diff --git a/nixos/modules/services/databases/postgresql.nix b/nixos/modules/services/databases/postgresql.nix
index 8bbbf2d31fc7..f656e236b369 100644
--- a/nixos/modules/services/databases/postgresql.nix
+++ b/nixos/modules/services/databases/postgresql.nix
@@ -20,9 +20,9 @@ let
listen_addresses = '${if cfg.enableTCPIP then "*" else "localhost"}'
port = ${toString cfg.port}
${cfg.extraConfig}
- '';
+ '';
- dirMode = if cfg.groupAccess == true then "0750" else "0700";
+ groupAccessAvailable = versionAtLeast postgresql.version "11.0";
in
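Review bot: `groupAccessAvailable` reads `postgresql.version`, whereas the assertion this commit removes (hunk at L43-L49) read `cfg.package.version`; if `postgresql` in this `let` is a wrapper derivation around `cfg.package` (e.g. a plugin `buildEnv`), `.version` may be missing or differ, so `versionAtLeast cfg.package.version "11.0"` is the safer source. The `groupAccess` option is dropped without a migration shim; unless the module's `imports` (outside this hunk) already carry one, `(mkRemovedOptionModule [ "services" "postgresql" "groupAccess" ] "Use initdbArgs = [ \"--allow-group-access\" ] instead.")` would turn a bare "option does not exist" eval error into a pointer to the replacement. The `let` block continues outside the hunk.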
@@ -66,18 +66,6 @@ in
'';
};
- groupAccess = mkOption {
- type = with types; nullOr bool;
- default = null;
- description = ''
- When true, allow read access for group (0750 mask for data directory).
- Supported only for PostgreSQL 11+.
-
- When false, force a restrictive 0700 mask on data directory, so
- PostgreSQL won't fail due to too permissive mask.
- '';
- };
-
authentication = mkOption {
type = types.lines;
default = "";
@@ -105,7 +93,7 @@ in
initdbArgs = mkOption {
type = with types; listOf str;
default = [];
- example = [ "--data-checksums" ];
+ example = [ "--data-checksums" "--allow-group-access" ];
description = ''
Additional arguments passed to initdb during data dir
initialisation.
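Review bot: The new example advertises `--allow-group-access`, but with the eval-time assertion removed, a pre-11 `package` combined with this example is only caught when `initdb` rejects the flag during the first `preStart`, leaving the service failed; the description should say so. Suggested addition after "initialisation.": `Note that --allow-group-access requires PostgreSQL 11 or later; older initdb versions reject it.`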
@@ -246,14 +234,6 @@ in
config = mkIf cfg.enable {
- assertions = [
- { assertion = cfg.groupAccess == true -> versionAtLeast cfg.package.version "11.0";
- message = ''
- 'groupAccess' is not available for PostgreSQL < 11.
- '';
- }
- ];
-
services.postgresql.package =
# Note: when changing the default, make it conditional on
# ‘system.stateVersion’ to maintain compatibility with existing
@@ -268,9 +248,6 @@ in
then "/var/lib/postgresql/${cfg.package.psqlSchema}"
else "/var/db/postgresql");
- services.postgresql.initdbArgs =
- mkBefore (optional (cfg.groupAccess == true) "--allow-group-access");
-
services.postgresql.authentication = mkAfter
''
# Generated file; do not edit!
@@ -310,7 +287,7 @@ in
''
# Create data directory.
if ! test -e ${cfg.dataDir}/PG_VERSION; then
- mkdir -m ${dirMode} -p ${cfg.dataDir}
+ mkdir -m 0700 -p ${cfg.dataDir}
rm -f ${cfg.dataDir}/*.conf
chown -R postgres:postgres ${cfg.dataDir}
fi
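Review bot: `mkdir -m 0700` is now hard-coded even when `initdbArgs` contains `--allow-group-access`, so a 0750 directory depends on `initdb` adjusting the mode of the pre-existing empty directory (initdb prints "fixing permissions on existing directory"); since the module no longer knows which mode is intended, that reliance deserves a comment, e.g. `# 0700 is the safe default; initdb relaxes it to 0750 itself when --allow-group-access is passed`. If that initdb behaviour is not something you want to depend on, the alternative is to derive the mode from whether `"--allow-group-access" elem cfg.initdbArgs`. The preStart script continues outside the hunk.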
@@ -329,8 +306,9 @@ in
ln -sfn "${pkgs.writeText "recovery.conf" cfg.recoveryConfig}" \
"${cfg.dataDir}/recovery.conf"
''}
- ${optionalString (cfg.groupAccess != null) ''
- chmod ${dirMode} "${cfg.dataDir}"
+ ${optionalString (!groupAccessAvailable) ''
+ # postgresql pre 11.0 doesn't start if state directory mode is group accessible
+ chmod 0700 "${cfg.dataDir}"
''}
exec postgres
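Review bot: For PostgreSQL 11+ the `chmod` is dropped entirely, whereas the removed `groupAccess = false` path forced 0700; a data directory that has drifted to a world-accessible or group-writable mode (e.g. 0755) is now left as is, and 11+ also refuses to start in that state ("data directory has invalid permissions": only 0700 or 0750 are accepted), so the mode is no longer self-healing on any version. Keeping the pre-11 branch and adding an `else` that only strips the bits 11+ rejects restores that without undoing group access: `${optionalString groupAccessAvailable ''chmod g-w,o-rwx "${cfg.dataDir}"''}`. The comment on the pre-11 branch could also state the 11+ rule, e.g. `# postgresql 11+ accepts 0700 or 0750 only; earlier versions accept 0700 only`. The script's enclosing attribute set continues outside the hunk.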
diff --git a/nixos/tests/postgresql.nix b/nixos/tests/postgresql.nix
index c36ce046efcd..3201e22555ea 100644
--- a/nixos/tests/postgresql.nix
+++ b/nixos/tests/postgresql.nix
@@ -86,56 +86,5 @@ let
in
(mapAttrs' (name: package: { inherit name; value=make-postgresql-test name package false;}) postgresql-versions) // {
postgresql_11-backup-all = make-postgresql-test "postgresql_11-backup-all" postgresql-versions.postgresql_11 true;
-
- postgresql_dirmode_change =
- let dataDir = "/db";
- in makeTest {
- name = "postgresql_dirmode_change";
- meta = with pkgs.stdenv.lib.maintainers; {
- maintainers = [ danbst ];
- };
-
- machine = { config, lib, ...}:
- {
- services.postgresql.enable = true;
- services.postgresql.package = pkgs.postgresql_10;
- services.postgresql.dataDir = dataDir;
-
- users.users.admin.isNormalUser = true;
- users.users.admin.extraGroups = [ "postgres" ];
-
- nesting.clone = [
- {
- systemd.services.postgresql.preStart = lib.mkAfter ''
- chmod 0700 ${dataDir}
- '';
- systemd.services.postgresql.postStart = lib.mkAfter ''
- chmod -R 750 ${dataDir}
- ${pkgs.acl}/bin/setfacl -d -m g::r-x ${dataDir}
- '';
- }
- ];
- };
- testScript = { nodes, ... }: let
- c1 = "${nodes.machine.config.system.build.toplevel}/fine-tune/child-1";
- in ''
- $machine->start;
- $machine->waitForUnit("postgresql");
- $machine->succeed("echo select 1 | sudo -u postgres psql");
-
- # by default, mode is 0700
- $machine->fail("sudo -u admin ls ${dataDir}");
-
- $machine->succeed("${c1}/bin/switch-to-configuration test >&2");
- $machine->succeed("journalctl -u postgresql | grep -q -i stopped"); # was restarted
- $machine->succeed("systemctl restart postgresql"); # but we have to be sure
- # manual restart works too
- $machine->waitForUnit("postgresql");
- $machine->succeed("echo select 1 | sudo -u postgres psql"); # works after restart
- $machine->succeed("sudo -u admin ls ${dataDir}");
-
- $machine->shutdown;
- '';
- };
}