nixos/postgresql: enable private /tmp & private mounts; fix wal-receiver test

The issue was that the old test-case used `/tmp` to share data. Using `JoinsNamespaceOf=` wasn't a real workaround since the private `/tmp` is recreated when a service gets stopped/started which is the case here, so the wals were still lost. To keep the test building with `PrivateTmp=yes`, create a dedicated directory in `/var/cache` with tmpfiles and allow the hardened `postgresql.service` to access it via `ReadWritePaths`.
2025-06-10 19:55:41 +03:00 · 2024-09-30 17:23:10 +02:00 · 2024-09-30 17:23:10 +02:00 · f800d8e42b
commit f800d8e42b
parent 2ebffcc4c7
2 changed files with 9 additions and 4 deletions
--- a/nixos/modules/services/databases/postgresql.nix
+++ b/nixos/modules/services/databases/postgresql.nix
@ -627,14 +627,14 @@ in
            # Hardening
            CapabilityBoundingSet = [ "" ];
            DevicePolicy = "closed";
-            PrivateTmp = false; #breaks wal-receiver test
+            PrivateTmp = true;
            ProtectHome = true;
            ProtectSystem = "strict";
            MemoryDenyWriteExecute = true;
            NoNewPrivileges = true;
            LockPersonality = true;
            PrivateDevices = true;
-            PrivateMounts = false; # breaks wal-receiver test
+            PrivateMounts = true;
            ProcSubset = "pid";
            ProtectClock = true;
            ProtectControlGroups = true;