Without the change the doc build fails as:
$ nix build -f nixos config.system.build.manual.manualHTML -L
...
nixos-manual-html> RuntimeError: heading in line 366 does not have an id
This splits a dev output to make the default output not depend on any
build dependencies anymore. This also avoids removing references from
pgxs' Makefile this way, which should, at least theoretically, be good
to build extensions via pgxs, making sure they use the same tooling.
ecpg is the "embedded SQL C preprocessor", which is certainly a dev
tool.
Most important, for closure size anyway, is to move pg_config to the dev
output, since it retains paths to all the other outputs.
The only thing with references to the dev output remaining is then the
postgres binary itself. It contains all the output paths, because it
shows those in the pg_config system view. There is no other way than
to nuke those references to avoid circular dependencies between outputs
- and blowing up closure size again.
This change adds services.pgbouncer.settings option as per [RFC 0042]
and deprecates other options that were previously used to generate
configuration file.
In addition to that, we also place the configuration file under
environment.etc to allow reloading configuration without service
restart.
[RFC 0042]: https://github.com/NixOS/rfcs/blob/master/rfcs/0042-config-option.md
When mysql starts up for the first time, the binary `mysql_install_db`
will run and try to set up the correct folder structure and permissions.
The very first step is to change the owner and group of the data
directory. This can fail in some cases, for example if `cfg.dataDir` is
something like `/mnt/mysql`:
```
Jul 31 15:24:35 junction systemd[1]: Starting MySQL Server...
Jul 31 15:24:36 junction mysql-pre-start[1346]: chown: changing ownership of '/mnt/mysql': Operation not permitted
Jul 31 15:24:36 junction mysql-pre-start[1309]: Cannot change ownership of the database directories to the 'mysql'
Jul 31 15:24:36 junction mysql-pre-start[1309]: user. Check that you have the necessary permissions and try again.
Jul 31 15:24:36 junction systemd[1]: mysql.service: Control process exited, code=exited, status=1/FAILURE
Jul 31 15:24:36 junction systemd[1]: mysql.service: Failed with result 'exit-code'.
Jul 31 15:24:36 junction systemd[1]: Failed to start MySQL Server.
```
This is because `/mnt` usually is owned by root.
To work around this issue, use `systemd.tmpfiles` to set the owner,
group and permissions. This will always work, and if the permissions are
already set as expected, mysql will not try to alter them again.
Done using `grep -rP 'description\s+=\s+"[^"]+[ ]";' | cut -d ':' -f 1 |
xargs -i nvim {}` and sorting the opened files by hand, avoiding
generated packages list
Upgrade default postgresql for stateVersion >=24.11.
This also rebuilds all packages linking against `libpq.so` to use
postgresql 16.
After re-reading https://www.postgresql.org/docs/16/release-16.html
I don't see any major risks about doing that.
Since https://github.com/redis/redis/pull/4001 included in 6.2.0
transparent hugepages works when being set to madvise which is the NixOS
and upstream recommended default.
> WARNING Memory overcommit must be enabled! Without it, a background save or replication may fail under low memory condition.
> Being disabled, it can also cause failures without low memory condition, see https://github.com/jemalloc/jemalloc/issues/1328.
> To fix this issue add 'vm.overcommit_memory = 1' to /etc/sysctl.conf and then reboot or run the command 'sysctl vm.overcommit_memory=1' for this to take effect.
these changes were generated with nixq 0.0.2, by running
nixq ">> lib.mdDoc[remove] Argument[keep]" --batchmode nixos/**.nix
nixq ">> mdDoc[remove] Argument[keep]" --batchmode nixos/**.nix
nixq ">> Inherit >> mdDoc[remove]" --batchmode nixos/**.nix
two mentions of the mdDoc function remain in nixos/, both of which
are inside of comments.
Since lib.mdDoc is already defined as just id, this commit is a no-op as
far as Nix (and the built manual) is concerned.
The enableJIT = true case was fixed in #221851 or
e2fb651752 respectively.
However this did not take the case into consideration, when doing this:
services.postgresql = {
enable = true;
enableJIT = false;
package = pkgs.postgresql_15_jit;
};
If enableJIT is treated as the source of truth, then this should indeed
cause JIT to be disabled, which this commit does.
The main idea behind that was to be able to do more sophisticated
merging for stuff that goes into `postgresql.conf`:
`shared_preload_libraries` is a comma-separated list in a `types.str`
and thus not mergeable. With this change, the option accepts both a
comma-separated string xor a list of strings.
This can be implemented rather quick using `coercedTo` +
freeform modules. The interface still behaves equally, but it allows to
merge declarations for this option together.
One side-effect was that I had to change the `attrsOf (oneOf ...)` part into
a submodule to allow declaring options for certain things. While at it,
I decided to move `log_line_prefix` and `port` into this structure as
well.
This was proposed by abbradar in #150801, but left out of the follow up PR
#221851 by Ma27 to reduce the size of the diff. Compared to the initial
proposal this includes the callPackage call in the recursion, which avoids
breaking the withJIT/withoutJIT helpers.
In terms of nixpkgs, this is a pure refactor, no derivations change. However,
this makes downstream expressions like the following possible:
(postgresql.override { jitSupport = true; }).pkgs.postgis
This would have not worked before without passing another "this" argument,
which is error prone as can be seen in this example:
https://github.com/PostgREST/postgrest/pull/3222/files
This makes it less error-prone to use the llvm package in extensions, because
it will always match the package used by the postgresql derivation itself.
Previously, you could've accidentally used llvm instead of postgresql.llvm
with a different result.
While `/var/lib/lldap` isn't technically accessible by unprivileged
users thanks to `DynamicUser=true`, a user might prefer and change it to
`DynamicUser=false`.
There is currently also a PR open that intends to make `DynamicUser`
configurable via module option.
As such, `jwt_secret_file`, if bootstrapped by the service start
procedure, might be rendered world-readable due to its permissions
(`0644/-rw-r--r--`) defaulting to the service's umask (`022`) and
`/var/lib/lldap` to `0755/drwxr-xr-x` due to `StateDirectoryMode=0755`.
This would usually be fixed by using `(umask 027; openssl ...)` instead
of just `openssl ...`.
However, it was found that another file (`users.db`), this time
bootstrapped by `lldap` itself, also had insufficient permissions
(`0644/-rw-r--r--`) inherited by the global umask and would be left
world-readable as well.
Due to this, we instead change the service's to `027`.
And to lower the impact for already bootstrapped files on existing
instances like `users.db`, set `StateDirectoryMode=0750`.
