authordanbst <abcz2.uprola@gmail.com>2020-02-14 19:16:34 +0200
committerdanbst <abcz2.uprola@gmail.com>2020-02-14 19:16:34 +0200
commit84535e0a47bf97d6d7ea6ea3764d45baab93fde9 (patch)
tree33d1d64a909e86cd7303ffb3b796f0b54108d7b3 /nixos
parent2c77c5348784af220f5566b26c621aa254fd14a1 (diff)
let's not support group mode for versions pre-11.
The only fix is to change the mode to 0700 before start, because otherwise postgresql
doesn't start, and the error is non-obvious.
Diffstat (limited to 'nixos')
-rw-r--r--nixos/modules/services/databases/postgresql.nix36
-rw-r--r--nixos/tests/postgresql.nix51
2 files changed, 7 insertions, 80 deletions
diff --git a/nixos/modules/services/databases/postgresql.nix b/nixos/modules/services/databases/postgresql.nix
index 8bbbf2d31fc..f656e236b36 100644
--- a/nixos/modules/services/databases/postgresql.nix
+++ b/nixos/modules/services/databases/postgresql.nix
@@ -20,9 +20,9 @@ let
       listen_addresses = '${if cfg.enableTCPIP then "*" else "localhost"}'
       port = ${toString cfg.port}
       ${cfg.extraConfig}
-    '';
+    ''; 
 
-    dirMode = if cfg.groupAccess == true then "0750" else "0700";
+  groupAccessAvailable = versionAtLeast postgresql.version "11.0";
 
 in
 
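Review bot: The rewritten line `''; ` in the first change of this hunk carries a trailing space, so the only edit made to the closing of the config string is whitespace noise that editors and future diffs will keep tripping over; it should stay as `'';`. The new binding `groupAccessAvailable = versionAtLeast postgresql.version "11.0";` also takes the version from `postgresql` rather than from `cfg.package.version` as the removed assertion did; if `postgresql` in this `let` is a wrapper around `cfg.package` rather than the package itself, confirm that it exposes `.version`, otherwise the version gate silently evaluates against the wrong derivation. The `let` block this hunk belongs to starts outside the hunk.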
@@ -66,18 +66,6 @@ in
         '';
       };
 
-      groupAccess = mkOption {
-        type = with types; nullOr bool;
-        default = null;
-        description = ''
-          When true, allow read access for group (<literal>0750</literal> mask for data directory).
-          Supported only for PostgreSQL 11+.
-          </para><para>
-          When false, force a restrictive <literal>0700</literal> mask on data directory, so
-          PostgreSQL won't fail due to too permissive mask.
-        '';
-      };
-
       authentication = mkOption {
         type = types.lines;
         default = "";
@@ -105,7 +93,7 @@ in
       initdbArgs = mkOption {
         type = with types; listOf str;
         default = [];
-        example = [ "--data-checksums" ];
+        example = [ "--data-checksums" "--allow-group-access" ];
         description = ''
           Additional arguments passed to <literal>initdb<literal> during data dir
           initialisation.
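Review bot: The example now advertises `--allow-group-access`, but the option description beneath it does not say that the flag is only meaningful on PostgreSQL 11+, nor that on older versions the service forces the data directory back to mode 0700 before start, so a reader copying the example on an older package gets no hint why group access never appears. I would append to the description: `Note that <literal>--allow-group-access</literal> requires PostgreSQL 11+; for older versions the data directory is forced to mode <literal>0700</literal> before the server starts.` Unrelated to this change, the context line `<literal>initdb<literal>` is missing its closing slash and should read `<literal>initdb</literal>`. The `initdbArgs` option definition continues outside the hunk.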
@@ -246,14 +234,6 @@ in
 
   config = mkIf cfg.enable {
 
-    assertions = [
-      { assertion = cfg.groupAccess == true -> versionAtLeast cfg.package.version "11.0";
-        message = ''
-          'groupAccess' is not available for PostgreSQL < 11.
-        '';
-      }
-    ];
-
     services.postgresql.package =
       # Note: when changing the default, make it conditional on
       # ‘system.stateVersion’ to maintain compatibility with existing
@@ -268,9 +248,6 @@ in
                   then "/var/lib/postgresql/${cfg.package.psqlSchema}"
                   else "/var/db/postgresql");
 
-    services.postgresql.initdbArgs =
-      mkBefore (optional (cfg.groupAccess == true) "--allow-group-access");
-
     services.postgresql.authentication = mkAfter
       ''
         # Generated file; do not edit!
@@ -310,7 +287,7 @@ in
           ''
             # Create data directory.
             if ! test -e ${cfg.dataDir}/PG_VERSION; then
-              mkdir -m ${dirMode} -p ${cfg.dataDir}
+              mkdir -m 0700 -p ${cfg.dataDir}
               rm -f ${cfg.dataDir}/*.conf
               chown -R postgres:postgres ${cfg.dataDir}
             fi
@@ -329,8 +306,9 @@ in
               ln -sfn "${pkgs.writeText "recovery.conf" cfg.recoveryConfig}" \
                 "${cfg.dataDir}/recovery.conf"
             ''}
-            ${optionalString (cfg.groupAccess != null) ''
-              chmod ${dirMode} "${cfg.dataDir}"
+            ${optionalString (!groupAccessAvailable) ''
+              # postgresql pre 11.0 doesn't start if state directory mode is group accessible
+              chmod 0700 "${cfg.dataDir}"
             ''}
 
             exec postgres
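Review bot: For PostgreSQL 11+ the new `optionalString (!groupAccessAvailable)` branch drops the chmod entirely, so an existing data directory whose mode is looser than the server accepts (for instance group-writable or world-readable) is no longer corrected before `exec postgres`, and the non-obvious start-up failure the commit message describes can still happen on those versions; as far as I recall 11+ only accepts 0700 or 0750. If leaving the mode to the administrator on 11+ is the intent, the new comment should say so, e.g. `# on 11+ the mode is left as is: postgres accepts 0700, or 0750 when initialised with --allow-group-access`; otherwise a version-independent `chmod g-w,o-rwx "${cfg.dataDir}"` would keep the restrictive default on every version without undoing group read access. The pre-start script this hunk belongs to starts outside the hunk.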
diff --git a/nixos/tests/postgresql.nix b/nixos/tests/postgresql.nix
index c36ce046efc..3201e22555e 100644
--- a/nixos/tests/postgresql.nix
+++ b/nixos/tests/postgresql.nix
@@ -86,56 +86,5 @@ let
 in
   (mapAttrs' (name: package: { inherit name; value=make-postgresql-test name package false;}) postgresql-versions) // {
     postgresql_11-backup-all = make-postgresql-test "postgresql_11-backup-all" postgresql-versions.postgresql_11 true;
-
-    postgresql_dirmode_change =
-      let dataDir = "/db";
-    in makeTest {
-      name = "postgresql_dirmode_change";
-      meta = with pkgs.stdenv.lib.maintainers; {
-        maintainers = [ danbst ];
-      };
-
-      machine = { config, lib, ...}:
-        {
-          services.postgresql.enable = true;
-          services.postgresql.package = pkgs.postgresql_10;
-          services.postgresql.dataDir = dataDir;
-
-          users.users.admin.isNormalUser = true;
-          users.users.admin.extraGroups = [ "postgres" ];
-
-          nesting.clone = [
-            {
-              systemd.services.postgresql.preStart = lib.mkAfter ''
-                chmod 0700 ${dataDir}
-              '';
-              systemd.services.postgresql.postStart = lib.mkAfter ''
-                chmod -R 750 ${dataDir}
-                ${pkgs.acl}/bin/setfacl -d -m g::r-x ${dataDir}
-              '';
-            }
-          ];
-        };
-    testScript = { nodes, ... }: let
-      c1 = "${nodes.machine.config.system.build.toplevel}/fine-tune/child-1";
-    in ''
-      $machine->start;
-      $machine->waitForUnit("postgresql");
-      $machine->succeed("echo select 1 | sudo -u postgres psql");
-
-      # by default, mode is 0700
-      $machine->fail("sudo -u admin ls ${dataDir}");
-
-      $machine->succeed("${c1}/bin/switch-to-configuration test >&2");
-      $machine->succeed("journalctl -u postgresql | grep -q -i stopped"); # was restarted
-      $machine->succeed("systemctl restart postgresql"); # but we have to be sure
-                                                         # manual restart works too
-      $machine->waitForUnit("postgresql");
-      $machine->succeed("echo select 1 | sudo -u postgres psql"); # works after restart
-      $machine->succeed("sudo -u admin ls ${dataDir}");
-
-      $machine->shutdown;
-    '';
-    };
   }