nixos/postgresql: support 0750 for data directory (#65245)

* nixos/postgresql: support 0750 for data directory

This is rework of part of https://github.com/NixOS/nixpkgs/pull/46670.
My usecase was to be able to inspect PG datadir as wheel user.

PG11 now allows starting server with 0750 mask for data dir.
`groupAccess = true` now does this automatically. The only thing you have to do
is to set group ownership.

For PG10 and below, I've described a hack how this can be done. Before this PR
hack was impossible. The hack isn't ideal, because there is short
period of time when dir mode is 0700, so I didn't want to make it official.

Test/example is present too.

* postgresql: allow changing initidb arguments via module system

Closes https://github.com/NixOS/nixpkgs/issues/18829

+ some cleanups

* addressed review comments and some fixes

* whoops

* change groupAccess to tristate, to not force `chmod` on dataDir.

Making mask either 0700 or 0750 is too restrictive..

* WIP

* let's not support group mode for versions pre-11.

The only fix is to change mode to 0700 before start, because otherwise postgresql
doesn't start, and error is non-obvious.
This commit is contained in:
Danylo Hlynskyi 2020-02-14 20:51:20 +02:00 committed by GitHub
commit 5443eee47c
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 28 additions and 8 deletions

View file

@ -20,7 +20,9 @@ let
listen_addresses = '${if cfg.enableTCPIP then "*" else "localhost"}'
port = ${toString cfg.port}
${cfg.extraConfig}
'';
'';
groupAccessAvailable = versionAtLeast postgresql.version "11.0";
in
@ -88,6 +90,16 @@ in
'';
};
initdbArgs = mkOption {
type = with types; listOf str;
default = [];
example = [ "--data-checksums" "--allow-group-access" ];
description = ''
Additional arguments passed to <literal>initdb<literal> during data dir
initialisation.
'';
};
initialScript = mkOption {
type = types.nullOr types.path;
default = null;
@ -220,7 +232,7 @@ in
###### implementation
config = mkIf config.services.postgresql.enable {
config = mkIf cfg.enable {
services.postgresql.package =
# Note: when changing the default, make it conditional on
@ -232,8 +244,9 @@ in
else throw "postgresql_9_4 was removed, please upgrade your postgresql version.");
services.postgresql.dataDir =
mkDefault (if versionAtLeast config.system.stateVersion "17.09" then "/var/lib/postgresql/${config.services.postgresql.package.psqlSchema}"
else "/var/db/postgresql");
mkDefault (if versionAtLeast config.system.stateVersion "17.09"
then "/var/lib/postgresql/${cfg.package.psqlSchema}"
else "/var/db/postgresql");
services.postgresql.authentication = mkAfter
''
@ -284,7 +297,7 @@ in
''
# Initialise the database.
if ! test -e ${cfg.dataDir}/PG_VERSION; then
initdb -U ${cfg.superUser}
initdb -U ${cfg.superUser} ${concatStringsSep " " cfg.initdbArgs}
# See postStart!
touch "${cfg.dataDir}/.first_startup"
fi
@ -293,8 +306,12 @@ in
ln -sfn "${pkgs.writeText "recovery.conf" cfg.recoveryConfig}" \
"${cfg.dataDir}/recovery.conf"
''}
${optionalString (!groupAccessAvailable) ''
# postgresql pre 11.0 doesn't start if state directory mode is group accessible
chmod 0700 "${cfg.dataDir}"
''}
exec postgres
exec postgres
'';
serviceConfig =
@ -303,7 +320,7 @@ in
Group = "postgres";
PermissionsStartOnly = true;
RuntimeDirectory = "postgresql";
Type = if lib.versionAtLeast cfg.package.version "9.6"
Type = if versionAtLeast cfg.package.version "9.6"
then "notify"
else "simple";
@ -352,5 +369,5 @@ in
};
meta.doc = ./postgresql.xml;
meta.maintainers = with lib.maintainers; [ thoughtpolice ];
meta.maintainers = with lib.maintainers; [ thoughtpolice danbst ];
}

View file

@ -175,6 +175,9 @@ let
cp --target-directory=$out/bin ${postgresql}/bin/{postgres,pg_config,pg_ctl}
wrapProgram $out/bin/postgres --set NIX_PGLIBDIR $out/lib
'';
passthru.version = postgresql.version;
passthru.psqlSchema = postgresql.psqlSchema;
};
in self: {