authorDanylo Hlynskyi <abcz2.uprola@gmail.com>2020-02-14 20:51:20 +0200
committerGitHub <noreply@github.com>2020-02-14 20:51:20 +0200
commit5443eee47c0f90da8a9d13296ba30771aed179e1 (patch)
tree05db1f6f8e5a933fbdebd740979b533682bf5085 /nixos/modules
parentc8d53312a59b7ca75cd064da9fb06f27d23459e0 (diff)
parent84535e0a47bf97d6d7ea6ea3764d45baab93fde9 (diff)
nixos/postgresql: support 0750 for data directory (#65245)
* nixos/postgresql: support 0750 for data directory This is a rework of part of https://github.com/NixOS/nixpkgs/pull/46670. My use case was to be able to inspect the PG data directory as a wheel user. PG11 now allows starting the server with a 0750 mask on the data directory. `groupAccess = true` now does this automatically; the only thing you have to do is set the group ownership. For PG10 and below, I've described a hack for how this can be done; before this PR the hack was impossible. The hack isn't ideal, because there is a short period of time when the dir mode is 0700, so I didn't want to make it official. A test/example is present too. * postgresql: allow changing initdb arguments via the module system Closes https://github.com/NixOS/nixpkgs/issues/18829 + some cleanups * addressed review comments and some fixes * whoops * change groupAccess to a tristate, to not force `chmod` on dataDir. Making the mask either 0700 or 0750 is too restrictive.. * WIP * let's not support group mode for versions pre-11. The only fix is to change the mode to 0700 before start, because otherwise postgresql doesn't start, and the error is non-obvious.
Diffstat (limited to 'nixos/modules')
-rw-r--r--nixos/modules/services/databases/postgresql.nix33
1 files changed, 25 insertions, 8 deletions
diff --git a/nixos/modules/services/databases/postgresql.nix b/nixos/modules/services/databases/postgresql.nix
index c8fdd89d0d8f..f656e236b369 100644
--- a/nixos/modules/services/databases/postgresql.nix
+++ b/nixos/modules/services/databases/postgresql.nix
@@ -20,7 +20,9 @@ let
listen_addresses = '${if cfg.enableTCPIP then "*" else "localhost"}'
port = ${toString cfg.port}
${cfg.extraConfig}
- '';
+ '';
+
+ groupAccessAvailable = versionAtLeast postgresql.version "11.0";
in
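Review bot: The new `groupAccessAvailable` binding reads `postgresql.version`, while the rest of this module (see the `Type =` line later in this diff) uses `cfg.package.version`; if `postgresql` is the let-bound alias for `cfg.package` (its definition sits above this hunk and is not visible here) the two are equivalent, but a reader cannot tell from this spot. A one-line comment would make the threshold self-explanatory, e.g. `# 0750 data directories (initdb --allow-group-access) are only accepted by PostgreSQL >= 11`. The enclosing `let` block starts outside the hunk.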
@@ -88,6 +90,16 @@ in
'';
};
+ initdbArgs = mkOption {
+ type = with types; listOf str;
+ default = [];
+ example = [ "--data-checksums" "--allow-group-access" ];
+ description = ''
+ Additional arguments passed to <literal>initdb<literal> during data dir
+ initialisation.
+ '';
+ };
+
initialScript = mkOption {
type = types.nullOr types.path;
default = null;
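Review bot: The option description for `initdbArgs` contains an unclosed DocBook tag, `<literal>initdb<literal>`, which will likely break or misrender the generated options manual; it should read `<literal>initdb</literal>`. It would also help users to state that each list element is passed as one argument, since the example mixes a version-gated flag (`--allow-group-access` only exists from PostgreSQL 11 on) with a generic one — a short sentence such as "Each element is passed as a separate argument; flags such as `--allow-group-access` require PostgreSQL 11 or later." avoids a confusing initdb failure on older packages.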
@@ -220,7 +232,7 @@ in
###### implementation
- config = mkIf config.services.postgresql.enable {
+ config = mkIf cfg.enable {
services.postgresql.package =
# Note: when changing the default, make it conditional on
@@ -232,8 +244,9 @@ in
else throw "postgresql_9_4 was removed, please upgrade your postgresql version.");
services.postgresql.dataDir =
- mkDefault (if versionAtLeast config.system.stateVersion "17.09" then "/var/lib/postgresql/${config.services.postgresql.package.psqlSchema}"
- else "/var/db/postgresql");
+ mkDefault (if versionAtLeast config.system.stateVersion "17.09"
+ then "/var/lib/postgresql/${cfg.package.psqlSchema}"
+ else "/var/db/postgresql");
services.postgresql.authentication = mkAfter
''
@@ -284,7 +297,7 @@ in
''
# Initialise the database.
if ! test -e ${cfg.dataDir}/PG_VERSION; then
- initdb -U ${cfg.superUser}
+ initdb -U ${cfg.superUser} ${concatStringsSep " " cfg.initdbArgs}
# See postStart!
touch "${cfg.dataDir}/.first_startup"
fi
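Review bot: The new `initdb` line splices `cfg.initdbArgs` into the shell with `concatStringsSep " "` and no quoting, so any element containing whitespace or shell metacharacters (a locale or path value with a space, a `$`, quotes) is word-split and interpreted by the shell rather than passed to initdb verbatim. Since `concatStringsSep` and `versionAtLeast` are already used unqualified, `escapeShellArgs` from the same lib is in scope: `initdb -U ${cfg.superUser} ${escapeShellArgs cfg.initdbArgs}`. This also keeps an attacker-controlled-looking value from turning into a command, which matters because this script runs with the database's ownership of `dataDir`. The surrounding startup script begins before this hunk.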
@@ -293,8 +306,12 @@ in
ln -sfn "${pkgs.writeText "recovery.conf" cfg.recoveryConfig}" \
"${cfg.dataDir}/recovery.conf"
''}
+ ${optionalString (!groupAccessAvailable) ''
+ # postgresql pre 11.0 doesn't start if state directory mode is group accessible
+ chmod 0700 "${cfg.dataDir}"
+ ''}
- exec postgres
+ exec postgres
'';
serviceConfig =
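Review bot: The pre-11 branch unconditionally runs `chmod 0700` on `cfg.dataDir` at every start, silently reverting any mode an administrator set deliberately (for example 0750 for a backup group), and nothing in the hunk tells them why their change keeps disappearing; the comment should say so and the action should be logged, e.g. `# PostgreSQL < 11 refuses to start unless the data directory is 0700; tightening it here overrides any manual mode change` followed by `echo "postgresql: forcing mode 0700 on ${cfg.dataDir} (required before PostgreSQL 11)" >&2`. Note also that this runs inside the `exec postgres` script, which by the `PermissionsStartOnly = true` setting later in the diff is presumably executed as the service user rather than root, so the `chmod` only succeeds when that user owns `dataDir` — a failure there should probably abort rather than let postgres produce its non-obvious error. The script body starts outside this hunk.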
@@ -303,7 +320,7 @@ in
Group = "postgres";
PermissionsStartOnly = true;
RuntimeDirectory = "postgresql";
- Type = if lib.versionAtLeast cfg.package.version "9.6"
+ Type = if versionAtLeast cfg.package.version "9.6"
then "notify"
else "simple";
@@ -352,5 +369,5 @@ in
};
meta.doc = ./postgresql.xml;
- meta.maintainers = with lib.maintainers; [ thoughtpolice ];
+ meta.maintainers = with lib.maintainers; [ thoughtpolice danbst ];
}