nixos/postgresql: support 0750 for data directory

This is rework of part of https://github.com/NixOS/nixpkgs/pull/46670. My usecase was to be able to inspect PG datadir as wheel user. PG11 now allows starting server with 0750 mask for data dir. `groupAccess = true` now does this automatically. The only thing you have to do is to set group ownership. For PG10 and below, I've described a hack how this can be done. Before this PR hack was impossible. The hack isn't ideal, because there is short period of time when dir mode is 0700, so I didn't want to make it official. Test/example is present too.
2025-07-09 12:05:50 +03:00 · 2019-07-22 02:57:16 +03:00 · 2019-07-22 02:57:16 +03:00 · 92a015d35d
commit 92a015d35d
parent 104f8a0e1a
3 changed files with 104 additions and 5 deletions
--- a/nixos/modules/services/databases/postgresql.nix
+++ b/nixos/modules/services/databases/postgresql.nix
@ -38,6 +38,8 @@ let
      ${cfg.extraConfig}
    '';

+    dirMode = if cfg.groupAccess then "0750" else "0700";
+
 in

 {
@ -80,6 +82,23 @@ in
        '';
      };

+      groupAccess = mkOption {
+        type = types.bool;
+        default = false;
+        example = true;
+        description = ''
+          Allow read access for group (0750 mask for data directory).
+          Supported only for PostgreSQL 11+. PostgreSQL 10 and lower doesn't
+          support starting server with 0750 mask, but a workaround like
+          <programlisting>
+          systemd.services.postgresql.postStart = lib.mkAfter '''
+            chmod 750 ''${config.services.postgresql.dataDir}
+          ''';
+          </programlisting>
+          may be used instead.
+        '';
+      };
+
      authentication = mkOption {
        type = types.lines;
        default = "";
@ -240,6 +259,14 @@ in

  config = mkIf config.services.postgresql.enable {

+    assertions = [
+      { assertion = cfg.groupAccess -> builtins.compareVersions cfg.package.version "11.0" >= 0;
+        message = ''
+          'groupAccess' is not available for PostgreSQL < 11.
+        '';
+      }
+    ];
+
    services.postgresql.package =
      # Note: when changing the default, make it conditional on
      # ‘system.stateVersion’ to maintain compatibility with existing
@ -287,9 +314,9 @@ in
          ''
            # Create data directory.
            if ! test -e ${cfg.dataDir}/PG_VERSION; then
-              mkdir -m 0700 -p ${cfg.dataDir}
+              mkdir -m ${dirMode} -p ${cfg.dataDir}
              rm -f ${cfg.dataDir}/*.conf
-              chown -R postgres:postgres ${cfg.dataDir}
+              chown -R postgres ${cfg.dataDir}
            fi
          ''; # */

@ -297,7 +324,9 @@ in
          ''
            # Initialise the database.
            if ! test -e ${cfg.dataDir}/PG_VERSION; then
-              initdb -U ${cfg.superUser}
+              initdb -U ${cfg.superUser} ${
+                lib.optionalString cfg.groupAccess "--allow-group-access"
+              }
              # See postStart!
              touch "${cfg.dataDir}/.first_startup"
            fi
@ -306,8 +335,9 @@ in
              ln -sfn "${pkgs.writeText "recovery.conf" cfg.recoveryConfig}" \
                "${cfg.dataDir}/recovery.conf"
            ''}
+            chmod ${dirMode} "${cfg.dataDir}"

-             exec postgres
+            exec postgres
          '';

        serviceConfig =
@ -365,5 +395,5 @@ in
  };

  meta.doc = ./postgresql.xml;
-  meta.maintainers = with lib.maintainers; [ thoughtpolice ];
+  meta.maintainers = with lib.maintainers; [ thoughtpolice danbst ];
 }