movefasta/nixpkgs
1
0
Fork 0
mirror of https://github.com/NixOS/nixpkgs.git synced 2025-06-10 19:55:41 +03:00
Code Issues Projects Releases Packages Wiki Activity

treewide: format all inactive Nix files

Browse source 
After final improvements to the official formatter implementation,
this commit now performs the first treewide reformat of Nix files using it.
This is part of the implementation of RFC 166.

Only "inactive" files are reformatted, meaning only files that
aren't being touched by any PR with activity in the past 2 months.
This is to avoid conflicts for PRs that might soon be merged.
Later we can do a full treewide reformat to get the rest,
which should not cause as many conflicts.

A CI check has already been running for some time to ensure that new and
already-formatted files are formatted, so the files being reformatted here
should also stay formatted.

This commit was automatically created and can be verified using

    nix-build a08b3a4d19.tar.gz \
      --argstr baseRev b32a094368
    result/bin/apply-formatting $NIXPKGS_PATH
This commit is contained in:
Silvan Mosberger 2024-12-10 20:26:33 +01:00
parent b32a094368
commit 4f0dadbf38
21293 changed files with 701351 additions and 428307 deletions
Download patch file Download diff file Expand all files Collapse all files

799
nixos/modules/services/databases/postgresql.nix
View file

@ -1,4 +1,9 @@
{ config, lib, pkgs, ... }:
{
config,
lib,
pkgs,
...
}:
let
inherit (lib)
@ -39,24 +44,29 @@ let
# package = pkgs.postgresql_<major>;
# };
# works.
basePackage = if cfg.enableJIT
then cfg.package.withJIT
else cfg.package.withoutJIT;
basePackage = if cfg.enableJIT then cfg.package.withJIT else cfg.package.withoutJIT;
postgresql = if cfg.extensions == []
then basePackage
else basePackage.withPackages cfg.extensions;
postgresql = if cfg.extensions == [ ] then basePackage else basePackage.withPackages cfg.extensions;
toStr = value:
if true == value then "yes"
else if false == value then "no"
else if isString value then "'${lib.replaceStrings ["'"] ["''"] value}'"
else builtins.toString value;
toStr =
value:
if true == value then
"yes"
else if false == value then
"no"
else if isString value then
"'${lib.replaceStrings [ "'" ] [ "''" ] value}'"
else
builtins.toString value;
# The main PostgreSQL configuration file.
configFile = pkgs.writeTextDir "postgresql.conf" (concatStringsSep "\n" (mapAttrsToList (n: v: "${n} = ${toStr v}") (filterAttrs (const (x: x != null)) cfg.settings)));
configFile = pkgs.writeTextDir "postgresql.conf" (
concatStringsSep "\n" (
mapAttrsToList (n: v: "${n} = ${toStr v}") (filterAttrs (const (x: x != null)) cfg.settings)
)
);
configFileCheck = pkgs.runCommand "postgresql-configfile-check" {} ''
configFileCheck = pkgs.runCommand "postgresql-configfile-check" { } ''
${cfg.package}/bin/postgres -D${configFile} -C config_file >/dev/null
touch $out
'';
@ -69,11 +79,24 @@ in
{
imports = [
(mkRemovedOptionModule [ "services" "postgresql" "extraConfig" ] "Use services.postgresql.settings instead.")
(mkRemovedOptionModule [
"services"
"postgresql"
"extraConfig"
] "Use services.postgresql.settings instead.")
(mkRenamedOptionModule [ "services" "postgresql" "logLinePrefix" ] [ "services" "postgresql" "settings" "log_line_prefix" ])
(mkRenamedOptionModule [ "services" "postgresql" "port" ] [ "services" "postgresql" "settings" "port" ])
(mkRenamedOptionModule [ "services" "postgresql" "extraPlugins" ] [ "services" "postgresql" "extensions" ])
(mkRenamedOptionModule
[ "services" "postgresql" "logLinePrefix" ]
[ "services" "postgresql" "settings" "log_line_prefix" ]
)
(mkRenamedOptionModule
[ "services" "postgresql" "port" ]
[ "services" "postgresql" "settings" "port" ]
)
(mkRenamedOptionModule
[ "services" "postgresql" "extraPlugins" ]
[ "services" "postgresql" "extensions" ]
)
];
###### interface
@ -140,8 +163,11 @@ in
initdbArgs = mkOption {
type = with types; listOf str;
default = [];
example = [ "--data-checksums" "--allow-group-access" ];
default = [ ];
example = [
"--data-checksums"
"--allow-group-access"
];
description = ''
Additional arguments passed to `initdb` during data dir
initialisation.
@ -163,7 +189,7 @@ in
ensureDatabases = mkOption {
type = types.listOf types.str;
default = [];
default = [ ];
description = ''
Ensures that the specified databases exist.
This option will never delete existing databases, especially not when the value of this
@ -177,175 +203,179 @@ in
};
ensureUsers = mkOption {
type = types.listOf (types.submodule {
options = {
name = mkOption {
type = types.str;
description = ''
Name of the user to ensure.
'';
};
type = types.listOf (
types.submodule {
options = {
name = mkOption {
type = types.str;
description = ''
Name of the user to ensure.
'';
};
ensureDBOwnership = mkOption {
type = types.bool;
default = false;
description = ''
Grants the user ownership to a database with the same name.
This database must be defined manually in
[](#opt-services.postgresql.ensureDatabases).
'';
};
ensureDBOwnership = mkOption {
type = types.bool;
default = false;
description = ''
Grants the user ownership to a database with the same name.
This database must be defined manually in
[](#opt-services.postgresql.ensureDatabases).
'';
};
ensureClauses = mkOption {
description = ''
An attrset of clauses to grant to the user. Under the hood this uses the
[ALTER USER syntax](https://www.postgresql.org/docs/current/sql-alteruser.html) for each attrName where
the attrValue is true in the attrSet:
`ALTER USER user.name WITH attrName`
'';
example = literalExpression ''
{
superuser = true;
createrole = true;
createdb = true;
}
'';
default = {};
defaultText = lib.literalMD ''
The default, `null`, means that the user created will have the default permissions assigned by PostgreSQL. Subsequent server starts will not set or unset the clause, so imperative changes are preserved.
'';
type = types.submodule {
options = let
defaultText = lib.literalMD ''
`null`: do not set. For newly created roles, use PostgreSQL's default. For existing roles, do not touch this clause.
'';
in {
superuser = mkOption {
type = types.nullOr types.bool;
description = ''
Grants the user, created by the ensureUser attr, superuser permissions. From the postgres docs:
ensureClauses = mkOption {
description = ''
An attrset of clauses to grant to the user. Under the hood this uses the
[ALTER USER syntax](https://www.postgresql.org/docs/current/sql-alteruser.html) for each attrName where
the attrValue is true in the attrSet:
`ALTER USER user.name WITH attrName`
'';
example = literalExpression ''
{
superuser = true;
createrole = true;
createdb = true;
}
'';
default = { };
defaultText = lib.literalMD ''
The default, `null`, means that the user created will have the default permissions assigned by PostgreSQL. Subsequent server starts will not set or unset the clause, so imperative changes are preserved.
'';
type = types.submodule {
options =
let
defaultText = lib.literalMD ''
`null`: do not set. For newly created roles, use PostgreSQL's default. For existing roles, do not touch this clause.
'';
in
{
superuser = mkOption {
type = types.nullOr types.bool;
description = ''
Grants the user, created by the ensureUser attr, superuser permissions. From the postgres docs:
A database superuser bypasses all permission checks,
except the right to log in. This is a dangerous privilege
and should not be used carelessly; it is best to do most
of your work as a role that is not a superuser. To create
a new database superuser, use CREATE ROLE name SUPERUSER.
You must do this as a role that is already a superuser.
A database superuser bypasses all permission checks,
except the right to log in. This is a dangerous privilege
and should not be used carelessly; it is best to do most
of your work as a role that is not a superuser. To create
a new database superuser, use CREATE ROLE name SUPERUSER.
You must do this as a role that is already a superuser.
More information on postgres roles can be found [here](https://www.postgresql.org/docs/current/role-attributes.html)
'';
default = null;
inherit defaultText;
};
createrole = mkOption {
type = types.nullOr types.bool;
description = ''
Grants the user, created by the ensureUser attr, createrole permissions. From the postgres docs:
More information on postgres roles can be found [here](https://www.postgresql.org/docs/current/role-attributes.html)
'';
default = null;
inherit defaultText;
};
createrole = mkOption {
type = types.nullOr types.bool;
description = ''
Grants the user, created by the ensureUser attr, createrole permissions. From the postgres docs:
A role must be explicitly given permission to create more
roles (except for superusers, since those bypass all
permission checks). To create such a role, use CREATE
ROLE name CREATEROLE. A role with CREATEROLE privilege
can alter and drop other roles, too, as well as grant or
revoke membership in them. However, to create, alter,
drop, or change membership of a superuser role, superuser
status is required; CREATEROLE is insufficient for that.
A role must be explicitly given permission to create more
roles (except for superusers, since those bypass all
permission checks). To create such a role, use CREATE
ROLE name CREATEROLE. A role with CREATEROLE privilege
can alter and drop other roles, too, as well as grant or
revoke membership in them. However, to create, alter,
drop, or change membership of a superuser role, superuser
status is required; CREATEROLE is insufficient for that.
More information on postgres roles can be found [here](https://www.postgresql.org/docs/current/role-attributes.html)
'';
default = null;
inherit defaultText;
};
createdb = mkOption {
type = types.nullOr types.bool;
description = ''
Grants the user, created by the ensureUser attr, createdb permissions. From the postgres docs:
More information on postgres roles can be found [here](https://www.postgresql.org/docs/current/role-attributes.html)
'';
default = null;
inherit defaultText;
};
createdb = mkOption {
type = types.nullOr types.bool;
description = ''
Grants the user, created by the ensureUser attr, createdb permissions. From the postgres docs:
A role must be explicitly given permission to create
databases (except for superusers, since those bypass all
permission checks). To create such a role, use CREATE
ROLE name CREATEDB.
A role must be explicitly given permission to create
databases (except for superusers, since those bypass all
permission checks). To create such a role, use CREATE
ROLE name CREATEDB.
More information on postgres roles can be found [here](https://www.postgresql.org/docs/current/role-attributes.html)
'';
default = null;
inherit defaultText;
};
"inherit" = mkOption {
type = types.nullOr types.bool;
description = ''
Grants the user created inherit permissions. From the postgres docs:
More information on postgres roles can be found [here](https://www.postgresql.org/docs/current/role-attributes.html)
'';
default = null;
inherit defaultText;
};
"inherit" = mkOption {
type = types.nullOr types.bool;
description = ''
Grants the user created inherit permissions. From the postgres docs:
A role is given permission to inherit the privileges of
roles it is a member of, by default. However, to create a
role without the permission, use CREATE ROLE name
NOINHERIT.
A role is given permission to inherit the privileges of
roles it is a member of, by default. However, to create a
role without the permission, use CREATE ROLE name
NOINHERIT.
More information on postgres roles can be found [here](https://www.postgresql.org/docs/current/role-attributes.html)
'';
default = null;
inherit defaultText;
};
login = mkOption {
type = types.nullOr types.bool;
description = ''
Grants the user, created by the ensureUser attr, login permissions. From the postgres docs:
More information on postgres roles can be found [here](https://www.postgresql.org/docs/current/role-attributes.html)
'';
default = null;
inherit defaultText;
};
login = mkOption {
type = types.nullOr types.bool;
description = ''
Grants the user, created by the ensureUser attr, login permissions. From the postgres docs:
Only roles that have the LOGIN attribute can be used as
the initial role name for a database connection. A role
with the LOGIN attribute can be considered the same as a
database user. To create a role with login privilege,
use either:
Only roles that have the LOGIN attribute can be used as
the initial role name for a database connection. A role
with the LOGIN attribute can be considered the same as a
database user. To create a role with login privilege,
use either:
CREATE ROLE name LOGIN; CREATE USER name;
CREATE ROLE name LOGIN; CREATE USER name;
(CREATE USER is equivalent to CREATE ROLE except that
CREATE USER includes LOGIN by default, while CREATE ROLE
does not.)
(CREATE USER is equivalent to CREATE ROLE except that
CREATE USER includes LOGIN by default, while CREATE ROLE
does not.)
More information on postgres roles can be found [here](https://www.postgresql.org/docs/current/role-attributes.html)
'';
default = null;
inherit defaultText;
};
replication = mkOption {
type = types.nullOr types.bool;
description = ''
Grants the user, created by the ensureUser attr, replication permissions. From the postgres docs:
More information on postgres roles can be found [here](https://www.postgresql.org/docs/current/role-attributes.html)
'';
default = null;
inherit defaultText;
};
replication = mkOption {
type = types.nullOr types.bool;
description = ''
Grants the user, created by the ensureUser attr, replication permissions. From the postgres docs:
A role must explicitly be given permission to initiate
streaming replication (except for superusers, since those
bypass all permission checks). A role used for streaming
replication must have LOGIN permission as well. To create
such a role, use CREATE ROLE name REPLICATION LOGIN.
A role must explicitly be given permission to initiate
streaming replication (except for superusers, since those
bypass all permission checks). A role used for streaming
replication must have LOGIN permission as well. To create
such a role, use CREATE ROLE name REPLICATION LOGIN.
More information on postgres roles can be found [here](https://www.postgresql.org/docs/current/role-attributes.html)
'';
default = null;
inherit defaultText;
};
bypassrls = mkOption {
type = types.nullOr types.bool;
description = ''
Grants the user, created by the ensureUser attr, replication permissions. From the postgres docs:
More information on postgres roles can be found [here](https://www.postgresql.org/docs/current/role-attributes.html)
'';
default = null;
inherit defaultText;
};
bypassrls = mkOption {
type = types.nullOr types.bool;
description = ''
Grants the user, created by the ensureUser attr, replication permissions. From the postgres docs:
A role must be explicitly given permission to bypass
every row-level security (RLS) policy (except for
superusers, since those bypass all permission checks). To
create such a role, use CREATE ROLE name BYPASSRLS as a
superuser.
A role must be explicitly given permission to bypass
every row-level security (RLS) policy (except for
superusers, since those bypass all permission checks). To
create such a role, use CREATE ROLE name BYPASSRLS as a
superuser.
More information on postgres roles can be found [here](https://www.postgresql.org/docs/current/role-attributes.html)
'';
default = null;
inherit defaultText;
};
More information on postgres roles can be found [here](https://www.postgresql.org/docs/current/role-attributes.html)
'';
default = null;
inherit defaultText;
};
};
};
};
};
};
});
default = [];
}
);
default = [ ];
description = ''
Ensures that the specified users exist.
The PostgreSQL users will be identified using peer authentication. This authenticates the Unix user with the
@ -379,7 +409,7 @@ in
extensions = mkOption {
type = with types; coercedTo (listOf path) (path: _ignorePg: path) (functionTo (listOf path));
default = _: [];
default = _: [ ];
example = literalExpression "ps: with ps; [ postgis pg_repack ]";
description = ''
List of PostgreSQL extensions to install.
@ -387,39 +417,46 @@ in
};
settings = mkOption {
type = with types; submodule {
freeformType = attrsOf (oneOf [ bool float int str ]);
options = {
shared_preload_libraries = mkOption {
type = nullOr (coercedTo (listOf str) (concatStringsSep ", ") str);
default = null;
example = literalExpression ''[ "auto_explain" "anon" ]'';
description = ''
List of libraries to be preloaded.
'';
};
type =
with types;
submodule {
freeformType = attrsOf (oneOf [
bool
float
int
str
]);
options = {
shared_preload_libraries = mkOption {
type = nullOr (coercedTo (listOf str) (concatStringsSep ", ") str);
default = null;
example = literalExpression ''[ "auto_explain" "anon" ]'';
description = ''
List of libraries to be preloaded.
'';
};
log_line_prefix = mkOption {
type = types.str;
default = "[%p] ";
example = "%m [%p] ";
description = ''
A printf-style string that is output at the beginning of each log line.
Upstream default is `'%m [%p] '`, i.e. it includes the timestamp. We do
not include the timestamp, because journal has it anyway.
'';
};
log_line_prefix = mkOption {
type = types.str;
default = "[%p] ";
example = "%m [%p] ";
description = ''
A printf-style string that is output at the beginning of each log line.
Upstream default is `'%m [%p] '`, i.e. it includes the timestamp. We do
not include the timestamp, because journal has it anyway.
'';
};
port = mkOption {
type = types.port;
default = 5432;
description = ''
The port on which PostgreSQL listens.
'';
port = mkOption {
type = types.port;
default = 5432;
description = ''
The port on which PostgreSQL listens.
'';
};
};
};
};
default = {};
default = { };
description = ''
PostgreSQL configuration. Refer to
<https://www.postgresql.org/docs/current/config-setting.html#CONFIG-SETTING-CONFIGURATION-FILE>
@ -458,54 +495,66 @@ in
PostgreSQL superuser account to use for various operations. Internal since changing
this value would lead to breakage while setting up databases.
'';
};
};
};
};
###### implementation
config = mkIf cfg.enable {
assertions = map ({ name, ensureDBOwnership, ... }: {
assertion = ensureDBOwnership -> elem name cfg.ensureDatabases;
message = ''
For each database user defined with `services.postgresql.ensureUsers` and
`ensureDBOwnership = true;`, a database with the same name must be defined
in `services.postgresql.ensureDatabases`.
Offender: ${name} has not been found among databases.
'';
}) cfg.ensureUsers;
services.postgresql.settings =
assertions = map (
{ name, ensureDBOwnership, ... }:
{
hba_file = "${pkgs.writeText "pg_hba.conf" cfg.authentication}";
ident_file = "${pkgs.writeText "pg_ident.conf" cfg.identMap}";
log_destination = "stderr";
listen_addresses = if cfg.enableTCPIP then "*" else "localhost";
jit = mkDefault (if cfg.enableJIT then "on" else "off");
};
assertion = ensureDBOwnership -> elem name cfg.ensureDatabases;
message = ''
For each database user defined with `services.postgresql.ensureUsers` and
`ensureDBOwnership = true;`, a database with the same name must be defined
in `services.postgresql.ensureDatabases`.
services.postgresql.package = let
mkThrow = ver: throw "postgresql_${ver} was removed, please upgrade your postgresql version.";
mkWarn = ver: warn ''
The postgresql package is not pinned and selected automatically by
`system.stateVersion`. Right now this is `pkgs.postgresql_${ver}`, the
oldest postgresql version available and thus the next that will be
removed when EOL on the next stable cycle.
See also https://endoflife.date/postgresql
Offender: ${name} has not been found among databases.
'';
base = if versionAtLeast config.system.stateVersion "24.11" then pkgs.postgresql_16
else if versionAtLeast config.system.stateVersion "23.11" then pkgs.postgresql_15
else if versionAtLeast config.system.stateVersion "22.05" then pkgs.postgresql_14
else if versionAtLeast config.system.stateVersion "21.11" then mkWarn "13" pkgs.postgresql_13
else if versionAtLeast config.system.stateVersion "20.03" then mkThrow "11"
else if versionAtLeast config.system.stateVersion "17.09" then mkThrow "9_6"
else mkThrow "9_5";
in
}
) cfg.ensureUsers;
services.postgresql.settings = {
hba_file = "${pkgs.writeText "pg_hba.conf" cfg.authentication}";
ident_file = "${pkgs.writeText "pg_ident.conf" cfg.identMap}";
log_destination = "stderr";
listen_addresses = if cfg.enableTCPIP then "*" else "localhost";
jit = mkDefault (if cfg.enableJIT then "on" else "off");
};
services.postgresql.package =
let
mkThrow = ver: throw "postgresql_${ver} was removed, please upgrade your postgresql version.";
mkWarn =
ver:
warn ''
The postgresql package is not pinned and selected automatically by
`system.stateVersion`. Right now this is `pkgs.postgresql_${ver}`, the
oldest postgresql version available and thus the next that will be
removed when EOL on the next stable cycle.
See also https://endoflife.date/postgresql
'';
base =
if versionAtLeast config.system.stateVersion "24.11" then
pkgs.postgresql_16
else if versionAtLeast config.system.stateVersion "23.11" then
pkgs.postgresql_15
else if versionAtLeast config.system.stateVersion "22.05" then
pkgs.postgresql_14
else if versionAtLeast config.system.stateVersion "21.11" then
mkWarn "13" pkgs.postgresql_13
else if versionAtLeast config.system.stateVersion "20.03" then
mkThrow "11"
else if versionAtLeast config.system.stateVersion "17.09" then
mkThrow "9_6"
else
mkThrow "9_5";
in
# Note: when changing the default, make it conditional on
# system.stateVersion to maintain compatibility with existing
# systems!
@ -515,8 +564,7 @@ in
services.postgresql.authentication = mkMerge [
(mkBefore "# Generated file; do not edit!")
(mkAfter
''
(mkAfter ''
# default value of services.postgresql.authentication
local all all peer
host all all 127.0.0.1/32 md5
@ -524,172 +572,173 @@ in
'')
];
users.users.postgres =
{ name = "postgres";
uid = config.ids.uids.postgres;
group = "postgres";
description = "PostgreSQL server user";
home = "${cfg.dataDir}";
useDefaultShell = true;
};
users.users.postgres = {
name = "postgres";
uid = config.ids.uids.postgres;
group = "postgres";
description = "PostgreSQL server user";
home = "${cfg.dataDir}";
useDefaultShell = true;
};
users.groups.postgres.gid = config.ids.gids.postgres;
environment.systemPackages = [ postgresql ];
environment.pathsToLink = [
"/share/postgresql"
"/share/postgresql"
];
system.checks = lib.optional (cfg.checkConfig && pkgs.stdenv.hostPlatform == pkgs.stdenv.buildPlatform) configFileCheck;
system.checks = lib.optional (
cfg.checkConfig && pkgs.stdenv.hostPlatform == pkgs.stdenv.buildPlatform
) configFileCheck;
systemd.services.postgresql =
{ description = "PostgreSQL Server";
systemd.services.postgresql = {
description = "PostgreSQL Server";
wantedBy = [ "multi-user.target" ];
after = [ "network.target" ];
wantedBy = [ "multi-user.target" ];
after = [ "network.target" ];
environment.PGDATA = cfg.dataDir;
environment.PGDATA = cfg.dataDir;
path = [ postgresql ];
path = [ postgresql ];
preStart =
''
if ! test -e ${cfg.dataDir}/PG_VERSION; then
# Cleanup the data directory.
rm -f ${cfg.dataDir}/*.conf
preStart = ''
if ! test -e ${cfg.dataDir}/PG_VERSION; then
# Cleanup the data directory.
rm -f ${cfg.dataDir}/*.conf
# Initialise the database.
initdb -U ${cfg.superUser} ${escapeShellArgs cfg.initdbArgs}
# Initialise the database.
initdb -U ${cfg.superUser} ${escapeShellArgs cfg.initdbArgs}
# See postStart!
touch "${cfg.dataDir}/.first_startup"
fi
# See postStart!
touch "${cfg.dataDir}/.first_startup"
fi
ln -sfn "${configFile}/postgresql.conf" "${cfg.dataDir}/postgresql.conf"
${optionalString (cfg.recoveryConfig != null) ''
ln -sfn "${pkgs.writeText "recovery.conf" cfg.recoveryConfig}" \
"${cfg.dataDir}/recovery.conf"
ln -sfn "${configFile}/postgresql.conf" "${cfg.dataDir}/postgresql.conf"
${optionalString (cfg.recoveryConfig != null) ''
ln -sfn "${pkgs.writeText "recovery.conf" cfg.recoveryConfig}" \
"${cfg.dataDir}/recovery.conf"
''}
'';
# Wait for PostgreSQL to be ready to accept connections.
postStart =
''
PSQL="psql --port=${builtins.toString cfg.settings.port}"
while ! $PSQL -d postgres -c "" 2> /dev/null; do
if ! kill -0 "$MAINPID"; then exit 1; fi
sleep 0.1
done
if test -e "${cfg.dataDir}/.first_startup"; then
${optionalString (cfg.initialScript != null) ''
$PSQL -f "${cfg.initialScript}" -d postgres
''}
'';
rm -f "${cfg.dataDir}/.first_startup"
fi
''
+ optionalString (cfg.ensureDatabases != [ ]) ''
${concatMapStrings (database: ''
$PSQL -tAc "SELECT 1 FROM pg_database WHERE datname = '${database}'" | grep -q 1 || $PSQL -tAc 'CREATE DATABASE "${database}"'
'') cfg.ensureDatabases}
''
+ ''
${concatMapStrings (
user:
let
dbOwnershipStmt = optionalString user.ensureDBOwnership ''$PSQL -tAc 'ALTER DATABASE "${user.name}" OWNER TO "${user.name}";' '';
# Wait for PostgreSQL to be ready to accept connections.
postStart =
''
PSQL="psql --port=${builtins.toString cfg.settings.port}"
filteredClauses = filterAttrs (name: value: value != null) user.ensureClauses;
while ! $PSQL -d postgres -c "" 2> /dev/null; do
if ! kill -0 "$MAINPID"; then exit 1; fi
sleep 0.1
done
clauseSqlStatements = attrValues (mapAttrs (n: v: if v then n else "no${n}") filteredClauses);
if test -e "${cfg.dataDir}/.first_startup"; then
${optionalString (cfg.initialScript != null) ''
$PSQL -f "${cfg.initialScript}" -d postgres
''}
rm -f "${cfg.dataDir}/.first_startup"
fi
'' + optionalString (cfg.ensureDatabases != []) ''
${concatMapStrings (database: ''
$PSQL -tAc "SELECT 1 FROM pg_database WHERE datname = '${database}'" | grep -q 1 || $PSQL -tAc 'CREATE DATABASE "${database}"'
'') cfg.ensureDatabases}
'' + ''
${
concatMapStrings
(user:
let
dbOwnershipStmt = optionalString
user.ensureDBOwnership
''$PSQL -tAc 'ALTER DATABASE "${user.name}" OWNER TO "${user.name}";' '';
userClauses = ''$PSQL -tAc 'ALTER ROLE "${user.name}" ${concatStringsSep " " clauseSqlStatements}' '';
in
''
$PSQL -tAc "SELECT 1 FROM pg_roles WHERE rolname='${user.name}'" | grep -q 1 || $PSQL -tAc 'CREATE USER "${user.name}"'
${userClauses}
filteredClauses = filterAttrs (name: value: value != null) user.ensureClauses;
${dbOwnershipStmt}
''
) cfg.ensureUsers}
'';
clauseSqlStatements = attrValues (mapAttrs (n: v: if v then n else "no${n}") filteredClauses);
serviceConfig = mkMerge [
{
ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
User = "postgres";
Group = "postgres";
RuntimeDirectory = "postgresql";
Type = if versionAtLeast cfg.package.version "9.6" then "notify" else "simple";
userClauses = ''$PSQL -tAc 'ALTER ROLE "${user.name}" ${concatStringsSep " " clauseSqlStatements}' '';
in ''
$PSQL -tAc "SELECT 1 FROM pg_roles WHERE rolname='${user.name}'" | grep -q 1 || $PSQL -tAc 'CREATE USER "${user.name}"'
${userClauses}
# Shut down Postgres using SIGINT ("Fast Shutdown mode"). See
# https://www.postgresql.org/docs/current/server-shutdown.html
KillSignal = "SIGINT";
KillMode = "mixed";
${dbOwnershipStmt}
''
)
cfg.ensureUsers
}
'';
# Give Postgres a decent amount of time to clean up after
# receiving systemd's SIGINT.
TimeoutSec = 120;
serviceConfig = mkMerge [
{ ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
User = "postgres";
Group = "postgres";
RuntimeDirectory = "postgresql";
Type = if versionAtLeast cfg.package.version "9.6"
then "notify"
else "simple";
ExecStart = "${postgresql}/bin/postgres";
# Shut down Postgres using SIGINT ("Fast Shutdown mode"). See
# https://www.postgresql.org/docs/current/server-shutdown.html
KillSignal = "SIGINT";
KillMode = "mixed";
# Hardening
CapabilityBoundingSet = [ "" ];
DevicePolicy = "closed";
PrivateTmp = true;
ProtectHome = true;
ProtectSystem = "strict";
MemoryDenyWriteExecute = lib.mkDefault (
cfg.settings.jit == "off" && (!any extensionInstalled [ "plv8" ])
);
NoNewPrivileges = true;
LockPersonality = true;
PrivateDevices = true;
PrivateMounts = true;
ProcSubset = "pid";
ProtectClock = true;
ProtectControlGroups = true;
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectProc = "invisible";
RemoveIPC = true;
RestrictAddressFamilies = [
"AF_INET"
"AF_INET6"
"AF_NETLINK" # used for network interface enumeration
"AF_UNIX"
];
RestrictNamespaces = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
SystemCallArchitectures = "native";
SystemCallFilter = [
"@system-service"
"~@privileged @resources"
] ++ lib.optionals (any extensionInstalled [ "plv8" ]) [ "@pkey" ];
UMask = if groupAccessAvailable then "0027" else "0077";
}
(mkIf (cfg.dataDir != "/var/lib/postgresql") {
ReadWritePaths = [ cfg.dataDir ];
})
(mkIf (cfg.dataDir == "/var/lib/postgresql/${cfg.package.psqlSchema}") {
StateDirectory = "postgresql postgresql/${cfg.package.psqlSchema}";
StateDirectoryMode = if groupAccessAvailable then "0750" else "0700";
})
];
# Give Postgres a decent amount of time to clean up after
# receiving systemd's SIGINT.
TimeoutSec = 120;
ExecStart = "${postgresql}/bin/postgres";
# Hardening
CapabilityBoundingSet = [ "" ];
DevicePolicy = "closed";
PrivateTmp = true;
ProtectHome = true;
ProtectSystem = "strict";
MemoryDenyWriteExecute = lib.mkDefault (cfg.settings.jit == "off" && (!any extensionInstalled [ "plv8" ]));
NoNewPrivileges = true;
LockPersonality = true;
PrivateDevices = true;
PrivateMounts = true;
ProcSubset = "pid";
ProtectClock = true;
ProtectControlGroups = true;
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectProc = "invisible";
RemoveIPC = true;
RestrictAddressFamilies = [
"AF_INET"
"AF_INET6"
"AF_NETLINK" # used for network interface enumeration
"AF_UNIX"
];
RestrictNamespaces = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
SystemCallArchitectures = "native";
SystemCallFilter =
[
"@system-service"
"~@privileged @resources"
]
++ lib.optionals (any extensionInstalled [ "plv8" ]) [ "@pkey" ];
UMask = if groupAccessAvailable then "0027" else "0077";
}
(mkIf (cfg.dataDir != "/var/lib/postgresql") {
ReadWritePaths = [ cfg.dataDir ];
})
(mkIf (cfg.dataDir == "/var/lib/postgresql/${cfg.package.psqlSchema}") {
StateDirectory = "postgresql postgresql/${cfg.package.psqlSchema}";
StateDirectoryMode = if groupAccessAvailable then "0750" else "0700";
})
];
unitConfig.RequiresMountsFor = "${cfg.dataDir}";
};
unitConfig.RequiresMountsFor = "${cfg.dataDir}";
};
};
meta.doc = ./postgresql.md;
meta.maintainers = with lib.maintainers; [ thoughtpolice danbst ];
meta.maintainers = with lib.maintainers; [
thoughtpolice
danbst
];
}