author | danbst <abcz2.uprola@gmail.com> | 2020-02-14 19:16:34 +0200 |
committer | danbst <abcz2.uprola@gmail.com> | 2020-02-14 19:16:34 +0200 |
commit | 84535e0a47bf97d6d7ea6ea3764d45baab93fde9 (patch) | |
tree | 33d1d64a909e86cd7303ffb3b796f0b54108d7b3 /nixos | |
parent | 2c77c5348784af220f5566b26c621aa254fd14a1 (diff) | |
let's not support group mode for versions pre-11.
The only fix is to change the mode to 0700 before start, because otherwise postgresql doesn't start and the error is non-obvious.
Diffstat (limited to 'nixos')
-rw-r--r-- | nixos/modules/services/databases/postgresql.nix | 36 | ||||
-rw-r--r-- | nixos/tests/postgresql.nix | 51 |
2 files changed, 7 insertions, 80 deletions
diff --git a/nixos/modules/services/databases/postgresql.nix b/nixos/modules/services/databases/postgresql.nix
index 8bbbf2d31fc..f656e236b36 100644
--- a/nixos/modules/services/databases/postgresql.nix
+++ b/nixos/modules/services/databases/postgresql.nix
@@ -20,9 +20,9 @@ let
listen_addresses = '${if cfg.enableTCPIP then "*" else "localhost"}'
port = ${toString cfg.port}
${cfg.extraConfig}
- '';
+ '';
- dirMode = if cfg.groupAccess == true then "0750" else "0700";
+ groupAccessAvailable = versionAtLeast postgresql.version "11.0";
in
@@ -66,18 +66,6 @@ in
'';
};
- groupAccess = mkOption {
- type = with types; nullOr bool;
- default = null;
- description = ''
- When true, allow read access for group (<literal>0750</literal> mask for data directory).
- Supported only for PostgreSQL 11+.
- </para><para>
- When false, force a restrictive <literal>0700</literal> mask on data directory, so
- PostgreSQL won't fail due to too permissive mask.
- '';
- };
-
authentication = mkOption {
type = types.lines;
default = "";
@@ -105,7 +93,7 @@ in
initdbArgs = mkOption {
type = with types; listOf str;
default = [];
- example = [ "--data-checksums" ];
+ example = [ "--data-checksums" "--allow-group-access" ];
description = ''
Additional arguments passed to <literal>initdb<literal> during data dir initialisation.
@@ -246,14 +234,6 @@ in
config = mkIf cfg.enable {
- assertions = [
- { assertion = cfg.groupAccess == true -> versionAtLeast cfg.package.version "11.0";
- message = ''
- 'groupAccess' is not available for PostgreSQL < 11.
- '';
- }
- ];
-
services.postgresql.package =
# Note: when changing the default, make it conditional on
# ‘system.stateVersion’ to maintain compatibility with existing
@@ -268,9 +248,6 @@ in
then "/var/lib/postgresql/${cfg.package.psqlSchema}"
else "/var/db/postgresql");
- services.postgresql.initdbArgs =
- mkBefore (optional (cfg.groupAccess == true) "--allow-group-access");
-
services.postgresql.authentication = mkAfter ''
# Generated file; do not edit!
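Review bot: The new `groupAccessAvailable` binding in the first hunk reads `postgresql.version`, whereas the assertion deleted in the `config` hunk compared `cfg.package.version`. If the `postgresql` binding in this `let` is the plugin-wrapping `buildEnv` rather than `cfg.package` itself, `.version` is only present when that derivation passes it through, and `versionAtLeast` on a missing attribute is an evaluation error rather than a quiet "false"; worth confirming what `postgresql` is bound to, or keeping the comparison the assertion already used: `groupAccessAvailable = versionAtLeast cfg.package.version "11.0";`. The `let` block this lands in starts outside the hunk.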
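Review bot: Removing `groupAccess` from `options` in the second hunk turns every existing `services.postgresql.groupAccess = …` into a bare "option does not exist" evaluation error with no pointer to the replacement. The module convention for this is a removed-option stub in `imports`, e.g. `(mkRemovedOptionModule [ "services" "postgresql" "groupAccess" ] "Pass \"--allow-group-access\" via services.postgresql.initdbArgs instead (PostgreSQL 11+ only).")`, which also documents that the replacement is a fresh-initdb-only knob. The `options` attribute set this hunk edits starts outside the hunk.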
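Review bot: The `initdbArgs` example in the third hunk now advertises `--allow-group-access`, but the only text that explained what it does to the data directory (group-readable 0750 mask, PostgreSQL 11+ only) was the description of the removed `groupAccess` option, so the permission widening is now undocumented at the place users will copy it from. A sentence in the `description` would carry it, e.g. `Note that <literal>--allow-group-access</literal> makes the data directory group-readable (mask 0750) and is only understood by PostgreSQL 11 and later.` The surrounding `description` string starts in the hunk and ends outside it.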
@@ -310,7 +287,7 @@ in
''
# Create data directory.
if ! test -e ${cfg.dataDir}/PG_VERSION; then
- mkdir -m ${dirMode} -p ${cfg.dataDir}
+ mkdir -m 0700 -p ${cfg.dataDir}
rm -f ${cfg.dataDir}/*.conf
chown -R postgres:postgres ${cfg.dataDir}
fi
@@ -329,8 +306,9 @@ in
ln -sfn "${pkgs.writeText "recovery.conf" cfg.recoveryConfig}" \
"${cfg.dataDir}/recovery.conf"
''}
- ${optionalString (cfg.groupAccess != null) ''
- chmod ${dirMode} "${cfg.dataDir}"
+ ${optionalString (!groupAccessAvailable) ''
+ # postgresql pre 11.0 doesn't start if state directory mode is group accessible
+ chmod 0700 "${cfg.dataDir}"
''}
exec postgres
diff --git a/nixos/tests/postgresql.nix b/nixos/tests/postgresql.nix
index c36ce046efc..3201e22555e 100644
--- a/nixos/tests/postgresql.nix
+++ b/nixos/tests/postgresql.nix
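Review bot: The `chmod 0700` guard added in the second hunk runs only when `groupAccessAvailable` is false, so on PostgreSQL 11+ an existing `dataDir` with world bits or group-write set still makes `exec postgres` fail with the same non-obvious startup error the commit message describes, and the module no longer enforces any mode there (the removed `groupAccess = false` branch did). A version-independent tightening that does not fight `--allow-group-access` would be `chmod g-w,o-rwx "${cfg.dataDir}"` before the `optionalString` block, leaving the 0700 line for pre-11 only. Note also that `--allow-group-access` in `initdbArgs` only takes effect on a fresh initdb; a directory already initialised at 0700 keeps that mode, which is probably worth a comment next to the new `mkdir -m 0700` in the first hunk. The script string both hunks edit starts outside the hunks.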
@@ -86,56 +86,5 @@ let
in
(mapAttrs' (name: package: { inherit name; value=make-postgresql-test name package false;}) postgresql-versions) // {
postgresql_11-backup-all = make-postgresql-test "postgresql_11-backup-all" postgresql-versions.postgresql_11 true;
-
- postgresql_dirmode_change =
- let dataDir = "/db";
- in makeTest {
- name = "postgresql_dirmode_change";
- meta = with pkgs.stdenv.lib.maintainers; {
- maintainers = [ danbst ];
- };
-
- machine = { config, lib, ...}:
- {
- services.postgresql.enable = true;
- services.postgresql.package = pkgs.postgresql_10;
- services.postgresql.dataDir = dataDir;
-
- users.users.admin.isNormalUser = true;
- users.users.admin.extraGroups = [ "postgres" ];
-
- nesting.clone = [
- {
- systemd.services.postgresql.preStart = lib.mkAfter ''
- chmod 0700 ${dataDir}
- '';
- systemd.services.postgresql.postStart = lib.mkAfter ''
- chmod -R 750 ${dataDir}
- ${pkgs.acl}/bin/setfacl -d -m g::r-x ${dataDir}
- '';
- }
- ];
- };
- testScript = { nodes, ... }: let
- c1 = "${nodes.machine.config.system.build.toplevel}/fine-tune/child-1";
- in ''
- $machine->start;
- $machine->waitForUnit("postgresql");
- $machine->succeed("echo select 1 | sudo -u postgres psql");
-
- # by default, mode is 0700
- $machine->fail("sudo -u admin ls ${dataDir}");
-
- $machine->succeed("${c1}/bin/switch-to-configuration test >&2");
- $machine->succeed("journalctl -u postgresql | grep -q -i stopped"); # was restarted
- $machine->succeed("systemctl restart postgresql"); # but we have to be sure
- # manual restart works too
- $machine->waitForUnit("postgresql");
- $machine->succeed("echo select 1 | sudo -u postgres psql"); # works after restart
- $machine->succeed("sudo -u admin ls ${dataDir}");
-
- $machine->shutdown;
- '';
- };
} |