
So I decided to go with something new which restricts the ways to use
`ensure*` options rather than expanding those[4]. Effectively this means
that
* The DB user _must_ be equal to the DB name.
* Permissions are granted via `ensureDBOwnerhip` for an attribute-set in
`ensureUsers`. That way, the user is actually the owner and can
perform `CREATE`.
* For such a postgres user, a database must be declared in
`ensureDatabases`.
For anything else, a custom state management should be implemented. This
can either be `initialScript`, doing it manual, outside of the module or
by implementing proper state management for postgresql[5], but the
current state of `ensure*` isn't even declarative, but a convergent tool
which is what Nix actually claims to _not_ do.
Regarding existing setups: there are effectively two options:
* Leave everything as-is (assuming that system user == db user == db
name): then the DB user will automatically become the DB owner and
everything else stays the same.
* Drop the `createDatabase = true;` declarations: nothing will change
because a removal of `ensure*` statements is ignored, so it doesn't
matter at all whether this option is kept after the first deploy (and
later on you'd usually restore from backups anyways).
The DB user isn't the owner of the DB then, but for an existing setup
this is irrelevant because CREATE on the public schema isn't revoked
from existing users (only not granted for new users).
[1] not really declarative though because removals of these statements
are simply ignored for instance: https://github.com/NixOS/nixpkgs/issues/206467
[2] `services.invidious`: I removed the `ensure*` part temporarily
because it IMHO falls into the category "manage the state on your
own" (see the commit message). See also
https://github.com/NixOS/nixpkgs/pull/265857
[3] e.g. roundcube had `"DATABASE ${cfg.database.username}" = "ALL PRIVILEGES";`
[4] As opposed to other changes that are considered a potential fix, but
also add more things like collation for DBs or passwords that are
_never_ touched again when changing those.
[5] As suggested in e.g. https://github.com/NixOS/nixpkgs/issues/206467
2023-11-08 12:50:09 +01:00
|
|
|
|
ensureDBOwnership = true;
|
2019-02-24 21:33:16 -05:00
|
|
|
|
}
|
|
|
|
|
|
]
|
|
|
|
|
|
'';
|
|
|
|
|
|
};
|
|
|
|
|
|
|
2009-07-15 11:19:11 +00:00
|
|
|
|
enableTCPIP = mkOption {
|
2013-10-30 17:37:45 +01:00
|
|
|
|
type = types.bool;
|
2009-07-15 11:19:11 +00:00
|
|
|
|
default = false;
|
|
|
|
|
|
description = ''
|
2013-11-27 12:36:32 +01:00
|
|
|
|
Whether PostgreSQL should listen on all network interfaces.
|
|
|
|
|
|
If disabled, the database can only be accessed via its Unix
|
|
|
|
|
|
domain socket or via TCP connections to localhost.
|
2009-07-15 11:19:11 +00:00
|
|
|
|
'';
|
|
|
|
|
|
};
|
2010-05-09 20:42:00 +00:00
|
|
|
|
|
2024-11-11 23:23:46 +01:00
|
|
|
|
extensions = mkOption {
|
2023-09-26 22:47:10 +02:00
|
|
|
|
type = with types; coercedTo (listOf path) (path: _ignorePg: path) (functionTo (listOf path));
|
|
|
|
|
|
default = _: [ ];
|
|
|
|
|
|
example = literalExpression "ps: with ps; [ postgis pg_repack ]";
|
2010-05-09 20:42:00 +00:00
|
|
|
|
description = ''
|
2024-11-11 23:23:46 +01:00
|
|
|
|
List of PostgreSQL extensions to install.
|
2010-05-09 20:42:00 +00:00
|
|
|
|
'';
|
|
|
|
|
|
};
|
2011-09-14 18:20:50 +00:00
|
|
|
|
|
2020-08-01 10:02:14 -04:00
|
|
|
|
settings = mkOption {
|
2024-03-17 11:54:30 +01:00
|
|
|
|
type =
|
|
|
|
|
|
with types;
|
|
|
|
|
|
submodule {
|
|
|
|
|
|
freeformType = attrsOf (oneOf [
|
|
|
|
|
|
bool
|
|
|
|
|
|
float
|
|
|
|
|
|
int
|
|
|
|
|
|
str
|
|
|
|
|
|
]);
|
|
|
|
|
|
options = {
|
|
|
|
|
|
shared_preload_libraries = mkOption {
|
2025-03-10 18:06:32 +01:00
|
|
|
|
type = nullOr (coercedTo (listOf str) (concatStringsSep ",") commas);
|
2024-03-17 11:54:30 +01:00
|
|
|
|
default = null;
|
|
|
|
|
|
example = literalExpression ''[ "auto_explain" "anon" ]'';
|
|
|
|
|
|
description = ''
|
|
|
|
|
|
List of libraries to be preloaded.
|
|
|
|
|
|
'';
|
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
|
|
log_line_prefix = mkOption {
|
|
|
|
|
|
type = types.str;
|
|
|
|
|
|
default = "[%p] ";
|
|
|
|
|
|
example = "%m [%p] ";
|
|
|
|
|
|
description = ''
|
|
|
|
|
|
A printf-style string that is output at the beginning of each log line.
|
|
|
|
|
|
Upstream default is `'%m [%p] '`, i.e. it includes the timestamp. We do
|
|
|
|
|
|
not include the timestamp, because journal has it anyway.
|
|
|
|
|
|
'';
|
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
|
|
port = mkOption {
|
|
|
|
|
|
type = types.port;
|
|
|
|
|
|
default = 5432;
|
|
|
|
|
|
description = ''
|
|
|
|
|
|
The port on which PostgreSQL listens.
|
|
|
|
|
|
'';
|
2024-12-10 20:26:33 +01:00
|
|
|
|
};
|
2024-03-17 11:54:30 +01:00
|
|
|
|
};
|
|
|
|
|
|
};
|
2020-08-01 10:02:14 -04:00
|
|
|
|
default = { };
|
|
|
|
|
|
description = ''
|
|
|
|
|
|
PostgreSQL configuration. Refer to
|
2023-09-26 22:49:27 +02:00
|
|
|
|
<https://www.postgresql.org/docs/current/config-setting.html#CONFIG-SETTING-CONFIGURATION-FILE>
|
2020-08-01 10:02:14 -04:00
|
|
|
|
for an overview of `postgresql.conf`.
|
|
|
|
|
|
|
|
|
|
|
|
::: {.note}
|
|
|
|
|
|
String values will automatically be enclosed in single quotes. Single quotes will be
|
|
|
|
|
|
escaped with two single quotes as described by the upstream documentation linked above.
|
2022-08-30 02:30:04 +02:00
|
|
|
|
:::
|
2020-08-01 10:02:14 -04:00
|
|
|
|
'';
|
2021-10-03 18:06:03 +02:00
|
|
|
|
example = literalExpression ''
|
2020-08-01 10:02:14 -04:00
|
|
|
|
{
|
|
|
|
|
|
log_connections = true;
|
|
|
|
|
|
log_statement = "all";
|
2023-07-27 11:48:25 +02:00
|
|
|
|
logging_collector = true;
|
|
|
|
|
|
log_disconnections = true;
|
2020-08-01 10:02:14 -04:00
|
|
|
|
log_destination = lib.mkForce "syslog";
|
|
|
|
|
|
}
|
|
|
|
|
|
'';
|
2011-06-27 10:15:26 +00:00
|
|
|
|
};
|
2013-07-14 05:04:10 +02:00
|
|
|
|
|
2017-09-02 21:23:56 +02:00
|
|
|
|
superUser = mkOption {
|
|
|
|
|
|
type = types.str;
|
2020-08-12 21:06:31 -04:00
|
|
|
|
default = "postgres";
|
2017-09-02 21:23:56 +02:00
|
|
|
|
internal = true;
|
2020-08-12 21:06:31 -04:00
|
|
|
|
readOnly = true;
|
2017-09-02 21:23:56 +02:00
|
|
|
|
description = ''
|
2020-08-12 21:06:31 -04:00
|
|
|
|
PostgreSQL superuser account to use for various operations. Internal since changing
|
|
|
|
|
|
this value would lead to breakage while setting up databases.
|
2017-09-02 21:23:56 +02:00
|
|
|
|
'';
|
|
|
|
|
|
};
|
2009-07-15 11:19:11 +00:00
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
|
|
};
|
2008-02-18 11:56:43 +00:00
|
|
|
|
|
2009-07-15 11:19:11 +00:00
|
|
|
|
###### implementation
|
2011-09-14 18:20:50 +00:00
|
|
|
|
|
2019-07-23 21:53:59 +03:00
|
|
|
|
config = mkIf cfg.enable {
|
2009-07-15 11:19:11 +00:00
|
|
|
|
|
2023-11-13 17:11:06 +01:00
|
|
|
|
assertions = map (
|
|
|
|
|
|
{ name, ensureDBOwnership, ... }:
|
2020-08-01 10:02:14 -04:00
|
|
|
|
{
|
|
|
|
|
|
assertion = ensureDBOwnership -> elem name cfg.ensureDatabases;
|
2023-11-13 17:11:06 +01:00
|
|
|
|
message = ''
|
2020-08-01 10:02:14 -04:00
|
|
|
|
For each database user defined with `services.postgresql.ensureUsers` and
|
2023-03-20 11:15:12 +01:00
|
|
|
|
`ensureDBOwnership = true;`, a database with the same name must be defined
|
|
|
|
|
|
in `services.postgresql.ensureDatabases`.
|
2020-08-01 10:02:14 -04:00
|
|
|
|
|
2024-11-02 16:52:02 +01:00
|
|
|
|
Offender: ${name} has not been found among databases.
|
|
|
|
|
|
'';
|
2024-12-10 20:26:33 +01:00
|
|
|
|
}
|
2023-11-13 17:11:06 +01:00
|
|
|
|
) cfg.ensureUsers;
|
2024-12-10 20:26:33 +01:00
|
|
|
|
|
2024-07-24 10:43:02 +02:00
|
|
|
|
services.postgresql.settings = {
|
|
|
|
|
|
hba_file = "${pkgs.writeText "pg_hba.conf" cfg.authentication}";
|
2020-08-01 10:02:14 -04:00
|
|
|
|
ident_file = "${pkgs.writeText "pg_ident.conf" cfg.identMap}";
|
|
|
|
|
|
log_destination = "stderr";
|
|
|
|
|
|
listen_addresses = if cfg.enableTCPIP then "*" else "localhost";
|
2023-03-20 11:15:12 +01:00
|
|
|
|
jit = mkDefault (if cfg.enableJIT then "on" else "off");
|
2024-12-10 20:26:33 +01:00
|
|
|
|
};
|
|
|
|
|
|
|
2021-12-03 01:00:48 +01:00
|
|
|
|
services.postgresql.package =
|
2024-12-10 20:26:33 +01:00
|
|
|
|
let
|
2024-07-24 10:43:02 +02:00
|
|
|
|
mkThrow = ver: throw "postgresql_${ver} was removed, please upgrade your postgresql version.";
|
2024-12-10 20:26:33 +01:00
|
|
|
|
mkWarn =
|
|
|
|
|
|
ver:
|
|
|
|
|
|
warn ''
|
2024-07-24 10:43:02 +02:00
|
|
|
|
The postgresql package is not pinned and selected automatically by
|
2024-11-16 20:59:04 -05:00
|
|
|
|
`system.stateVersion`. Right now this is `pkgs.postgresql_${ver}`, the
|
2024-11-02 16:52:02 +01:00
|
|
|
|
oldest postgresql version available and thus the next that will be
|
|
|
|
|
|
removed when EOL on the next stable cycle.
|
2024-12-10 20:26:33 +01:00
|
|
|
|
|
2024-11-02 16:52:02 +01:00
|
|
|
|
See also https://endoflife.date/postgresql
|
2024-12-10 20:26:33 +01:00
|
|
|
|
'';
|
|
|
|
|
|
base =
|
2024-07-24 10:43:02 +02:00
|
|
|
|
if versionAtLeast config.system.stateVersion "24.11" then
|
|
|
|
|
|
pkgs.postgresql_16
|
|
|
|
|
|
else if versionAtLeast config.system.stateVersion "23.11" then
|
2023-09-09 18:11:51 +01:00
|
|
|
|
pkgs.postgresql_15
|
|
|
|
|
|
else if versionAtLeast config.system.stateVersion "22.05" then
|
2024-11-02 16:52:02 +01:00
|
|
|
|
pkgs.postgresql_14
|
|
|
|
|
|
else if versionAtLeast config.system.stateVersion "21.11" then
|
|
|
|
|
|
mkWarn "13" pkgs.postgresql_13
|
2023-10-29 17:57:22 +01:00
|
|
|
|
else if versionAtLeast config.system.stateVersion "20.03" then
|
|
|
|
|
|
mkThrow "11"
|
2023-03-20 11:15:12 +01:00
|
|
|
|
else if versionAtLeast config.system.stateVersion "17.09" then
|
|
|
|
|
|
mkThrow "9_6"
|
|
|
|
|
|
else
|
|
|
|
|
|
mkThrow "9_5";
|
2021-12-03 01:00:48 +01:00
|
|
|
|
in
|
2015-07-27 20:26:19 +02:00
|
|
|
|
# Note: when changing the default, make it conditional on
|
2018-07-25 23:22:54 +03:00
|
|
|
|
# ‘system.stateVersion’ to maintain compatibility with existing
|
2015-07-27 20:26:19 +02:00
|
|
|
|
# systems!
|
2023-03-20 11:15:12 +01:00
|
|
|
|
mkDefault (if cfg.enableJIT then base.withJIT else base);
|
2017-05-30 22:05:39 +02:00
|
|
|
|
|
2020-08-01 10:44:17 -04:00
|
|
|
|
services.postgresql.dataDir = mkDefault "/var/lib/postgresql/${cfg.package.psqlSchema}";
|
2019-07-23 21:53:59 +03:00
|
|
|
|
|
2023-08-17 19:19:54 +02:00
|
|
|
|
services.postgresql.authentication = mkMerge [
|
|
|
|
|
|
(mkBefore "# Generated file; do not edit!")
|
|
|
|
|
|
(mkAfter ''
|
|
|
|
|
|
# default value of services.postgresql.authentication
|
2025-05-05 10:31:21 +02:00
|
|
|
|
local all postgres peer map=postgres
|
2020-02-16 06:55:35 +09:00
|
|
|
|
local all all peer
|
2012-03-19 16:49:13 +00:00
|
|
|
|
host all all 127.0.0.1/32 md5
|
|
|
|
|
|
host all all ::1/128 md5
|
2023-08-17 19:19:54 +02:00
|
|
|
|
'')
|
|
|
|
|
|
];
|
2012-08-06 11:45:59 -04:00
|
|
|
|
|
2025-05-05 10:31:21 +02:00
|
|
|
|
# The default allows to login with the same database username as the current system user.
|
|
|
|
|
|
# This is the default for peer authentication without a map, but needs to be made explicit
|
|
|
|
|
|
# once a map is used.
|
|
|
|
|
|
services.postgresql.identMap = mkAfter ''
|
|
|
|
|
|
postgres postgres postgres
|
|
|
|
|
|
'';
|
|
|
|
|
|
|
2025-03-02 11:06:49 +01:00
|
|
|
|
services.postgresql.systemCallFilter = mkMerge [
|
|
|
|
|
|
(mapAttrs (const mkDefault) {
|
|
|
|
|
|
"@system-service" = true;
|
|
|
|
|
|
"~@privileged" = true;
|
|
|
|
|
|
"~@resources" = true;
|
|
|
|
|
|
})
|
|
|
|
|
|
(mkIf (any extensionInstalled [ "plv8" ]) {
|
|
|
|
|
|
"@pkey" = true;
|
|
|
|
|
|
})
|
|
|
|
|
|
(mkIf (any extensionInstalled [ "citus" ]) {
|
|
|
|
|
|
"getpriority" = true;
|
|
|
|
|
|
"setpriority" = true;
|
|
|
|
|
|
})
|
|
|
|
|
|
];
|
|
|
|
|
|
|
2018-06-30 01:58:35 +02:00
|
|
|
|
users.users.postgres = {
|
2009-03-06 12:27:02 +00:00
|
|
|
|
name = "postgres";
|
2013-08-23 11:33:24 +02:00
|
|
|
|
uid = config.ids.uids.postgres;
|
|
|
|
|
|
group = "postgres";
|
2009-03-06 12:27:02 +00:00
|
|
|
|
description = "PostgreSQL server user";
|
2018-09-26 12:11:28 +01:00
|
|
|
|
home = "${cfg.dataDir}";
|
|
|
|
|
|
useDefaultShell = true;
|
2009-07-15 11:19:11 +00:00
|
|
|
|
};
|
2009-03-06 12:27:02 +00:00
|
|
|
|
|
2018-06-30 01:58:35 +02:00
|
|
|
|
users.groups.postgres.gid = config.ids.gids.postgres;
|
2009-03-06 12:27:02 +00:00
|
|
|
|
|
2024-05-01 12:38:57 +02:00
|
|
|
|
environment.systemPackages = [ cfg.finalPackage ];
|
2009-03-06 12:27:02 +00:00
|
|
|
|
|
2019-08-07 14:17:36 +03:00
|
|
|
|
environment.pathsToLink = [
|
|
|
|
|
|
"/share/postgresql"
|
|
|
|
|
|
];
|
|
|
|
|
|
|
2023-05-11 18:42:17 +02:00
|
|
|
|
system.checks = lib.optional (
|
|
|
|
|
|
cfg.checkConfig && pkgs.stdenv.hostPlatform == pkgs.stdenv.buildPlatform
|
|
|
|
|
|
) configFileCheck;
|
2020-07-11 12:00:00 +00:00
|
|
|
|
|
2013-01-16 12:33:18 +01:00
|
|
|
|
systemd.services.postgresql = {
|
2012-12-18 13:40:04 +01:00
|
|
|
|
description = "PostgreSQL Server";
|
2009-03-06 12:27:02 +00:00
|
|
|
|
|
2012-08-14 18:15:37 -04:00
|
|
|
|
wantedBy = [ "multi-user.target" ];
|
2012-12-18 13:40:04 +01:00
|
|
|
|
after = [ "network.target" ];
|
2009-03-06 12:27:02 +00:00
|
|
|
|
|
2013-04-22 18:56:19 +02:00
|
|
|
|
environment.PGDATA = cfg.dataDir;
|
2009-11-06 22:56:47 +00:00
|
|
|
|
|
2024-05-01 12:38:57 +02:00
|
|
|
|
path = [ cfg.finalPackage ];
|
2012-03-19 16:49:13 +00:00
|
|
|
|
|
2009-10-12 17:09:38 +00:00
|
|
|
|
preStart = ''
|
2015-07-02 00:08:02 -07:00
|
|
|
|
if ! test -e ${cfg.dataDir}/PG_VERSION; then
|
2020-08-01 11:39:18 -04:00
|
|
|
|
# Cleanup the data directory.
|
2016-02-09 03:07:23 +03:00
|
|
|
|
rm -f ${cfg.dataDir}/*.conf
|
2009-12-02 17:18:25 +00:00
|
|
|
|
|
2020-08-01 11:39:18 -04:00
|
|
|
|
# Initialise the database.
|
2024-09-29 20:43:30 +02:00
|
|
|
|
initdb -U ${cfg.superUser} ${escapeShellArgs cfg.initdbArgs}
|
2020-08-01 11:39:18 -04:00
|
|
|
|
|
2016-02-09 03:07:23 +03:00
|
|
|
|
# See postStart!
|
|
|
|
|
|
touch "${cfg.dataDir}/.first_startup"
|
|
|
|
|
|
fi
|
2020-08-01 11:39:18 -04:00
|
|
|
|
|
2020-07-11 12:00:00 +00:00
|
|
|
|
ln -sfn "${configFile}/postgresql.conf" "${cfg.dataDir}/postgresql.conf"
|
2016-02-09 03:07:23 +03:00
|
|
|
|
'';
|
2009-11-06 23:37:31 +00:00
|
|
|
|
|
2020-08-12 21:12:24 -04:00
|
|
|
|
# Wait for PostgreSQL to be ready to accept connections.
|
|
|
|
|
|
postStart =
|
nixos/postgresql: drop ensurePermissions, fix ensureUsers for postgresql15
Closes #216989
First of all, a bit of context: in PostgreSQL, newly created users don't
have the CREATE privilege on the public schema of a database even with
`ALL PRIVILEGES` granted via `ensurePermissions` which is how most of
the DB users are currently set up "declaratively"[1]. This means e.g. a
freshly deployed Nextcloud service will break early because Nextcloud
itself cannot CREATE any tables in the public schema anymore.
The other issue here is that `ensurePermissions` is a mere hack. It's
effectively a mixture of SQL code (e.g. `DATABASE foo` is relying on how
a value is substituted in a query. You'd have to parse a subset of SQL
to actually know which object are permissions granted to for a user).
After analyzing the existing modules I realized that in every case with
a single exception[2] the UNIX system user is equal to the db user is
equal to the db name and I don't see a compelling reason why people
would change that in 99% of the cases. In fact, some modules would even
break if you'd change that because the declarations of the system user &
the db user are mixed up[3].
So I decided to go with something new which restricts the ways to use
`ensure*` options rather than expanding those[4]. Effectively this means
that
* The DB user _must_ be equal to the DB name.
* Permissions are granted via `ensureDBOwnerhip` for an attribute-set in
`ensureUsers`. That way, the user is actually the owner and can
perform `CREATE`.
* For such a postgres user, a database must be declared in
`ensureDatabases`.
For anything else, a custom state management should be implemented. This
can either be `initialScript`, doing it manual, outside of the module or
by implementing proper state management for postgresql[5], but the
current state of `ensure*` isn't even declarative, but a convergent tool
which is what Nix actually claims to _not_ do.
Regarding existing setups: there are effectively two options:
* Leave everything as-is (assuming that system user == db user == db
name): then the DB user will automatically become the DB owner and
everything else stays the same.
* Drop the `createDatabase = true;` declarations: nothing will change
because a removal of `ensure*` statements is ignored, so it doesn't
matter at all whether this option is kept after the first deploy (and
later on you'd usually restore from backups anyways).
The DB user isn't the owner of the DB then, but for an existing setup
this is irrelevant because CREATE on the public schema isn't revoked
from existing users (only not granted for new users).
[1] not really declarative though because removals of these statements
are simply ignored for instance: https://github.com/NixOS/nixpkgs/issues/206467
[2] `services.invidious`: I removed the `ensure*` part temporarily
because it IMHO falls into the category "manage the state on your
own" (see the commit message). See also
https://github.com/NixOS/nixpkgs/pull/265857
[3] e.g. roundcube had `"DATABASE ${cfg.database.username}" = "ALL PRIVILEGES";`
[4] As opposed to other changes that are considered a potential fix, but
also add more things like collation for DBs or passwords that are
_never_ touched again when changing those.
[5] As suggested in e.g. https://github.com/NixOS/nixpkgs/issues/206467
2023-11-08 12:50:09 +01:00
|
|
|
|
''
|
2022-11-11 11:41:57 -05:00
|
|
|
|
PSQL="psql --port=${builtins.toString cfg.settings.port}"
|
2020-08-12 21:12:24 -04:00
|
|
|
|
|
2012-03-19 16:49:13 +00:00
|
|
|
|
while ! $PSQL -d postgres -c "" 2> /dev/null; do
|
2024-11-10 17:08:59 +01:00
|
|
|
|
if ! kill -0 "$MAINPID"; then exit 1; fi
|
2024-09-27 19:24:59 +02:00
|
|
|
|
sleep 0.1
|
|
|
|
|
|
done
|
2012-10-01 16:47:54 -04:00
|
|
|
|
|
2020-08-12 21:12:24 -04:00
|
|
|
|
if test -e "${cfg.dataDir}/.first_startup"; then
|
|
|
|
|
|
${optionalString (cfg.initialScript != null) ''
|
|
|
|
|
|
$PSQL -f "${cfg.initialScript}" -d postgres
|
2024-12-10 20:26:33 +01:00
|
|
|
|
''}
|
2020-08-12 21:12:24 -04:00
|
|
|
|
rm -f "${cfg.dataDir}/.first_startup"
|
2024-12-10 20:26:33 +01:00
|
|
|
|
fi
|
|
|
|
|
|
''
|
2020-08-12 21:12:24 -04:00
|
|
|
|
+ optionalString (cfg.ensureDatabases != [ ]) ''
|
|
|
|
|
|
${concatMapStrings (database: ''
|
|
|
|
|
|
$PSQL -tAc "SELECT 1 FROM pg_database WHERE datname = '${database}'" | grep -q 1 || $PSQL -tAc 'CREATE DATABASE "${database}"'
|
|
|
|
|
|
'') cfg.ensureDatabases}
|
2024-12-10 20:26:33 +01:00
|
|
|
|
''
|
|
|
|
|
|
+ ''
|
2020-08-12 21:12:24 -04:00
|
|
|
|
${concatMapStrings (
|
2024-12-10 20:26:33 +01:00
|
|
|
|
user:
|
|
|
|
|
|
let
|
nixos/postgresql: drop ensurePermissions, fix ensureUsers for postgresql15
Closes #216989
First of all, a bit of context: in PostgreSQL, newly created users don't
have the CREATE privilege on the public schema of a database even with
`ALL PRIVILEGES` granted via `ensurePermissions` which is how most of
the DB users are currently set up "declaratively"[1]. This means e.g. a
freshly deployed Nextcloud service will break early because Nextcloud
itself cannot CREATE any tables in the public schema anymore.
The other issue here is that `ensurePermissions` is a mere hack. It's
effectively a mixture of SQL code (e.g. `DATABASE foo` is relying on how
a value is substituted in a query. You'd have to parse a subset of SQL
to actually know which object are permissions granted to for a user).
After analyzing the existing modules I realized that in every case with
a single exception[2] the UNIX system user is equal to the db user is
equal to the db name and I don't see a compelling reason why people
would change that in 99% of the cases. In fact, some modules would even
break if you'd change that because the declarations of the system user &
the db user are mixed up[3].
So I decided to go with something new which restricts the ways to use
`ensure*` options rather than expanding those[4]. Effectively this means
that
* The DB user _must_ be equal to the DB name.
* Permissions are granted via `ensureDBOwnerhip` for an attribute-set in
`ensureUsers`. That way, the user is actually the owner and can
perform `CREATE`.
* For such a postgres user, a database must be declared in
`ensureDatabases`.
For anything else, a custom state management should be implemented. This
can either be `initialScript`, doing it manual, outside of the module or
by implementing proper state management for postgresql[5], but the
current state of `ensure*` isn't even declarative, but a convergent tool
which is what Nix actually claims to _not_ do.
Regarding existing setups: there are effectively two options:
* Leave everything as-is (assuming that system user == db user == db
name): then the DB user will automatically become the DB owner and
everything else stays the same.
* Drop the `createDatabase = true;` declarations: nothing will change
because a removal of `ensure*` statements is ignored, so it doesn't
matter at all whether this option is kept after the first deploy (and
later on you'd usually restore from backups anyways).
The DB user isn't the owner of the DB then, but for an existing setup
this is irrelevant because CREATE on the public schema isn't revoked
from existing users (only not granted for new users).
[1] not really declarative though because removals of these statements
are simply ignored for instance: https://github.com/NixOS/nixpkgs/issues/206467
[2] `services.invidious`: I removed the `ensure*` part temporarily
because it IMHO falls into the category "manage the state on your
own" (see the commit message). See also
https://github.com/NixOS/nixpkgs/pull/265857
[3] e.g. roundcube had `"DATABASE ${cfg.database.username}" = "ALL PRIVILEGES";`
[4] As opposed to other changes that are considered a potential fix, but
also add more things like collation for DBs or passwords that are
_never_ touched again when changing those.
[5] As suggested in e.g. https://github.com/NixOS/nixpkgs/issues/206467
2023-11-08 12:50:09 +01:00
|
|
|
|
dbOwnershipStmt = optionalString user.ensureDBOwnership ''$PSQL -tAc 'ALTER DATABASE "${user.name}" OWNER TO "${user.name}";' '';
|
2024-12-10 20:26:33 +01:00
|
|
|
|
|
2022-11-11 11:41:57 -05:00
|
|
|
|
filteredClauses = filterAttrs (name: value: value != null) user.ensureClauses;
|
2024-12-10 20:26:33 +01:00
|
|
|
|
|
2022-11-11 11:41:57 -05:00
|
|
|
|
clauseSqlStatements = attrValues (mapAttrs (n: v: if v then n else "no${n}") filteredClauses);
|
2024-12-10 20:26:33 +01:00
|
|
|
|
|
2022-11-11 11:41:57 -05:00
|
|
|
|
userClauses = ''$PSQL -tAc 'ALTER ROLE "${user.name}" ${concatStringsSep " " clauseSqlStatements}' '';
|
2024-12-10 20:26:33 +01:00
|
|
|
|
in
|
|
|
|
|
|
''
|
2022-11-11 11:41:57 -05:00
|
|
|
|
$PSQL -tAc "SELECT 1 FROM pg_roles WHERE rolname='${user.name}'" | grep -q 1 || $PSQL -tAc 'CREATE USER "${user.name}"'
|
|
|
|
|
|
${userClauses}
|
2024-12-10 20:26:33 +01:00
|
|
|
|
|
nixos/postgresql: drop ensurePermissions, fix ensureUsers for postgresql15
Closes #216989
First of all, a bit of context: in PostgreSQL, newly created users don't
have the CREATE privilege on the public schema of a database even with
`ALL PRIVILEGES` granted via `ensurePermissions` which is how most of
the DB users are currently set up "declaratively"[1]. This means e.g. a
freshly deployed Nextcloud service will break early because Nextcloud
itself cannot CREATE any tables in the public schema anymore.
The other issue here is that `ensurePermissions` is a mere hack. It's
effectively a mixture of SQL code (e.g. `DATABASE foo` is relying on how
a value is substituted in a query. You'd have to parse a subset of SQL
to actually know which object are permissions granted to for a user).
After analyzing the existing modules I realized that in every case with
a single exception[2] the UNIX system user is equal to the db user is
equal to the db name and I don't see a compelling reason why people
would change that in 99% of the cases. In fact, some modules would even
break if you'd change that because the declarations of the system user &
the db user are mixed up[3].
So I decided to go with something new which restricts the ways to use
`ensure*` options rather than expanding those[4]. Effectively this means
that
* The DB user _must_ be equal to the DB name.
* Permissions are granted via `ensureDBOwnerhip` for an attribute-set in
`ensureUsers`. That way, the user is actually the owner and can
perform `CREATE`.
* For such a postgres user, a database must be declared in
`ensureDatabases`.
For anything else, a custom state management should be implemented. This
can either be `initialScript`, doing it manual, outside of the module or
by implementing proper state management for postgresql[5], but the
current state of `ensure*` isn't even declarative, but a convergent tool
which is what Nix actually claims to _not_ do.
Regarding existing setups: there are effectively two options:
* Leave everything as-is (assuming that system user == db user == db
name): then the DB user will automatically become the DB owner and
everything else stays the same.
* Drop the `createDatabase = true;` declarations: nothing will change
because a removal of `ensure*` statements is ignored, so it doesn't
matter at all whether this option is kept after the first deploy (and
later on you'd usually restore from backups anyways).
The DB user isn't the owner of the DB then, but for an existing setup
this is irrelevant because CREATE on the public schema isn't revoked
from existing users (only not granted for new users).
[1] not really declarative though because removals of these statements
are simply ignored for instance: https://github.com/NixOS/nixpkgs/issues/206467
[2] `services.invidious`: I removed the `ensure*` part temporarily
because it IMHO falls into the category "manage the state on your
own" (see the commit message). See also
https://github.com/NixOS/nixpkgs/pull/265857
[3] e.g. roundcube had `"DATABASE ${cfg.database.username}" = "ALL PRIVILEGES";`
[4] As opposed to other changes that are considered a potential fix, but
also add more things like collation for DBs or passwords that are
_never_ touched again when changing those.
[5] As suggested in e.g. https://github.com/NixOS/nixpkgs/issues/206467
2023-11-08 12:50:09 +01:00
|
|
|
|
${dbOwnershipStmt}
|
2024-12-10 20:26:33 +01:00
|
|
|
|
''
|
2023-11-13 17:11:06 +01:00
|
|
|
|
) cfg.ensureUsers}
|
2024-12-10 20:26:33 +01:00
|
|
|
|
'';
|
|
|
|
|
|
|
2020-08-01 11:23:28 -04:00
|
|
|
|
serviceConfig = mkMerge [
|
2024-12-10 20:26:33 +01:00
|
|
|
|
{
|
2016-02-09 03:07:23 +03:00
|
|
|
|
ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
|
2012-10-01 16:47:54 -04:00
|
|
|
|
User = "postgres";
|
|
|
|
|
|
Group = "postgres";
|
2019-03-15 04:52:35 +01:00
|
|
|
|
RuntimeDirectory = "postgresql";
|
2019-07-24 23:34:21 +03:00
|
|
|
|
Type = if versionAtLeast cfg.package.version "9.6" then "notify" else "simple";
|
2024-12-10 20:26:33 +01:00
|
|
|
|
|
2012-10-01 16:47:54 -04:00
|
|
|
|
# Shut down Postgres using SIGINT ("Fast Shutdown mode"). See
|
2023-10-30 21:41:44 +01:00
|
|
|
|
# https://www.postgresql.org/docs/current/server-shutdown.html
|
2012-10-01 16:27:42 -04:00
|
|
|
|
KillSignal = "SIGINT";
|
2014-04-18 17:32:24 +02:00
|
|
|
|
KillMode = "mixed";
|
2024-12-10 20:26:33 +01:00
|
|
|
|
|
2012-03-19 16:49:13 +00:00
|
|
|
|
# Give Postgres a decent amount of time to clean up after
|
2012-08-06 11:45:59 -04:00
|
|
|
|
# receiving systemd's SIGINT.
|
2013-05-07 14:59:08 +02:00
|
|
|
|
TimeoutSec = 120;
|
2024-12-10 20:26:33 +01:00
|
|
|
|
|
2024-05-01 12:38:57 +02:00
|
|
|
|
ExecStart = "${cfg.finalPackage}/bin/postgres";
|
2024-12-10 20:26:33 +01:00
|
|
|
|
|
2024-09-27 19:24:59 +02:00
|
|
|
|
# Hardening
|
|
|
|
|
|
CapabilityBoundingSet = [ "" ];
|
|
|
|
|
|
DevicePolicy = "closed";
|
2024-09-30 17:23:10 +02:00
|
|
|
|
PrivateTmp = true;
|
2024-09-27 19:24:59 +02:00
|
|
|
|
ProtectHome = true;
|
|
|
|
|
|
ProtectSystem = "strict";
|
2024-11-10 17:08:59 +01:00
|
|
|
|
MemoryDenyWriteExecute = lib.mkDefault (
|
|
|
|
|
|
cfg.settings.jit == "off" && (!any extensionInstalled [ "plv8" ])
|
2024-12-10 20:26:33 +01:00
|
|
|
|
);
|
2024-09-27 19:24:59 +02:00
|
|
|
|
NoNewPrivileges = true;
|
|
|
|
|
|
LockPersonality = true;
|
|
|
|
|
|
PrivateDevices = true;
|
2024-09-30 17:23:10 +02:00
|
|
|
|
PrivateMounts = true;
|
2024-09-27 19:24:59 +02:00
|
|
|
|
ProcSubset = "pid";
|
|
|
|
|
|
ProtectClock = true;
|
|
|
|
|
|
ProtectControlGroups = true;
|
|
|
|
|
|
ProtectHostname = true;
|
|
|
|
|
|
ProtectKernelLogs = true;
|
|
|
|
|
|
ProtectKernelModules = true;
|
|
|
|
|
|
ProtectKernelTunables = true;
|
|
|
|
|
|
ProtectProc = "invisible";
|
|
|
|
|
|
RemoveIPC = true;
|
|
|
|
|
|
RestrictAddressFamilies = [
|
|
|
|
|
|
"AF_INET"
|
|
|
|
|
|
"AF_INET6"
|
|
|
|
|
|
"AF_NETLINK" # used for network interface enumeration
|
|
|
|
|
|
"AF_UNIX"
|
2024-12-10 20:26:33 +01:00
|
|
|
|
];
|
2024-09-27 19:24:59 +02:00
|
|
|
|
RestrictNamespaces = true;
|
|
|
|
|
|
RestrictRealtime = true;
|
|
|
|
|
|
RestrictSUIDSGID = true;
|
|
|
|
|
|
SystemCallArchitectures = "native";
|
2025-03-02 11:06:49 +01:00
|
|
|
|
SystemCallFilter = pipe cfg.systemCallFilter [
|
|
|
|
|
|
(mapAttrsToList (name: v: v // { inherit name; }))
|
|
|
|
|
|
(filter (getAttr "enable"))
|
|
|
|
|
|
sortProperties
|
|
|
|
|
|
(map (getAttr "name"))
|
|
|
|
|
|
];
|
2024-09-27 19:24:59 +02:00
|
|
|
|
UMask = if groupAccessAvailable then "0027" else "0077";
|
2024-12-10 20:26:33 +01:00
|
|
|
|
}
|
2025-01-08 16:05:38 +01:00
|
|
|
|
(mkIf (cfg.dataDir != "/var/lib/postgresql/${cfg.package.psqlSchema}") {
|
|
|
|
|
|
# The user provides their own data directory
|
2024-09-27 19:24:59 +02:00
|
|
|
|
ReadWritePaths = [ cfg.dataDir ];
|
2024-12-10 20:26:33 +01:00
|
|
|
|
})
|
2020-08-01 11:23:28 -04:00
|
|
|
|
(mkIf (cfg.dataDir == "/var/lib/postgresql/${cfg.package.psqlSchema}") {
|
2025-01-08 16:05:38 +01:00
|
|
|
|
# Provision the default data directory
|
2020-08-01 11:23:28 -04:00
|
|
|
|
StateDirectory = "postgresql postgresql/${cfg.package.psqlSchema}";
|
|
|
|
|
|
StateDirectoryMode = if groupAccessAvailable then "0750" else "0700";
|
2024-12-10 20:26:33 +01:00
|
|
|
|
})
|
|
|
|
|
|
];
|
|
|
|
|
|
|
2012-10-01 16:53:13 -04:00
|
|
|
|
unitConfig.RequiresMountsFor = "${cfg.dataDir}";
|
2009-10-12 17:09:38 +00:00
|
|
|
|
};
|
2009-03-06 12:27:02 +00:00
|
|
|
|
};
|
2011-09-14 18:20:50 +00:00
|
|
|
|
|
2023-01-25 00:33:40 +01:00
|
|
|
|
meta.doc = ./postgresql.md;
|
2019-07-22 02:57:16 +03:00
|
|
|
|
meta.maintainers = with lib.maintainers; [
|
|
|
|
|
|
thoughtpolice
|
|
|
|
|
|
danbst
|
|
|
|
|
|
];
|
2007-12-03 04:48:31 +00:00
|
|
|
|
}
|