nixos/postgresql: escape initdbArgs

It doesn't look correct that this isn't the case already.
2025-06-10 19:55:41 +03:00 · 2024-09-29 20:43:30 +02:00 · 2024-09-29 20:43:30 +02:00 · 11d1f8776c
commit 11d1f8776c
parent 0e78dc369c
3 changed files with 6 additions and 3 deletions
--- a/nixos/doc/manual/release-notes/rl-2411.section.md
+++ b/nixos/doc/manual/release-notes/rl-2411.section.md
@ -569,6 +569,8 @@

 - `restic` module now has an option for inhibiting system sleep while backups are running, defaulting to off (not inhibiting sleep), available as [`services.restic.backups.<name>.inhibitsSleep`](#opt-services.restic.backups._name_.inhibitsSleep).

+- The arguments from [](#opt-services.postgresql.initdbArgs) now get shell-escaped.
+
 - Support for *runner registration tokens* has been [deprecated](https://gitlab.com/gitlab-org/gitlab/-/issues/380872)
  in `gitlab-runner` 15.6 and is expected to be removed in `gitlab-runner` 18.0. Configuration of existing runners
  should be changed to using *runner authentication tokens* by configuring
--- a/nixos/modules/services/databases/postgresql.md
+++ b/nixos/modules/services/databases/postgresql.md
@ -187,7 +187,7 @@ $ nix-instantiate --eval -A postgresql_13.psqlSchema
 ```
 For an upgrade, a script like this can be used to simplify the process:
 ```nix
-{ config, pkgs, ... }:
+{ config, lib, pkgs, ... }:
 {
  environment.systemPackages = [
    (let
@ -211,7 +211,7 @@ For an upgrade, a script like this can be used to simplify the process:

      install -d -m 0700 -o postgres -g postgres "$NEWDATA"
      cd "$NEWDATA"
-      sudo -u postgres $NEWBIN/initdb -D "$NEWDATA" ${builtins.concatStringsSep " " cfg.initdbArgs}
+      sudo -u postgres $NEWBIN/initdb -D "$NEWDATA" ${lib.escapeShellArgs cfg.initdbArgs}

      sudo -u postgres $NEWBIN/pg_upgrade \
        --old-datadir "$OLDDATA" --new-datadir "$NEWDATA" \
--- a/nixos/modules/services/databases/postgresql.nix
+++ b/nixos/modules/services/databases/postgresql.nix
@ -7,6 +7,7 @@ let
    concatStringsSep
    const
    elem
+    escapeShellArgs
    filterAttrs
    isString
    literalExpression
@ -545,7 +546,7 @@ in
              rm -f ${cfg.dataDir}/*.conf

              # Initialise the database.
-              initdb -U ${cfg.superUser} ${concatStringsSep " " cfg.initdbArgs}
+              initdb -U ${cfg.superUser} ${escapeShellArgs cfg.initdbArgs}

              # See postStart!
              touch "${cfg.dataDir}/.first_startup"