diff options
Diffstat (limited to 'nixos/modules/services/databases/postgresql.nix')
| -rw-r--r-- | nixos/modules/services/databases/postgresql.nix | 95 |
1 files changed, 71 insertions, 24 deletions
diff --git a/nixos/modules/services/databases/postgresql.nix b/nixos/modules/services/databases/postgresql.nix index 0acaf0fd00a..a9067d5974a 100644 --- a/nixos/modules/services/databases/postgresql.nix +++ b/nixos/modules/services/databases/postgresql.nix @@ -55,7 +55,7 @@ in package = mkOption { type = types.package; - example = literalExpression "pkgs.postgresql_11"; + example = literalExpression "pkgs.postgresql_15"; description = lib.mdDoc '' PostgreSQL package to use. ''; @@ -78,7 +78,7 @@ in dataDir = mkOption { type = types.path; defaultText = literalExpression ''"/var/lib/postgresql/''${config.services.postgresql.package.psqlSchema}"''; - example = "/var/lib/postgresql/11"; + example = "/var/lib/postgresql/15"; description = lib.mdDoc '' The data directory for PostgreSQL. If left as the default value this directory will automatically be created before the PostgreSQL server starts, otherwise @@ -106,12 +106,14 @@ in identMap = mkOption { type = types.lines; default = ""; + example = '' + map-name-0 system-username-0 database-username-0 + map-name-1 system-username-1 database-username-1 + ''; description = lib.mdDoc '' Defines the mapping from system users to database users. - The general form is: - - map-name system-username database-username + See the [auth doc](https://postgresql.org/docs/current/auth-username-maps.html). ''; }; @@ -128,6 +130,11 @@ in initialScript = mkOption { type = types.nullOr types.path; default = null; + example = literalExpression '' + pkgs.writeText "init-sql-script" ''' + alter user postgres with password 'myPassword'; + ''';''; + description = lib.mdDoc '' A file containing SQL statements to execute on first startup. ''; @@ -161,7 +168,12 @@ in ensurePermissions = mkOption { type = types.attrsOf types.str; default = {}; + visible = false; # This option has been deprecated. description = lib.mdDoc '' + This option is DEPRECATED and should not be used in nixpkgs anymore, + use `ensureDBOwnership` instead. It can also break with newer + versions of PostgreSQL (≥ 15). + Permissions to ensure for the user, specified as an attribute set. The attribute names specify the database and tables to grant the permissions for. The attribute values specify the permissions to grant. You may specify one or @@ -180,6 +192,16 @@ in ''; }; + ensureDBOwnership = mkOption { + type = types.bool; + default = false; + description = mdDoc '' + Grants the user ownership to a database with the same name. + This database must be defined manually in + [](#opt-services.postgresql.ensureDatabases). + ''; + }; + ensureClauses = mkOption { description = lib.mdDoc '' An attrset of clauses to grant to the user. Under the hood this uses the @@ -331,26 +353,21 @@ in }); default = []; description = lib.mdDoc '' - Ensures that the specified users exist and have at least the ensured permissions. + Ensures that the specified users exist. The PostgreSQL users will be identified using peer authentication. This authenticates the Unix user with the same name only, and that without the need for a password. - This option will never delete existing users or remove permissions, especially not when the value of this - option is changed. This means that users created and permissions assigned once through this option or - otherwise have to be removed manually. + This option will never delete existing users or remove DB ownership of databases + once granted with `ensureDBOwnership = true;`. This means that this must be + cleaned up manually when changing after changing the config in here. ''; example = literalExpression '' [ { name = "nextcloud"; - ensurePermissions = { - "DATABASE nextcloud" = "ALL PRIVILEGES"; - }; } { name = "superuser"; - ensurePermissions = { - "ALL TABLES IN SCHEMA public" = "ALL PRIVILEGES"; - }; + ensureDBOwnership = true; } ] ''; @@ -380,7 +397,7 @@ in extraPlugins = mkOption { type = types.listOf types.path; default = []; - example = literalExpression "with pkgs.postgresql_11.pkgs; [ postgis pg_repack ]"; + example = literalExpression "with pkgs.postgresql_15.pkgs; [ postgis pg_repack ]"; description = lib.mdDoc '' List of PostgreSQL plugins. PostgreSQL version for each plugin should match version for `services.postgresql.package` value. @@ -392,7 +409,7 @@ in default = {}; description = lib.mdDoc '' PostgreSQL configuration. Refer to - <https://www.postgresql.org/docs/11/config-setting.html#CONFIG-SETTING-CONFIGURATION-FILE> + <https://www.postgresql.org/docs/15/config-setting.html#CONFIG-SETTING-CONFIGURATION-FILE> for an overview of `postgresql.conf`. ::: {.note} @@ -438,6 +455,27 @@ in config = mkIf cfg.enable { + assertions = map ({ name, ensureDBOwnership, ... }: { + assertion = ensureDBOwnership -> builtins.elem name cfg.ensureDatabases; + message = '' + For each database user defined with `services.postgresql.ensureUsers` and + `ensureDBOwnership = true;`, a database with the same name must be defined + in `services.postgresql.ensureDatabases`. + + Offender: ${name} has not been found among databases. + ''; + }) cfg.ensureUsers; + # `ensurePermissions` is now deprecated, let's avoid it. + warnings = lib.optional (any ({ ensurePermissions, ... }: ensurePermissions != {}) cfg.ensureUsers) " + `services.postgresql.*.ensurePermissions` is used in your expressions, + this option is known to be broken with newer PostgreSQL versions, + consider migrating to `services.postgresql.*.ensureDBOwnership` or + consult the release notes or manual for more migration guidelines. + + This option will be removed in NixOS 24.05 unless it sees significant + maintenance improvements. + "; + services.postgresql.settings = { hba_file = "${pkgs.writeText "pg_hba.conf" cfg.authentication}"; @@ -451,9 +489,10 @@ in services.postgresql.package = let mkThrow = ver: throw "postgresql_${ver} was removed, please upgrade your postgresql version."; - base = if versionAtLeast config.system.stateVersion "22.05" then pkgs.postgresql_14 + base = if versionAtLeast config.system.stateVersion "23.11" then pkgs.postgresql_15 + else if versionAtLeast config.system.stateVersion "22.05" then pkgs.postgresql_14 else if versionAtLeast config.system.stateVersion "21.11" then pkgs.postgresql_13 - else if versionAtLeast config.system.stateVersion "20.03" then pkgs.postgresql_11 + else if versionAtLeast config.system.stateVersion "20.03" then mkThrow "11" else if versionAtLeast config.system.stateVersion "17.09" then mkThrow "9_6" else mkThrow "9_5"; in @@ -464,13 +503,16 @@ in services.postgresql.dataDir = mkDefault "/var/lib/postgresql/${cfg.package.psqlSchema}"; - services.postgresql.authentication = mkAfter + services.postgresql.authentication = mkMerge [ + (mkBefore "# Generated file; do not edit!") + (mkAfter '' - # Generated file; do not edit! + # default value of services.postgresql.authentication local all all peer host all all 127.0.0.1/32 md5 host all all ::1/128 md5 - ''; + '') + ]; users.users.postgres = { name = "postgres"; @@ -545,12 +587,15 @@ in ${ concatMapStrings (user: - let + let userPermissions = concatStringsSep "\n" (mapAttrsToList (database: permission: ''$PSQL -tAc 'GRANT ${permission} ON ${database} TO "${user.name}"' '') user.ensurePermissions ); + dbOwnershipStmt = optionalString + user.ensureDBOwnership + ''$PSQL -tAc 'ALTER DATABASE "${user.name}" OWNER TO "${user.name}";' ''; filteredClauses = filterAttrs (name: value: value != null) user.ensureClauses; @@ -561,6 +606,8 @@ in $PSQL -tAc "SELECT 1 FROM pg_roles WHERE rolname='${user.name}'" | grep -q 1 || $PSQL -tAc 'CREATE USER "${user.name}"' ${userPermissions} ${userClauses} + + ${dbOwnershipStmt} '' ) cfg.ensureUsers @@ -577,7 +624,7 @@ in else "simple"; # Shut down Postgres using SIGINT ("Fast Shutdown mode"). See - # http://www.postgresql.org/docs/current/static/server-shutdown.html + # https://www.postgresql.org/docs/current/server-shutdown.html KillSignal = "SIGINT"; KillMode = "mixed"; |