mirror of https://github.com/NixOS/nixpkgs.git synced 2025-07-19 08:31:01 +03:00
Commit graph

742 commits

Author SHA1 Message Date
Martin Weinelt
d862cce5d8 nixos/postgresql: fix condition for readwritepaths
In the case that the user wants to provide a custom data directory, we
need to grant `ReadWritePaths` for that directory. Previously this would
not happen when `/var/lib/postgresql` was used, because the condition
was not in fact checking for the default data directory, creating a gap
in the if-else scenario.

Fixes: #371680
(cherry picked from commit 4d0f802848)
2025-01-19 11:32:45 +00:00
piegames
f6ea57fd16 treewide: Fix incorrect string indentations
(cherry picked from commit dd7d5339f7)
2025-01-11 17:29:21 +01:00
Maximilian Bosch
cfd92cfb75 nixos/doc: document how to allow-list tablespaces
It was brought up that the restricted file-system access breaks
tablespaces[1]. I'd argue that this is the desired behavior, the whole
point of the hardening is to lock the service down and I don't consider
tablespaces common enough to elevate privileges again. Especially since
the workaround is trivial as shown in the diff.

For completeness' sake, this adds the necessary `ReadWritePaths` change
to the postgresql section of the manual.

This also adds a small correction about the state of
`ensurePermissions`.

[1] https://github.com/NixOS/nixpkgs/pull/344925#issuecomment-2521188907

(cherry picked from commit 51a6938a44)
2024-12-12 15:43:42 +00:00
Silvan Mosberger
d9d87c5196 treewide: format all inactive Nix files
After final improvements to the official formatter implementation,
this commit now performs the first treewide reformat of Nix files using it.
This is part of the implementation of RFC 166.

Only "inactive" files are reformatted, meaning only files that
aren't being touched by any PR with activity in the past 2 months.
This is to avoid conflicts for PRs that might soon be merged.
Later we can do a full treewide reformat to get the rest,
which should not cause as many conflicts.

A CI check has already been running for some time to ensure that new and
already-formatted files are formatted, so the files being reformatted here
should also stay formatted.

This commit was automatically created and can be verified using

    nix-build https://github.com/infinisil/treewide-nixpkgs-reformat-script/archive/a08b3a4d199c6124ac5b36a889d9099b4383463f.tar.gz \
      --argstr baseRev 0128fbb0a5
    result/bin/apply-formatting $NIXPKGS_PATH
2024-12-10 20:29:24 +01:00
Ryan Yin
cfcb289f48 nixos/victoriametrics: the prometheusConfig option isn't null by default 2024-12-06 10:32:29 +08:00
Maximilian Bosch
4ebbbeeebb
Merge: [Backport release-24.11] nixos/pgbouncer: rework RFC42 integration (#358344) 2024-12-05 11:02:41 +01:00
Maximilian Bosch
e6b563eaa5 nixos/mysql: fix evaluation of percona test
Commit e14483d6a6 fixed a bug in the `ini`
type with `listsAsDuplicatedKeys = true;`: multiple list declarations
weren't merged, but latter declarations shadowed the former without any
error.

The fix brought another issue to surface however: before, the
`plugin-load-add` declaration in the MySQL test shadowed the
`auth_socket.so` setting in the module. But now the attempt
to merge a list and a single declaration breaks because of
`types.either` seeing a mix of declarations from the left
AND right type.

Turning the `plugin-load-add` in the module into a list triggers the
correct merging behavior and thus fixes the evaluation error (and
merging behavior of `plugin-load-add`)!

This wasn't an issue for mysql itself (empty `plugin-load-add` in the
test) and neither for mariadb (the `auth_socket.so` isn't added for
this).

(cherry picked from commit c055f6bc0a)
2024-11-29 21:17:01 +00:00
Maximilian Bosch
aa88b3cae5 nixos/pgbouncer: rework RFC42 integration
Commit bfb9d1825d added RFC42 support
which is a good thing in general, but this implementation has the
following flaws:

* `services.pgbouncer.logFile` was not renamed to `[...].log_file`, but
  to `[...].logfile`. Also the use of `mkRenamedOptionModule` is
  inappropriate here because the two options are not equivalent: the old
  option took a path relative to the home directory, the new an absolute
  path.

* Using `mkRenamedOptionModule` with options that don't exist (but are
  keys in a freeform attr-set or an `attrsOf X`), you get the following
  error when referencing an option you didn't declare:

    error: evaluation aborted with the following error message: 'Renaming error: option `services.pgbouncer.settings.pgbouncer.listen_port' does not exist.'

  This error is pretty bad because it's not actionable for an end-user of
  the module. A possible use-case is doing

    networking.firewall.allowedTCPPorts = [ config.services.pgbouncer.listenPort ];

  without specifying a custom listen port. This is an example of why you
  want to keep options, they already contain defaults and you can re-use
  those defaults in other parts of your system configuration.

  I decided to re-add a bunch of options where I figured that it's
  either useful to be able to address those in the NixOS configuration
  or having documentation directly in the options' reference in the
  NixOS manual.

  I didn't add all options, I'll leave that to the maintainers of
  pgbouncer.

(cherry picked from commit 2995b3825e)
2024-11-23 08:20:34 +00:00
Sandro
215a5c819a nixos/postgresql: update docs with extraPlugins to extensions rename
(cherry picked from commit 3156de49ba)
2024-11-22 15:02:16 +00:00
Nick Cao
b05dfbcc3e
[Backport release-24.11] nixos/postgresql: fix warning typo (#356695) 2024-11-17 09:01:01 -05:00
Ian Kerins
25cd23219c nixos/postgresql: fix warning typo
(cherry picked from commit 307090125f)
2024-11-17 11:25:02 +00:00
Martin Weinelt
210f9b1546 nixos/postgresql: create infrastructure for relaxing systemd hardening
By matching on the package names of the plugins passed into the package
we can relax the systemd unit hardening as needed.

(cherry picked from commit d370af0785)
2024-11-16 21:30:02 +00:00
Martin Weinelt
7d07116532 nixos/postgresql: rename extraPlugins to extensions
This is the upstream lingo, and it makes everything slightly less
confusing.

(cherry picked from commit 223a6c6ed0)
2024-11-16 21:30:02 +00:00
Maximilian Bosch
022c3e8ad0 postgresql_12: remove
This will be EOL at the end of November, so there's little reason to
keep it in 24.11[1]. As discussed, we'd like to keep it for as long as
possible to make sure there's a state in nixpkgs that has the latest
minor of postgresql_12 available with the most recent CVEs fixed for
people who cannot upgrade[2].

This aspect has been made explicit in the manual now for the next .11
release.

During the discussions it has been brought up that if people just do
`services.postgresql.enable = true;` and let the code decide the
postgresql version based on `system.stateVersion`, there's a chance that
such EOL dates will be missed. To make this harder, a warning will now
be raised when using the stateVersion-condition and the oldest still
available major is selected.

Additionally regrouped the postgresql things in the release notes to
make sure these are all shown consecutively. Otherwise it's a little
hard to keep track of all the changes made to postgresql in 24.11.

[1] https://endoflife.date/postgresql
[2] https://github.com/NixOS/nixpkgs/pull/353158#issuecomment-2453056692

(cherry picked from commit 0b3eef7441)
2024-11-15 11:07:42 +00:00
Aleksana
dbed5a6265
nixos/mysql: fix permission error during first startup (#331296) 2024-11-11 18:49:32 +08:00
Yorick
12eedc8e88
nixos/victoriametrics: harden systemd unit, add more options. (#350737) 2024-11-05 13:36:19 +01:00
Maximilian Bosch
500d745e73
Merge: nixos/postgresql: set up sandboxing (#344925) 2024-11-02 11:12:15 +01:00
Maximilian Bosch
70a6092f1e
nixos/doc: mention postgresql hardening 2024-11-01 16:31:35 +01:00
Collin Diekvoss
1b82e17fca
Update surrealdb options for v2 2024-10-31 13:12:53 -05:00
Ryan Yin
89b4cb7299 nixos/victoriametrics: harden systemd unit, add more options. 2024-10-31 23:47:02 +08:00
Atemu
644c36174b
nixos/redis: add option services.redis.servers.*.group (#345327) 2024-10-17 10:39:48 +02:00
Felix Bühler
cc42a1be7b
nixos/services.mysql: remove with lib; (#338048) 2024-10-16 21:38:48 +02:00
Maximilian Bosch
0f1e2a1cd8
nixos/postgresql: MemoryDenyWriteExecute must be off when doing JIT
The test breaks like this otherwise:

    machine # WARNING:  error during JITing: Permission denied
    machine # [   14.012280] postgres[913]: [913] WARNING:  error during JITing: Permission denied
    machine # ERROR:  failed to look up symbol "evalexpr_0_1": Failed to materialize symbols: { (main, { evalexpr_0_1, evalexpr_0_0 }) }
2024-10-14 23:57:39 +02:00
Brendan Taylor
cb31bd4755 nixos/redis: add option services.redis.servers.*.group
Previously, if you set the "user" option and did not create a group
account with the same name the module would create a service that would
fail to start.

With this change:
- the module is more explicit about this behaviour
- you can configure the group directly, so that you're not forced to a
  particular user/group structure
- you can read the group name used by the redis service. this is useful
  for giving other services permission to use the redis socket.
2024-10-04 21:12:38 -06:00
Maximilian Bosch
f800d8e42b
nixos/postgresql: enable private /tmp & private mounts; fix wal-receiver test
The issue was that the old test-case used `/tmp` to share data. Using
`JoinsNamespaceOf=` wasn't a real workaround since the private `/tmp` is
recreated when a service gets stopped/started which is the case here, so
the wals were still lost.

To keep the test building with `PrivateTmp=yes`, create a dedicated
directory in `/var/cache` with tmpfiles and allow the hardened
`postgresql.service` to access it via `ReadWritePaths`.
2024-10-01 10:31:20 +02:00
Martin Weinelt
2ebffcc4c7
nixos/postgresql: set up sandboxing
Reduces the general exposure of the postgresql.service through systemd
hardening options.
2024-10-01 10:31:20 +02:00
Maximilian Bosch
11d1f8776c
nixos/postgresql: escape initdbArgs
It doesn't look correct that this isn't the case already.
2024-09-29 21:03:52 +02:00
Maximilian Bosch
0e78dc369c
Merge: doc: use initdbArgs in example postgresql upgrade script (#302823) 2024-09-29 20:39:05 +02:00
oddlama
d229011025 nixos/influxdb2: fix service startup reliability 2024-09-27 08:14:27 +02:00
Bjørn Forsman
732d36522f nixos/influxdb2: wait until service is ready
Factor out part of the provisioning script into a
wait-until-service-is-ready script, and put it unconditionally in
front of ExecStartPost=, so that services that depend on influxdb2 are
not started until influxdb2 responds to requests.

Fixes https://github.com/NixOS/nixpkgs/issues/317017 ("Scrutiny tries to start before influxdb has started")
2024-09-26 06:54:54 +02:00
Daniel Sidhion
15ddcc64cd
nixos/tigerbeetle: add docs on upgrading, add more systemd hardening (#332899) 2024-09-24 23:56:38 -07:00
Sandro
76d7694a3f
nixos/neo4j: always set http values, even when disabled (#341586) 2024-09-15 12:42:20 +02:00
Felix Buehler
7d32787294 nixos/services.etcd: remove with lib; 2024-09-15 10:43:48 +02:00
eyjhb
7c545e26a3 nixos/neo4j: always set http values, even when disabled 2024-09-13 15:22:34 +02:00
github-actions[bot]
d834278999
Merge master into staging-next 2024-09-02 00:13:57 +00:00
Felix Bühler
06aee405da
nixos/services.neo4j: remove with lib; (#338049) 2024-09-01 20:52:52 +02:00
github-actions[bot]
a2cea72749
Merge staging-next into staging 2024-08-30 00:13:56 +00:00
Philip Taron
117f3ceb51
treewide/nixos: remove with lib; part 1 (#335603) 2024-08-29 15:42:04 -07:00
Felix Buehler
24f82fc6b5 nixos/services.surrealdb: remove with lib; 2024-08-30 00:30:41 +02:00
Felix Buehler
edcd08a8ff nixos/services.rethinkdb: remove with lib; 2024-08-30 00:30:41 +02:00
Felix Buehler
18c0ca5714 nixos/services.pgmanage: remove with lib; 2024-08-30 00:30:41 +02:00
Felix Buehler
6bbc3df0dd nixos/services.opentsdb: remove with lib; 2024-08-30 00:30:40 +02:00
Felix Buehler
93fb328e44 nixos/services.openldap: remove with lib; 2024-08-30 00:30:40 +02:00
Felix Buehler
0dbb2e5fa1 nixos/services.influxdb: remove with lib; 2024-08-30 00:30:40 +02:00
Felix Buehler
3db1445493 nixos/services.hbase-standalone: remove with lib; 2024-08-30 00:30:40 +02:00
Felix Buehler
567aa06ba2 nixos/services.firebird: remove with lib; 2024-08-30 00:30:40 +02:00
Felix Buehler
17003eacc9 nixos/services.ferretdb: remove with lib; 2024-08-30 00:30:39 +02:00
Felix Buehler
f06f3a7973 nixos/services.dragonflydb: remove with lib; 2024-08-30 00:30:39 +02:00
Felix Buehler
626c4c1a21 nixos/services.dgraph: remove with lib; 2024-08-30 00:30:39 +02:00
Felix Buehler
75d565a3b0 nixos/services.couchdb: remove with lib; 2024-08-30 00:30:39 +02:00